Bug#858417: libapache2-mod-shib2: Lots of apache workers in "Closing connection" state. Endless sleeping of apache workers.

Cantor, Scott cantor.2 at osu.edu
Fri Mar 24 15:58:17 UTC 2017

On 3/24/17, 9:29 AM, "Pkg-shibboleth-devel on behalf of Ferenc Wágner" <pkg-shibboleth-devel-bounces+cantor.2=osu.edu at lists.alioth.debian.org on behalf of wferi at niif.hu> wrote:

> This looks like a log4shib threading problem, probably inherited from log4cpp.

More a "the design of the library just doesn't work for these kinds of process lifecycles" problem. There are issues open on, I suspect, related issues in the Shibboleth issue tracker; I don't have a specific issue number at hand right this second.

I believe there are a number of issues around changes to that code, some other changes in the SP to deal with the Apache permission issues, etc.

At this point, if you can use syslog, you can probably avoid a lot of this mess, since native.log doesn't really get used much anyway. Another key is to make sure the logger setting in shibboleth2.xml isn't set and that it's not trying to reload logging configuration.

This trace also suggests prefork is being used, which should never be used with mod_shib; that's a DoS attack waiting to happen.

-- Scott
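
Added example, not part of the original message and not Shibboleth project code: a small audit for the two conditions named in the reply above, a logger setting in shibboleth2.xml and the prefork MPM. It assumes the setting appears as a `logger` attribute on an element of shibboleth2.xml and that the MPM is read from `apachectl -V` output; both inputs below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from the bug report.
SAMPLE_SHIBBOLETH2_XML = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <OutOfProcess logger="shibd.logger"/>
  <InProcess logger="native.logger"/>
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>
"""

# Constructed sample of `apachectl -V` output.
SAMPLE_APACHECTL_V = """\
Server version: Apache/2.4.x (Debian)
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
"""

def logger_settings(xml_text):
    """Return (element, value) for every element carrying a logger attribute."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if "logger" in elem.attrib:
            local = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
            found.append((local, elem.attrib["logger"]))
    return found

def server_mpm(apachectl_output):
    """Extract the MPM name from `apachectl -V` output, or None if absent."""
    m = re.search(r"^Server MPM:\s*(\S+)", apachectl_output, re.MULTILINE)
    return m.group(1).lower() if m else None

def audit(xml_text, apachectl_output):
    """Collect warnings for the conditions the reply says to avoid."""
    findings = [f"<{name}> sets logger={value!r}"
                for name, value in logger_settings(xml_text)]
    if server_mpm(apachectl_output) == "prefork":
        findings.append("Apache is running the prefork MPM")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_SHIBBOLETH2_XML, SAMPLE_APACHECTL_V):
        print("WARN:", line)
```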
