Leaky ip_conntrack_ftp in Red Hat kernels

Leaky ip_conntrack_ftp in Red Hat kernels

[Stephen Smoogen]

I am working on tracking down a 'leak' in ip_conntrack_ftp in the RHL
7.x kernels that we are seeing on several FTP servers. The leak seems to
occur with some servers that have automated cron jobs that get updates
every hour. What happens is that as time goes on, we see a larger
disconnect between /proc/slabinfo and /proc/net/ip_conntrack.
ip_conntrack will state that it has only 2-4 entries in it, but the
kernel will state that it has run out of entries and looking at the
/proc/slabinfo we see it has filled up and isnt releasing any entries. 

By various testing of putting all the rules to ACCEPT and keeping the
modules in, and then removing a module at a time, I have gotten it down
to something in the ip_conntrack_ftp. Having the module in the system
will eat up the standard number of entries within 20 hours. I am trying
to figure out where to proceed next in order to help fix:

1) Try a recompiled kernel with POM-20030912 and see if it works?
2) Try some sort of flag to get more info?
3) Anything else?

The kernel is Red Hat's patched 2.4.20-24.7

Thanks (and thankyou all for your work).

-- 
Stephen John Smoogen		smoogen@lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

Re: Leaky ip_conntrack_ftp in Red Hat kernels

[Michael Gale]

Hello,

	Why not use another distro ... one that does not all the stable running linux kernel.

Since this only seems to be a problem with RH ... who ... well lets face it. 

May not be around much longer ...

Michael.


On Fri, 12 Dec 2003 10:49:36 -0700
Stephen Smoogen <smoogen@lanl.gov> wrote:

> I am working on tracking down a 'leak' in ip_conntrack_ftp in the RHL
> 7.x kernels that we are seeing on several FTP servers. The leak seems to
> occur with some servers that have automated cron jobs that get updates
> every hour. What happens is that as time goes on, we see a larger
> disconnect between /proc/slabinfo and /proc/net/ip_conntrack.
> ip_conntrack will state that it has only 2-4 entries in it, but the
> kernel will state that it has run out of entries and looking at the
> /proc/slabinfo we see it has filled up and isnt releasing any entries. 
> 
> By various testing of putting all the rules to ACCEPT and keeping the
> modules in, and then removing a module at a time, I have gotten it down
> to something in the ip_conntrack_ftp. Having the module in the system
> will eat up the standard number of entries within 20 hours. I am trying
> to figure out where to proceed next in order to help fix:
> 
> 1) Try a recompiled kernel with POM-20030912 and see if it works?
> 2) Try some sort of flag to get more info?
> 3) Anything else?
> 
> The kernel is Red Hat's patched 2.4.20-24.7
> 
> Thanks (and thankyou all for your work).
> 
> -- 
> Stephen John Smoogen		smoogen@lanl.gov
> Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
> Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
> -- So shines a good deed in a weary world. = Willy Wonka --
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation

Re: Leaky ip_conntrack_ftp in Red Hat kernels

[Stephen Smoogen]

On Fri, 2003-12-12 at 11:51, Michael Gale wrote:
> Hello,
> 
> 	Why not use another distro ... one that does not all the stable running linux kernel.
> 

Well that is always possible within the next 2 years. I do not
understand the second part of your sentance.

> Since this only seems to be a problem with RH ... who ... well lets face it. 
> 
> May not be around much longer ...
> 

I have heard this sooo many times in the last 10 years, I have given up
believing that this will be the last year RH will be around. 

-- 
Stephen John Smoogen		smoogen@lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

Re: Leaky ip_conntrack_ftp in Red Hat kernels

[Stephen Smoogen]

On Fri, 2003-12-12 at 13:31, Ramin Dousti wrote:
> On Fri, Dec 12, 2003 at 12:13:32PM -0700, Stephen Smoogen wrote:
> 
> > On Fri, 2003-12-12 at 11:51, Michael Gale wrote:
> > > Hello,
> > > 
> > > 	Why not use another distro ... one that does not all the stable running linux kernel.
> > > 
> > 
> > Well that is always possible within the next 2 years. I do not
> > understand the second part of your sentance.
> 
> And besides I don't think Redhat would customize the ip_conntrack_ftp, meaning
> iff there is a problem it's most probably included in all the distro's using
> that version.
> 

I cant find any RH patch in there code that affects that
ip_conntrack_ftp or ip_conntrack. Now other areas...

> Ramin
-- 
Stephen John Smoogen		smoogen@lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

Re: Leaky ip_conntrack_ftp in Red Hat kernels

[Michael Gale]

Well ... I have not heard of any other problems such as this .. but that does not mean that this does not exist. Second I meant that RH has been known to make kernel modifications .. which means maybe they did something else in the kernel which is affecting the ip_conn... module.

Also I believe RH has stopped releasing RH Desktop because RH9 was there last release. Now they are releasing it under a different name. Starts with a "F" I think .. not sure.

So I guess now you would have to start paying for RH server class version or use the new desktop version which I hear is full of bugs.

I personally stick with Slackware -- not major changes and they are not going anywhere.

Michael.


On Fri, 12 Dec 2003 12:13:32 -0700
Stephen Smoogen <smoogen@lanl.gov> wrote:

> On Fri, 2003-12-12 at 11:51, Michael Gale wrote:
> > Hello,
> > 
> > 	Why not use another distro ... one that does not all the stable running linux kernel.
> > 
> 
> Well that is always possible within the next 2 years. I do not
> understand the second part of your sentance.
> 
> > Since this only seems to be a problem with RH ... who ... well lets face it. 
> > 
> > May not be around much longer ...
> > 
> 
> I have heard this sooo many times in the last 10 years, I have given up
> believing that this will be the last year RH will be around. 
> 
> -- 
> Stephen John Smoogen		smoogen@lanl.gov
> Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
> Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
> -- So shines a good deed in a weary world. = Willy Wonka --
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation

Re: Leaky ip_conntrack_ftp in Red Hat kernels

[Ramin Dousti]

On Fri, Dec 12, 2003 at 12:13:32PM -0700, Stephen Smoogen wrote:

> On Fri, 2003-12-12 at 11:51, Michael Gale wrote:
> > Hello,
> > 
> > 	Why not use another distro ... one that does not all the stable running linux kernel.
> > 
> 
> Well that is always possible within the next 2 years. I do not
> understand the second part of your sentance.

And besides I don't think Redhat would customize the ip_conntrack_ftp, meaning
iff there is a problem it's most probably included in all the distro's using
that version.

Ramin