[Openswan dev] [Openswan Users] kernel memory leak 2.4.7, 2.4.33 - misconfiguration or bug? (fwd)

Paul Wouters paul at xelerance.com
Thu May 10 22:24:43 EDT 2007


---------- Forwarded message ----------
Date: Thu, 10 May 2007 15:25:36 -0400
From: Brad Langhorst <brad at coopmetrics.coop>
To:  <users at openswan.org>
Subject: [Openswan Users] kernel memory leak 2.4.7,
    2.4.33 - misconfiguration or bug?

I'm seeing a pretty big memory leak using openswan in a 1-1 vpn
deployment.

The leak is correlated with traffic over ipsec0.
See:
https://development.coopmetrics.coop/munin/mcgruff/mcgruff.html

You can see that the free memory decreases quickly during the nightly
backup.

I have to reboot every few days or the machine runs out of ram and
becomes unstable.

The bad news is that this machine is in production, and I can't take it
down any time soon.  I also don't have a tool chain in place to build
the packages for this system (bering 3.0 ulibc), but I think I'm going
to need to build one to solve this and will allocate some time to do
that.

I'm pretty sure that it's ipsec related because I don't lose memory when
doing a big scp transfer NOT via the vpn.

I have a similar system on the other side of the tunnel that does not
exhibit the lost memory problem.

LEAF Bering-uClibc 2.3 uClibc 0.9.20 Rev 2
Linux cujo 2.4.32 #1 Sat Mar 4 21:00:13 CET 2006 i686 unknown
ipsec           2.4.4 Rev 4    Openswan IPSEC


What should I do to narrow down this problem?


memory and config below:


here's my config:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/24

conn cm-homeoffice
        right=vpn.coopmetrics.coop
        rightsubnet=192.168.3.0/24
        rightid="C=US, ST=NC, L=Carrboro, O=CoopMetrics, OU=VPN server, CN=vpn.coopmetrics.coop"
        left=%defaultroute
        #left=192.168.0.2
        #leftnexthop=192.168.0.1
        leftsubnet=192.168.0.0/24
        leftcert=mcgruff_cert.pem
        leftsendcert=always
        rightsendcert=yes
        auto=start
        pfs=yes


Here's some memory info (note that the free memory decreases, but no
userspace memory shows an increase in vmsize):

mcgruff# uname -a
Linux mcgruff 2.4.33 #1 Mon Sep 4 15:52:08 CEST 2006 i686 unknown

mcgruff# ps aux
  PID  Uid     VmSize Stat Command
    1 root        244 S   init [2]
    2 root            SW  [keventd]
    3 root            SWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
20110 root        268 S   /sbin/syslogd -m 240
 9531 root        332 S   /sbin/klogd
19053 root            SW  [khubd]
23869 root        244 S   /sbin/dhcpcd-bin -Y -N -R -d eth0
16786 root        136 S   /usr/sbin/watchdog
14975 root        232 S   /usr/sbin/inetd
  914 root        272 S   /usr/sbin/ulogd -d
 8127 root        956 S   /usr/sbin/sshd
11645 root        420 S   /usr/sbin/ntpd -g
10743 dnscache   1224 S   /usr/bin/dnscache
 2076 root        288 S   /usr/bin/ez-ipupdate -c /etc/ez-ipupd.conf -F /var/run/ez-ipupd.pid
 1016 root        308 S   /usr/sbin/cron
  254 root      13376 S   /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid
16747 root        288 S   /sbin/getty 38400 tty1
29709 root        288 S   /sbin/getty 38400 tty2
31535 root        420 S   /usr/sbin/ntpd -g
18574 root       1216 S   /usr/sbin/sshd: root@ttyp0
 5204 root        404 S   -sh
22527 root        340 S   /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_trave
25116 root        296 S   logger -s -p daemon.error -t ipsec__plutorun
30277 root        344 S   /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_trave
27023 root        340 S   /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
32018 root        844 S   /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --
 2607 root        476 S N pluto helper  #  0 -nofork
 6092 root        132 S   _pluto_adns
 1810 root        284 R   ps aux
mcgruff# free
              total         used         free       shared      buffers
  Mem:       119664       103964        15700            0           56
 Swap:            0            0            0
Total:       119664       103964        15700

mcgruff# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  122535936 106496000 16039936        0    57344 14569472
Swap:        0        0        0
MemTotal:       119664 kB
MemFree:         15664 kB
MemShared:           0 kB
Buffers:            56 kB
Cached:          14228 kB
SwapCached:          0 kB
Active:           9680 kB
Inactive:         4660 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       119664 kB
LowFree:         15664 kB
SwapTotal:           0 kB
SwapFree:            0 kB


-- 
Brad Langhorst
CTO - CoopMetrics
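
An added example, not part of the original message: a shell/awk sketch that turns the `/proc/meminfo` and `ps aux` captures above into a lower bound on the memory held outside userspace, free memory and the page cache. The function names are hypothetical, and the sample data in `demo` uses the meminfo values from the post with a subset of its `ps` lines.

```shell
# Added example (not from the original post). Estimates RAM held outside
# userspace, free memory and the page cache, from two text captures:
#   $1 = `cat /proc/meminfo` on a 2.4 kernel ("Name:  N kB" lines)
#   $2 = busybox `ps aux` (PID Uid VmSize Stat Command)

# Sum the VmSize column (kB). Kernel threads print no VmSize, so their third
# field is the state (SW, SWN); wrapped command lines do not start with a PID.
user_vmsize_kb() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { sum += $3 }
         END { print sum + 0 }' "$1"
}

# Print one "Name:  N kB" field from a meminfo capture.
meminfo_kb() {
    awk -v key="$2:" '$1 == key && $3 == "kB" { print $2; exit }' "$1"
}

# MemTotal - MemFree - Buffers - Cached - sum(VmSize). VmSize over-counts
# userspace (it includes non-resident and shared mappings), so the result is
# a lower bound on what the kernel itself is holding.
kernel_held_kb() {
    total=$(meminfo_kb "$1" MemTotal); free=$(meminfo_kb "$1" MemFree)
    buffers=$(meminfo_kb "$1" Buffers); cached=$(meminfo_kb "$1" Cached)
    echo $(( total - free - buffers - cached - $(user_vmsize_kb "$2") ))
}

# Sample captures: meminfo values copied from the post, ps lines a subset of it.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/meminfo" <<'EOF'
MemTotal:       119664 kB
MemFree:         15664 kB
Buffers:            56 kB
Cached:          14228 kB
EOF
    cat > "$d/ps" <<'EOF'
  PID  Uid     VmSize Stat Command
    4 root            SW  [kswapd]
  254 root      13376 S   /usr/sbin/snmpd -Lsd -Lf /dev/null
-p /var/run/snmpd.pid
32018 root        844 S   /usr/lib/ipsec/pluto --nofork
 2607 root        476 S N pluto helper  #  0
EOF
    kernel_held_kb "$d/meminfo" "$d/ps"
    rm -rf "$d"
}
if [ "$#" -eq 2 ]; then kernel_held_kb "$1" "$2"; else demo; fi
```

Run against captures taken before and after a period of tunnel traffic, a result that grows while the summed VmSize stays flat points at kernel-side allocations rather than pluto or another daemon.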

