After installing the Deep Security Agent (DSA), the Zypper fails to update.
The following kernel loops show in the /var/log/message when the Zypper update fails:
Mar 19 08:14:10 ip-10-128-143-145 kernel: [19696.333980] gsch_dev_release() done Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147933] The following is only an harmless informational message. Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147954] Unless you get a _continuous_flood_ of these messages it means Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147956] everything is working fine. Allocations from irqs cannot be Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147957] perfectly reliable and the kernel is designed to handle that. Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147959] zypper: page allocation failure: order:4, mode:0x20 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147962] Pid: 18847, comm: zypper Tainted: P N 3.0.82-0.7-ec2 #1 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147964] Call Trace: Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147981] [<ffffffff8000807e>] dump_trace+0x6e/0x1c0 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147987] [<ffffffff80327d7d>] dump_stack+0x69/0x6f Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147994] [<ffffffff800cffe2>] warn_alloc_failed+0x102/0x190 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.147998] [<ffffffff800d0db1>] __alloc_pages_slowpath+0x461/0x7b0 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148002] [<ffffffff800d12e9>] __alloc_pages_nodemask+0x1e9/0x200 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148007] [<ffffffff8010916c>] cache_grow+0x2fc/0x3f0 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148010] [<ffffffff80109571>] cache_alloc_refill+0x311/0x440 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148013] [<ffffffff80109d30>] __kmalloc+0x1c0/0x2a0 Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148032] [<ffffffffa01b8370>] tb_alloc+0x110/0x370 [dsa_filter] Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148119] [<ffffffffa019997b>] dsx_allocate_state+0x5b/0x150 [dsa_filter] Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148163] [<ffffffffa019a50c>] dsx_process+0x11c/0xbf0 [dsa_filter] Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148196] [<ffffffffa0179385>] ssl_dsx_process+0x345/0x350 [dsa_filter] Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148218] [<ffffffffa01796d6>] dsx_process_payload_packet_gen+0x166/0x400 [dsa_filter] Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148241] [<ffffffffa017bb3d>] dsa_slim_output+0xa3d/0xbc0 [dsa_filter] Mar 19 08:22:37 ip-10-128-143-145 kernel: [20204.148265] [<ffffffffa0180101>] stateful_tcp_filter+0x551/0x730 [dsa_filter] Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148288] [<ffffffffa016c870>] core_pkt_filter+0x2d0/0x560 [dsa_filter] Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148305] [<ffffffffa016cc11>] core_pkt_hook+0x111/0x490 [dsa_filter] Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148321] [<ffffffffa01b67fc>] lin_nf_packet_wrapper+0x1bc/0x3a0 [dsa_filter] Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148363] [<ffffffffa01b6bc7>] lin_nf_packet_wrapper_all+0x1e7/0x210 [dsa_filter] Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148401] [<ffffffff802af744>] nf_iterate+0x84/0xb0 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148407] [<ffffffff802af8c9>] nf_hook_slow+0x79/0x120 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148411] [<ffffffff802bdbd8>] ip_output+0x98/0xc0 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148415] [<ffffffff802bca49>] ip_queue_xmit+0x1c9/0x410 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148419] [<ffffffff802d23d0>] tcp_transmit_skb+0x4f0/0x700 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148423] [<ffffffff802d4e28>] tcp_write_xmit+0x1e8/0x510 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148426] [<ffffffff802d51b5>] __tcp_push_pending_frames+0x25/0x60 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148431] [<ffffffff802c7a19>] tcp_sendmsg+0x7e9/0xa00 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148435] [<ffffffff80270a1b>] sock_sendmsg+0xdb/0x120 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148439] [<ffffffff80270be8>] sys_sendto+0x138/0x1a0 Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148443] [<ffffffff80332bd3>] system_call_fastpath+0x16/0x1b Mar 19 08:22:38 ip-10-128-143-145 kernel: [20204.148452] [<00007f6e9cf48d45>] 0x7f6e9cf48d44
Linux tends to use too much memory for the file system cache to increase performance. In this case, the AWS SuSE 11 x64 micro instance spent too much memory for cache (file system), but the memory reclaim mechanism is not triggered properly. When Zypper tries to connect to the Internet, the dsa_filter encounters a memory allocation failure and dropped packets. This causes the Zypper to work incorrectly.
This issue is considered as a system configuration problem. Stopping the DSA service resolves this issue. For the system without swap, administrator can increase the vm.min_free_kbytes to fix this issue.
To increase the vm.min_free_kbytes, do one of the following options:
- Run the following command:
#sysctl -w vm.min_free_kbytes=20480
- Add the following entry in /etc/sysctl.conf:
vm.min_free_kbytes = 20480