Your message dated Thu, 7 Sep 2023 10:17:59 -0700
with message-id <zpofx8cf0nuwj...@t570.nardis.ca>
and subject line Re: Bug#1051349: slapd: DoS after some 'Too many open files'?
has caused the Debian Bug report #1051349,
regarding slapd: DoS after some 'Too many open files'?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1051349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slapd
Version: 2.5.13+dfsg-5
Severity: normal
Dear Maintainer,
This happens on one physical machine using Debian Bookworm and dedicated only to NFS/LDAP services.
I never faced this for years with Bullseye before upgrading to Bookworm.
Looking into log files there are the following messages:
[...]
2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:57:22.996861+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T14:57:53.823167+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:57:53.823810+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T14:59:56.993514+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T14:59:56.994249+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T15:00:15.129483+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T15:00:15.129643+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
2023-09-06T15:00:53.881436+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:01:16.878910+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:01:16.880305+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
[...]
During the DoS, 'systemctl status slapd' did not show me anything strange.
Restarting the service solved the trouble.
Are there some possible file closing leaks in slapd itself?
ulimit is unlimited in the default env of any root/user.
What about the slapd service that is launched by systemd?
# systemctl status slapd
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; generated)
Drop-In: /usr/lib/systemd/system/slapd.service.d
└─slapd-remain-after-exit.conf
Active: active (running) since Wed 2023-09-06 15:41:44 CEST; 51min ago
Docs: man:systemd-sysv-generator(8)
Process: 135002 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
Tasks: 9 (limit: 38189)
Memory: 73.9M
CPU: 3.444s
CGroup: /system.slice/slapd.service
└─135008 /usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
Is the 'limit' value (38189) related to the ulimit of its process?
slapd does not have a .service file to change this, right?
Many thanks,
Patrice
# cat /etc/default/slapd
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=
# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
# default)
SLAPD_PIDFILE=
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldapi:///"
# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1
# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab
# Additional options to pass to slapd
SLAPD_OPTIONS=""
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.4.0-2-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Hello Patrice,
On Wed, Sep 06, 2023 at 04:43:16PM +0200, Patrice Duroux wrote:
> 2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
As Quanah said, hitting the open files limit is a common issue on Debian
because we link the tcp-wrappers library, which unfortunately consumes
extra file descriptors for each open network connection.
> ulimit is unlimited in the default env of any root/user.
> What about the slapd service that is launched by systemd?
See /proc/$(pidof slapd)/limits. In a systemd-nspawn container, I see a
default limit of 1024 open files.
> slapd does not have a .service file to change this, right?
Not on disk, but a virtual slapd.service is generated from the init
script, and can be modified using a drop-in:
mkdir -p /etc/systemd/system/slapd.service.d
cat > /etc/systemd/system/slapd.service.d/open-files-limit.conf << eof
[Service]
LimitNOFILE=524288
eof
systemctl daemon-reload
systemctl restart slapd.service
Now /proc/$(pidof slapd)/limits should reflect the increased limit.
Hope this helps,
Ryan
--- End Message ---
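As an added example (not code from the bug report, from Ryan, or from Debian's slapd packaging), a POSIX shell check that reads the soft "Max open files" value from the /proc/$(pidof slapd)/limits file Ryan points to and compares it with the descriptors slapd currently holds, so descriptor exhaustion can be caught before accept() starts failing with errno=24; the 80% threshold, the single-pid assumption for pidof, and the sample limits text are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian slapd package: check how
# close a running slapd is to its soft "Max open files" limit, the condition
# behind the accept() errno=24 failures and the hosts.allow/hosts.deny warnings
# quoted in the report. Reads /proc/PID/limits and counts /proc/PID/fd entries
# (reading another user's /proc/PID/fd needs root).

# Print the soft "Max open files" value from /proc/PID/limits-format input.
# Usage: nofile_soft_limit < /proc/PID/limits
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }'
}

# Succeed (exit 0) when used/limit has reached the threshold percentage.
# Args: used_fds soft_limit threshold_pct ; a limit of "unlimited" never alerts.
fd_usage_alert() {
    used=$1; limit=$2; pct=$3
    [ "$limit" = "unlimited" ] && return 1
    [ $((used * 100)) -ge $((limit * pct)) ]
}

# Live check of the running slapd (assumes pidof returns a single pid).
check_slapd_fds() {
    pid=$(pidof slapd) || { echo "slapd not running" >&2; return 2; }
    limit=$(nofile_soft_limit < "/proc/$pid/limits")
    used=$(ls "/proc/$pid/fd" | wc -l | tr -d ' ')
    if fd_usage_alert "$used" "$limit" 80; then
        echo "WARNING: slapd pid $pid uses $used of $limit fds (>= 80%)"
        return 1
    fi
    echo "slapd pid $pid uses $used of $limit fds"
}

# Constructed sample of /proc/PID/limits, matching the 1024 default Ryan saw.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 524288               files'
```

Run `check_slapd_fds` from cron or a monitoring hook on the LDAP host; once the LimitNOFILE drop-in above is in place, the limit it reports should change from 1024 to 524288.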