Date: Sat, 22 Mar 2014 03:06:10 -0300 From: Marcelo Gondim <gondim@bsdinfo.com.br> To: FreeBSD Stable Mailing List <freebsd-stable@freebsd.org> Subject: Re: sshd with zombie process on FreeBSD 10.0-STABLE - workaround Message-ID: <532D2852.1010700@bsdinfo.com.br> In-Reply-To: <CAN6yY1sf0z_jBJgBy2dZX0a3JJnyTnq76_DepXzG32GWgHHO6A@mail.gmail.com> References: <53016D97.5030909@bsdinfo.com.br> <CAN6yY1uucfkdXxkCF30w1Q9vffRpDLxM90Sz1XVbdn5W69vQMg@mail.gmail.com> <5329D81E.7040709@bsdinfo.com.br> <201403201058.38555.jhb@freebsd.org> <532B7DEC.7010809@bsdinfo.com.br> <CAN6yY1sf0z_jBJgBy2dZX0a3JJnyTnq76_DepXzG32GWgHHO6A@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Em 22/03/14 02:02, Kevin Oberman escreveu:
> On Thu, Mar 20, 2014 at 4:46 PM, Marcelo Gondim <gondim@bsdinfo.com.br>wrote:
>
>> Em 20/03/14 11:58, John Baldwin escreveu:
>>
>>> On Wednesday, March 19, 2014 1:47:10 pm Marcelo Gondim wrote:
>>>
>>> Em 19/03/14 13:01, Kevin Oberman escreveu:
>>>>> On Wed, Mar 19, 2014 at 6:00 AM, Marcelo Gondim
>>>>>
>>>> <gondim@bsdinfo.com.br>wrote:
>>>> Hi all,
>>>>>> While the solution does not appear, did the script below and put it in
>>>>>> crontab to automatically delete zombie sshd processes.
>>>>>>
>>>>>> the_walking_dead.sh:
>>>>>>
>>>>>> #!/bin/sh
>>>>>> kill -9 `ps afx|grep sshd|grep unknown|awk '{print $1}'`
>>>>>>
>>>>>>
>>>>>> Put this in /etc/crontab:
>>>>>>
>>>>>> 00 1 * * * root the_walking_dead.sh
>>>>>>
>>>>>>
>>>>>> If 'kill -9' works, the process is not really a zombie. It simply
>>>>> still
>>>>>
>>>> has
>>>> a socket open and is waiting for it to be closed before exiting.
>>>>> You might takes a look at network sockets with sockstat(1) and see if
>>>>> you
>>>>> can get any indication of why these sockets are not being closed. It may
>>>>>
>>>> be
>>>> that the issue is not sshd but some other issue in the OS leaving sockets
>>>>> open.
>>>>>
>>>>> Hi Kevin,
>>>> My ps -afx below:
>>>>
>>>> [...]
>>>> 42139 - Is 0:00.01 sshd: unknown [priv] (sshd)
>>>> 42140 - Z 0:00.01 <defunct>
>>>> 42141 - IW 0:00.00 sshd: unknown [pam] (sshd)
>>>> 58445 - Is 0:00.01 sshd: unknown [priv] (sshd)
>>>> 58446 - Z 0:00.02 <defunct>
>>>> 58447 - IW 0:00.00 sshd: unknown [pam] (sshd)
>>>> 65635 - Is 0:00.01 sshd: vinicius [priv] (sshd)
>>>> 65636 - Z 0:00.01 <defunct>
>>>> [...]
>>>>
>>>> # sockstat | grep 42140
>>>> #
>>>>
>>>> # sockstat | grep 58446
>>>> #
>>>>
>>>> # sockstat | grep 65636
>>>> #
>>>>
>>>> No associated socket with zombie process.
>>>>
>>> Do a pstree. I bet the zombies are children of the other processes that
>>> are stuck on a socket as Kevin described.
>>>
>>> # ps afx|grep sshd |grep unk
>> 10948 - Is 0:00.02 sshd: unknown [priv] (sshd)
>> 10955 - IW 0:00.00 sshd: unknown [pam] (sshd) <====
>> 11701 - Is 0:00.02 sshd: unknown [priv] (sshd)
>> 11704 - IW 0:00.00 sshd: unknown [pam] (sshd)
>> 25450 - Is 0:00.01 sshd: unknown [priv] (sshd)
>> 25452 - IW 0:00.00 sshd: unknown [pam] (sshd)
>> 41193 - Is 0:00.02 sshd: unknown [priv] (sshd)
>> 41196 - IW 0:00.00 sshd: unknown [pam] (sshd)
>> 42193 - Is 0:00.02 sshd: unknown [priv] (sshd)
>> 42195 - IW 0:00.00 sshd: unknown [pam] (sshd)
>> 80638 - Is 0:00.02 sshd: unknown [priv] (sshd)
>> 80640 - IW 0:00.00 sshd: unknown [pam] (sshd)
>> 81484 - Is 0:00.02 sshd: unknown [priv] (sshd)
>> 81486 - IW 0:00.00 sshd: unknown [pam] (sshd)
>>
>> With proctstat I could see the socket as follows:
>>
>> # procstat -f 10955
>> PID COMM FD T V FLAGS REF OFFSET PRO NAME
>> 10955 sshd text v r r------- - - - /usr/sbin/sshd
>> 10955 sshd cwd v d r------- - - - /
>> 10955 sshd root v d r------- - - - /
>> 10955 sshd 0 v c rw------ 6 0 - /dev/null
>> 10955 sshd 1 v c rw------ 6 0 - /dev/null
>> 10955 sshd 2 v c rw------ 6 0 - /dev/null
>> 10955 sshd 3 s - rw---n-- 2 0 TCP 186.xxx.xx.2:22
>> 186.xxx.xx.8:57035
>> 10955 sshd 5 p - rw------ 2 0 - -
>> 10955 sshd 6 s - rw------ 2 0 UDS -
>> 10955 sshd 7 p - rw------ 1 0 - -
>> 10955 sshd 8 s - rw------ 2 0 UDS -
>>
>> I do not understand why these connections are remaining locked in FreeBSD
>> 10.0
>>
>> I'll try this sysctl: net.inet.tcp.delayed_ack=0
>>
> If the problem is still showing up, can you see what is going on with the
> socket? What is the state of the connection. Try "netstat -f inet -p tcp"
> and see what state the connection is in. I'm wondering if there is some
> sort of race going on where the socket hangs.
>
> Ideally I'd look to try and capture the packets st the end of the session.
> Can you do something to trigger this reliably? if so "standard" "tcpdump
> -pw file.bpf host HOST". I seem to recall that these connections are
> scheduled. If so, you can put the packet capture in a crontab to run at the
> same time. If you feed this to a tool like wireshark, you should get a good
> idea of what is happening, if not why. I understand that the timing of this
> might be very tricky.
Hi Kevin,
Thanks for your help.
I did the netstat and the state of the connection is closed as you can
see below:
# procstat -f 26177
PID COMM FD T V FLAGS REF OFFSET PRO NAME
26177 sshd text v r r------- - - - /usr/sbin/sshd
26177 sshd cwd v d r------- - - - /
26177 sshd root v d r------- - - - /
26177 sshd 0 v c rw------ 6 0 - /dev/null
26177 sshd 1 v c rw------ 6 0 - /dev/null
26177 sshd 2 v c rw------ 6 0 - /dev/null
26177 sshd 3 s - rw---n-- 2 0 TCP
186.193.48.10:4321 186.193.48.8:50094
26177 sshd 4 s - rw------ 1 0 UDS -
26177 sshd 5 p - rw------ 2 0 - -
26177 sshd 6 s - rw------ 2 0 UDS -
# procstat -f 10110
PID COMM FD T V FLAGS REF OFFSET PRO NAME
10110 sshd text v r r------- - - - /usr/sbin/sshd
10110 sshd cwd v d r------- - - - /
10110 sshd root v d r------- - - - /
10110 sshd 0 v c rw------ 6 0 - /dev/null
10110 sshd 1 v c rw------ 6 0 - /dev/null
10110 sshd 2 v c rw------ 6 0 - /dev/null
10110 sshd 3 s - rw---n-- 2 0 TCP
186.193.48.10:4321 186.193.48.8:63048
10110 sshd 4 s - rw------ 1 0 UDS -
10110 sshd 5 p - rw------ 2 0 - -
10110 sshd 6 s - rw------ 2 0 UDS -
# netstat -f inet -p tcp
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 bart.24173 pppoe17250.8728 ESTABLISHED
tcp4 0 0 bart.53795 pppoe17249.8728 TIME_WAIT
tcp4 0 0 bart.54191 pppoe149.8728 TIME_WAIT
tcp4 0 0 bart.12476 pppoe148.8728 TIME_WAIT
tcp4 0 0 bart.36846 pppoe142.8728 TIME_WAIT
tcp4 0 0 bart.39944 186.193.48.22.8728 TIME_WAIT
tcp4 0 0 bart.60233 186.193.48.25.8728 TIME_WAIT
tcp4 0 0 bart.50946 186.193.48.9.8728 TIME_WAIT
tcp4 0 0 bart.13403 186.193.48.19.8728 TIME_WAIT
tcp4 0 0 bart.36982 zeus.linuxinfo.c.8728 TIME_WAIT
tcp4 0 0 bart.rwhois pppoe769.49896 ESTABLISHED
tcp4 0 0 bart.mysql mail.15711 ESTABLISHED
tcp4 0 0 bart.mysql mail.16087 ESTABLISHED
tcp4 0 0 bart.mysql mail.25051 ESTABLISHED
tcp4 0 0 bart.mysql mail.59126 ESTABLISHED
tcp4 0 0 bart.mysql mail.59051 ESTABLISHED
tcp4 0 0 bart.mysql mail.29446 ESTABLISHED
tcp4 0 0 bart.mysql mail.45453 ESTABLISHED
tcp4 0 0 bart.mysql mail.14938 ESTABLISHED
tcp4 0 0 bart.mysql mail.46230 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.16930 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.28074 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.53686 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.14448 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.52487 ESTABLISHED
tcp4 0 0 bart.rwhois 186.193.48.8.50094 CLOSED
<====
tcp4 0 0 bart.mysql mail.38286 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.32387 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.52219 ESTABLISHED
tcp4 0 0 bart.mysql mail.52144 ESTABLISHED
tcp4 0 0 bart.mysql mail.18862 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.52636 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.51607 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.62581 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.23071 ESTABLISHED
tcp4 0 0 bart.mysql mail.22862 FIN_WAIT_2
tcp4 0 0 bart.rwhois 186.193.48.8.63048
CLOSED <====
tcp4 0 0 bart.mysql mail.42479 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.18146 ESTABLISHED
tcp4 0 0 bart.mysql mail.46731 FIN_WAIT_2
tcp4 0 0 bart.mysql mail.20498 ESTABLISHED
tcp4 0 0 bart.62869 186.193.48.2.1190 ESTABLISHED
tcp4 0 0 bart.mysql mail.55353 ESTABLISHED
Cheers,
Gondim
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?532D2852.1010700>