#185 Certmonger spawns Zombie Processes
Closed: fixed by rcritten. Opened by rcritten.

cloned from https://github.com/freeipa/freeipa-container/issues/369

Hello,

I'm on the Latest Fedora 33 Image.
Today I did an upgrade from the container version Fedora-32 to Fedora-33.
The Upgrade worked fine without any hiccups or problems except the container now contains Zombie processes.

I get the following:

root@XXXX:~# ps aux | grep 'Z'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3043 0.0 0.0 13464 1036 pts/0 S+ 15:01 0:00 grep --color=auto Z
root 32403 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]
root 32424 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]
root 32436 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]
root 32445 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]
root 32465 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]
root 32470 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]
root 32477 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]
root 32481 0.0 0.0 0 0 ? Z 15:00 0:00 [certmonger]

The Certmonger Service after container start and before a kinit admin inside the container:

[root@ipa4 /]# systemctl status certmonger
 certmonger.service - Certificate monitoring and PKI enrollment
     Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2021-01-07 14:00:26 UTC; 9min ago
   Main PID: 100 (certmonger)
      Tasks: 9 (limit: 4582)
     Memory: 4.5M
     CGroup: /system.slice/docker.service/system.slice/certmonger.service
             └─100 /usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
Jan 07 14:00:27 ipa4 certmonger[200]: 2021-01-07 14:00:27 [200] Running enrollment/cadata helper "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit".
Jan 07 14:00:27 ipa4 certmonger[201]: 2021-01-07 14:00:27 [201] Running enrollment/cadata helper "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit".
Jan 07 14:00:27 ipa4 certmonger[202]: 2021-01-07 14:00:27 [202] Running enrollment/cadata helper "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit".
Jan 07 14:00:27 ipa4 certmonger[203]: 2021-01-07 14:00:27 [203] Running enrollment/cadata helper "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit".
Jan 07 14:00:27 ipa4 certmonger[204]: 2021-01-07 14:00:27 [204] Running enrollment/cadata helper "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit".
Jan 07 14:00:27 ipa4 certmonger[206]: 2021-01-07 14:00:27 [206] Certificate "Local Signing Authority" valid for 23706014s.
Jan 07 14:00:27 ipa4 certmonger[206]: 2021-01-07 14:00:27 [206] Certificate "Local Signing Authority 2" valid for 7918212s.
Jan 07 14:00:27 ipa4 certmonger[206]: 2021-01-07 14:00:27 [206] Certificate "Local Signing Authority 3" no longer valid.
Jan 07 14:00:33 ipa4 certmonger[149]: Error obtaining initial credentials: Cannot contact any KDC for requested realm.
Jan 07 14:00:33 ipa4 certmonger[149]: Error setting up ccache at the client: Cannot contact any KDC for requested realm.

The issue is that the certmaster CA helper was not removed and this is causing:

Error running enrollment helper "/usr/libexec/certmonger/certmaster-submit": No such file or directory.

Which results in the zombies. Apparently child processes aren't being reaped if they fail.
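
The failure mode described above (a configured helper that no longer exists, and a child that exits without being reaped), as an added example. This is not certmonger's code and not the change made in the linked pull request; `run_helper`, `no_unreaped_children` and the helper path are hypothetical names constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn a helper and always reap it, including when exec fails.
 * Returns the helper's exit status, 127 if it could not be executed,
 * or -1 if fork/waitpid failed or the helper died from a signal. */
int run_helper(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(path, path, (char *)NULL);
        /* Only reached when exec failed, e.g. ENOENT for a removed helper. */
        _exit(127);
    }
    int status;
    pid_t r;
    /* Skipping this waitpid() on the failure path is what leaves the
     * exited child in the process table as a zombie (STAT "Z"). */
    do {
        r = waitpid(pid, &status, 0);
    } while (r < 0 && errno == EINTR);
    if (r < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if the calling process has no children left to reap. */
int no_unreaped_children(void)
{
    pid_t r = waitpid(-1, NULL, WNOHANG);
    return r < 0 && errno == ECHILD;
}

int main(void)
{
    /* Constructed path: stands in for a configured helper that is missing. */
    int rc = run_helper("/nonexistent/example-helper-submit");
    printf("helper exit=%d, children left to reap: %s\n",
           rc, no_unreaped_children() ? "none" : "some");
    return 0;
}
```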


Metadata Update from @rcritten:
- Issue priority set to: major

Metadata Update from @rcritten:
- Issue assigned to rcritten

https://pagure.io/certmonger/pull-request/186

Merged.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
