Bug#793745: [PATCH] I'm seeing it too.

2015-08-02 Thread sacrificial-spam-address 
Since I run a pool server, I have a customized config.  That means that
I have the pool servers commented out, and the comment on the rlimit
command says it's not needed in that case, so I left it out of my config.

And ran into the same problem.

Really, ntpd should make calls like getpwuid() before calling mlock,
This requires breaking -u option processing has to be broken into
two phases (since you can't mlock after changing uid), but it's not that
hard.  Appended is a (working for me) patch to do just that.

The mlockall() fails because it exceeds the available limit, but ntpd
just logs the error and continues.  In the original, earlier location
it succeeds, but then later allocations fail due to the same limit.
diff -ru ntp-4.2.8p3+dfsg.orig/ntpd/ntpd.c ntp-4.2.8p3+dfsg/ntpd/ntpd.c

--- ntp-4.2.8p3+dfsg.orig/ntpd/ntpd.c   2015-08-01 22:46:20.0 -0400
+++ ntp-4.2.8p3+dfsg/ntpd/ntpd.c2015-08-02 14:53:20.879051191 -0400
@@ -792,37 +792,6 @@
 */
getconfig(argc, argv);
 
-   if (do_memlock) {
-# if defined(HAVE_MLOCKALL)
-   /*
-* lock the process into memory
-*/
-   if (!HAVE_OPT(SAVECONFIGQUIT) 
-   0 != mlockall(MCL_CURRENT|MCL_FUTURE))
-   msyslog(LOG_ERR, mlockall(): %m);
-# else /* !HAVE_MLOCKALL follows */
-#  ifdef HAVE_PLOCK
-#   ifdef PROCLOCK
-   /*
-* lock the process into memory
-*/
-   if (!HAVE_OPT(SAVECONFIGQUIT)  0 != plock(PROCLOCK))
-   msyslog(LOG_ERR, plock(PROCLOCK): %m);
-#   else   /* !PROCLOCK follows  */
-#ifdef TXTLOCK
-   /*
-* Lock text into ram
-*/
-   if (!HAVE_OPT(SAVECONFIGQUIT)  0 != plock(TXTLOCK))
-   msyslog(LOG_ERR, plock(TXTLOCK) error: %m);
-#else  /* !TXTLOCK follows */
-   msyslog(LOG_ERR, plock() - don't know what to lock!);
-#endif /* !TXTLOCK */
-#   endif  /* !PROCLOCK */
-#  endif   /* HAVE_PLOCK */
-# endif/* !HAVE_MLOCKALL */
-   }
-
loop_config(LOOP_DRIFTINIT, 0);
report_event(EVNT_SYSRESTART, NULL, NULL);
initializing = FALSE;
@@ -931,6 +900,49 @@
exit (-1);
}
}
+   }
+# endif /* HAVE_DROPROOT */
+
+   /*
+* DROPROOT is divided into two phases.  Gathering information
+* is done before locking us into memory, since /etc/nsswitch.conf
+* can mess with our address space.  Actually dropping privileges
+* is done after.  (We can chroot() before, since the mlock()
+* system call doesn't depend on that.)
+*/
+   if (do_memlock) {
+# if defined(HAVE_MLOCKALL)
+   /*
+* lock the process into memory
+*/
+   if (!HAVE_OPT(SAVECONFIGQUIT) 
+   0 != mlockall(MCL_CURRENT|MCL_FUTURE))
+   msyslog(LOG_ERR, mlockall(): %m);
+# else /* !HAVE_MLOCKALL follows */
+#  ifdef HAVE_PLOCK
+#   ifdef PROCLOCK
+   /*
+* lock the process into memory
+*/
+   if (!HAVE_OPT(SAVECONFIGQUIT)  0 != plock(PROCLOCK))
+   msyslog(LOG_ERR, plock(PROCLOCK): %m);
+#   else   /* !PROCLOCK follows  */
+#ifdef TXTLOCK
+   /*
+* Lock text into ram
+*/
+   if (!HAVE_OPT(SAVECONFIGQUIT)  0 != plock(TXTLOCK))
+   msyslog(LOG_ERR, plock(TXTLOCK) error: %m);
+#else  /* !TXTLOCK follows */
+   msyslog(LOG_ERR, plock() - don't know what to lock!);
+#endif /* !TXTLOCK */
+#   endif  /* !PROCLOCK */
+#  endif   /* HAVE_PLOCK */
+# endif/* !HAVE_MLOCKALL */
+   }
+
+# ifdef HAVE_DROPROOT
+   if (droproot) {
 #  ifdef HAVE_SOLARIS_PRIVS
if ((lowprivs = priv_str_to_set(LOWPRIVS, ,, NULL)) == NULL) {
msyslog(LOG_ERR, priv_str_to_set() failed:%m);
Only in ntp-4.2.8p3+dfsg/ntpd: ntpd.c.orig


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#793745: [pkg-ntp-maintainers] Bug#793745: [PATCH] I'm seeing it too.

2015-08-02 Thread Kurt Roeckx 
On Sun, Aug 02, 2015 at 03:22:27PM -0400, sacrificial-spam-addr...@horizon.com 
wrote:
 Since I run a pool server, I have a customized config.  That means that
 I have the pool servers commented out, and the comment on the rlimit
 command says it's not needed in that case, so I left it out of my config.

Maybe the comment is a little misleading.  There have been various
reports over the past few year about the rlimit breaking things,
but ussually dieing after a few hours of running or something like
that.  With the pool command it just doesn't start (for me).
Maybe other see different kinds of error like the getpwuid() fail
instead.


Kurt


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#793745: [pkg-ntp-maintainers] Bug#793745: [PATCH] I'm seeing it too.

2015-08-02 Thread sacrificial-spam-address 
 Maybe the comment is a little misleading.

How about

# Preventing ntpd from swapping (with mlockall()) reduces time delays,
# but resource limits (ulimit -l) cause out-of-meory errors that lead to
# ntpd quitting with strange (or no) error messages.  Particular trouble
# spots are the -u option (depending on /etc/nsswitch.conf) and the pool
# command (which does DNS lookups at run time).  It's more reliable with
# this disabled.
#
# Note that the busier your NTP server, the less swapping is a concern
# in the first place.


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org