[RADIATOR] Memory Leak on RHEL 8.5

Stefan Paetow (OpenSource) oss at eons.net
Tue Apr 5 19:14:15 UTC 2022


Hi Heikki, Wolfgang,

I would suggest that you raise a ticket at RedHat against OpenSSL about the
memory leaks with exactly the analysis you did here because it proves that
one of the patches in the source RPM introduces the memory leak.

:-)

Stefan


On Tue, 5 Apr 2022 at 18:49, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 4.4.2022 21.14, Wolfgang Breyha wrote:
>
> > We (University of Vienna) recently noticed performance issues with our
> new
> > Radiator Servers running on RHEL 8.5. These were caused by radiusd (4.26)
> > itself eating memory until the machines started swaping and the IO-waits
> > raised until radiusd wasn't able to handle the load anymore.
>
> Hello Wolfgang, we can reproduce this with RHEL 8.5 and AlmaLinux and
> Rocky Linux too. With RHEL 9 beta the problem doesn't occur and memory
> usage is stable.
>
> > The same config was running on RHEL 6 with radiator 4.18 without any
> > problems or noticeable leaks for years.
>
> We used the same config on all of the above 4 versions. It's based on
> your configuration with more simplification. Could you try and see that
> you get the same result too. That is, the config below also uses memory
> on your test server.
>
> > I tried to run radiusd under valgrind with our configuration and assuming
> > that perl itself is not the cause I think the leak(s) happen(s) somewhere
> > down the Net::SSLeay->opennssl pipe. Since our config is rather complex I
> > tried to set up a simple EAP example config to see if it happens there as
> > well... and "luckily" it does. config is attached.
>
> I did some more expirements and found out the following:
> - Net::SSLeay compiled against RHEL supplied OpenSSL 1.1.1k doesn't fix
> leak. This is the same result as you wrote about
> - OpenSSL 1.1.1k compiled from source on RHEL 8 with Net::SSLeay 1.88
> does not leak
> - OpenSSL 1.1.1k, Net::SSLeay 1.88 and Perl 5.26.3-threads-multi
> compiled on macOS 10.15.7 does not leak
>
>
> In other words, on RHEL8 OpenSSL 1.1.1k that comes with the OS leaks but
> locally compiled unpatched OpenSSL 1.1.1k does not leak.
>
> I then downloaded openssl-1.1.1k-5.el8_5.src.rpm from
> https://repo.almalinux.org/almalinux/8/BaseOS/Source/Packages/
> and did this to unpack it:
>
> rpm2cpio < openssl-1.1.1k-5.el8_5.src.rpm|cpio -i
>
> There are quite a few patches that are applied to RHEL and its derivatives.
>
>  From the above it seems that a combination of what Radiator does,
> OpenSSL 1.1.1k and the patches applied to it trigger a leak.
>
> If you'd like to do more debugging, you can compile a local OpenSSL and
> Net::SSLeay like this:
>
> In OpenSSL directory, for example $HOME/src/p5-net-ssleay/ :
> ./config --prefix=$HOME/opt/openssl-1.1.1k
> make
> make install_sw
> make install_ssldirs
>
> The setup environment and compile Net::SSLeay. In Net::SSleay directory:
> export LD_LIBRARY_PATH=$HOME/opt/openssl-1.1.1k/lib
> OPENSSL_PREFIX=$HOME/opt/openssl-1.1.1k perl Makefile.PL
> make
> make test # Check the locations in the test output
>
> You can then run Radiator from command line directly if you run it like
> this:
> perl -I $HOME/src/p5-net-ssleay/blib/lib/ -I
> $HOME/src/p5-net-ssleay/blib/arch /opt/radiator//radiator/radiusd
> -dictionary /opt/radiator/radiator/dictionary -foreground -log_stdout
> -trace 4 -config leak-test.conf
>
> > I then start eapol_test (from wpa_supplicant RPM) with a config of
> > network={
> > eap=PEAP
> > eapol_flags=0
> > key_mgmt=IEEE8021X
> > identity="testuser"
> > anonymous_identity="anonymous"
> > password="testpass"
> > ca_cert="/etc/pki/tls/cert.pem"
> > phase2="auth=MSCHAPV2"
> > }
> > in a loop and can watch radiusd eating memory.
>
> I used exactly the same config with my testing. I even used eapol_test
> that comes with 'yum install wpa_supplicant', but I don't think
> eapol_test version matters.
>
> Radiator's shortened config we used was this. It was run from command
> line and certifcates are the demo certs that come with Radiator in
> /opt/radiator/radiator/certificates directory.
>
> Trace 4
> LogTraceId
> LogMicroseconds
> DbDir .
> LogDir .
> LogFile %L/radius.log
> DictionaryFile /opt/radiator/radiator/dictionary
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> <Client DEFAULT>
>          Secret  mysecret
> </Client>
>
> <AuthBy FILE>
>      Identifier AuthTEST
>      Filename %D/users
>      EAPType PEAP,MSCHAP-V2
>      EAPTLS_CAFile %D/demoCA/cacert.pem
>      EAPTLS_CertificateFile %D/cert-srv.pem
>      EAPTLS_PrivateKeyFile %D/key.pem
>      EAPTLS_CertificateType PEM
>      EAPTLS_MaxFragmentSize 1000
>      EAPTLS_SessionResumption 0
>      AutoMPPEKeys
> </AuthBy>
>
> <Handler TunnelledByPEAP=1>
>      AuthBy AuthTEST
> </Handler>
>
> <Handler>
>      AuthBy AuthTEST
> </Handler>
>
> > I started it in batches of 1000 and the RSS increased from fresh start...
> > 36884->115592->124648->132256->135120->139868->139868->143116->147152
>
> The valgrind results below are interesting. I could not immediately find
> anything from OpenSSL patches the distributions use that touch these
> functions. Well, apart from FIPS changes that change many parts of the
> code.
>
> Do you think you could also try against a locally compiled OpenSSL? It
> seems that distribution patches affect the leak, but I'd like to get a
> confirmation for this.
>
> Thanks again for the detailed report. If you think you could do more
> work with valgrind, I'd interested to see the results.
>
>
> > If I run this config with valgrind again I find a similar "definitely
> lost
> > memory" section with a close amount of requests as with our full config:
> > ==1420461== 233,728 bytes in 913 blocks are definitely lost in loss
> record
> > 6,062 of 6,088
> > ==1420461==    at 0x4C360A5: malloc (vg_replace_malloc.c:380)
> > ==1420461==    by 0xA39690C: CRYPTO_zalloc (in
> /usr/lib64/libcrypto.so.1.1.1k)
> > ==1420461==    by 0xA382AC3: EVP_PKEY_meth_new (in
> > /usr/lib64/libcrypto.so.1.1.1k)
> > ==1420461==    by 0xCF3CAD7: ??? (in /usr/lib64/engines-1.1/pkcs11.so)
> > ==1420461==    by 0xA3648E4: ENGINE_get_pkey_meth (in
> > /usr/lib64/libcrypto.so.1.1.1k)
> > ==1420461==    by 0xA382EA4: ??? (in /usr/lib64/libcrypto.so.1.1.1k)
> > ==1420461==    by 0xA37E543: ??? (in /usr/lib64/libcrypto.so.1.1.1k)
> > ==1420461==    by 0x9FD5A41: ??? (in /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9FC833E: ??? (in /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9FB3C97: SSL_do_handshake (in
> /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9D3ACA3: ??? (in
> > /usr/lib64/perl5/vendor_perl/auto/Net/SSLeay/SSLeay.so)
> > ==1420461==    by 0x4F2F4B8: Perl_pp_entersub (in
> /usr/lib64/libperl.so.5.26.3)
> >
> > and a "possibly lost memory"
> > ==1420461== 640,000 bytes in 1,000 blocks are possibly lost in loss
> record
> > 6,079 of 6,088
> > ==1420461==    at 0x4C360A5: malloc (vg_replace_malloc.c:380)
> > ==1420461==    by 0xA39690C: CRYPTO_zalloc (in
> /usr/lib64/libcrypto.so.1.1.1k)
> > ==1420461==    by 0x9FBA5AC: SSL_SESSION_new (in
> /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9FBAE06: ??? (in /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9FD9E78: ??? (in /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9FC855A: ??? (in /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9FB3C97: SSL_do_handshake (in
> /usr/lib64/libssl.so.1.1.1k)
> > ==1420461==    by 0x9D3ACA3: ??? (in
> > /usr/lib64/perl5/vendor_perl/auto/Net/SSLeay/SSLeay.so)
> > ==1420461==    by 0x4F2F4B8: Perl_pp_entersub (in
> /usr/lib64/libperl.so.5.26.3)
> > ==1420461==    by 0x4F27324: Perl_runops_standard (in
> > /usr/lib64/libperl.so.5.26.3)
> > ==1420461==    by 0x4EA6FFC: perl_run (in /usr/lib64/libperl.so.5.26.3)
> > ==1420461==    by 0x108ED9: ??? (in /usr/bin/perl)
> >
> > The machines run a fully patched RHEL 8.5 with the current
> > radiator-4.26-1.el8.noarch from your website
> > openssl-libs-1.1.1k-5.el8_5.x86_64
> > perl-Net-SSLeay-1.88-1.module+el8.3.0+6446+594cad75.x86_64
> >
> > I also tried to build a new Net::SSLeay-1.92. Same results.
> >
> > If we can't find the cause it seems we need to restart radiator
> periodically.
>
> Hopefully there's another solution. It might be that the OS (RHEL, Alma,
> Rocky) patches, and how they affect Radiator, need to be checked at some
> point.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20220405/88c97581/attachment-0001.html>


More information about the radiator mailing list