On Wed, Jul 11, 2018 at 02:58:00PM -0400, Joey Hess wrote:
> After upgrading some openvz container at a hosting provider to unstable,
> ssh stopped working; incoming connections closed before password prompt.
>
> In auth.log, there was this:
>
> ssh_sandbox_child: setrlimit(RLIMIT_NOFILE, { 0, 0 }): Invalid argument [preauth]
>
> Seems like there is no way to disable the sandbox any more,
> and so this may cause problems for openvz users.
>
> That openvz was running kernel version 2.6.32-openvz-042stab127.2. I
> have avoided openvz until now, so I don't know if such an outdated
> kernel is typical of openvz hosting providers.
>
> I can't find mention of RLIMIT_NOFILE not being supported in that old
> kernel version though (even with 0, 0), so it may not be the fault of an
> outdated kernel, but a limitation of openvz generally that RLIMIT_NOFILE
> doesn't work.

Yeah, I don't see why reducing the limits would be a problem even in
such an old kernel.

Do you know of a good support/bug contact for OpenVZ? I'm not familiar
with it at all, and I think we need some idea of what the problem is
there before we even have a clue about what a reasonable workaround in
OpenSSH might be. (Disabling the sandbox doesn't count as reasonable
here, at least not long-term.)

Have you asked the hosting provider if they know what might be going on,
or if they have an upstream they could ask? Presumably somebody
maintains this kernel.

Thanks,

--
Colin Watson [cjwat...@debian.org]
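
A minimal probe for the failure in the quoted log line, added here as an example; it is not part of either message and is not OpenSSH code. It repeats the `setrlimit(RLIMIT_NOFILE, { 0, 0 })` call in a forked child and reports the errno, and also tries `{ 1, 1 }` to show whether only zero is refused; the function name `probe_nofile_limit` is made up for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try setrlimit(RLIMIT_NOFILE, { value, value }) in a forked child so the
 * caller's own limits stay untouched. Returns 0 if the kernel accepted the
 * limit, the child's errno if it was rejected, or -1 if the probe itself
 * could not run (fork failed or the child died abnormally). */
int probe_nofile_limit(rlim_t value)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl = { value, value };
        /* errno values fit in the 8-bit exit status (EINVAL is 22). */
        _exit(setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* 0 is the value from the log line; 1 is an extra comparison point. */
    rlim_t values[] = { 0, 1 };
    for (size_t i = 0; i < sizeof(values) / sizeof(values[0]); i++) {
        unsigned long v = (unsigned long)values[i];
        int rc = probe_nofile_limit(values[i]);
        if (rc < 0)
            printf("{ %lu, %lu }: probe could not run\n", v, v);
        else if (rc == 0)
            printf("{ %lu, %lu }: accepted\n", v, v);
        else
            printf("{ %lu, %lu }: rejected: %s\n", v, v, strerror(rc));
    }
    return 0;
}
```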