Checker directive - debug info

Teddy Hogeborn teddy at recompile.se
Sun Jun 24 04:01:23 CEST 2012 

Dick Middleton <dick at fouter.net> writes:

> > >         3. puts funny characters in logger
[...]
> Jun 23 19:18:54 rpi Mandos [2391]: INFO: TCP connection from:
> ('fe80::20a:cdff:fe1c:7cd0%eth0', 43125, 0, 2)

Huh.  On further investigation that turns out to be deliberate; those
characters are the UTF-8 BOM.  From logging/handlers.py:

>         # Treat unicode messages as required by RFC 5424
>         if _unicode and type(msg) is unicode:
>             msg = msg.encode('utf-8')
>             if codecs:
>                 msg = codecs.BOM_UTF8 + msg

So, your syslog daemon doesn't seem to understand the RFC 5424 format.
Also, neither does ours (rsyslog) - we can see the same characters in
the log here.  So I think we can chalk this one up to rsyslog not
following RFC 5424 and move on.

> Regarding 2. pickle file - I think I misunderstood; this file doesn't
> exist when mandos is running.  Is that right?

Yes.

> It's read and deleted then written again when mandos terminates. 

Yes.

> So it's probably been working all along.

Oh; well, that's good.  :)

> Regarding 3.
>
> > See, that's odd.  Twelve lines before that, a child process *was*
> > started, as logged by the debug message.  Even if the subprocess
> > exited before this line, there ought to have been a zombie process
> > with the exit status for waitpid() to read.  So I don't see how this
> > could ever happen.  I've added code to check for this in the latest
> > trunk, though.
>
> "If anything just cannot go wrong, it will anyway." - Murphy's Law

Yes; that's why I added code to handle that condition.  But even in
theory, that condition should be impossible, which is why we didn't
originally check for it.

> I replaced :/true with sleep 1 and it's still going strong.  I think
> you're right it's a race condition. The test is completing before you
> can get to check for it.  Probably aggravated by the very slow
> processor.

Yeah, but the thing is, the code doing the waitpid is there to cover for
this exact race condition - in case the process completed before we
could add the subprocess to the gobject event loop.  When a process
exits, a zombie should remain until waitpid() is called to get the exit
status - that's what zombies are for.  For waitpid to give ECHILD, this
means there is no zombie - either no subprocess was started, or
something else did waitpid() already; neither seems very likely.

Now, if there is no subprocess at all after we just started a checker,
what should we consider the checker result to be?

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <http://mail.recompile.se/pipermail/mandos-dev/attachments/20120624/edbb3a81/attachment.pgp>

More information about the Mandos-Dev mailing list