
Bad owner for CLOSE_WAIT sockets with Xen kernel



Hello,

I am facing a strange problem on Debian Lenny systems using the Xen
Debian kernel.
I run Puppet and the agent seems to leave a lot of sockets in CLOSE_WAIT
state.
The funny thing is that after some time I can see the same kind of
CLOSE_WAIT sockets owned by other processes. By "same kind" I
mean same src IP and dest IP and port (the puppet server). The owning
process could be the ntpd daemon or my Zabbix agent.
Here is an extract of the "netstat -taupen" output:
tcp 38 0 *.*.*.*:44766 *.*.*.*:8140 CLOSE_WAIT 0 1527366 17735/zabbix_agentd
tcp 38 0 *.*.*.*:44764 *.*.*.*:8140 CLOSE_WAIT 0 1527355 17735/zabbix_agentd
tcp 38 0 *.*.*.*:37551 *.*.*.*:8140 CLOSE_WAIT 0 4423069 27489/ntpd
tcp 38 0 *.*.*.*:42002 *.*.*.*:8140 CLOSE_WAIT 0 2590041 6252/ruby
...

I can sometimes see more than 400 sockets in CLOSE_WAIT state, with
more than half belonging to the ruby process and the rest belonging
to the other processes...
For information, the hosts are running a file integrity checking monitor
that does not indicate that files were altered abnormally. I even switched
the NTP service implementation, but the same thing happens after some time.

Has anybody already met the same problem?
Could this be a bug in the Xen patched kernel of Debian?
I can confirm that behavior on the following linux-image versions:
* linux-image-2.6.26-2-xen-amd64 2.6.26-26lenny3
* linux-image-2.6.26-2-xen-amd64 2.6.26-26lenny2

This affects the DomU as well as the Dom0.

I did a complete reinstallation on two affected hosts. I need to wait to
see if it happens again.

Thanks.
Regards,
-- 
Jérôme
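
One way to cross-check the owner column that netstat prints, as an added example that is not part of the original message: it reads the kernel socket table (/proc/net/tcp) and the per-process fd links directly, and lists every process that holds each CLOSE_WAIT socket to port 8140, since a socket inode can be open in more than one process. The function names and the sample rows are constructed for illustration; IPv4 and a little-endian host are assumed.

```python
import os, re, socket, struct
from collections import defaultdict

CLOSE_WAIT = 0x08  # state code in the "st" column of /proc/net/tcp

def _addr(hexpair):
    ip, port = hexpair.split(":")
    # IPv4 address is printed as a host-order u32; little-endian host assumed
    return socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Yield (local, remote, state, inode) for each row of /proc/net/tcp."""
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) >= 10:
            yield _addr(f[1]), _addr(f[2]), int(f[3], 16), int(f[9])

def socket_holders(proc_root="/proc"):
    """Map socket inode -> {(pid, name)} for every process with it open."""
    holders = defaultdict(set)
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                name = os.path.basename(fh.read().split(b"\0")[0].decode(errors="replace"))
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc_root}/{pid}/fd/{fd}"))
                if m:
                    holders[int(m.group(1))].add((int(pid), name))
        except OSError:                           # process gone or not readable
            continue
    return holders

def close_wait_report(tcp_text, holders, port=8140):
    """Return {inode: sorted holders} for CLOSE_WAIT sockets to remote `port`."""
    return {inode: sorted(holders.get(inode, ()))
            for _, remote, state, inode in parse_proc_net_tcp(tcp_text)
            if state == CLOSE_WAIT and remote[1] == port}

# Constructed sample rows (documentation addresses), not data from the affected hosts
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:AEDE 010200C0:1FCC 08 00000000:00000026 00:00000000 00000000     0        0 1527366 1
   1: 0A0200C0:A412 010200C0:1FCC 08 00000000:00000026 00:00000000 00000000     0        0 2590041 1
   2: 0A0200C0:A500 010200C0:1FCC 01 00000000:00000000 00:00000000 00000000     0        0 2590050 1
"""
SAMPLE_HOLDERS = {1527366: {(6252, "ruby"), (17735, "zabbix_agentd")}, 2590041: {(6252, "ruby")}}

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE_TCP
    for inode, procs in close_wait_report(text, socket_holders() if live else SAMPLE_HOLDERS).items():
        print(inode, procs or "no holder visible (run as root)")
```

Run as root so that the fd directories of all processes are readable; the inode printed here is the same number netstat shows in its Inode column.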

