Public bug reported:
In Ubuntu 16.04 using cups version 2.1.3-4 the cups daemon leaves tcp sockets in CLOSE_WAIT state if a client uses kerberos authentication with encryption (the default for authenticated connections). cupds will then also consume 100% of a CPU. The impact of this bug is that after a few hours cupsd stops accepting new connections as it runs out of sockets. (This can be slowed down by increasing the open files limit and setting MaxClients to a much higher number) This bug does not exist in cups 1.5.3-0ubuntu8.7 on Ubuntu 12.04. To replicate: Cups server requires kerberos authentication. Cups client runs 'lpstat -h cupserver.domain -v' after obtaining valid kerberos credentials. The cups daemon will then have a connection in CLOSE_WAIT state (according to netstat). In cupsd debug mode the client rapidly logs thousands of: D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=100 The debug error_log for a connection is: D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Not busy" D [24/May/2016:11:49:17 +0100] [Client 29] Accepted from AAA.BBB.CCC.DDD:40678 (IPv4) D [24/May/2016:11:49:17 +0100] [Client 29] Waiting for request. D [24/May/2016:11:49:17 +0100] [Client 29] OPTIONS * HTTP/1.1 D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Active clients", busy="Not busy" D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=200 D [24/May/2016:11:49:17 +0100] [Client 29] No authentication data provided. D [24/May/2016:11:49:17 +0100] [Client 29] cupsdSendHeader: code=101, type="(null)", auth_type=0 D [24/May/2016:11:49:17 +0100] [Client 29] Connection now encrypted. D [24/May/2016:11:49:17 +0100] [Client 29] cupsdSendHeader: code=200, type="(null)", auth_type=0 D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Active clients" D [24/May/2016:11:49:17 +0100] [Client 29] POST / HTTP/1.1 D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Active clients", busy="Not busy" D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=200 D [24/May/2016:11:49:17 +0100] [Client 29] No authentication data provided. D [24/May/2016:11:49:17 +0100] cupsdIsAuthorized: username="" D [24/May/2016:11:49:17 +0100] [Client 29] cupsdSendHeader: code=401, type="text/html", auth_type=0 D [24/May/2016:11:49:17 +0100] [Client 29] WWW-Authenticate: Negotiate D [24/May/2016:11:49:17 +0100] [Client 29] Closing connection. D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Active clients" D [24/May/2016:11:49:17 +0100] [Client 29] Waiting for socket close. D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=100 ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: cups-daemon 2.1.3-4 ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8 Uname: Linux 4.4.0-22-generic x86_64 ApportVersion: 2.20.1-0ubuntu2 Architecture: amd64 CupsErrorLog: Date: Thu May 26 08:20:33 2016 InstallationDate: Installed on 2016-04-25 (30 days ago) InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3) KernLog: Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub MachineType: QEMU Standard PC (i440FX + PIIX, 1996) Papersize: a4 ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz root=/dev/mapper/cups2016--vg-root ro SourcePackage: cups UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 01/01/2011 dmi.bios.vendor: Bochs dmi.bios.version: Bochs dmi.chassis.type: 1 dmi.chassis.vendor: Bochs dmi.modalias: dmi:bvnBochs:bvrBochs:bd01/01/2011:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-trusty:cvnBochs:ct1:cvr: dmi.product.name: Standard PC (i440FX + PIIX, 1996) dmi.product.version: pc-i440fx-trusty dmi.sys.vendor: QEMU ** Affects: cups (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug xenial -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1585923 Title: cupsd leaves sockets in CLOSE_WAIT if client uses kerberos authentication Status in cups package in Ubuntu: New Bug description: In Ubuntu 16.04 using cups version 2.1.3-4 the cups daemon leaves tcp sockets in CLOSE_WAIT state if a client uses kerberos authentication with encryption (the default for authenticated connections). cupds will then also consume 100% of a CPU. The impact of this bug is that after a few hours cupsd stops accepting new connections as it runs out of sockets. (This can be slowed down by increasing the open files limit and setting MaxClients to a much higher number) This bug does not exist in cups 1.5.3-0ubuntu8.7 on Ubuntu 12.04. To replicate: Cups server requires kerberos authentication. Cups client runs 'lpstat -h cupserver.domain -v' after obtaining valid kerberos credentials. The cups daemon will then have a connection in CLOSE_WAIT state (according to netstat). In cupsd debug mode the client rapidly logs thousands of: D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=100 The debug error_log for a connection is: D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Not busy" D [24/May/2016:11:49:17 +0100] [Client 29] Accepted from AAA.BBB.CCC.DDD:40678 (IPv4) D [24/May/2016:11:49:17 +0100] [Client 29] Waiting for request. D [24/May/2016:11:49:17 +0100] [Client 29] OPTIONS * HTTP/1.1 D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Active clients", busy="Not busy" D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=200 D [24/May/2016:11:49:17 +0100] [Client 29] No authentication data provided. D [24/May/2016:11:49:17 +0100] [Client 29] cupsdSendHeader: code=101, type="(null)", auth_type=0 D [24/May/2016:11:49:17 +0100] [Client 29] Connection now encrypted. D [24/May/2016:11:49:17 +0100] [Client 29] cupsdSendHeader: code=200, type="(null)", auth_type=0 D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Active clients" D [24/May/2016:11:49:17 +0100] [Client 29] POST / HTTP/1.1 D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Active clients", busy="Not busy" D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=200 D [24/May/2016:11:49:17 +0100] [Client 29] No authentication data provided. D [24/May/2016:11:49:17 +0100] cupsdIsAuthorized: username="" D [24/May/2016:11:49:17 +0100] [Client 29] cupsdSendHeader: code=401, type="text/html", auth_type=0 D [24/May/2016:11:49:17 +0100] [Client 29] WWW-Authenticate: Negotiate D [24/May/2016:11:49:17 +0100] [Client 29] Closing connection. D [24/May/2016:11:49:17 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Active clients" D [24/May/2016:11:49:17 +0100] [Client 29] Waiting for socket close. D [24/May/2016:11:49:17 +0100] [Client 29] Read: status=100 ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: cups-daemon 2.1.3-4 ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8 Uname: Linux 4.4.0-22-generic x86_64 ApportVersion: 2.20.1-0ubuntu2 Architecture: amd64 CupsErrorLog: Date: Thu May 26 08:20:33 2016 InstallationDate: Installed on 2016-04-25 (30 days ago) InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3) KernLog: Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub MachineType: QEMU Standard PC (i440FX + PIIX, 1996) Papersize: a4 ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz root=/dev/mapper/cups2016--vg-root ro SourcePackage: cups UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 01/01/2011 dmi.bios.vendor: Bochs dmi.bios.version: Bochs dmi.chassis.type: 1 dmi.chassis.vendor: Bochs dmi.modalias: dmi:bvnBochs:bvrBochs:bd01/01/2011:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-trusty:cvnBochs:ct1:cvr: dmi.product.name: Standard PC (i440FX + PIIX, 1996) dmi.product.version: pc-i440fx-trusty dmi.sys.vendor: QEMU To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1585923/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp