Re: GRSEC and Varnish

2010-02-04 Thread Mark Moseley 
On Thu, Feb 4, 2010 at 7:59 AM, Bernardf FRIT  wrote:
> Mark Moseley a écrit :
>>
>> grsec will often report that signals were sent, not that grsec
>> necessarily sent that signal itself. I don't think I've ever actually
>> seen it report itself sending a signal to a process. So varnishd could
>> be segfaulting for some reason and grsec is just reporting this. If
>> you're getting a core file, try loading it into gdb and using 'bt' on
>> it, to see where it's dying.
>
> I cannot get any core file.
>>
>> One other thing to try: As soon as it happens, try using 'dmesg' (or
>> "dmesg -s 131072" in case you have lots of things logging to the
>> kernel logs) and grep for PAX. It's not likely, but PAX could be
>> killing it due to some violation. And for whatever reason, the PAX
>> message doesn't show up in the logs, just in dmesg.
>
> Nothing more in dmesg than in kern.log. ;-[
>
> varnishd[27069]: segfault at 1000 ip 0043abf0 sp 45696ae0
> error 4 in varnishd[40+5]
> grsec: From 80.13.9.224: signal 11 sent to
> /usr/sbin/varnishd[varnishd:27069] uid/euid:65534/65534
> gid/egid:65534/65534, parent /usr/sbin/varnishd[varnishd:11327] uid/euid:0/0
> gid/egid:0/0
> varnishd[27992]: segfault at 1000 ip 0043abf0 sp 48140ae0
> error 4 in varnishd[40+5]
> grsec: From 90.4.162.78: signal 11 sent to
> /usr/sbin/varnishd[varnishd:27992] uid/euid:65534/65534
> gid/egid:65534/65534, parent /usr/sbin/varnishd[varnishd:11327] uid/euid:0/0
> gid/egid:0/0
> varnishd[28119]: segfault at ed000 ip 0043abf0 sp 47ceaae0
> error 4 in varnishd[40+5]
> grsec: From 90.44.219.18: signal 11 sent to
> /usr/sbin/varnishd[varnishd:28119] uid/euid:65534/65534
> gid/egid:65534/65534, parent /usr/sbin/varnishd[varnishd:11327] uid/euid:0/0
> gid/egid:0/0

Try putting "ulimit -c unlimited" in your varnishd rc file. I haven't
needed to get a varnishd core file before, so maybe the devs might be
able to advise if there's other steps necessary as well. There should
also be some logs saying that it died (or at least that it restarted);
dunno what your distro you're using, but in debian, those typically
end up in /var/log/syslog.

You could tail varnishncsa to see if there's a common request where it
seems to segfault at and if there is, you could attach to varnishd
with "gdb /path/to/varnishd " and try to trigger it.
Then get the backtrace with 'bt'. But be aware that it'll bog it down
dreadfully, so i wouldn't advise it in production.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: GRSEC and Varnish

2010-02-04 Thread Kristian Lyngstol 
On Tue, Feb 02, 2010 at 04:44:48PM +0100, Bernardf FRIT wrote:
> Hi,
> 
> I'am running :
> - varnishd (varnish-2.0.4)

Why not 2.0.6?

> and it appears that the grsec Kernel repeatedly and unexpectedly sends 
> signal 11 to the varnishd child.

grsec seems to just report that a segfault occurred. SIGSEG would be a
strange signal to send in any event. You want to fetch yourself a core-dump
of this. However, before we get into that, I'd like to know what parameters
you start Varnish with, and the general setup. VCL too, if possible.

-- 
Kristian Lyngstøl
Redpill Linpro AS
Mob: +47 99014497


pgpFwMaQMo7wh.pgp
Description: PGP signature
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc