This behaviour has been observed with package versions `xrootd.x86_64 1:3.3.6-5.CERN.el7.cern` and `xrootd.x86_64 1:3.3.6-4.CERN.slc6`.

Using [EOS](https://github.com/cern-eos/eos) with Kerberos authentication, for which we activated ticket exportation (`-exptkn` option), we have experienced a file descriptor leak (files remain opened by the process) server-side (MGM), up to reaching the OS maximum limit of 65K fds per process after several days, causing service unavailability.
File descriptors were pointing to files located in the `/var/tmp` directory; most of them were deleted and had a name with the pattern `krb5_RCxxxxx`. The process also keeps several file descriptors to the same existing file named after the principal used for the authentication.

It appeared that these files are [replay caches](https://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html). If we set `KRB5RCACHEDIR`, then the files are found in this new location. And if we set `KRB5RCACHETYPE=none`, no files are created and no leak occurs.

We then realized that the issue also doesn't occur when ticket exportation is deactivated. Since we in fact don't need it (we're not sure what its role is), this is what we did as a long-term solution. But we still wanted to report the issue in case it makes sense.

Without having any knowledge of the Kerberos library, we noted that the function [krb5_get_server_rcache](https://github.com/xrootd/xrootd/blob/stable-3.3.6-x/src/XrdSeckrb5/XrdSecProtocolkrb5.cc#L792) is used to generate the replay cache, but `krb5_rc_close` is never mentioned in the code; however, it is [said to be necessary](https://web.mit.edu/kerberos/krb5-1.14/doc/appdev/refs/api/krb5_get_server_rcache.html) to clean up the resources.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/414
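
One way to check a Linux server process for the symptom described in this report, as an added example that is not part of the original message or of the XRootD/EOS code: it classifies `/proc/<pid>/fd` link targets into deleted `krb5_RC*` temp files and existing files held open by several descriptors. The sample targets and the `example_principal` file name are constructed; `rcache_dir` defaults to `/var/tmp` as in the report and should follow `KRB5RCACHEDIR` if that is set.

```python
import os
import re
from collections import Counter

RC_TEMP = re.compile(r"^krb5_RC\w+$")  # temp-file name pattern from the report
DELETED = " (deleted)"                 # Linux marks unlinked fd targets this way


def read_fd_targets(pid):
    """Return the symlink target of every open fd of a process (Linux /proc)."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for fd in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue  # fd was closed between listdir() and readlink()
    return targets


def summarize_rcache_fds(targets, rcache_dir="/var/tmp"):
    """Count fds that hold replay-cache files open under rcache_dir."""
    deleted_temp = live_temp = 0
    open_count = Counter()
    for target in targets:
        unlinked = target.endswith(DELETED)
        path = target[: -len(DELETED)] if unlinked else target
        directory, name = os.path.split(path)
        if directory != rcache_dir:
            continue  # sockets, pipes and unrelated files
        if RC_TEMP.match(name):
            if unlinked:
                deleted_temp += 1
            else:
                live_temp += 1
        elif not unlinked:
            open_count[path] += 1
    return {
        "total_fds": len(targets),
        "deleted_rc_temp": deleted_temp,
        "live_rc_temp": live_temp,
        # one existing file held by several fds (the principal-named cache)
        "multi_open": {p: n for p, n in open_count.items() if n > 1},
    }


# Constructed sample of /proc/<pid>/fd targets (not taken from the report).
SAMPLE = ["/var/tmp/krb5_RCa1B2c3 (deleted)", "/var/tmp/krb5_RCd4E5f6 (deleted)",
          "/var/tmp/krb5_RCg7H8i9", "/var/tmp/example_principal",
          "/var/tmp/example_principal", "/var/tmp/example_principal",
          "socket:[48213]", "/var/log/example.log"]
```

Calling `summarize_rcache_fds(read_fd_targets(pid))` periodically and alerting when `deleted_rc_temp` keeps growing catches the leak well before the per-process fd limit is reached.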