"out of memory" when changing passwords in dynsec #2525

Closed
sezanzeb opened this issue May 3, 2022 · 3 comments

sezanzeb commented May 3, 2022

I'm running 32GB of RAM, this is probably not really an out of memory problem, just like #2520

image build:

 1883:1883 mosquitto
Sending build context to Docker daemon  15.87kB
Step 1/5 : FROM eclipse-mosquitto
 ---> 58900513926f
Step 2/5 : COPY mosquitto.conf /mosquitto/config/
 ---> Using cache
 ---> e75f9c3c4fb6
Step 3/5 : RUN mkdir /dynsec
 ---> Using cache
 ---> f78a070afb13
Step 4/5 : COPY dynamic-security.json /dynsec/
 ---> 69874974e260
Step 5/5 : RUN chown mosquitto:mosquitto /dynsec -R
 ---> Running in 3f131093313f
Removing intermediate container 3f131093313f
 ---> 58b22fad682b
Successfully built 58b22fad682b
Successfully tagged mosquitto:latest
1651585528: mosquitto version 2.0.14 starting
1651585528: Config loaded from /mosquitto/config/mosquitto.conf.
1651585528: Loading plugin: /usr/lib/mosquitto_dynamic_security.so
1651585528: Opening ipv4 listen socket on port 1883.
1651585528: Opening ipv6 listen socket on port 1883.
1651585528: mosquitto version 2.0.14 running
1651585532: New connection from 172.17.0.1:49132 on port 1883.
1651585532: New client connected from 172.17.0.1:49132 as auto-B5DD816C-9D2E-1CA9-7000-4490957E19D1 (p5, c1, k60, u'admin').
1651585532: Client auto-B5DD816C-9D2E-1CA9-7000-4490957E19D1 been disconnected by administrative action.
1651585532: dynsec: (null)/admin | setClientPassword | username=admin | password=******
1651585532: Client <unknown> disconnected due to out of memory.

dynamic-security.json:

{
	"clients":	[{
			"username":	"admin",
			"textName":	"Dynsec admin user",
			"password":	"HR8ZZDIIS42+0vmgLPpHuyrLkv23CYBuFYZFL9tqcL/QBVvOijqOfoQILndpcHejvR901nrxKBNrNwTRkj7QtA==",
			"salt":	"8pO+b79uAdLBiBqs",
			"iterations":	101,
			"roles":	[{
					"rolename":	"admin"
				}]
		}],
	"roles":	[{
			"rolename":	"admin",
			"acls":	[{
					"acltype":	"publishClientSend",
					"topic":	"$CONTROL/dynamic-security/#",
					"allow":	true
				}, {
					"acltype":	"publishClientReceive",
					"topic":	"$CONTROL/dynamic-security/#",
					"allow":	true
				}, {
					"acltype":	"subscribeLiteral",
					"topic":	"$CONTROL/dynamic-security/#",
					"allow":	true
				}, {
					"acltype":	"subscribePattern",
					"topic":	"$CONTROL/dynamic-security/#",
					"allow":	true
				}, {
					"acltype":	"unsubscribeLiteral",
					"topic":	"$CONTROL/dynamic-security/#",
					"allow":	true
				}, {
					"acltype":	"unsubscribePattern",
					"topic":	"$CONTROL/dynamic-security/#",
					"allow":	true
				}]
		}],
	"defaultACLAccess":	{
		"publishClientSend":	false,
		"publishClientReceive":	true,
		"subscribe":	false,
		"unsubscribe":	true
	}
}

mosquitto.conf:

per_listener_settings false

listener 1883
allow_anonymous false
# dynsec plugin
# put `RUN find / -name mosquitto_dynamic_security.so` into the dockerfile to figure out where this is
plugin /usr/lib/mosquitto_dynamic_security.so
# mount volume here via aws. Good luck figuring out how to do that.
plugin_opt_config_file /dynsec/dynamic-security.json

trying to set the password:

mosquitto_ctrl -h localhost -u admin -P admin dynsec setClientPassword admin
New password for admin: 
Reenter password for admin: 
Warning: You are running mosquitto_ctrl without encryption.
This means all of the configuration changes you are making are visible on the network, including passwords

mosquitto_ctrl blocks afterwards until I hit ctrl+c

Author

sezanzeb commented May 3, 2022

The password change seems to work, though.

Contributor

ralight commented May 12, 2022

There are a couple of things going on here. First off, the out of memory error is false, as you've guessed. A return code was being set to 1 for the client disconnecting, which is the same as the out of memory error code and hence why the message is given. So nothing to worry about.

The other problem you're seeing is related to the fact that the user is making a change which affects them. When changes are made to a client/group/role, all clients that are affected by that change are kicked off the server and have to reconnect. In 2.0.x, this happens before the command reply is sent to the client. In the develop branch the kick happens afterwards, so the client gets the reply and closes ok. There should be a 10 second timeout in 2.0.x as well.
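An added example (not part of the original thread and not Mosquitto project code): a small log triage that separates the misleading "out of memory" disconnect explained above, as seen in logs from 2.0.x brokers before 2.0.15, from one with no dynsec activity nearby. The function name, the 2-second window and the final `sensor-7` log line are assumptions constructed for illustration.

```python
import re

# Constructed sample: four lines copied from the log in this issue, plus one
# constructed line (the last) with no dynsec activity anywhere near it.
SAMPLE_LOG = """\
1651585532: New client connected from 172.17.0.1:49132 as auto-B5DD816C-9D2E-1CA9-7000-4490957E19D1 (p5, c1, k60, u'admin').
1651585532: Client auto-B5DD816C-9D2E-1CA9-7000-4490957E19D1 been disconnected by administrative action.
1651585532: dynsec: (null)/admin | setClientPassword | username=admin | password=******
1651585532: Client <unknown> disconnected due to out of memory.
1651589999: Client sensor-7 disconnected due to out of memory.
"""

LINE = re.compile(r"^(\d+): (.*)$")
KICK = re.compile(r"disconnected by administrative action\.$")
DYNSEC = re.compile(r"^dynsec: \S+ \| (\w+) \|")
OOM = re.compile(r"^Client (.+) disconnected due to out of memory\.$")


def triage_oom(log_text, window=2):
    """Classify every 'out of memory' disconnect in a mosquitto log.

    'dynsec-kick': a dynsec command or an administrative kick was logged at
                   most `window` seconds earlier (the misleading message).
    'unexplained': nothing of the kind nearby, so treat it as a real error.
    """
    last_kick = None   # timestamp of the most recent administrative kick
    last_cmd = None    # (timestamp, command) of the most recent dynsec command
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = int(m.group(1)), m.group(2)
        if KICK.search(msg):
            last_kick = ts
        elif (d := DYNSEC.match(msg)):
            last_cmd = (ts, d.group(1))
        elif (o := OOM.match(msg)):
            near_kick = last_kick is not None and ts - last_kick <= window
            near_cmd = last_cmd is not None and ts - last_cmd[0] <= window
            if near_kick or near_cmd:
                cause = last_cmd[1] if near_cmd else "administrative action"
                findings.append((ts, o.group(1), "dynsec-kick", cause))
            else:
                findings.append((ts, o.group(1), "unexplained", None))
    return findings
```

Only the `unexplained` entries warrant an alert; the window is a tuning choice, not a value taken from Mosquitto.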

Contributor

ralight commented Aug 12, 2022

The confusing error message is now fixed for 2.0.15.

@ralight ralight closed this as completed Aug 12, 2022
@ralight ralight added this to the 2.0.15 milestone Aug 12, 2022
ralight added a commit that referenced this issue Aug 12, 2022
This happens when a client is kicked in the dynamic security plugin.

Closes #2525. Thanks to sezanzeb.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2022