#3448 Idle nss file descriptors should be closed
Closed: Fixed 4 years ago Opened 4 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1464049

Created attachment 1290646
SSSD NSS log file

Description of problem:
When client_idle_timeout is set in SSSD.CONF, sssd should check for and
terminate idle connections. See BZ827036. However, I see a minimum of four file
descriptors active even when a user is inactive for a long time.

This behaviour has caused failures in our automated regression run.

Version-Release number of selected component (if applicable):
sssd-1.15.2-49.el7.x86_64

Steps to Reproduce:
1. Setup sssd.conf as follows:

[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[nss]
debug_level = 0xFFF0
client_idle_timeout = 30

[pam]
debug_level = 0xFFF0
client_idle_timeout = 30

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
debug_level = 0xFFF0
cache_credentials = FALSE
ldap_uri = ldaps://hubcap.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com

2. Log in as an LDAP user and do nothing for 1 minute.

3. Open a new terminal and monitor the number of NSS and PAM file descriptors.

# lsof -p $(pidof sssd_nss) | grep /var/lib/sss/pipes/nss
sssd_nss 4663 root   17u     unix 0xffff88b53b7ff800       0t0   40687 /var/lib/sss/pipes/nss
sssd_nss 4663 root   21u     unix 0xffff88b539489000       0t0   41481 /var/lib/sss/pipes/nss
sssd_nss 4663 root   22u     unix 0xffff88b53868a000       0t0   41913 /var/lib/sss/pipes/nss
sssd_nss 4663 root   23u     unix 0xffff88b539977000       0t0   41683 /var/lib/sss/pipes/nss
sssd_nss 4663 root   24u     unix 0xffff88b538688c00       0t0   41794 /var/lib/sss/pipes/nss

# lsof -p $(pidof sssd_pam) | grep /var/lib/sss/pipes/pam
sssd_pam 4664 root    0u     unix 0xffff88b538a03000       0t0   41454 /var/lib/sss/pipes/pam
sssd_pam 4664 root   20u     unix 0xffff88b51f013400       0t0   42210 /var/lib/sss/pipes/pam


Actual results:
After 30 seconds, sssd should terminate idle FDs; however, that's not happening.

Expected results:
SSSD should kill idle connections once client_idle_timeout is over.

Additional info:
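
A repeatable form of the check in step 3, as an added example that is not part of the original ticket or SSSD's own code: it compares two lsof snapshots taken before and after the idle window and lists the sockets on the responder pipe that were never closed. The function names, the sample lsof lines and the allowance of one long-lived socket (assumed to be the listener) are assumptions.

```shell
#!/bin/sh
# Added example, not SSSD project code. All sample data below is constructed.
PIPE=/var/lib/sss/pipes/nss

# Constructed lsof lines: three sockets on the NSS pipe before the idle window.
SAMPLE_BEFORE='sssd_nss 4663 root 17u unix 0xffff000000000001 0t0 40001 /var/lib/sss/pipes/nss
sssd_nss 4663 root 21u unix 0xffff000000000002 0t0 40002 /var/lib/sss/pipes/nss
sssd_nss 4663 root 22u unix 0xffff000000000003 0t0 40003 /var/lib/sss/pipes/nss'
# Constructed "bug" case: nothing was closed during the idle window.
SAMPLE_LEAK=$SAMPLE_BEFORE
# Constructed "fixed" case: 17u survives, fd 21 was closed and reused by a new client.
SAMPLE_OK='sssd_nss 4663 root 17u unix 0xffff000000000001 0t0 40001 /var/lib/sss/pipes/nss
sssd_nss 4663 root 21u unix 0xffff000000000009 0t0 40009 /var/lib/sss/pipes/nss'

# persistent_fds PIPE BEFORE AFTER
# Prints "FD DEVICE" for each unix socket named PIPE that appears in both
# snapshots. Keying on FD plus DEVICE (the kernel socket address) keeps a
# reused fd number from being mistaken for a connection that stayed open.
persistent_fds() {
    printf '%s\n---\n%s\n' "$2" "$3" | awk -v pipe="$1" '
        $0 == "---" { second = 1; next }
        # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        $5 == "unix" && $9 == pipe {
            key = $4 " " $6
            if (!second) seen[key] = 1
            else if (key in seen) print key
        }'
}

# idle_check PIPE BEFORE AFTER ALLOWED
# Succeeds when at most ALLOWED sockets persisted across the idle window.
# ALLOWED=1 is an assumption: only the listening socket is expected to stay.
idle_check() {
    n=$(persistent_fds "$1" "$2" "$3" | awk 'END { print NR }')
    [ "$n" -le "$4" ]
}

# snapshot RESPONDER: live lsof output for a responder such as sssd_nss.
# Defined for use on a real host; nothing in this file calls it.
snapshot() { lsof -p "$(pidof "$1")"; }
```

On a live host, take one snapshot, wait longer than client_idle_timeout with the user inactive, take a second snapshot, and pass both to idle_check.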

Metadata Update from @lslebodn:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1464049

4 years ago

Metadata Update from @lslebodn:
- Issue set to the milestone: None
- Issue tagged with: regression

4 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

4 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

4 years ago

WIP patch: https://github.com/jhrozek/sssd/commit/69778bd3abc549e082510facc00e4695b51947a4

But I would also like to confirm with downstream that this helps and write a test.

Metadata Update from @jhrozek:
- Issue priority set to: blocker

4 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

4 years ago

Metadata Update from @lslebodn:
- Custom field type adjusted to 1.15.0

4 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4475

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
