GRSEC and Varnish

Mark Moseley moseleymark at gmail.com
Thu Feb 4 01:10:58 CET 2010


On Tue, Feb 2, 2010 at 11:53 PM, Tollef Fog Heen
<tfheen at varnish-software.com> wrote:
> ]] Bernardf FRIT
>
> | Then the parent varnishd process starts immediately a new child process
> | which lasts some time.
> |
> | Is there any way to fix this. Remove the GRSEC kernel ? Upgrade the
> | kernel ? Varnish ? or whatever ?
>
> Work out why it thinks that varnishd is doing something wrong?  It
> doesn't seem to say so in the log.
>
> --
> Tollef Fog Heen
> Redpill Linpro -- Changing the game!
> t: +47 21 54 41 73

grsec will often report that signals were sent, not that grsec
necessarily sent that signal itself. I don't think I've ever actually
seen it report itself sending a signal to a process. So varnishd could
be segfaulting for some reason and grsec is just reporting this. If
you're getting a core file, try loading it into gdb and using 'bt' on
it, to see where it's dying.

One other thing to try: As soon as it happens, try using 'dmesg' (or
"dmesg -s 131072" in case you have lots of things logging to the
kernel logs) and grep for PAX. It's not likely, but PAX could be
killing it due to some violation. And for whatever reason, the PAX
message doesn't show up in the logs, just in dmesg.
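
The dmesg check described above, as an added example that is not part of the original post: a shell filter that separates PaX kill messages from grsec signal reports for one process. The log lines are constructed samples and their layout is an assumption; adjust the patterns to what your kernel actually prints.

```shell
#!/bin/sh
# Added example. Usage on a live box:  dmesg -s 131072 | triage_klog varnishd
# Verdicts: pax-kill        -> a PAX line names the process (PaX terminated it)
#           signal-reported -> grsec only logged a signal (e.g. a plain segfault)
#           no-match        -> nothing in the kernel log about this process

# Constructed sample lines (format assumed, not captured from a real system).
SAMPLE_SIGNAL='grsec: signal 11 sent to /usr/sbin/varnishd[varnishd:4312] uid/euid:65534/65534 gid/egid:65534/65534, parent /usr/sbin/varnishd[varnishd:4310] uid/euid:0/0 gid/egid:0/0'
SAMPLE_PAX='PAX: terminating task: /usr/sbin/varnishd(varnishd):4312, uid/euid: 65534/65534, PC: 00007f3a5c2d1e40, SP: 00007fff8a1b2c38'
# A different process whose *parent* is varnishd; must not count as a hit.
SAMPLE_OTHER='grsec: signal 11 sent to /bin/sh[sh:5120] uid/euid:65534/65534 gid/egid:65534/65534, parent /usr/sbin/varnishd[varnishd:4310] uid/euid:0/0 gid/egid:0/0'

triage_klog() {
    # $1 = process name to look for; kernel log text is read from stdin.
    awk -v proc="$1" '
        {
            # Only the subject of the line counts, so drop the parent part.
            subject = $0
            sub(/, parent .*/, "", subject)
            if (index(subject, proc) == 0) next
        }
        # PaX prefix may be logged as "PAX:" or "PaX:"; compare upper-cased.
        toupper(subject) ~ /PAX:/ { pax++; next }
        subject ~ /grsec:/ && subject ~ /signal [0-9]+ sent/ { sig++ }
        END {
            verdict = pax ? "pax-kill" : (sig ? "signal-reported" : "no-match")
            printf "%s pax=%d signal=%d\n", verdict, pax, sig
        }'
}

# Demo on the constructed samples; prints: pax-kill pax=1 signal=1
printf '%s\n' "$SAMPLE_SIGNAL" "$SAMPLE_PAX" "$SAMPLE_OTHER" | triage_klog varnishd
```

A `signal-reported` verdict points back to the core file and `bt` in gdb; a `pax-kill` verdict means the PaX restrictions on the binary are what to look at.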


