Running out of file descriptors
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Aug 15 11:25:12 CEST 2016
> On 15 Aug 2016, at 11:15, Jens Rantil <jens.rantil at tink.se> wrote:
>
> Hi,
>
> I've been running 2.1.10+dfsg-3ubuntu0.12.04.2 for ~165 days now on a
> low-volume machine (~20-30 authentication requests per day). FreeRadius
> delegates authentication requests to the PAM (which uses Yubico's PAM
> module).
>
> Yesterday, FreeRadius suddenly stopped working. Looking into the issue I
> noticed that FreeRadius failed to reload configuration with
>
> Error: Unable to open file "/etc/freeradius/proxy.conf": Too many open
> files
>
> Inspecting open files for the process showed me there were ~1012 open
> /dev/urandom:
>
> root at tink-auth-vpn-production:/var/log# lsof|grep freerad|grep
> /dev/urandom|wc -l
> 1012
>
> Looks like a classic file resource leak. After restarting the process, no
> new /dev/urandom file resources are open. Making two authentication
> requests opens up two /dev/urandom. I'm fairly new to FreeRadius. Should I
> expect /dev/urandom file descriptors to be pooled between requests? Or
> should they be closed between requests? Anyone with input whether this is a
> bug in FreeRadius or simply a misconfiguration on my part?
>
> Also, let me know if you'd like me to debug this further.
You’re welcome to for your own edification, but that version of FreeRADIUS is EOL, and even if it does turn out to be an issue, due to the extensive refactoring in version v3.0.0 it’s unlikely that it’ll still be present.
PAMs are notorious for resource leaks. It might be an idea to upgrade and use the official FreeRADIUS yubikey/yubico module instead.
We do not support or recommend the use of Yubico’s modules over the ones that ship with the server.
-Arran
More information about the Freeradius-Users
mailing list