-
Notifications
You must be signed in to change notification settings - Fork 766
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GRR Client Crashes "Serialized message too large" #978
Comments
This comment was marked as spam.
This comment was marked as spam.
Thanks for your report. This looks like a legit issue on the GRR client side, we'll look into it. Increasing this limit on the client side likely creates more problems on the server side, so changing the chunking logic or similar is probably the way forward. |
So I have tried to decrease the Chunk size to 2000000, which is less then the agent able to receive and the same issue occured: CRITICAL:2022-06-01 10:20:24,761 fleetspeak_client:117] Fatal error occurred: So it is definitely something to be fixed in GRR. |
Ok, so what happens here is pretty interesting. The issue, most definitely, happens on the client side and has nothing to do with how the server database is set up. When working through Fleetspeak, the GRR client runs as a subprocess of the Fleetspeak client. They communicate through shared file descriptors. When a GRR client wants to send a message to its server, it sends a message to the Fleetspeak client on the same machine through the shared fd. Now, Fleetspeak client has a hard message size limit of 2mb: The issue happens because GRR tries to send a message that's bigger than 2mb. There's a dedicated check for this in the GRR client fleetspeak connector code (MAX_SIZE is set to 2Mb): GRR should be careful enough to chunk the messages. Not sure why chunking failed in this case - will investigate further. @bprykhodchenko Could you please specify the exact flow arguments you used to reproduce the issue? |
I looked at the YaraProcessDump client action. It dumps the memory on disk and the sends back a data structure with information about all the processes: What this means: if the
|
Hello, As for the solution,
|
A few comments:
|
Environment
Describe the issue
When I do the Memory Dump of All processes except GRR it works fine for some time, but at some point in time I get this message:
CRITICAL:2022-05-30 11:50:07,252 fleetspeak_client:117] Fatal error occurred:
Traceback (most recent call last):
File "site-packages\grr_response_client\fleetspeak_client.py", line 111, in _RunInLoop
File "site-packages\grr_response_client\fleetspeak_client.py", line 209, in _SendOp
File "site-packages\grr_response_client\fleetspeak_client.py", line 176, in _SendMessages
File "site-packages\fleetspeak\client_connector\connector.py", line 144, in Send
File "site-packages\fleetspeak\client_connector\connector.py", line 154, in _SendImpl
ValueError: Serialized message too large, size must be at most 2097152, got 2323650
So it doesn't like the message size. Now, the question, where this limit can be increased?
The text was updated successfully, but these errors were encountered: