Re: [Evergreen] 13.1: nscd consumes a lot of memory
On Thursday 07 April 2016, Christian Boltz wrote: > Hello, > > Am Donnerstag, 7. April 2016, 09:57:17 CEST schrieb Ruediger Meier: > > On Wednesday 06 April 2016, Christian Boltz wrote: > > ... > > > > You'll probably need to adjust the AppArmor profile a bit to > > > allow that. Otherwise, nscd won't be able to restart itsself > > > (which effectively means ignoring the paranoia mode). > > > > > > https://bugzilla.opensuse.org/show_bug.cgi?id=971790 > > > > Thanks, good to know. > > > > There seems to be another bug > > $ nscd --invalidate > > does not to work. > > > > The only way to reset cache and stats is to set > > persistent xyz no > > and rcnscd.restart. > > I Just tested this (on 13.1, and also on Tumbleweed), and it works. > > Does the syslog tell you anything about why --invalidate doesn't > work? No logs. Actually it looks like it works but does not clear anything: $ nscd -g | grep -A20 "passwd cache:" passwd cache: yes cache is enabled no cache is persistent no cache is shared 211 suggested size 216064 total data pool size 184 used data pool size 600 seconds time to live for positive entries 20 seconds time to live for negative entries 623 cache hits on positive entries 0 cache hits on negative entries 19 cache misses on positive entries 24 cache misses on negative entries 93% cache hit rate 2 current number of cached values 28 maximum number of cached values 2 maximum chain length searched 0 number of delays on rdlock 0 number of delays on wrlock 0 memory allocations failed $ nscd -i passwd $ nscd -g | grep -A20 "passwd cache:" passwd cache: yes cache is enabled no cache is persistent no cache is shared 211 suggested size 216064 total data pool size 0 used data pool size 600 seconds time to live for positive entries 20 seconds time to live for negative entries 623 cache hits on positive entries 0 cache hits on negative entries 19 cache misses on positive entries 24 cache misses on negative entries 93% cache hit rate 0 current number of cached values 28 maximum number of cached values 2 maximum chain length searched 0 number of delays on rdlock 0 number of delays on wrlock 0 memory allocations failed Only restart clears the cache (and only if you have set "persistent passwd no"): $ rcnscd restart $ nscd -g | grep -A20 "passwd cache:" passwd cache: yes cache is enabled no cache is persistent no cache is shared 211 suggested size 216064 total data pool size 0 used data pool size 600 seconds time to live for positive entries 20 seconds time to live for negative entries 0 cache hits on positive entries 0 cache hits on negative entries 0 cache misses on positive entries 0 cache misses on negative entries 0% cache hit rate 0 current number of cached values 0 maximum number of cached values 0 maximum chain length searched 0 number of delays on rdlock 0 number of delays on wrlock 0 memory allocations failed > Does /var/log/audit/audit.log contain any denials? (I doubt > that AppArmor restrictions are involved here, but just to be sure.) > > > How would I disable appamor system wide? > > Like every other service - rcapparmor stop Ooops ... > [1] Ok, I knew that there was something special ;) > However I hope you won't do this. The better way is usually to Yep, just for quick, painless testing. > - switch the profile to complain/learning mode: aa-complain nscd > - let the service run for a while > - run aa-logprof to update the profile > - enforce the profile again: aa-enforce nscd > > BTW: You might be interested in my AppArmor Crash Course: > http://blog.cboltz.de/archives/65-openSUSE-conference.html > (PDFs linked at the end of the article) > > I'll also give an updated version of this talk at the openSUSE > conference (assuming my proposal gets accepted). > ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
Re: [Evergreen] 13.1: nscd consumes a lot of memory
On Wednesday 06 April 2016, Patrick Shanahan wrote: > * Ruediger Meier <sweet_...@gmx.de> [04-06-16 10:45]: > > Hi, > > > > Since a few weeks I see nscd running crazy on 13.1, like this > > > > USER PR NIVIRTRESSHR S %CPU %MEM TIME+ > > COMMAND nscd 20 0 5265008 1.626g652 S 0.000 5.185 > > 0:30.32 nscd > > > > I guess 1.6G would be enough to cache all existing zones worldwide. > > What could be the problem? > > odd, mine has been up 261 days and: Could you show me your stats? I wonder if you have some reasonable cache hit rates. $ nscd -g > USER PID %CPU %MEMVSZ RSS TTY STAT START TIME > COMMAND nscd 2785 0.0 0.1 1001076 11276 ? Ssl Feb24 > 16:59 /usr/sbin/nscd --foreground > > but I am still on kernel-desktop-3.11.10-29.1.x86_64 > nscd-2.18-4.44.1.x86_64 I assume that it has something to do with recent updates (kernel, systemd?). Maybe my NIS setup is also a bit unusual but this is the reason why I run nscd at all. Anyways it's for sure a bug. It should never use much more than (5 * 32M) = 160M: $ grep max-db /etc/nscd.conf # max-db-size max-db-size passwd 33554432 max-db-size group 33554432 max-db-size hosts 33554432 max-db-size services33554432 max-db-size netgroup33554432 I really hate that nscd. I've had also problems with it a few years ago on 11.4. (crashs, 100% CPU, ...). I wonder why the glibc people do not fix it. Instead they have added a "paranoia" mode to restart it regularly: http://serverfault.com/questions/463648/why-would-nscd-use-a-huge-amount-of-ram I'll try /etc/nscd.conf: paranoiayes restart-interval3600 cu, Rudi ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
Re: [Evergreen] 13.1: nscd consumes a lot of memory
On Wednesday 06 April 2016, Patrick Shanahan wrote: > * Ruediger Meier <sweet_...@gmx.de> [04-06-16 16:03]: > > On Wednesday 06 April 2016, Patrick Shanahan wrote: > > > * Ruediger Meier <sweet_...@gmx.de> [04-06-16 13:07]: > > > > On Wednesday 06 April 2016, Patrick Shanahan wrote: > > > > > * Ruediger Meier <sweet_...@gmx.de> [04-06-16 10:45]: > > > > > > Hi, > > > > > > > > > > > > Since a few weeks I see nscd running crazy on 13.1, like > > > > > > this > > > > > > > > > > > > USER PR NIVIRTRESSHR S %CPU %MEM > > > > > > TIME+ COMMAND nscd 20 0 5265008 1.626g652 S > > > > > > 0.000 5.185 0:30.32 nscd > > > > > > > > > > > > I guess 1.6G would be enough to cache all existing zones > > > > > > worldwide. What could be the problem? > > > > > > > > > > odd, mine has been up 261 days and: > > > > > > > > Could you show me your stats? I wonder if you have some > > > > reasonable cache hit rates. > > > > $ nscd -g > > > > > > nscd configuration: > > > > > > 0 server debug level > > > 42d 3h 27m 41s server runtime > > > > So it was restarted during uptime. Because of libc update, or > > crash? > > must have been libc update, I don't recall now, > but not crash or > uptime would be less/reset ... Ah, I've ment nscd crash/restart, not whole system crash. Could be that OOM killer killed it. This happened on my other machine where nscd consumed more than 8GB! memory. cu, Rudi ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
Re: [Evergreen] 13.1: nscd consumes a lot of memory
On Wednesday 06 April 2016, Christian Boltz wrote: > Hello, > > Am Mittwoch, 6. April 2016, 18:07:26 CEST schrieb Ruediger Meier: > ... > > > I really hate that nscd. I've had also problems with it a few years > > ago on 11.4. (crashs, 100% CPU, ...). I wonder why the glibc people > > do not fix it. Instead they have added a "paranoia" mode to restart > > it regularly: > > http://serverfault.com/questions/463648/why-would-nscd-use-a-huge-a > >mou nt-of-ram > > > > I'll try /etc/nscd.conf: > > paranoiayes > > restart-interval3600 > > You'll probably need to adjust the AppArmor profile a bit to allow > that. Otherwise, nscd won't be able to restart itsself (which > effectively means ignoring the paranoia mode). > > https://bugzilla.opensuse.org/show_bug.cgi?id=971790 Thanks, good to know. There seems to be another bug $ nscd --invalidate does not to work. The only way to reset cache and stats is to set persistent xyz no and rcnscd.restart. > The profile needs to allow reading /proc/$pid/cmdline, which means > you'll need to add the rule > @{PROC}/@{pid}/cmdline r, > > The easiest way is probably: > echo '@{PROC}/@{pid}/cmdline r,' >> > /etc/apparmor.d/local/usr.sbin.nscd rcapparmor reload How would I disable appamor system wide? > This is fixed in the upstream profile (including the upcoming 2.9.3 > and 2.10.1 releases), but I slightly doubt this is worth an update > for Evergreen ;-) > > > Regards, > > Christian Boltz ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
Re: [Evergreen] Where's the last 3.12 kernel update for 13.1
On Tuesday 26 April 2016, Marcus Meissner wrote: > On Tue, Apr 26, 2016 at 03:12:57PM +0200, Michal Kubecek wrote: > > On úterý 26. dubna 2016 15:02 Marcus Meissner wrote: > > > We have a fresh 3.12 kernel in QA, at > > > http://download.opensuse.org/repositories/openSUSE:/Maintenance:/ > > >4989/openSUSE_Leap_42.1_Update/ > > > > > > Could people test it? > > > > Should be > > > > http://download.opensuse.org/repositories/openSUSE:/Maintenance:/49 > >66/openSUSE_13.1_Update/ BTW one thing I was always wondering about. What is the most simple way to install such non-offcial patch without adding that Maintenance repo. Do we have something like zypper patch -r http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4966/openSUSE_13.1_Update/ cu, Rudi ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
[Evergreen] FYI nvidia update for 13.1 kernels
Hi, I'm using a script to update nvidia modules for the new 3.12 kernels. Maybe also useful for other's, here it is: --- #!/bin/bash # This script compiles and installs the nvidia kernel modules for # non-official SUSE kernels to let it work with SUSE's nvidia # packages without downloading drivers manually. # # Requirements: # - kernel-desktop-devel rpm (matching the new target kernel) # - nvidia kmp rpms (matchine the old official SUSE kernel) # # You must set the target kernel version here, we don't want to # guess and use the running or last installed kernel! arch=x86_64 kver=3.12.57-44 flavor=desktop function nvidia_ko() { local ver=$1 local kver=$2 make -C /usr/src/linux-$kver-obj/$arch/$flavor \ modules \ M=/usr/src/kernel-modules/nvidia-$ver-$flavor \ SYSSRC=/usr/src/linux-$kver \ SYSOUT=/usr/src/linux-$kver-obj/$arch/$flavor || return rm -rf /tmp/nvidia_ko cp -a /usr/src/kernel-modules/nvidia-$ver-$flavor /tmp/nvidia_ko || return pushd /tmp/nvidia_ko make -f Makefile \ nv-linux.o \ SYSSRC=/usr/src/linux-$kver \ SYSOUT=/usr/src/linux-$kver-obj/$arch/$flavor || return popd #kver=3.11.6-4 install -m 755 -d /lib/modules/$kver-$flavor/updates install -m 644 /usr/src/kernel-modules/nvidia-$ver-$flavor/nvidia.ko \ /lib/modules/$kver-$flavor/updates depmod $kver-$flavor # TODO weak update support #nvr=nvidia-gfxG03-kmp-desktop-340.96_k3.11.6_4-40.1 #wm2=/usr/lib/module-init-tools/weak-modules2 #if [ -x $wm2 ]; then # /bin/bash -${-/e/} $wm2 --add-kmp $nvr #fi } function nvidia_uvm_ko() { local ver=$1 local kver=$2 rm -rf /tmp/nvidia-uvm_ko cp -a /usr/src/kernel-modules/nvidia-uvm-$ver-$flavor /tmp/nvidia-uvm_ko || return pushd /tmp/nvidia-uvm_ko/rm make module \ SYSSRC=/usr/src/linux-$kver SYSOUT=/usr/src/linux-$kver-obj/$arch/$flavor \ KBUILD_EXTMOD=/tmp/nvidia-uvm_ko/rm popd cp -f /tmp/nvidia-uvm_ko/rm/Module.symvers /tmp/nvidia-uvm_ko/Module.symvers make -C /usr/src/linux-$kver-obj/$arch/$flavor \ modules \ M=/tmp/nvidia-uvm_ko \ SYSSRC=/usr/src/linux-$kver \ SYSOUT=/usr/src/linux-$kver-obj/$arch/$flavor \ RM_OUT_DIR=/tmp/nvidia-uvm_ko/rm #kver=3.11.6-4 install -m 755 -d /lib/modules/$kver-$flavor/updates install -m 644 /tmp/nvidia-uvm_ko/nvidia-uvm.ko \ /lib/modules/$kver-$flavor/updates depmod $kver-$flavor #TODO weak update support #nvr=nvidia-uvm-gfxG03-kmp-desktop-340.96_k3.11.6_4-40.1 #wm2=/usr/lib/module-init-tools/weak-modules2 #if [ -x $wm2 ]; then # /bin/bash -${-/e/} $wm2 --add-kmp $nvr #fi } read name ver_nvidia rest <<<$(rpm -qa --qf "%{NAME} %{VERSION}\n" | grep "nvidia-gfx.*kmp") ver_nvidia=${ver_nvidia%%_*} read name ver_nvidia_uvm rest <<<$(rpm -qa --qf "%{NAME} %{VERSION}\n" | grep "nvidia-uvm-gfx.*kmp") ver_nvidia_uvm=${ver_nvidia_uvm%%_*} if [ -n "$ver_nvidia" ]; then echo "## rebuild nvidia.ko $ver_nvidia for kernel $kver" nvidia_ko $ver_nvidia $kver else echo "## no nvidia.ko installed - nothing to do" fi if [ -n "$ver_nvidia_uvm" ]; then echo "## rebuild nvidia_uvm.ko $ver_nvidia for kernel $kver" nvidia_uvm_ko $ver_nvidia_uvm $kver else echo "## no nvidia_uvm.ko installed - nothing to do" fi - ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
Re: [Evergreen] Continuing evergreen with Leap42.2
On Monday 30 January 2017, Greg Freemyer wrote: > On Mon, Jan 30, 2017 at 11:28 AM, reinhard hennig > >wrote: > > my administration providing 12.000 Linux clients would appreciate > > continueing evergreen with Leap42.2, because it is planned > > to switch to leap 42.2 (13.2 at the moment) in a couple of months. > > > > That would be great. > > I don't know if it is working out, but the fundamental concept of > Leap is that the 42.x series is easy to upgrade between. In theory, > 42.2 is 42.1 with a major service pack. > > Major changes will be held back until 43.x. That's the theory. In practice seems that any packager/maintainer changes their packages however they want. For example one of my packages (sbcl) was even not building anymore for 42,2 although it was fine for 42.1. I've asked to revert the other incompatible change which broke my package but no chance ... I've had to change my package too otherwise they would have even removed my package from 42.2! Even this was a known issue, avoiding or reverting incompatible changes is obviously not important for Leap. 42.2 got a lot upgrades for no reason. Ok, the desktop stuff is always f**ked up anyways and I gave up to complain about that, But even things like texlive (about 6000 packages) got an update from version 2013 to 2015. Why? Because just one user asked about that on mailing list ... > So the need for Evergreen is much reduced with Leap. Maybe you can > ask on the main lists if that desire is working out for people. I > never had a Leap 42.1 machine and I only have one 42.2 machine, so I > can't speak to how the concept is working. > > I can say I heard very few complaints from people seeing regressions > when moving from 42.1 to 42.2 Yes it worked quiet good and I have to admit that this time I even liked the kernel upgrade, etc. because our hardware (Skylake desktop and laptops with intel graphics) was "too new" for 42.1. But I've had expected it and had 42,1 only running on a few test machines. The other 13.1 machines are re-installed directly with 42.2. My users will not have to deal with annoying upgrades once per year ... In general I don't see a major advantage for leap vs the old release model. I would be happy to stick with 42.2 for the next years (unless somebody stops these random package upgrades in the leap series.) cu, Rudi ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
Re: [Evergreen] Continuing evergreen with Leap42.2
On Thursday 23 February 2017, Carlos E. R. wrote: > El 2017-02-22 a las 11:37 +0100, Ruediger Meier escribió: > >> For example one of my packages (sbcl) was even not building > >> anymore for 42,2 although it was fine for 42.1. I've asked to > >> revert the other incompatible change which broke my package but no > >> chance ... I've had to change my package too otherwise they would > >> have even removed my package from 42.2! Even this was a known > >> issue, avoiding or reverting incompatible changes is obviously not > >> important for Leap. > > > > ... and it happened again. They upgraded 42.3 to texlive-2016 and > > it breaks again. Evergreen is still needed. > > That will be solved eventually, I hope. > > What worries me is that we got 2 kernel updates in a month. Several > updates this month that require a reboot (systemd, apparmor...). Not > good for server uptime. You DO NOT NEED to reboot after kernel update. Nowadays the old kernel should be still installed in parallel so module loading still works without reboot. You SHOULD reboot as soon as possible if the kernel update fixes security bugs _and_ if you have local users which you can't trust. For example if you run 100 workstations with 1000 users. cu, Rudi ___ Evergreen mailing list Evergreen@lists.rosenauer.org http://lists.rosenauer.org/mailman/listinfo/evergreen
Re: [Evergreen] Continuing evergreen with Leap42.2
On Thursday 23 February 2017, Carlos E. R. wrote: > On 2017-02-23 13:46, Ruediger Meier wrote: > > On Thursday 23 February 2017, Carlos E. R. wrote: > >> El 2017-02-22 a las 11:37 +0100, Ruediger Meier escribió: > >>> ... and it happened again. They upgraded 42.3 to texlive-2016 and > >>> it breaks again. Evergreen is still needed. > >> > >> That will be solved eventually, I hope. > >> > >> What worries me is that we got 2 kernel updates in a month. > >> Several updates this month that require a reboot (systemd, > >> apparmor...). Not good for server uptime. > > > > You DO NOT NEED to reboot after kernel update. Nowadays the old > > kernel should be still installed in parallel so module loading > > still works without reboot. > > If I do that, then I would simply not apply the update at all. Far > easier and more stable. Hm, I never care about updates. I get them automatically everyday and reboot whenever I want. I think that's more simple. Regarding stability I don't think it makes any difference whether you install a kernel update 5 minutes or 5 months before reboot. BTW very often even the "non-reboot" updates require manually restarting affected programs. Otherwise you would still use the old versions too. For example, below you see all the programs which are still using vulnerable openssl. The fact that it's still running the old kernel is my smallest problem ;) glaukos:~ # uptime 14:10pm up 14 days 20:26, 1 user, load average: 3.34, 3.32, 3.32 glaukos:~ # rpm -qa --last | head mariadb-10.0.29-18.1.x86_64 Tue 21 Feb 2017 01:00:13 AM CET mariadb-errormessages-10.0.29-18.1.x86_64 Tue 21 Feb 2017 01:00:11 AM CET mariadb-client-10.0.29-18.1.x86_64Tue 21 Feb 2017 01:00:11 AM CET openssl-1.0.2j-4.1.x86_64 Tue 21 Feb 2017 01:00:10 AM CET libmysqlclient18-10.0.29-18.1.x86_64 Tue 21 Feb 2017 01:00:10 AM CET expat-2.1.0-19.1.x86_64 Tue 21 Feb 2017 01:00:10 AM CET libseccomp2-2.3.1-3.1.x86_64 Tue 21 Feb 2017 01:00:09 AM CET libopenssl1_0_0-1.0.2j-4.1.x86_64 Tue 21 Feb 2017 01:00:09 AM CET libexpat1-2.1.0-19.1.x86_64 Tue 21 Feb 2017 01:00:09 AM CET kernel-default-4.4.46-11.1.x86_64 Wed 15 Feb 2017 01:00:13 AM CET glaukos:~ # uname -r 4.4.36-8-default glaukos:~ # zypper ps The following running processes use deleted files: PID | PPID | UID | User | Command | Service | Files --+--+--++-+-+ 1 | 0| 0| root | systemd | | /usr/lib64/libseccomp.so.2.3.0 | | || | | /lib64/libapparmor.so.1.3.0 1077 | 0| 0| root | systemd | | /usr/lib64/libseccomp.so.2.3.0 | | || | | /lib64/libapparmor.so.1.3.0 1152 | 1| 499 | messagebus | dbus-daemon | dbus| /usr/lib64/libexpat.so.1.6.0 1635 | 1| 492 | nagios | nrpe| nrpe| /lib64/libssl.so.1.0.0 | | || | | /lib64/libcrypto.so.1.0.0 1636 | 1| 0| root | sshd| sshd| /lib64/libcrypto.so.1.0.0 1721 | 1| 44 | named | named | named | /lib64/libcrypto.so.1.0.0 | | || | | /usr/lib64/libmysqlclient.so.18.0.0 | | || | | /usr/lib64/libxml2.so.2.9.4 | | || | | /lib64/libssl.so.1.0.0 1743 | 1| 0| root | nmbd| nmb | /lib64/libssl.so.1.0.0 | | || | | /lib64/libcrypto.so.1.0.0 1807 | 1| 0| root | smbd| smb | /lib64/libssl.so.1.0.0 | | || | | /lib64/libcrypto.so.1.0.0 1808 | 1807 | 0| root | smbd| smb | /lib64/libssl.so.1.0.0 | | || | | /lib64/libcrypto.so.1.0.0 1809 | 1807 | 0| root | smbd| smb | /lib64/libssl.so.1.0.0 | | || | | /lib64/libcrypto.so.1.0.0 1855 | 1807 | 0| root | smbd| smb | /lib64/libssl.so.1.0.0 | | || | | /lib64/libcrypto.so.1.0.0 2889 | 1| 1000 | rudi | systemd | | /usr/lib64/libseccomp.so.2.3.0 | | || | | /lib64/libapparmor.so.1.3.0 2893 | 0| 1000 | rudi | systemd | | /usr/lib64/libseccomp.so.2.3.0 | | || | | /lib64/libapparmor.so.1.3.0 14248 | 1807 | 0| root