Core Dump Occurs When the OCKD Process Is Started After Importing an Invalid Certificate

Symptom

When the ZooKeeper security feature is enabled, the core dump error information shown in Figure 1 is displayed when starting the OCKD process.

Use the GNU debugger (GDB) to open the core dump file and check the stack information. The stack information indicates that the ZooKeeper client fails to invoke the certificate verification function of the OpenSSL library. See Figure 2.

Key Process and Cause Analysis

Due to the implementation mechanism of the open source component ZooKeeper client, a core dump may occur when invalid certificates are processed.

Conclusion and Solution

If the ZooKeeper security feature is enabled and the ZooKeeper certificate is invalid, the link between OCKD and ZooKeeper fails to be established, and the OCKD process fails to be started. The OmniShuffle feature only verifies the certificate validity period and cannot intercept all abnormal certificates. As a result, invalid certificates may be transferred to the ZooKeeper client. The certificate is not provided by OmniShuffle. If such a problem occurs, check the certificate validity before using the ZooKeeper security feature.

Common certificate errors include but are not limited to the following:

• The certificate key usage does not comply with X.509v3.
• The issuer information of the root certificate and local certificate is invalid.
• The certificate signature field is incorrect.
• The Common Name field is invalid.
• An intermediate level is missing for multi-level certificate authentication.
• The validity period of the certificate has ended.