Hi Ryan, Sorry for my fuzzy report. I have not yet applied for your suggestion but will be back to it very soon.
Many thanks, Patrice Le jeu. 7 sept. 2023 à 19:24, Debian Bug Tracking System <ow...@bugs.debian.org> a écrit : > > This is an automatic notification regarding your Bug report > which was filed against the slapd package: > > #1051349: slapd: DoS after some 'Too many open files'? > > It has been closed by Ryan Tandy <r...@nardis.ca>. > > Their explanation is attached below along with your original report. > If this explanation is unsatisfactory and you have not received a > better one in a separate message then please contact Ryan Tandy > <r...@nardis.ca> by > replying to this email. > > > -- > 1051349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051349 > Debian Bug Tracking System > Contact ow...@bugs.debian.org with problems > > > > ---------- Forwarded message ---------- > From: Ryan Tandy <r...@nardis.ca> > To: Patrice Duroux <patrice.dur...@gmail.com> > Cc: 1051349-d...@bugs.debian.org > Bcc: > Date: Thu, 7 Sep 2023 10:17:59 -0700 > Subject: Re: Bug#1051349: slapd: DoS after some 'Too many open files'? > Hello Patrice, > > On Wed, Sep 06, 2023 at 04:43:16PM +0200, Patrice Duroux wrote: > >2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot > >open /etc/hosts.allow: Too many open files > > As Quanah said, hitting the open files limit is a common issue on Debian > because we link the tcp-wrappers library, which unfortunately consumes > extra file descriptors for each open network connection. > > >ulimit is unlimited in the default any root/user env. > >What about the slapd service that is launched by systemd? > > See /proc/$(pidof slapd)/limits. In a systemd-nspawn container, I see a > default limit of 1024 open files. > > >slapd does not have a .service file to change this, right? > > Not on disk, but a virtual slapd.service is generated from the init > script, and can be modified using a drop-in: > > mkdir -p /etc/systemd/system/slapd.service.d > cat > /etc/systemd/system/slapd.service.d/open-files-limit.conf << eof > [Service] > LimitNOFILE=524288 > eof > systemctl daemon-reload > systemctl restart slapd.service > > Now /proc/$(pidof slapd)/limits should reflect the increased limit. > > Hope this helps, > Ryan > > > ---------- Forwarded message ---------- > From: Patrice Duroux <patrice.dur...@gmail.com> > To: Debian Bug Tracking System <sub...@bugs.debian.org> > Cc: > Bcc: > Date: Wed, 06 Sep 2023 16:43:16 +0200 > Subject: slapd: DoS after some 'Too many open files'? > Package: slapd > Version: 2.5.13+dfsg-5 > Severity: normal > > Dear Maintainer, > > This happens on one physical machine using a Debian Bookworm and only > dedicated to NFS/LDAP > services. > I never faced this before for years with Bulleyes before upgrading to > Bookworm. > > Looking into log files there are the following messages: > > [...] > 2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.allow: Too many open files > 2023-09-06T14:57:22.996861+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.deny: Too many open files > 2023-09-06T14:57:53.823167+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.allow: Too many open files > 2023-09-06T14:57:53.823810+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.deny: Too many open files > 2023-09-06T14:59:56.993514+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.allow: Too many open files > 2023-09-06T14:59:56.994249+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.deny: Too many open files > 2023-09-06T15:00:15.129483+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.allow: Too many open files > 2023-09-06T15:00:15.129643+02:00 <HOSTNAME> slapd[2200]: warning: cannot open > /etc/hosts.deny: Too many open files > 2023-09-06T15:00:53.881436+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) > failed errno=24 (Too many open files) > 2023-09-06T15:01:16.878910+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) > failed errno=24 (Too many open files) > 2023-09-06T15:01:16.880305+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) > failed errno=24 (Too many open files) > [...] > > During the DoS, 'systemctl status slapd' did not shown me anything strange. > Restarting the service solved the trouble. > > Are there some possible file closing leaks in slapd it-self? > > ulimit is unlimited in the default any root/user env. > What about the slapd service that is launched by systemd? > > # systemctl status slapd > ● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory > Access Protocol) > Loaded: loaded (/etc/init.d/slapd; generated) > Drop-In: /usr/lib/systemd/system/slapd.service.d > └─slapd-remain-after-exit.conf > Active: active (running) since Wed 2023-09-06 15:41:44 CEST; 51min ago > Docs: man:systemd-sysv-generator(8) > Process: 135002 ExecStart=/etc/init.d/slapd start (code=exited, > status=0/SUCCESS) > Tasks: 9 (limit: 38189) > Memory: 73.9M > CPU: 3.444s > CGroup: /system.slice/slapd.service > └─135008 /usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u > openldap -F /etc/ldap/slapd.d > > Is the 'limit' value (38189) related to the ulimit of its process? > > slapd does not have a .service file to change this, right? > > Many thanks, > Patrice > > # cat /etc/default/slapd > # Default location of the slapd.conf file or slapd.d cn=config directory. If > # empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to > # /etc/ldap/slapd.conf). > SLAPD_CONF= > > # System account to run the slapd server under. If empty the server > # will run as root. > SLAPD_USER="openldap" > > # System group to run the slapd server under. If empty the server will > # run in the primary group of its user. > SLAPD_GROUP="openldap" > > # Path to the pid file of the slapd server. If not set the init.d script > # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by > # default) > SLAPD_PIDFILE= > > # slapd normally serves ldap only on all TCP-ports 389. slapd can also > # service requests on TCP-port 636 (ldaps) and requests via unix > # sockets. > # Example usage: > # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" > SLAPD_SERVICES="ldap:/// ldapi:///" > > # If SLAPD_NO_START is set, the init script will not start or restart > # slapd (but stop will still work). Uncomment this if you are > # starting slapd via some other means or if you don't want slapd normally > # started at boot. > #SLAPD_NO_START=1 > > # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, > # the init script will not start or restart slapd (but stop will still > # work). Use this for temporarily disabling startup of slapd (when doing > # maintenance, for example, or through a configuration management system) > # when you don't want to edit a configuration file. > SLAPD_SENTINEL_FILE=/etc/ldap/noslapd > > # For Kerberos authentication (via SASL), slapd by default uses the system > # keytab file (/etc/krb5.keytab). To use a different keytab file, > # uncomment this line and change the path. > #export KRB5_KTNAME=/etc/krb5.keytab > > # Additional options to pass to slapd > SLAPD_OPTIONS="" > > > > -- System Information: > Debian Release: trixie/sid > APT prefers unstable-debug > APT policy: (500, 'unstable-debug'), (500, 'unstable') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 6.4.0-2-amd64 (SMP w/24 CPU threads; PREEMPT) > Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not > set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled
