When nrpe2 built with SSL support accepts a new connection, it enters a loop waiting for SSL handshake. If no handshake occurs but the tcp connection is established, the loop consumes all available cpu time. 1004 /* keep attempting the request if needed */ 1005 while(((rc=SSL_accept(ssl))!=1) && (SSL_get_error(ssl,rc)==SSL_ERROR_WANT_READ)); I've observed this behavior on FreeBSD 9.0 and 9.1, I was told it happens also on 6.x. This does not happen on nrpe2 running on Debian. Running strace/gdb on the process shows that in Linux it is waiting on read(), while on FreeBSD it iterates the loop over and over very fast. Fix: A dirty hack is to add usleep(100000) in the aforementioned loop. How-To-Repeat: `telnet localhost 5666` is enough to observe 100% cpu usage in top.
Maintainer of net-mgmt/nrpe2, Please note that PR ports/176438 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/176438 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Responsible Changed From-To: freebsd-ports-bugs->ohauer I'll take it. Kajetan thanks for the PR, I can verify the high CPU load. Please test the following patch: http://people.freebsd.org/~ohauer/diffs/nrpe_PR_176438.diff The patch resets the SSL connection after ~60s in case the SSL handshake is not finished. Additional I included a polling patch from OpenBSD's nrpe
State Changed From-To: feedback->closed Feedback timeout.
State Changed From-To: closed->open This is still a problem! Please commit the suggested patch.
Responsible Changed From-To: ohauer->zeising This is still a problem! Please commit the suggested patch.
Can we please move forward with this patch? I just had a host nearly go down because of this again.
I run into this very often too. The patch looks somewhat hacky, but does look like it would help. I am applying it in my tree. Please address this.
A commit references this bug: Author: bdrewery Date: Sat Sep 27 19:36:36 UTC 2014 New revision: 369416 URL: https://svnweb.freebsd.org/changeset/ports/369416 Log: - Apply patch to fix timed out SSL connections from spinning CPU Tested by: bdrewery Submitted by: kajetan.staszkiewicz@innogames.de Submitted by: ohauer PR: 176438 Approved by: maintainer timeout Changes: head/net-mgmt/nrpe/Makefile head/net-mgmt/nrpe/files/patch-src-nrpe.c
A commit references this bug: Author: bdrewery Date: Sat Sep 27 19:37:56 UTC 2014 New revision: 369417 URL: https://svnweb.freebsd.org/changeset/ports/369417 Log: MFH: r369416 - Apply patch to fix timed out SSL connections from spinning CPU Tested by: bdrewery Submitted by: kajetan.staszkiewicz@innogames.de Submitted by: ohauer PR: 176438 Approved by: maintainer timeout Changes: _U branches/2014Q3/ branches/2014Q3/net-mgmt/nrpe/Makefile branches/2014Q3/net-mgmt/nrpe/files/patch-src-nrpe.c