I got multiple-second hangs upon every PAM authentication in this scenario:
- sys-libs/pam-1.0.1 with audit support
- sys-process/audit-1.7.4 installed
- kernel 2.6.27-rc3 *without* audit support

Disabling audit support in sys-libs/pam fixed this. The messages log doesn't show anything interesting.
Created attachment 163233 [details] emerge_info.txt
dberkholz: Is there anything in your syslog like:
audit_log_acct_message() failed: %m
OR
audit_open() failed: %m
Created attachment 163263 [details] audittest.c
Testcase. Please compile and link against libaudit. Run it as something that gives exact timestamps for each line of output.

My own test:
# ./audittest | tai64n| tai64nlocal
2008-08-18 17:55:57.872091500 DEBUG:/tmp/audittest.c:173:_pam_audit_end:ENTER
2008-08-18 17:55:57.872092500 DEBUG:/tmp/audittest.c:107:_pam_auditlog:ENTER
2008-08-18 17:55:57.872093500 DEBUG:/tmp/audittest.c:76:_pam_audit_open:ENTER
2008-08-18 17:55:57.872093500 DEBUG:/tmp/audittest.c:95:_pam_audit_open:LEAVE
2008-08-18 17:55:57.872094500 DEBUG:/tmp/audittest.c:41:_pam_audit_writelog:ENTER
2008-08-18 17:55:57.872094500 DEBUG:/tmp/audittest.c:66:_pam_audit_writelog:LEAVE
2008-08-18 17:55:57.872095500 DEBUG:/tmp/audittest.c:164:_pam_auditlog:LEAVE
2008-08-18 17:55:57.872096500 DEBUG:/tmp/audittest.c:175:_pam_audit_end:LEAVE
dberkholz: did you ever run the testcase?
# gcc testcase.c -o testcase -laudit
# ./audittest | tai64n| tai64nlocal
(In reply to comment #4)
> dberkholz: did you ever run the testcase?
> # gcc testcase.c -o testcase -laudit
> # ./audittest | tai64n| tai64nlocal
>

I have a theory on why this is. I'm actually tracking down a similar issue. When I log in to my box via SSH, it takes multiple seconds to log in even though the box is hardly loaded. Here's what I found:

1) SSH is hanging in an audit lib call which opens a netlink socket of protocol type AUDIT.
2) The netlink_create() code notices that the AUDIT protocol is !registered.
3) The kernel then (since we're generally using a modular kernel) does a request_module()
4) request_module() eventually uses call_usermodehelper() to run /sbin/modprobe in userspace to find the module that contains the AUDIT protocol
5) wait_for_completion() introduces the multi-second delay.

I haven't debugged it any farther than this, but I'm fairly certain it is a kernel issue. Try compiling/running this small code snippet to see if it hangs in the same fashion. Just running it with no parameters opens a netlink socket for auditing:

$ cat socktest.c
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <linux/netlink.h>
#include <stdlib.h>
#include <unistd.h>

int sock_type = 0;
char const* options = "s:";

int main(int argc, char** argv)
{
    int proto;
    int o;

    /* -s <n> selects the netlink protocol number to open */
    o = getopt(argc, argv, options);
    if ( o == 's' )
        proto = atoi(optarg);
    else
        proto = 9;  /* 9 == NETLINK_AUDIT */

    int fd;
    fd = socket(PF_NETLINK, SOCK_RAW, proto);
    printf("Got socket: %d\n", fd);
    return 0;
}
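Added example, not part of the original thread or of any poster's code: a timed variant of the socket test above that records errno and latency for the NETLINK_AUDIT open next to a NETLINK_ROUTE baseline, so the delay described in steps 1-5 can be told apart from an ordinary failure. The names probe_netlink and classify and the 100 ms SLOW_MS threshold are assumptions made for illustration.

```c
/* Added example: time socket() for a netlink protocol and classify the result. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>
#include <linux/netlink.h>

struct probe { int proto; int err; double ms; };

/* Open and close one netlink socket, recording errno and wall-clock latency. */
struct probe probe_netlink(int proto)
{
    struct probe p = { proto, 0, 0.0 };
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    int fd = socket(PF_NETLINK, SOCK_RAW, proto);
    p.err = fd < 0 ? errno : 0;      /* save errno before any other call */
    clock_gettime(CLOCK_MONOTONIC, &b);
    if (fd >= 0) close(fd);
    p.ms = (b.tv_sec - a.tv_sec) * 1e3 + (b.tv_nsec - a.tv_nsec) / 1e6;
    return p;
}

/* Assumed threshold: an in-kernel protocol lookup is far below this,
 * a userspace modprobe round trip is typically above it. */
#define SLOW_MS 100.0

/* 0 = protocol available, 1 = unsupported and fast, 2 = unsupported and
 * slow (the pattern described in the thread), 3 = some other error. */
int classify(const struct probe *p)
{
    if (p->err == 0) return 0;
    if (p->err != EPROTONOSUPPORT) return 3;
    return p->ms >= SLOW_MS ? 2 : 1;
}

int main(void)
{
    int protos[] = { NETLINK_ROUTE, NETLINK_AUDIT };  /* baseline, then audit */
    for (int i = 0; i < 2; i++) {
        struct probe p = probe_netlink(protos[i]);
        printf("proto=%d errno=%d (%s) %.3f ms verdict=%d\n", p.proto, p.err,
               p.err ? strerror(p.err) : "ok", p.ms, classify(&p));
    }
    return 0;
}
```

A verdict of 2 for NETLINK_AUDIT while NETLINK_ROUTE returns quickly matches the delayed, unregistered-protocol case described above.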
No response from submitter in 4 years.