Closed snajpa closed 3 years ago
Firewalld gets stuck while trying to clean up after itself. strace for SIGHUP:
# strace -f -x -tt -s 1024 firewalld --nofork --debug
[....]
[pid 521] 18:09:54.118008 ioctl(10, FIONBIO, [1]) = 0
[pid 521] 18:09:54.118409 ioctl(10, FIOCLEX) = 0
[pid 521] 18:09:54.118707 ioctl(11, FIONBIO, [1]) = 0
[pid 521] 18:09:54.119021 ioctl(11, FIOCLEX) = 0
[pid 521] 18:09:54.119368 fstat(11, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
[pid 521] 18:09:54.119655 fcntl(11, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
[pid 521] 18:09:54.120059 fstat(10, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
[pid 521] 18:09:54.120370 fcntl(10, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
[pid 521] 18:09:54.120848 write(5, "\x01\x00\x00\x00\x00\x00\x00\x00", 8) = 8
[pid 521] 18:09:54.121260 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}, {fd=10, events=POLLIN}], 3, 0) = 1 ([{fd=5, revents=POLLIN}])
[pid 521] 18:09:54.121569 read(5, "\x05\x00\x00\x00\x00\x00\x00\x00", 16) = 8
[pid 521] 18:09:54.122047 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}, {fd=10, events=POLLIN}], 3, 0) = 0 (Timeout)
[pid 521] 18:09:54.122443 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}, {fd=10, events=POLLIN}], 3, 4991) = 0 (Timeout)
[pid 521] 18:09:59.119370 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}, {fd=10, events=POLLIN}], 3, -1
) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
[pid 521] 18:10:53.842747 --- SIGHUP {si_signo=SIGHUP, si_code=SI_USER, si_pid=563, si_uid=0} ---
[pid 521] 18:10:53.843052 write(9, "\x01\x00\x00\x00\x00\x00\x00\x00", 8) = 8
[pid 552] 18:10:53.843600 <... poll resumed>) = 1 ([{fd=9, revents=POLLIN}])
[pid 521] 18:10:53.844593 rt_sigreturn({mask=[]} <unfinished ...>
[pid 552] 18:10:53.844926 read(9, <unfinished ...>
[pid 521] 18:10:53.845235 <... rt_sigreturn resumed>) = -1 EINTR (Interrupted system call)
[pid 552] 18:10:53.845453 <... read resumed>"\x01\x00\x00\x00\x00\x00\x00\x00", 16) = 8
[pid 521] 18:10:53.845713 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}, {fd=10, events=POLLIN}], 3, -1 <unfinished ...>
[pid 552] 18:10:53.846034 write(5, "\x01\x00\x00\x00\x00\x00\x00\x00", 8 <unfinished ...>
[pid 521] 18:10:53.846327 <... poll resumed>) = 1 ([{fd=5, revents=POLLIN}])
[pid 552] 18:10:53.846553 <... write resumed>) = 8
[pid 521] 18:10:53.846812 read(5, <unfinished ...>
[pid 552] 18:10:53.847080 poll([{fd=8, events=POLLIN}, {fd=9, events=POLLIN}], 2, -1 <unfinished ...>
[pid 521] 18:10:53.847405 <... read resumed>"\x01\x00\x00\x00\x00\x00\x00\x00", 16) = 8
[pid 521] 18:10:53.847941 write(1, "2020-07-01 18:10:53 DEBUG1: reload()", 362020-07-01 18:10:53 DEBUG1: reload()) = 36
[pid 521] 18:10:53.848428 write(1, "\n", 1
) = 1
[pid 521] 18:10:53.848882 write(3, "2020-07-01 18:10:53 DEBUG1: reload()", 36) = 36
[pid 521] 18:10:53.849386 write(3, "\n", 1) = 1
[pid 521] 18:10:53.849873 write(1, "2020-07-01 18:10:53 DEBUG1: Setting policy to 'DROP'", 522020-07-01 18:10:53 DEBUG1: Setting policy to 'DROP') = 52
[pid 521] 18:10:53.850312 write(1, "\n", 1
) = 1
[pid 521] 18:10:53.850742 write(3, "2020-07-01 18:10:53 DEBUG1: Setting policy to 'DROP'", 52) = 52
[pid 521] 18:10:53.851118 write(3, "\n", 1) = 1
[pid 521] 18:10:53.852577 sendto(6, {{len=20, type=NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_GETGEN, flags=NLM_F_REQUEST, seq=2, pid=0}, {nfgen_family=AF_UNSPEC, version=NFNETLINK_V0, res_id=htons(0)}, 20, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12
This bug is also present in original CentOS 8 kernel version 4.18.0-193.6.3.el8_2.x86_64 - it's all due to wrong client config, which doesn't make sense - it shouldn't cause kernel lockups though.
So in the end, a reproducer looks like this: firewall-cmd won't allow you to do this, you need to manually edit your /etc/firewalld/zones/public.xml and add:
<interface name="any_name_does_this" />
Message from syslogd@localhost at Jul 8 13:40:26 ...
kernel:watchdog: BUG: soft lockup - CPU#16 stuck for 22s! [firewalld:3731]
fixed in 5.9+ kernels
Symptoms: system gets stuck in rcu lockup after up-to-date firewalld in CentOS 8 is started.
https://paste.vpsfree.cz/FLriePDP/
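An audit for the zone-file condition described in the reproducer, as an added example that is not part of the original thread: it lists every `<interface>` binding in firewalld zone files and marks whether a network device of that name currently exists. Assumptions: the function names are hypothetical, the default paths are `/etc/firewalld/zones` and `/sys/class/net`, and the demo zone files and device list are constructed.

```python
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def audit_zone_interfaces(zones_dir="/etc/firewalld/zones", sysfs_net="/sys/class/net"):
    """Return (zone_file, interface, status) for every <interface> binding.

    status is "present", "missing" (no such device under sysfs_net) or
    "parse-error" (file is not well-formed XML; interface is None).
    """
    present = {p.name for p in Path(sysfs_net).iterdir()}
    findings = []
    for zone_file in sorted(Path(zones_dir).glob("*.xml")):
        try:
            root = ET.parse(zone_file).getroot()
        except ET.ParseError:
            findings.append((zone_file.name, None, "parse-error"))
            continue
        for elem in root.iter("interface"):
            name = elem.get("name")
            status = "present" if name in present else "missing"
            findings.append((zone_file.name, name, status))
    return findings


def demo():
    """Run the audit on a constructed zone file and a constructed device list."""
    with tempfile.TemporaryDirectory() as tmp:
        zones, net = Path(tmp, "zones"), Path(tmp, "net")
        zones.mkdir()
        (net / "eth0").mkdir(parents=True)  # constructed stand-in for /sys/class/net/eth0
        (zones / "public.xml").write_text(
            '<?xml version="1.0" encoding="utf-8"?>\n'
            "<zone>\n"
            '  <interface name="eth0" />\n'
            '  <interface name="any_name_does_this" />\n'
            "</zone>\n"
        )
        (zones / "broken.xml").write_text("<zone><interface name='x'>")
        return audit_zone_interfaces(zones, net)


if __name__ == "__main__":
    # With arguments: audit the given directories; without: run the constructed demo.
    results = audit_zone_interfaces(*sys.argv[1:3]) if len(sys.argv) > 1 else demo()
    for zone_file, iface, status in results:
        print(f"{zone_file}: {iface}: {status}")
```

Run it with the zones directory as the first argument to audit a real host; it only reads files and does not talk to firewalld.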