Fix systemd service IPAddressDeny parameter value #312
Merged: rfjakob merged 1 commit into rfjakob:master from thrashwerk:fix-systemd-service-hardening-ip-value on Apr 19, 2024
Conversation
… addresses or symbolic names
Merged, thanks!
UserNotFound added a commit to aptible/earlyoom that referenced this pull request on May 6, 2025:
* Let systemd set Nice and OOMScoreAdjust to avoid warnings on startup (with -p):
  Could not set priority: Permission denied. Continuing anyway
  Could not set oom_score_adj: Permission denied. Continuing anyway
* msg: syslog logging introduced
  Useful in embedded applications.
  Signed-off-by: Konstantin Menyaev <[email protected]>
* Update MANPAGE.md
  --syslog param added
* earlyoom.service: redirect stderr and more hardening
* get and show cmdline when earlyoom kills a process (rfjakob#299)
* show the cmdline of the process which was sent SIGKILL or SIGTERM
* add cmdline to struct procinfo
* add test code
* add 'get-cmdline' to args
* add env EARLYOOM_CMDLINE in notify_ext()
* delete the flag -get-cmdline; fix some log message
* delete get_cmdline from struct poll_loop_args_t
* add env EARLYOOM_CMDLINE to MANPAGE.md
* add get_cmdline to the end of function is_larger
* tests: allow 4 MiB RSS
  glibc keeps getting bigger. Fixes rfjakob#296
* find process with largest rss (rfjakob#300)
* show the cmdline of the process which was sent SIGKILL or SIGTERM
* add cmdline to struct procinfo
* add test code
* add 'get-cmdline' to args
* add env EARLYOOM_CMDLINE in notify_ext()
* delete the flag -get-cmdline; fix some log message
* delete get_cmdline from struct poll_loop_args_t
* add env EARLYOOM_CMDLINE to MANPAGE.md
* add get_cmdline to the end of function is_larger
* add build.sh
* static build with version
* To get the latest tag using git command
* add flag '--sort-by-rss': find process with the largest rss (default oom_score)
* reset Makefile and delete build.sh
* delete ignore-root-user from MANPAGE.md
* delete duplicate code
* make --avoid / --prefer work with --sort-by-rss
* add VMRSS_PREFER and VMRSS_AVOID to support prefer_regex and avoid_regex
* MANPAGE.md: explain why --syslog exists
  Relates-to: rfjakob#292
* kill: delete obsolete mrelease() function
  The sole caller was removed in 1014873.
  Fixes: 1014873
* Refactor kill_wait: factor out kill_release
* contrib/zombie: print what is happening
  Also fix "make format" to use the same format as earlyoom.
* Create .clang-format and use it everywhere
* contrib/membomb: factor out eat_all_memory function
* Add contrib/membomb/membomb.subthread
  When the main thread exits, the whole process becomes invisible to earlyoom. This is no good.
  Relates-to: rfjakob#309
* is_larger: propagate meminfo_t
  We will use this to estimate the rss for zombie main threads.
* is_larger: drop flawed kernel thread check
  Processes with a zombie main thread have rss=0, too.
  Relates-to: rfjakob#309
* get_cmdline: don't error out on empty cmdline
  This can happen with a zombie main thread.
* is_larger: --sort-by-rss: handle zombie main thread
  Estimate rss in this case.
* Add parse_proc_pid_stat()
  We need this to unbreak is_alive() in the zombie main thread case.
  Relates-to: rfjakob#309
* Add libproc2-test, and explain why we don't use libproc2
* tests: parse_proc_pid_stat: show details for mismatches
  Test_parse_proc_pid_stat_Self fails on Amazon linux. Let's see why.
* tests: replace Test_parse_proc_pid_stat_Self with Test_parse_proc_pid_stat_1
  Running the test against ourselves is unreliable due to golang thread multiplexing. Hopefully init (pid1) is almost always in state 'S' (sleeping).
  === RUN Test_parse_proc_pid_stat_Self
  testsuite_unit_test.go:247: have=earlyoom_testsuite._Ctype_struct___2{state:83, ppid:237, num_threads:6} want=earlyoom_testsuite._Ctype_struct___2{state:82, ppid:237, num_threads:6}
  --- FAIL: Test_parse_proc_pid_stat_Self (0.00s)
* tests: TestIsAliveMock: use full stat string
  The upcoming better is_alive() implementation needs the num_threads field.
* is_alive(): use new parse_proc_pid_stat() and fix zombie main thread case
  Relates-to: rfjakob#309
* tests: TestIsAliveMock: add zombiemem test case
* kill_release: improve debug output formatting (add colon)
* kill_wait: warn when wait timed out
* Add PROFILE_FIND_LARGEST_PROCESS
  For profiling.
* Add function name to debug messages
* get_cmdline: use procdir_path
  Use procdir_path to allow mocking in tests.
* tests: enable debug output
* is_larger / sort-by-rss: use oom_score on zombie main thread, add mock tests
  The previous rss estimation was very crude. Also allows to get rid of meminfo_t for is_larger. Also add comprehensive unit tests for is_larger.
  rfjakob#309
* tests: disable debug output in benchmarks
* MANPAGE: explain that regexes match against /proc/pid/comm
  Fixes rfjakob#311
* debug output: declutter process table
  Before:
  startup_selftests: dry-running oom kill...
  pid 1: badness -1 VmRSS -1 uid -1 oom_score_adj -1 "systemd"
  pid 2: badness 0 VmRSS 0 uid 0 oom_score_adj -1 "kthreadd"
  pid 3: badness 0 VmRSS 0 uid 0 oom_score_adj -1 "pool_workqueue_release"
  pid 4: badness 0 VmRSS 0 uid 0 oom_score_adj -1 "kworker/R-rcu_g"
  pid 5: badness 0 VmRSS 0 uid 0 oom_score_adj -1 "kworker/R-rcu_p"
  pid 6: badness 0 VmRSS 0 uid 0 oom_score_adj -1 "kworker/R-slub_"
  After:
  startup_selftests: dry-running oom kill...
  PID OOM_SCORE RSSkiB UID OOM_SCORE_ADJ COMM
  1 -1 -1 -1 -1 "systemd"
  2 0 0 0 -1 "kthreadd"
  3 0 0 0 -1 "pool_workqueue_release"
  4 0 0 0 -1 "kworker/R-rcu_g"
  5 0 0 0 -1 "kworker/R-rcu_p"
  6 0 0 0 -1 "kworker/R-slub_"
* Use -9999 as placeholder for unset fields
  We used to use -1, which is valid for oom_score_adj, so that's not a good placeholder.
* parse_proc_pid_stat: read rss
* is_larger: lazy-load uid
* Replace get_vm_rss_kib with parse_proc_pid_stat and delete it
  It's slower, but we get the ppid from it, which we will need for detecting kernel threads.
  Benchmark_get_vm_rss_kib-4 178054 6920 ns/op
  Benchmark_parse_proc_pid_stat-4 107766 11614 ns/op
* is_larger: properly check for kernel threads
* is_larger: move get_oom_score after kernel thread check
  This allows us to skip get_oom_score for all kernel threads.
* cli: accept both -d and --debug
* Introduce PROCINFO_FIELD_NOT_SET = -9999 macro
* fill_informative_fields: fill uid
* is_larger: fetch comm for zombie warning
  Also clarify that oom_score is only used for this one process.
* find_largest_process: fetch all info on the victim
* kill_process: put cmdline on same log line
* kill_release: upgrade process_mrelease message to info
  And also make the log lines appear in the right order. I don't think the printf will hurt us.
* Add earlyoom.profile Makefile target, add progress output
* MANPAGE: see also: nohang(8)
* Rename "badness" -> "oom_score"
  badness is an internal kernel value we don't have access to. earlyoom only operates on the oom_score value, which is proportional ( https://unix.stackexchange.com/questions/448871/what-is-the-relationship-between-oom-score-and-badness ) but not identical.
  Fixes rfjakob#308
* make format
* README: explain no swap
  Fixes rfjakob#290
* MANPAGE: explain "user mem total"
  Fixes rfjakob#303
* Match startup message wording to log lines
* README: update for v1.8
* Remove accidentally committed dotfiles
  ...and add them to .gitignore.
* Fix trivial test failures caused by string changes
* README: link to man page for user mem total change
* Update README for v1.8.1
* fix IPAddressDeny value because it's not a boolean, it's a list of IP addresses or symbolic names (rfjakob#312)
* Add process_mrelease to allowed system calls
  required since 2e00404
  Without this, earlyoom seems to work but actually is killed with signal SIGSYS whenever an OOM situation occurs. It is immediately restarted by systemd, which is why this problem might go unnoticed.
* remove systemd resources syscall filter because it causes earlyoom to be terminated when launched with -p flag
* README: update changelog for v1.8.2
* contrib: add mmap_test
  Relates-to: rfjakob#318
* Makefile: set MANDIR according to GNU Install Dirs guidelines
  As described in GNU Coding Standards. This is especially useful for
  - software distributions that do not follow FHS
  - split packages
  - slim environments, e.g. containers
  References:
  - https://www.gnu.org/prep/standards/html_node/Makefile-Conventions.html#Makefile-Conventions
  - https://www.gnu.org/prep/standards/html_node/Directory-Variables.html#Directory-Variables
  - https://refspecs.linuxfoundation.org/fhs.shtml
* Makefile: factor in PREFIX to install directories
  Sometimes we want to set PREFIX and leave the installation directories relative to the PREFIX. Other times we want to set some of these installation directories to absolute values. Sometimes we want both. This commit patch achieves this with a reasonably small effort, by not propagating PREFIX around the Makefile.
* Makefile: remove spurious whitespace in install-man directive
* Makefile: hardcode systemd unit installation path
  The path can't be relative to PREFIX, because of systemd.
  Sources:
  - systemd/systemd#19414
  - https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html

---------

Signed-off-by: Konstantin Menyaev <[email protected]>
Co-authored-by: Bernhard M. Wiedemann <[email protected]>
Co-authored-by: Konstantin Menyaev <[email protected]>
Co-authored-by: Konstantin Menyaev <[email protected]>
Co-authored-by: oxalica <[email protected]>
Co-authored-by: Ran Huang <[email protected]>
Co-authored-by: Jakob Unterwurzacher <[email protected]>
Co-authored-by: Deividas Burškaitis <[email protected]>
Co-authored-by: Fabian Zickgraf <[email protected]>
Co-authored-by: Anderson Torres <[email protected]>
I noticed in my system logs that the hardening parameter IPAddressDeny has an incorrect value:
bal. 18 10:58:40 systemd[1]: /usr/lib/systemd/system/earlyoom.service:41: Invalid address prefix is specified in [Service] IPAddressDeny=, ignoring assignment: true
It's not a boolean but a list of IP addresses or predefined symbolic names (according to https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6).
I set it to any, which means 0.0.0.0/0 and basically blocks all network access.
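As an added illustration (not code from the earlyoom project or from this PR), a small checker that validates IPAddressAllow=/IPAddressDeny= values the way the PR describes them: every whitespace-separated token must be an address prefix or one of the symbolic names systemd documents (any, localhost, link-local, multicast), so a boolean such as true is flagged. It runs on a constructed unit fragment that contains both the wrong value and the fix.

```python
import ipaddress
import re
from typing import Dict, List

# Symbolic names accepted by systemd for IPAddressAllow=/IPAddressDeny=
# (systemd.resource-control(5)); "any" expands to 0.0.0.0/0 and ::/0.
SYMBOLIC_NAMES = {"any", "localhost", "link-local", "multicast"}


def check_ip_address_token(token: str) -> bool:
    """Return True if token is a valid address prefix or symbolic name."""
    if token in SYMBOLIC_NAMES:
        return True
    try:
        # strict=False tolerates host bits set inside the prefix
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def check_unit(unit_text: str) -> Dict[str, List[str]]:
    """Map each bad IPAddress* assignment line to its invalid tokens.

    An empty value (IPAddressDeny=) resets the list and is valid.
    """
    problems: Dict[str, List[str]] = {}
    for line in unit_text.splitlines():
        m = re.match(r"^\s*(IPAddress(?:Allow|Deny))\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        bad = [tok for tok in value.split() if not check_ip_address_token(tok)]
        if bad:
            problems[f"{key}={value}"] = bad
    return problems


# Constructed sample (not the real earlyoom.service): the first
# IPAddressDeny= is the mistake this PR fixes, the second is the fix.
SAMPLE_UNIT = """[Service]
ExecStart=/usr/bin/earlyoom
IPAddressDeny=true
IPAddressDeny=any
IPAddressAllow=127.0.0.1/8 ::1/128 localhost
"""

if __name__ == "__main__":
    for assignment, bad in check_unit(SAMPLE_UNIT).items():
        print(f"invalid address prefix in {assignment}: {' '.join(bad)}")
```

On a live system, systemd-analyze verify on the unit file surfaces the same class of "Invalid address prefix" warning as the journal line quoted above, so it is a cheap check to run before shipping a hardened unit.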