Polkit Helper Timeout And Defunct Pkla-check-authorization Processes On CentOS 7.3

Home » CentOS » Polkit Helper Timeout And Defunct Pkla-check-authorization Processes On CentOS 7.3
CentOS 1 Comment

Hi everyone,

We seem to be having issues on multiple CentOS 7.3 machines. The problem seems to revolve around polkitd. At some random time, polkitd seems to stop responding on my systems. Along with this, there might be hundreds of defunct pkla-check-authorization processes. If I reboot, then things are fine for a while.

I don’t see any activity in the unabridged journal to suggest anything that might be triggering polkitd. The puppet run finished 5 minutes before polkitd lost it’s head.

polkit version is polkit-0.112-11.el7_3.x86_64

Any help is appreciated.

Thanks, Jason

Here is some condensed output from the “journalctl -u polkit” command:
Mar 09 04:02:14 myhost systemd[1]: Starting Authorization Manager… Mar 09 04:02:14 myhost polkitd[1018]: Started polkitd version 0.112
Mar 09 04:02:14 myhost polkitd[1018]: Loading rules from directory
/etc/polkit-1/rules.d Mar 09 04:02:14 myhost polkitd[1018]: Loading rules from directory
/usr/share/polkit-1/rules.d Mar 09 04:02:14 myhost polkitd[1018]: Finished loading, compiling and executing 7 rules Mar 09 04:02:14 myhost systemd[1]: Started Authorization Manager. Mar 09 04:02:14 myhost polkitd[1018]: Acquired the name org.freedesktop.PolicyKit1 on the system bus Mar 09 04:02:53 myhost polkitd[1018]: Registered Authentication Agent for unix-session:c1 (system bus name :1.41 [gnome-shell –mode=gdm], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 09 04:08:25 myhost polkitd[1018]: Reloading rules Mar 09 04:08:25 myhost polkitd[1018]: Collecting garbage unconditionally… Mar 09 04:08:25 myhost polkitd[1018]: Loading rules from directory
/etc/polkit-1/rules.d Mar 09 04:08:25 myhost polkitd[1018]: Loading rules from directory
/usr/share/polkit-1/rules.d Mar 09 04:08:25 myhost polkitd[1018]: Finished loading, compiling and executing 8 rules Mar 09 04:08:25 myhost polkitd[1018]: Reloading rules Mar 09 04:08:25 myhost polkitd[1018]: Collecting garbage unconditionally… Mar 09 04:08:25 myhost polkitd[1018]: Loading rules from directory
/etc/polkit-1/rules.d Mar 09 04:08:25 myhost polkitd[1018]: Loading rules from directory
/usr/share/polkit-1/rules.d Mar 09 04:08:25 myhost polkitd[1018]: Finished loading, compiling and executing 8 rules Mar 09 04:08:53 myhost polkitd[1018]: Reloading rules
… (snipped more rules loading)
Mar 09 04:10:39 myhost polkitd[1018]: Collecting garbage unconditionally… Mar 09 04:10:39 myhost polkitd[1018]: Loading rules from directory
/etc/polkit-1/rules.d Mar 09 04:10:39 myhost polkitd[1018]: Loading rules from directory
/usr/share/polkit-1/rules.d Mar 09 04:10:39 myhost polkitd[1018]: Finished loading, compiling and executing 7 rules Mar 09 16:59:42 myhost polkitd[1018]:
/etc/polkit-1/rules.d/49-polkit-pkla-compat.rules:21: Error: Error spawning helper: Timed out after 10 seconds (g-io-error-quark, 24)
Mar 09 16:59:42 myhost polkitd[1018]: Error evaluating authorization rules Mar 10 04:13:34 myhost polkitd[1018]:
/etc/polkit-1/rules.d/49-polkit-pkla-compat.rules:21: Error: Error spawning helper: Timed out after 10 seconds (g-io-error-quark, 24)
Mar 10 04:13:34 myhost polkitd[1018]: Error evaluating authorization rules Mar 10 04:14:32 myhost polkitd[1018]:
/etc/polkit-1/rules.d/49-polkit-pkla-compat.rules:21: Error: Error spawning helper: Timed out after 10 seconds (g-io-error-quark, 24)
… (snipped more lines about error evaluating rules)…

————————————————————————-

One thought on - Polkit Helper Timeout And Defunct Pkla-check-authorization Processes On CentOS 7.3

  • Hi everyone,

    I’m replying to myself to help anyone else who happens to get the polkit timeouts. Our CentOS7 machines are joined to our Active Directory domain and use AD for authentication and account lookups (Using the SSSD AD
    provider). We’re NOT using FreeIPA. The polkit timeouts were caused by sssd taking too long to respond to user information lookups for users that were in Active Directory.

    The solution was to set “enumerate = False” in /etc/sssd/sssd.conf and restart the sssd service or reboot the machine. If “enumerate” is not present in sssd.conf, then it defaults to False.

    In addition to the polkit hangs, we were also experiencing the following problems, which went away or improved after the sssd.conf change was made:

    – Running “id $USERNAME” was taking many seconds when looking up users
    in Active Directory
    – Logins were taking a while (5+ seconds) or would just hang
    – Unlocking a machine from the screensaver would sometimes fail.
    – General system sluggishness.
    – High system CPU/load with no obvious culprits according to “top”
    – The sssd_be process was often taking 5% or more of a CPU.

    The problems were more prevalent on our big time-sharing systems (64
    cores/512GB RAM), that have multiple (15+) simultaneous users running large memory or CPU interactive jobs. The problems also hit some of our single-user workstations, but the most-affected users were still our compute-heavy research users.

    For others’ reference, I’m also running the sssd cache on a tmpfs filesystem and here is my sanitized sssd.conf file.:

    Sincerely, Jason

    ————————————————————————-

LEAVE A COMMENT