Empty openldap slapd consuming 800 MB memory on LXC (solved)

Hello everyone,

I’m having a hard time figuring out why slapd is using so much memory (around 800 MB) in an LXC container.

I’m relying on Ubuntu 17.10:
driver: lxc
driver_version: 2.1.0
kernel: Linux
kernel_architecture: x86_64
kernel_version: 4.13.0-21-generic
server: lxd
server_pid: 5204
server_version: "2.18"
storage: zfs
storage_version: 0.6.5.11-1ubuntu3

I tried installing slapd on the following images:
images:ubuntu/artful/amd64
images:debian/stretch/amd64
ubuntu:xenial/amd64
images:debian/jessie/amd64

The problem is present in both Ubuntu images but only in the Stretch one.
Indeed in the Jessie image slapd is consuming around 45 MB of memory, which sounds correct.

All I’m doing is just launching the image and then “apt install slapd”, then looking at memory consumption.

There was the exact same bug on Docker: https://github.com/moby/moby/issues/8231
and https://github.com/dinkel/docker-openldap/blob/master/entrypoint.sh (look at the first 3 lines)

So I tried playing with the ulimits but this changes nothing, as the ulimit -n is already set at 1024.

Does anyone have an idea how I can have a workaround for this?
Installing slapd in Jessie container now is not really “future-proof”.

Hi,

I have done a quick test with LXD installed from snapd and launched a xenial container.

Before I set the ulimit -n 1024 and run slapd on the same console I get this in /var/log/syslog:

Jan  5 23:12:12 c1 slapd[1250]: @(#) $OpenLDAP: slapd  (Ubuntu) (May 30 2017 19:20:53) $#012#011buildd@lgw01-18:/build/openldap-JXEADB/openldap-2.4.42+dfsg/debian/build/servers/slapd
Jan  5 23:12:12 c1 slapd[1251]: ch_calloc of 1048576 elems of 704 bytes failed
Jan  5 23:12:12 c1 systemd[1]: Starting Apport crash forwarding receiver...
Jan  5 23:12:12 c1 systemd[1]: Started Apport crash forwarding receiver.
Jan  5 23:14:07 c1 slapd: slapd stopped.
Jan  5 23:14:07 c1 slapd: connections_destroy: nothing to destroy.
Jan  5 23:14:10 c1 slapd: slapd stopped.
Jan  5 23:14:10 c1 slapd: connections_destroy: nothing to destroy.

After I set ulimit -n 1024 and run slapd on that same console the daemon starts correctly:
Jan 5 23:14:15 c1 slapd[1266]: @(#) $OpenLDAP: slapd (Ubuntu) (May 30 2017 19:20:53) $#012#011buildd@lgw01-18:/build/openldap-JXEADB/openldap-2.4.42+dfsg/debian/build/servers/slapd
Jan 5 23:14:15 c1 slapd[1267]: slapd starting

Can you try the same and see if it works for you?

I’m running LXD from packages/repo and not from snap and I can’t change this for the moment.

My ulimit -n is already set to 1024:

 # ulimit -a

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 127967
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

I have no problem starting the daemon, and thus I don’t get this error “ch_calloc of 1048576 elems of 704 bytes failed”.
Slapd isn’t complaining at all.

I tried forcing ulimit -n lower, no effect.

But are you running slapd from that same console? Because if you are running through a script or via another user the ulimit is gonna be different if you do not set it properly via /etc/security/limits.conf

I have launched a VM with 17.10, installed lxd via apt (2.18), launched a xenial container and ran the same steps; I have the same output as I described before. So it seems for now that you are not setting ulimit -n properly for slapd to be able to run.

Can you do a cat /proc/$(pgrep slapd)/limits | grep files ?

OK, you found the problem! Still, I can’t manage to get a solution:

# cat /proc/$(pidof slapd)/limits | grep files
Max open files            1048576              1048576              files

I first tried with these params but they didn’t work:

# cat /etc/security/limits.conf
openldap                soft    nofile          1024
openldap                hard    nofile          1024

Then I tried these, still no result:

# cat /etc/security/limits.conf
*                soft    nofile          1024
*                hard    nofile          1024
root             soft    nofile          1024
root             hard    nofile          1024 

I even tried adding the pam module:

 # grep -nr limits /etc/pam.d/
/etc/pam.d/sshd:40:session    required     pam_limits.so
/etc/pam.d/common-session-noninteractive:31:session required    pam_limits.so
/etc/pam.d/cron:20:session    required   pam_limits.so
/etc/pam.d/su:52:session    required   pam_limits.so
/etc/pam.d/common-session:32:session required    pam_limits.so
/etc/pam.d/systemd-user:10:session  required pam_limits.so
/etc/pam.d/runuser:4:session            required        pam_limits.so
/etc/pam.d/login:77:session    required   pam_limits.so

The file limit stays unchanged.

I must be missing something, could you show me what you did?

OK, finally I found the solution:

I had to add “DefaultLimitNOFILE=1024” to /etc/systemd/system.conf

Limits set via the /etc/security/limits seem to not work with Ubuntu: https://unix.stackexchange.com/questions/366352/etc-security-limits-conf-not-applied

Thank you for your help, greatly appreciated.

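
Added example (not part of the original thread): a small shell check that reads a process's "Max open files" limit in the /proc/<pid>/limits layout and estimates the table size it implies, before and after the DefaultLimitNOFILE=1024 change. It assumes slapd sizes that table from the open-files limit at 704 bytes per element, as the "ch_calloc of 1048576 elems of 704 bytes" log line and the limits output above suggest; the function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: relate a process's open-files limit to the table slapd allocates.

# Bytes per element, from the thread's log line
# "ch_calloc of 1048576 elems of 704 bytes failed".
ELEM_BYTES=704

# Print the soft "Max open files" value from a /proc/<pid>/limits style file.
soft_nofile() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Size in KiB of a table holding one ELEM_BYTES element per descriptor.
table_kib() {
    echo $(( $1 * ELEM_BYTES / 1024 ))
}

# Print "<soft limit> <table KiB> <HIGH|OK>"; the threshold defaults to 1024.
check_limits() {
    local soft
    soft=$(soft_nofile "$1") || soft=""
    case "$soft" in
        ''|*[!0-9]*) echo "unknown 0 REVIEW"; return 0 ;;
    esac
    if [ "$soft" -gt "${2:-1024}" ]; then
        echo "$soft $(table_kib "$soft") HIGH"
    else
        echo "$soft $(table_kib "$soft") OK"
    fi
}

# Constructed sample in /proc/<pid>/limits layout (hypothetical helper).
make_sample() {
    local f
    f=$(mktemp)
    printf '%-26s%-21s%-21s%s\n' 'Limit' 'Soft Limit' 'Hard Limit' 'Units' \
        'Max open files' "$1" "$1" 'files' > "$f"
    echo "$f"
}

BEFORE=$(make_sample 1048576)   # value reported in the thread
AFTER=$(make_sample 1024)       # value after DefaultLimitNOFILE=1024
check_limits "$BEFORE"          # 1048576 720896 HIGH
check_limits "$AFTER"           # 1024 704 OK

# Live check, only when a slapd process exists on this host.
if pid=$(pidof -s slapd 2>/dev/null); then check_limits "/proc/$pid/limits"; fi
rm -f "$BEFORE" "$AFTER"
```

720896 KiB is 704 MiB, in line with the roughly 800 MB reported at the top of the thread. systemd also accepts LimitNOFILE= in a unit's [Service] section, which scopes the lower limit to one service instead of changing the default for every service.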