#3448 Idle nss file descriptors should be closed
Closed: Fixed 2 years ago Opened 2 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1464049

Created attachment 1290646
SSSD NSS log file

Description of problem:
When client_idle_timeout is set in SSSD.CONF, sssd should check for and
terminate idle connections. See BZ827036. However, I see a minimum of four file
descriptors active even when a user is inactive for a long time.

This behaviour has caused failures in our automated regression run.

Version-Release number of selected component (if applicable):
sssd-1.15.2-49.el7.x86_64

Steps to Reproduce:
1. Setup sssd.conf as follows:

[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[nss]
debug_level = 0xFFF0
client_idle_timeout = 30

[pam]
debug_level = 0xFFF0
client_idle_timeout = 30

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
debug_level = 0xFFF0
cache_credentials = FALSE
ldap_uri = ldaps://hubcap.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com

2. Log in as an LDAP user and do nothing for 1 minute.

3. Open a new terminal and monitor the number of NSS and PAM file descriptors.

# lsof -p $(pidof sssd_nss) | grep /var/lib/sss/pipes/nss
sssd_nss 4663 root   17u     unix 0xffff88b53b7ff800       0t0   40687 /var/lib/sss/pipes/nss
sssd_nss 4663 root   21u     unix 0xffff88b539489000       0t0   41481 /var/lib/sss/pipes/nss
sssd_nss 4663 root   22u     unix 0xffff88b53868a000       0t0   41913 /var/lib/sss/pipes/nss
sssd_nss 4663 root   23u     unix 0xffff88b539977000       0t0   41683 /var/lib/sss/pipes/nss
sssd_nss 4663 root   24u     unix 0xffff88b538688c00       0t0   41794 /var/lib/sss/pipes/nss

# lsof -p $(pidof sssd_pam) | grep /var/lib/sss/pipes/pam
sssd_pam 4664 root    0u     unix 0xffff88b538a03000       0t0   41454 /var/lib/sss/pipes/pam
sssd_pam 4664 root   20u     unix 0xffff88b51f013400       0t0   42210 /var/lib/sss/pipes/pam


Actual results:
After 30 seconds, sssd should terminate idle FDs; however, that's not happening.

Expected results:
SSSD should kill idle connections once client_idle_timeout is over.

Additional info:

Metadata Update from @lslebodn:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1464049

2 years ago

Metadata Update from @lslebodn:
- Issue set to the milestone: None
- Issue tagged with: regression

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

2 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

2 years ago

WIP patch: https://github.com/jhrozek/sssd/commit/69778bd3abc549e082510facc00e4695b51947a4

But I would also like to confirm with downstream that this helps and write a test.

Metadata Update from @jhrozek:
- Issue priority set to: blocker

2 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

2 years ago

Metadata Update from @lslebodn:
- Custom field type adjusted to 1.15.0

2 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
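
The descriptor check from step 3 of the report, turned into a repeatable pass/fail test. This is an added example, not part of the ticket or of SSSD; the function names, the allowed-descriptor baseline and the extra sample lines are assumptions, and the parser also accepts `lsof` output whose path column has wrapped onto the next line when pasted.

```shell
#!/bin/sh
# Count Unix-socket descriptors bound to a responder pipe in `lsof` output
# read from stdin. The path is matched as a whole column, so a different
# socket whose path merely contains the pipe name is not counted.
count_pipe_fds() {
    pipe="$1"
    awk -v pipe="$pipe" '
        $5 == "unix" {                      # TYPE column of a socket record
            pending = 1                     # path may follow on the next line
            for (i = 6; i <= NF; i++)
                if ($i == pipe) { n++; pending = 0; break }
            next
        }
        pending && NF == 1 && $1 == pipe { n++ }   # wrapped path line
        { pending = 0 }
        END { print n + 0 }
    '
}

# Succeeds only if at most $2 descriptors on pipe $1 remain open.
# The baseline is a parameter because the responder keeps its own socket
# on the pipe open; measure it on an idle host instead of assuming zero.
check_idle_fds() {
    pipe="$1"; max="$2"
    n=$(count_pipe_fds "$pipe")
    echo "$n descriptors on $pipe (allowed: $max)"
    [ "$n" -le "$max" ]
}

# Sample input: the first two records are from the ticket (one wrapped, one
# joined); the last two lines are constructed to show what gets ignored.
sample_lsof() {
    cat <<'EOF'
sssd_nss 4663 root   17u     unix 0xffff88b53b7ff800       0t0   40687
/var/lib/sss/pipes/nss
sssd_nss 4663 root   21u     unix 0xffff88b539489000       0t0   41481 /var/lib/sss/pipes/nss
sssd_nss 4663 root   25u     unix 0xffff000000000000       0t0   50000 /tmp/example.sock
sssd_nss 4663 root    5w      REG 253,0 1024 1234 /tmp/example.log
EOF
}

# Demonstration with a constructed baseline of 1.
sample_lsof | check_idle_fds /var/lib/sss/pipes/nss 1 || echo "idle descriptors remain"

# Live use, run after client_idle_timeout has elapsed (BASELINE is yours to set):
#   lsof -p "$(pidof sssd_nss)" | check_idle_fds /var/lib/sss/pipes/nss "$BASELINE"
```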
