pfSense fatal error allowed memory exhausted cause



  • I'm in the process of testing a pfSense (v2.4.5) as a DNS firewall using the latest stable Bind 9 package via the WebUI's package manager.

    I am testing different size Response Policy Zones, which all went well except while testing the largest. I crashed with the following error:

    Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 87749944 bytes) in /etc/inc/xmlparse.inc on line 285
    PHP ERROR: Type: 1, File: /etc/inc/xmlparse.inc, Line: 285, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 87749944 bytes)
    

    This issue caused the web UI to become unresponsive and forced me to SSH in to fix it. I'm not against editing config files via SSH, but if I'm instructing someone else with less CLI knowledge that can become a hurdle for them.

    After reading various threads searching for a solution (results are a bit overwhelming for searching for this pretty common error) I came across one showing how to increase the memory_limit. This sort of works, but has some drawbacks.

    SSH into the pfSense and edit /etc/inc/config.inc

    // Set memory limit to 512M on amd64.
    if ($ARCH == "amd64") {
            ini_set("memory_limit", "1024M");
            // ini_set("memory_limit", "512M"); //-- increased to 1G
    } else {
            ini_set("memory_limit", "128M");
    }
    

    This solution seems to work temporarily. Upgrades will revert the setting back to 512 MB, which in turn will cause the crash. I'm also concerned I'm doing something outside the scope of what Netgate intended. Is the 512 MB memory limit there for any other security-related reason, something else I'm overlooking, etc.?

    • Can anyone explain why php-fpm is running out of memory to start Bind? I'm not getting the connection between PHP and Bind. Is php-fpm creating a child process to start Bind?
    • Does anyone know if there is a more durable solution to increasing the memory_limit setting that survives upgrades, etc.?
