hautreux / auks

Kerberos credential support for batch environments

CentOS 7 - Segmentation Fault #25

Closed swallace21 closed 6 years ago

swallace21 commented 6 years ago

Receiving a segmentation fault error on CentOS 7 for auksd. Has anyone encountered something similar using AUKS?

[root@somevm ~]# auksd -v
Mon Aug 13 10:03:11 2018 [INFO1] [euid=0,pid=1384] auksd_engine: initializing engine from 'common' block of file /etc/auks/auks.conf
Mon Aug 13 10:03:11 2018 [INFO1] [euid=0,pid=1384] auksd_engine: initializing engine from 'auksd' block of file /etc/auks/auks.conf
Segmentation fault

swallace21 commented 6 years ago

aukspriv and auksdrenewer are running good

hautreux commented 6 years ago

Seems like an error while reading the 'auksd' section of the config file. It should not segv for that but it should be the origin of the issue. Please give the invalid conf if possible to understand the segv.

swallace21 commented 6 years ago

Using gdb to debug:

(gdb) run
Starting program: /sbin/auksd 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc79d4 in config_GetNbBlocks () from /lib64/libauksapi.so.0
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-19.el7.x86_64 libcom_err-1.42.9-12.el7_5.x86_64 libselinux-2.5-12.el7.x86_64 pcre-8.32-17.el7.x86_64

swallace21 commented 6 years ago

auks.conf file: real@REALM <- removed the url for our realm for security reasons. It is included in the actual conf file

#------------------------------------------------------------------------------
# auks client and server configuration file
#------------------------------------------------------------------------------

#-
# Common client/server elements
#-
common {

 # Primary daemon configuration
 PrimaryHost        =   "auks" ;
 #PrimaryAddress     =  "" ;
 PrimaryPort        =   12345 ;
 PrimaryPrincipal   =   "host/auks.real@REALM" ;

 # Secondary daemon configuration
 SecondaryHost      =   "auks2" ;
 #SecondaryAddress   =  "" ;
 SecondaryPort      =   "12345" ;
 SecondaryPrincipal =   "host/auks2." ;

 # Enable/Disable NAT traversal support (yes/no)
 # this value must be the same on every nodes
 NAT                =   no ;

 # max connection retries number
 Retries            =    3 ;

 # connection timeout
 Timeout            =   10 ;

 # delay in seconds between retries
 Delay              =    3 ;

}

#-
# API only elements
#-
api {

 # log file and level
 LogFile            =   "/tmp/auksapi.log" ;
 LogLevel           =   "0" ;

 # optional debug file and level
 DebugFile          =   "/tmp/auksapi.log" ;
 DebugLevel         =   "0" ;

}

#-
# Auks daemon only elements
#-
auksd {

 # Primary daemon configuration
 PrimaryKeytab      =   "/etc/krb5.keytab" ;

 # Secondary daemon configuration
 SecondaryKeytab    =   "/etc/krb5.keytab" ;

 # log file and level
 LogFile            =   "/var/log/auksd.log" ;
 LogLevel           =   "1" ;

 # optional debug file and level
 DebugFile          =   "/var/log/auksd.log" ;
 DebugLevel         =   "0" ;

 # directory in which daemons store the creds
 CacheDir           =   "/var/cache/auks" ;

 # ACL file for cred repo access authorization rules
 ACLFile            =   "/etc/auks/auksd.acl" ; 

 # default size of incoming requests queue
 # it grows up dynamically
 QueueSize          =   50 ;

 # default repository size (number of creds)
 # it grows up dynamically
 RepoSize           =   500 ;

 # number of workers for incoming request processing
 Workers            =   10 ;

 # delay in seconds between 2 repository clean stages
 CleanDelay         =   300 ;

 # use kerberos replay cache system (slow down)
 ReplayCache        =   yes ;

}

#-
# Auksd renewer only elements
#-
renewer {

 # log file and level
 LogFile            =   "/var/log/auksdrenewer.log" ;
 LogLevel           =   "1" ;

 # optional debug file and level
 DebugFile          =   "/var/log/auksdrenewer.log" ;
 DebugLevel         =   "0" ;

 # delay between two renew loops
 Delay              = "60" ;

 # Min Lifetime for credentials to be renewed
 # This value is also used as the grace trigger to renew creds
 MinLifeTime        = "600" ;

}

swallace21 commented 6 years ago

Here is the backtrace from gdb:

(gdb) bt
#0  0x00007ffff7bc79d4 in config_GetNbBlocks () from /lib64/libauksapi.so.0
#1  0x00007ffff7bc14be in auks_acl_init_from_config_file () from /lib64/libauksapi.so.0
#2  0x00007ffff7bc295b in auksd_engine_init () from /lib64/libauksapi.so.0
#3  0x00007ffff7bc3cf6 in auksd_engine_init_from_config_file () from /lib64/libauksapi.so.0
#4  0x0000000000402d66 in main ()

swallace21 commented 6 years ago

In addition, running journalctl -xe

Aug 13 13:17:51 some.name kernel: auksd[1702]: segfault at 408 ip 00007f23a29bf9d4 sp 00007ffc7a589e20 error 4 in libauksapi.so.0.0.1[7f23a29ac000
Aug 13 13:18:35 some.name auksdrenewer[1682]: Mon Aug 13 13:18:35 2018 [INFO1] [euid=0,pid=1682] renewer: unable to dump auksd creds : auks api :

swallace21 commented 6 years ago

FIXED:

It was the 'auksd' section of the auks.conf file. It was referencing auksd.acl.

I copied /etc/auks/auks.acl.example to /etc/auks/auks.acl and made some edits per the HOWTO.

The fix was to rename auks.acl to auksd.acl. auksd.acl is what is referenced in the source code.
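
The failure in this thread came down to `ACLFile` in the `auksd` block naming a file that did not exist. The script below is an added example, not part of the original issue or the auks project: it checks, before the daemon is started, that the path settings in the `auksd` block point at things that exist. The key names come from the config posted above; the function names, the `demo` sample and its temporary files are constructed for illustration, and only double-quoted values are handled.

```shell
#!/bin/sh
# Added example (not from the auks project): preflight check for the
# path-valued settings in the auksd block of auks.conf.

# Print "Key=path" for each path setting inside the `auksd { ... }` block.
auksd_paths() {
    awk '
        /^[ \t]*#/              { next }              # comment line
        /^[ \t]*auksd[ \t]*[{]/ { inblk = 1; next }   # block opens
        inblk && /[}]/          { inblk = 0 }         # block closes
        inblk && /^[ \t]*(ACLFile|PrimaryKeytab|SecondaryKeytab|CacheDir)[ \t]*=/ {
            key = $0
            sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            if (split($0, q, "\"") >= 3) print key "=" q[2]
        }
    ' "$1"
}

# Print one line per unusable path; return 1 if any was found, else 0.
check_auks_conf() {
    missing=$(auksd_paths "$1" | while IFS='=' read -r key path; do
        if [ "$key" = CacheDir ]; then
            [ -d "$path" ] || echo "MISSING $key: $path (not a directory)"
        elif [ ! -r "$path" ]; then
            echo "MISSING $key: $path (not readable)"
        fi
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample reproducing the thread: the ACL was saved as auks.acl,
# while the auksd block points at auksd.acl.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/cache"; : > "$d/krb5.keytab"; : > "$d/auks.acl"
    printf '%s\n' 'auksd {' \
        " PrimaryKeytab = \"$d/krb5.keytab\" ;" \
        " # ACLFile = \"$d/commented-out.acl\" ;" \
        " ACLFile       = \"$d/auksd.acl\" ;" \
        " CacheDir      = \"$d/cache\" ;" '}' > "$d/auks.conf"
    rc=0; check_auks_conf "$d/auks.conf" || rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone use: pass the config path as the first argument.
if [ "$#" -gt 0 ]; then check_auks_conf "$1"; fi
```

Run it as the account auksd runs under, since the readability test is made with the caller's permissions.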