For most things. If you pulled recently, you may need to do: $ git pull --force There were a few commits done out of order. But it works. Both valgrind and the talloc memory checker report minimal errors. There are just a few listeners leaked on exit, which is partly intentional. That will be fixed once the listeners are moved to talloc. The changes result in about 800 lines of code removed from the server. That's 1%, which is small but not negligible. We expect more code to be removed as we migrate everything else to talloc. We also expect that supporting "HUP" will become easier. It may have issues today, but talloc makes it easier to have better support for HUP. I haven't done any performance tests. But the Samba people say that talloc is 4% slower than malloc. Our other tests show that most of the CPU time is spent in MD5, SSL, or in accessing external DBs. So I expect that there should be no performance impact here. Alan DeKok.
Hi,
But it works. Both valgrind and the talloc memory checker report minimal errors. There are just a few listeners leaked on exit, which is partly intentional. That will be fixed once the listeners are moved to talloc.
yep checking for talloc.h... no configure: WARNING: talloc headers not found. Use --with-talloc-include-dir=<path>. configure: error: FreeRADIUS requires libtalloc yum install libtalloc-devel ..then configure passes but it fails at: CC src/main/tls.c CC src/main/tls_listen.c build/objs/src/main/conffile.o: In function `cf_section_parse': /usr/local/src/freeradius-server/src/main/conffile.c:1096: undefined reference to `cf_section_parse_free' collect2: ld returned 1 exit status make: *** [build/bin/local/radiusd] Error 1 alan
On 19 Feb 2013, at 18:00, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
But it works. Both valgrind and the talloc memory checker report minimal errors. There are just a few listeners leaked on exit, which is partly intentional. That will be fixed once the listeners are moved to talloc.
yep
checking for talloc.h... no configure: WARNING: talloc headers not found. Use --with-talloc-include-dir=<path>. configure: error: FreeRADIUS requires libtalloc
yum install libtalloc-devel
..then configure passes but it fails at:
CC src/main/tls.c CC src/main/tls_listen.c build/objs/src/main/conffile.o: In function `cf_section_parse': /usr/local/src/freeradius-server/src/main/conffile.c:1096: undefined reference to `cf_section_parse_free' collect2: ld returned 1 exit status make: *** [build/bin/local/radiusd] Error 1
Pushed fixed. Pull, rebuild. -Arran
Hi,
Pushed fixed. Pull, rebuild.
8-) builds. however, still barfs: Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { tls = "tls-common" type 2632042 not supported yet } rlm_eap: Failed to initialize type tls /etc/raddb/mods-enabled/eap[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[447]: Failed to find "eap" in the "modules" section. /etc/raddb/sites-enabled/default[447]: Failed to parse "eap" entry. alan
A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Pushed fixed. Pull, rebuild.
8-) builds. however, still barfs:
Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { tls = "tls-common" type 2632042 not supported yet
I have no idea what's going wrong here. I don't see this at all in my config. The fact that it's consistently the *same* issue is suspicious. Maybe valgrind has useful information. Alan DeKok.
Hi,
Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { tls = "tls-common" type 2632042 not supported yet
I have no idea what's going wrong here. I don't see this at all in my config. The fact that it's consistently the *same* issue is suspicious.
Maybe valgrind has useful information.
i'll get through the valgrind info - this happens even with the supplied 'eap' file alan
A.L.M.Buxey@lboro.ac.uk wrote:
i'll get through the valgrind info - this happens even with the supplied 'eap' file
Weird. I don't see it on Mac or Ubuntu. Coverity says it's OK. Maybe you could also try using gdb, and set a breakpoint for that message. Then, see what the backtrace is, and where the weird value for "type" is coming from. Alan DeKok..
On 20 Feb 2013, at 08:20, Alan DeKok <aland@DEPLOYINGRADIUS.COM> wrote:
A.L.M.Buxey@lboro.ac.uk wrote:
i'll get through the valgrind info - this happens even with the supplied 'eap' file
Weird. I don't see it on Mac or Ubuntu. Coverity says it's OK.
Maybe you could also try using gdb, and set a breakpoint for that message. Then, see what the backtrace is, and where the weird value for "type" is coming from.
What version of Centos and what architecture are you experiencing the issue on? -Arran
On 19 Feb 2013, at 17:34, Alan DeKok <aland@DEPLOYINGRADIUS.COM> wrote:
For most things. If you pulled recently, you may need to do:
$ git pull --force
There were a few commits done out of order.
But it works. Both valgrind and the talloc memory checker report minimal errors. There are just a few listeners leaked on exit, which is partly intentional. That will be fixed once the listeners are moved to talloc.
The changes result in about 800 lines of code removed from the server. That's 1%, which is small but not negligible. We expect more code to be removed as we migrate everything else to talloc.
We also expect that supporting "HUP" will become easier. It may have issues today, but talloc makes it easier to have better support for HUP.
I haven't done any performance tests. But the Samba people say that talloc is 4% slower than malloc. Our other tests show that most of the CPU time is spent in MD5, SSL, or in accessing external DBs. So I expect that there should be no performance impact here.
It also allows us to do slab allocation for requests. So instead of lots of small allocs for VPs and associated meta data, we can pre-alloc request_size + 1k. This will mean server performance is increased in some cases, especially if complex unlang policies are used. Once the rest of the server is converted to talloc we'll also be able to definitively say whether the server leaks memory, and the naming/typing of talloc memory blocks will make tracking down the source of the leak far easier. If you're interested radiusd -XM will output a memory report on exit. Even with the minor modifications we've made it will show if RADIUS_PACKETs, configuration data, module data and VALUE_PAIRS being leaked. radiusd -xv will also show you the version of talloc you built with. It should be something like 2.0.*. -Arran
hi, ....and fearing some nasty old config option lurking...i moved config out of way and did a fresh install. same result: radiusd: FreeRADIUS Version 3.0.0 (git #da56f0f), for host i686-pc-linux-gnu, built on Feb 19 2013 at 23:11:19 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/checkval including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/wimax including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/inner-eap including configuration file /etc/raddb/mods-enabled/attr_rewrite including configuration file /etc/raddb/mods-enabled/counter including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/cui including configuration file /etc/raddb/sql/cui/mysql/queries.conf including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/preprocess including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/control including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/usr/var" sbindir = "/usr/sbin" logdir = "/usr/var/log/radius" run_dir = "/usr/var/run/radiusd" libdir = "/usr/lib" radacctdir = "/usr/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } Module: Linked to module rlm_dhcp Module: Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { } # modules } # server server default { # from file /etc/raddb/sites-enabled/default modules { Module: Creating Auth-Type = digest Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/mods-enabled/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/mods-enabled/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/usr/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { tls = "tls-common" type 3590506 not supported yet } rlm_eap: Failed to initialize type tls /etc/raddb/mods-enabled/eap[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[463]: Failed to find "eap" in the "modules" section. /etc/raddb/sites-enabled/default[405]: Errors parsing authenticate section. alan
On 20.02.2013 09:53, A.L.M.Buxey@lboro.ac.uk wrote:
Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { tls = "tls-common" type 3590506 not supported yet } rlm_eap: Failed to initialize type tls /etc/raddb/mods-enabled/eap[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[463]: Failed to find "eap" in the "modules" section. /etc/raddb/sites-enabled/default[405]: Errors parsing authenticate section.
This comes from cf_item_parse ... Are you sure there's no hidden character or escape character somewhere in your config ? What could help Alan/Arran would be to run freeradius from gdb, and break on tls_server_conf_parse. Then you will have to step into cf_section_parse which will parse your tls-config section. Then do step by step until the error arise, so you can see on which statement in your tls config it fails. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Olivier Beytrison