[Opendnssec-user] ods-enforcerd process crushed

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Jan 12 16:16:22 UTC 2016 

On 01/12/2016 12:28 PM, yaohongyuan wrote:
> Hi all,
> 
>       Today when I start the opendnssec's ods-enforcerd , but got below
> error messages:
> 
>         System message:
>             Jan 12 15:44:49 pascal kernel: ods-enforcerd[18730]:
> segfault at 0 ip 00007f1a26c4b135 sp 00007fffe0b71d00 error 4 in
> libpkcs11.so[7f1a26bff000+a7000]
>             Jan 12 15:44:50 pascal abrt[19571]: Saved core dump of pid
> 18730 (/home/gtld/software/OpenDNSSEC-1.4.7/sbin/ods-enforcerd) to
> /var/spool/abrt/ccpp-2016-01-12-15:44:49-18730 (26304512 bytes)
>             Jan 12 15:44:50 pascal abrtd: Directory
> 'ccpp-2016-01-12-15:44:49-18730' creation detected
> 
>         After check the core dump file got below info :
>            
>             Core was generated by `./ods-enforcerd'.
>             Program terminated with signal 11, Segmentation fault.
>            
> #0  0x00007fb4fe3f0135 in CI_DestroyObject () from /home/gtld/dependencies/provider/libpkcs11.so
>            
> Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.166.el6_7.3.x86_64 keyutils-libs-1.4-5.el6.x86_64 krb5-libs-1.10.3-42.el6.x86_64 libcom_err-1.41.12-22.el6.x86_64 libgcc-   
>        
> 4.4.7-16.el6.x86_64 libselinux-2.0.94-5.8.el6.x86_64 libstdc++-4.4.7-16.el6.x86_64 libxml2-2.7.6-20.el6_7.1.x86_64 mysql-libs-5.1.73-5.el6_6.x86_64 nss-softokn-freebl-   
>        
> 3.14.3-23.el6_7.x86_64 openssl-1.0.1e-42.el6_7.2.x86_64 openssl098e-0.9.8e-18.el6_5.2.x86_64 zlib-1.2.3-29.el6.x86_64
>             (gdb) bt
>            
> #0  0x00007fb4fe3f0135 in CI_DestroyObject () from /home/gtld/dependencies/provider/libpkcs11.so
>            
> #1  0x00007fb4fe3ff598 in C_DestroyObject () from /home/gtld/dependencies/provider/libpkcs11.so
>            
> #2  0x000000000041ad73 in hsm_remove_key (ctx=0x253f080, key=0x2572da0) at libhsm.c:2619
>            
> #3  0x0000000000409337 in do_purge (interval=1209600, policy_id=<value optimized out>) at enforcer.c:1600
>            
> #4  0x000000000040bd47 in server_main (config=0x62c340) at enforcer.c:246
>            
> #5  0x000000000040c655 in main (argc=1, argv=<value optimized out>) at daemon.c:248
> 
>       We used opendnssecversion is 1.4.7.
>       Could you please give any suggestions or other solution?
> 
> Best Regards,
> Dean.
> 
> 
>  

It looks you are using the PKCS#11 of your real HSM, not of SoftHSM,
this is where the failure occurs.  OpenDNSSEC is trying to remove old
(unused) keys from the HSM.  My initial guess is that OpenDNSSEC still
thinks keys are in the HSM, while in fact there already gone.

ods-ksmutil --all --verbose

should give you also the dead keys, which you might match against

ods-hsmutil list

I'm not sure it will work, but you might be able to remove them from
OpenDNSSEC without the HSM problem with ods-ksmutil key delete --no-hsm.

In any case, if you remove the <Purge> element from your kasp.xml and
reload it, OpenDNSSEC will not try to remove them automatically (which
in the end will give performance degredation and fill up your HSM).
This at least will keep you going for the moment until you are able to
remove the problematic keys.
Only remove dead keys though!

With kind regards,
Berry van Halderen

More information about the Opendnssec-user mailing list