I have a Xen guest which is having problems with nginx and grsec.
Worker processes for nginx fail when HTTP requests are made.

Each request leaves messages much like these:
[ 800.424417] nginx[7540]: segfault at 8 ip 00000c513b8ba644 sp
00007138a2675300 error 4 in nginx[c513b882000+f0000]
[ 800.424428] grsec: From 202.76.166.249: Segmentation fault occurred
at 0000000000000008 in /usr/sbin/nginx[nginx:7540] uid/euid:102/102
gid/egid:247/247, parent /usr/sbin/nginx[nginx:7389] uid/euid:0/0
gid/egid:0/0
[ 800.424435] grsec: From 202.76.166.249: bruteforce prevention
initiated for the next 30 minutes or until service restarted, stalling
each fork 30 seconds. Please investigate the crash report for
/usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent
/usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0
[ 800.424441] grsec: From 202.76.166.249: denied resource overstep by
requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/sbin/nginx[nginx:7540] uid/euid:102/102 gid/egid:247/247, parent
/usr/sbin/nginx[nginx:7389] uid/euid:0/0 gid/egid:0/0

It would be great if someone could tell me what sysctl options or
kernel options I can change to fix this in the short term. It might
take me a while to understand the problem better and it would be good
to have the system running.

This system has changed recently from a VirtualBox guest to being a
Xen guest. So the kernel is built differently, I am using the
grsecurity defaults for a Xen guest with performance priorities. It
ran fine as a VirtualBox guest.

Let me know if you need more info.

--
www.johntate.org