Bug 49910

Summary: Disable pam_systemd by default
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: PAM
Assignee: Philipp Hahn <hahn>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: brodersen
Version: UCS 4.4
Keywords: systemd
Target Milestone: UCS 4.4-1-errata
Hardware: Other
OS: Linux
URL: https://serverfault.com/questions/706475/ssh-sessions-hang-on-shutdown-reboot
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=49614
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 47233, 49614
Bug Blocks: 49941

Description Philipp Hahn univentionstaff 2019-07-23 11:40:19 CEST
With Bug #47233 we enabled pam_systemd to terminate ssh sessions when the server reboots or is shut down.
Unfortunately this has two negative side effects:

- for each user a `systemd --user` is started, which remains even after exit. On servers (running Samba) this leads to many extra processes consuming valuable system resources like RAM and has already led to processes being killed by OOM.

- for each session the module creates a new CGroup, which "leaks" memory in the Linux kernel (Bug #49614): in-kernel memory structures remain associated with the CGroup even after all processes have terminated, which prevents the CGroup from finally being freed.

1. Disable the PAM module by default
2. Add a new UCR variable to enable it on demand.
Comment 1 Philipp Hahn univentionstaff 2019-07-23 12:04:18 CEST
[4.4-1] e9dbd51b28 Bug #49910 pam: Fix swapped UCRV descriptions
 .../debian/univention-pam.univention-config-registry              | 1 +
 .../debian/univention-pam.univention-config-registry-variables    | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

[4.4-1] 43ff7804c3 Bug #49910 pam: Disable pam_systemd by default
 .../conffiles/etc/pam.d/common-session.d/10univention-pam_common    | 2 +-
 base/univention-pam/debian/changelog                                | 6 ++++++
 .../debian/univention-pam.univention-config-registry-variables      | 6 ++++++
 3 files changed, 13 insertions(+), 1 deletion(-)


Package: univention-pam
Version: 12.0.2-3A~4.4.0.201907231200
Branch: ucs_4.4-0
Scope: errata4.4-1

[4.4-1] ea9378acb3 Bug #35173: univention-pam 12.0.2-3A~4.4.0.201907231200
 doc/errata/staging/univention-pam.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

QA:
 grep --color pam_systemd /etc/pam.d/common-session
 ucr set pam/session/systemd=1
 grep --color pam_systemd /etc/pam.d/common-session
 ucr set pam/session/systemd=0
 grep --color pam_systemd /etc/pam.d/common-session
 ucr unset pam/session/systemd
 grep --color pam_systemd /etc/pam.d/common-session
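As an added example (not part of this bug report or of the univention-pam package), a small POSIX shell audit that checks the two things the report is about: whether an uncommented `pam_systemd.so` session line is active in a PAM stack such as /etc/pam.d/common-session (the QA steps above use a plain grep, which also matches commented-out lines), and how many lingering `systemd --user` instances a process listing contains. The function names are my own, and the sample PAM lines and ps output embedded below are constructed.

```shell
#!/bin/sh
# Added example; not code from the bug or the univention-pam package.
# Sample PAM lines and ps output below are constructed.

# pam_systemd_enabled: read a PAM stack (e.g. /etc/pam.d/common-session) on stdin
# and print 1 if an active, uncommented "session" line loads pam_systemd.so, else 0.
pam_systemd_enabled() {
    # Strip comments first so a commented-out module line does not count as
    # enabled, then match session/-session lines whose module is pam_systemd.so.
    # The control field may be a bracketed list with spaces, so it is not anchored.
    if sed 's/#.*//' | grep -Eq '^[[:space:]]*-?session[[:space:]].*[[:space:]]pam_systemd\.so([[:space:]]|$)'; then
        echo 1
    else
        echo 0
    fi
}

# count_user_managers: given "ps -eo args" style output on stdin, count per-user
# "systemd --user" managers (the extra processes the description complains about).
count_user_managers() {
    # grep -c exits 1 when the count is 0; the "|| true" keeps the count as output.
    grep -Ec '(^|/)systemd[[:space:]]+--user([[:space:]]|$)' || true
}

# Constructed samples standing in for the real config file and process list.
SAMPLE_DISABLED='session required pam_unix.so
# session optional pam_systemd.so
session optional pam_mkhomedir.so'

SAMPLE_ENABLED='session required pam_unix.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so'

SAMPLE_PS='/lib/systemd/systemd --system --deserialize 20
/lib/systemd/systemd --user
/lib/systemd/systemd --user
sshd: user1@pts/0'

# On a live system you would run:
#   pam_systemd_enabled < /etc/pam.d/common-session
#   ps -eo args | count_user_managers
printf '%s\n' "$SAMPLE_DISABLED" | pam_systemd_enabled   # prints 0
printf '%s\n' "$SAMPLE_ENABLED"  | pam_systemd_enabled   # prints 1
printf '%s\n' "$SAMPLE_PS"       | count_user_managers   # prints 2
```

Running the two checks before and after toggling `pam/session/systemd` gives a pass/fail signal for the QA steps above, and the process count is the figure to watch on Samba servers where the lingering user managers were consuming memory.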
Comment 2 Erik Damrose univentionstaff 2019-07-24 15:03:19 CEST
<http://errata.software-univention.de/ucs/4.4/191.html>