You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
This behaviour has been observed with package versions xrootd.x86_64 1:3.3.6-5.CERN.el7.cern and xrootd.x86_64 1:3.3.6-4.CERN.slc6.
Using EOS with kerberos authentication for which we activated ticket exportation (-exptkn option), we have experienced a file descriptors leak (files remain opened by the process) server-side (MGM), up to reaching the OS maximum limit of 65K fds per process after several days, causing service unavailability.
Files descriptors were pointing towards file located in /var/tmp directory, most of them were deleted and had a name with pattern krb5_RCxxxxx. The process also keeps several file descriptors toward the same existing file named after the principal used for the authentication.
It appeared that these files are replay cache. If we set KRB5RCACHEDIR, then files are found to this new location. And if we set KRB5RCACHETYPE=none no files are created, and no leak occurs.
We then realized that also when deactivating ticket exportation, the issue also doesn't occur. Since we in fact don't need it (we're not sure what is the role of that), this is what we did as a long term solution. But we still wanted to report the issue in case it makes sense.
Without having any knowledge about kerberos library, we noted that the function krb5_get_server_rcache is used to generate replay cache, but the krb5_rc_close is never mentioned in the code, however it is said to be necessary to clean up the resources.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1