On 2015-05-13, Stuart Henderson <[email protected]> wrote:
> On 2015-05-11, C.L. Martinez <[email protected]> wrote:
>> Yep, it seems the problem is "Too many open files" message:
>>
>> leapis.com/storage.googleapis.com sproto:TLSv1.2:AES128-SHA 
>> dproto:TLSv1.2:ECDHE-ECDSA-CHACHA20-POLY1305
>> ssl [172.22.55.1]:41558 [74.125.226.170]:443 
>> sni:ci6.googleusercontent.com 
>> names:*.googleusercontent.com/*.googleusercontent.com/*.blogspot.com/*.bp.blogspot.com/*.commondatastorage.googleapis.com/*.doubleclickusercontent.com/*.ggpht.com/*.googledrive.com/*.googlesyndication.com/*.googleweblight.com/*.safenup.googleusercontent.com/*.sandbox.googleusercontent.com/*.storage.googleapis.com/blogspot.com/bp.blogspot.com/commondatastorage.googleapis.com/doubleclickusercontent.com/ggpht.com/googledrive.com/googleusercontent.com/googleweblight.com/static.panoramio.com.storage.googleapis.com/storage.googleapis.com
>>  
>> sproto:TLSv1.2:AES128-SHA dproto:TLSv1.2:ECDHE-ECDSA-CHACHA20-POLY1305
>> Warning: Failed to write to content log: Bad file descriptor
>> Warning: Failed to write to content log: Bad file descriptor
>> ssl [172.22.55.1]:50639 [74.125.226.171]:443 
>> sni:ci4.googleusercontent.com 
>> names:*.googleusercontent.com/*.googleusercontent.com/*.blogspot.com/*.bp.blogspot.com/*.commondatastorage.googleapis.com/*.doubleclickusercontent.com/*.ggpht.com/*.googledrive.com/*.googlesyndication.com/*.googleweblight.com/*.safenup.googleusercontent.com/*.sandbox.googleusercontent.com/*.storage.googleapis.com/blogspot.com/bp.blogspot.com/commondatastorage.googleapis.com/doubleclickusercontent.com/ggpht.com/googledrive.com/googleusercontent.com/googleweblight.com/static.panoramio.com.storage.googleapis.com/storage.googleapis.com
>>  
>> sproto:TLSv1.2:AES128-SHA dproto:TLSv1.2:ECDHE-ECDSA-CHACHA20-POLY1305
>> Warning: Failed to write to content log: Bad file descriptor
>> Failed to open 
>> '/tmp/20150511T113718Z-[172.22.55.1]:50639-[74.125.226.171]:443.log': 
>> Too many open files (24)
>> Warning: Failed to write to content log: Bad file descriptor
>> ssl [172.22.55.1]:59905 [74.125.226.160]:443 sni:plus.google.com 
>> names:*.google.com/*.google.com/*.android.com/*.appengine.google.com/*.cloud.google.com/*.google-analytics.com/*.google.ca/*.google.cl/*.google.co.in/*.google.co.jp/*.google.co.uk/*.google.com.ar/*.google.com.au/*.google.com.br/*.google.com.co/*.google.com.mx/*.google.com.tr/*.google.com.vn/*.google.de/*.google.es/*.google.fr/*.google.hu/*.google.it/*.google.nl/*.google.pl/*.google.pt/*.googleadapis.com/*.googleapis.cn/*.googlecommerce.com/*.googlevideo.com/*.gstatic.cn/*.gstatic.com/*.gvt1.com/*.gvt2.com/*.metric.gstatic.com/*.urchin.com/*.url.google.com/*.youtube-nocookie.com/*.youtube.com/*.youtubeeducation.com/*.ytimg.com/android.com/g.co/goo.gl/google-analytics.com/google.com/googlecommerce.com/urchin.com/youtu.be/youtube.com/youtubeeducation.com
>>  
>> sproto:TLSv1.2:AES128-SHA dproto:TLSv1.2:ECDHE-ECDSA-CHACHA20-POLY1305
>> Error 24 on listener: Too many open files
>>
>> Program exited normally.
>> (gdb) backtrace full
>> No stack.
>> (gdb) thread apply all backtrace
>> (gdb)
>>
>>
>
> Aha. Unless it's very busy I wouldn't expect sslsplit to use a huge
> number of openfiles simultaneously, so I wonder if it is failing
> to close something.
>
> Please try "fstat | grep sslsplit" soon after startup (allow a couple
> of requests to go through first), then again after it has handled
> a larger number of connections (maybe 5 minutes or so?) - let's see
> if something is building up.
>
> No need to run it in gdb for this now, it is exiting normally (i.e.
> following normal error handling and reaching the end of the program)
> so you could just use your normal startup script.
>
>

Also, as mentioned before, please show the command line you're using.
I've just done some small tests with divert-to ("ipfw" nat engine),
rdr-to ("pf" nat engine) and static destination and haven't noticed
an FD leak in the normal case.

Of course if it is just very busy, you may need to raise an openfiles
limit (ulimit -n if starting manually, or via the relevant class in
login.conf if using an rc.d script, which would be 'daemon' unless
you've added a separate class for it).
