Bug ID 1103369: DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant

Last Modified: Apr 15, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.5, 13.1.5.1, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 17.0.0, 17.0.0.1

Fixed In:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3

Opened: Apr 27, 2022

Severity: 3-Major

Symptoms

REST tokens are not deleted from the cache in /var/run/pamcache when the tokens expire or are deleted.

Impact

Deleted tokens continue to be available in the cache. Memory is consumed because the cache is stored in an in-memory filesystem.

Conditions

- A large number of REST Auth tokens are created in multi-slot VIPRION, multi-slot vCMP Guest, or multi-slot VELOS tenant.

Workaround

First take immediate action to recover memory by removing stale tokens and restarting affected processes. This should be done to free memory, even if planning to update software to prevent reoccurrence.

Remove token files from /run/pamcache manually. This may have minor impact to REST API use, causing a REST user to need to reauthenticate. Execute the following command, using -print instead of -delete to verify the tokens to be deleted (recommended to not use clsh):

    # clsh "find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete"

httpd processes can be affected, so restart them. This has an impact to REST API and GUI for the few seconds until httpd restarts:

    # clsh bigstart restart httpd

Restart csyncd. This is expected to have no adverse impact:

    # clsh bigstart restart csyncd

Alternatively, clear any stale content and restart processes simply by rebooting the chassis (i.e. all blades together).

Next, it is possible to prevent the issue reoccurring by the following steps, if not quickly updating software to a fixed version. Execute the following commands in bash to remove the pamcache directory from the set being acted upon by "csyncd":

    # clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
    # clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
    # clsh "bigstart restart csyncd"
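A read-only audit to run on one blade before and after the workaround, given here as an added example and not F5 code. The function names are hypothetical, the directory is a parameter so the same match can be tried on a scratch directory, and the demo files are constructed.

```sh
#!/bin/sh
# Added example (not F5 code): read-only checks around the workaround.
# Function names are hypothetical; no token file or config is modified.

# Print the files the cleanup regex selects in $1 (default /run/pamcache):
# regular files directly in that directory whose name is exactly 26
# characters of A-Z or 0-9. LC_ALL=C pins [A-Z] to upper-case ASCII.
pamcache_candidates() {
    dir="${1:-/run/pamcache}"
    LC_ALL=C find "$dir" -maxdepth 1 -regextype posix-extended -type f \
        -regex '.*/[A-Z0-9]{26}' -print
}

# Print "<count> <bytes>" for those files, to size the memory at stake.
# A file that vanishes between find and stat is skipped.
pamcache_summary() {
    pamcache_candidates "$1" | while IFS= read -r f; do
        stat -c %s "$f" 2>/dev/null
    done | awk '{ n++; b += $1 } END { print n + 0, b + 0 }'
}

# Succeed if an uncommented line of csyncd.conf ($1) still names
# run/pamcache, i.e. the sed edit is not in effect in that file.
pamcache_sync_enabled() {
    grep -v '^[[:space:]]*#' "${1:-/etc/csyncd.conf}" | grep -q 'run/pamcache'
}

# Demo on constructed data: a scratch directory standing in for /run/pamcache.
pamcache_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'token' > "$tmp/ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # 26 chars: selected
    printf 'token' > "$tmp/0123456789ABCDEFGHIJKLMNOP"   # 26 chars: selected
    printf 'x' > "$tmp/ABCDEFGHIJKLMNOPQRSTUVWXY"        # 25 chars: ignored
    printf 'x' > "$tmp/abcdefghijklmnopqrstuvwxyz"       # lower case: ignored
    pamcache_summary "$tmp"
    rm -rf "$tmp"
}

pamcache_demo   # prints: 2 10
```

On a blade, `pamcache_summary` with no argument reports on /run/pamcache, and `pamcache_sync_enabled` with no argument reads /etc/csyncd.conf.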

Fix Information

Auth tokens in /run/pamcache are deleted as required.

Behavior Change
