[Apparmor-general] apparmor-parser gone wild?!

Christian Boltz apparmor at cboltz.de
Fri Sep 5 04:48:27 MDT 2008


Hello,

On Friday, 5 September 2008, John Johansen wrote:
> Christian Boltz wrote:
> > As you can see, apparmor_parser takes 100% of the cpu and 14.4% of
> > the available memory (the server has 6 GB RAM!).
>
> uhm, yeah this is a little ugly, there is a "bug" in the dfa
> generation that causes some policies to consume unbelievable amounts
> of ram and cpu.  It is a problem that I am actively working on now. 

Bug number?

> While I think this is the problem with your current policy I can't be
> sure without you sending me your profiles.

You should have them in the meantime.

Some of the profiles (especially the apache profile) were originally 
used (and created) on a 10.2 server, copied to the 11.0 server and then 
updated using logprof.

> > To make it even worse, it doesn't respond to kill, not even kill
> > -9 :-( Since init 6 also doesn't do anything, I had to reboot the
> > server the hard way.
>
> ugh, this should not be the case.  The parser doesn't do anything
> that should cause it to be unkillable. Can you reliably reproduce 

Yes, IMHO too easy :-/
I see the problem at about every third logprof run (given there were 
profile changes) when the profiles are reloaded. And I'm quite sure it 
is also reproducible by calling apparmor-parser directly (what command 
line is used at the end of logprof?)

> > Is this a known problem? How can I avoid it?
>
> The excessive computation and memory consumption is likely a known
> problem, that it is unkillable is not and should not occur, so it is
> important to see if we can reliably replicate.

If needed, I can provide SSH access to the server and a root screen 
session to attach to. Just send me your SSH key in a signed mail and 
offer some possible timeframes (late evening in German time is probably 
the best).

I can already tell you that strace is useless - I got no output after 
attaching it to the running apparmor-parser process (using "strace -p 
<pid of apparmor-parser>").

> > I can provide my profiles off-list (at least the httpd2-prefork
> > profile contains customer names, so I don't want to send them on
> > the list).
>
> yes, please send them to me and I will do some testing against your
> policy.  This should also enable me to make some recommendation about
> what you can do until I get this nasty bug fixed.

I'm quite sure the answer will be something like "simplify your apache 
profile" because this is the largest profile and has lots of hats.


Regards,

Christian Boltz
-- 
> Pardon? I think I'm standing in the woods!
If there are nothing but trees all around you, then you're probably right.
[> David Haller and Bernhard Walle in suse-linux]
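Two things a practitioner would want when a parser process hangs as described in this thread: a way to see whether the process is in uninterruptible sleep (which is what makes SIGKILL and `strace -p` appear to do nothing), and a way to reload policy with hard resource caps so a pathological profile fails fast instead of eating the host. The script below is an added example, not code from this thread or from the AppArmor project; `proc_state` and `run_limited` are hypothetical helper names, and the parser invocation (`apparmor_parser -r` on a profile directory) is an assumption about the command line, which the thread itself does not state.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): diagnose a stuck
# process via /proc and run a policy reload under hard resource limits.

# Print "<state> <wchan>" for a PID. A state of "D" (uninterruptible
# sleep) means the task is blocked inside the kernel: SIGKILL is only
# delivered when it returns to userspace, and ptrace attach (strace -p)
# produces nothing in the meantime.
proc_state() {
    pid=$1
    [ -r "/proc/$pid/stat" ] || { echo "no such process: $pid" >&2; return 1; }
    # The comm field of /proc/PID/stat may contain spaces, so cut after
    # the closing parenthesis; the state is then the first field.
    state=$(sed 's/^.*) //' "/proc/$pid/stat" | cut -d' ' -f1)
    # wchan is the kernel symbol the task sleeps in (may be "0" or
    # unreadable without privileges).
    wchan=$(cat "/proc/$pid/wchan" 2>/dev/null || echo "?")
    echo "$state $wchan"
}

# Run a command with a cap on virtual memory (KiB) and CPU seconds.
# The limits are set in a subshell so the caller's shell is unaffected;
# exceeding them makes the child fail (ENOMEM / SIGXCPU) rather than
# taking the whole machine down with it.
run_limited() {
    mem_kib=$1
    cpu_sec=$2
    shift 2
    ( ulimit -v "$mem_kib" && ulimit -t "$cpu_sec" && exec "$@" )
}

# Stand-alone usage (assumed parser command line, not from the thread):
#   sh thisfile.sh state <pid>
#   sh thisfile.sh reload /etc/apparmor.d
case "${1:-}" in
    state)  proc_state "$2" ;;
    reload) run_limited 2097152 120 apparmor_parser -r "$2" ;;
esac
```

If `proc_state` reports `D`, the parser is stuck in the kernel and no userspace signal will help; the useful evidence is then the `wchan` value and a kernel stack (`/proc/<pid>/stack`, where available), not another `kill -9`. The `reload` branch is the defensive counterpart: a 2 GiB / 120 s budget is a constructed default and should be tuned to what a normal reload on the host actually needs.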

