[RFC] rgw: Libcurl+NSS memory leak mitigation when performing keystone SSL auth #20924
Conversation
there is a memory leak in the libcurl+nss: PK11_CreateGenericObject() function, rgw is affected when Keystone users authority authentication perfomed using ssl Signed-off-by: Mark Kogan <mkogan@redhat.com>
if so enable the libcurl+nss memory cleaning option. Signed-off-by: Mark Kogan <mkogan@redhat.com>
ceph.conf option to enable and configure the libcurl+nss memory cleaning interval. (disabled by default) Signed-off-by: Mark Kogan <mkogan@redhat.com>
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
@mkogan1 could this get a rebase? |
|
@cbodley and I discussed--maybe the way forward here is to globally transition out of NSS crypto? |
|
@liewegas ^^ |
|
IIRC @rzarzynski said the backport is nontrivial, but it brings along some performance benefits with it. If it's feasible it seems like a better cost/benefit than spending time fixing old nss code. |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution! |
Tracker issue:
http://tracker.ceph.com/issues/23375
When libcurl is configured with --with-nss
There is a memory leak in the PK11_CreateGenericObject() function (in libnss3.so)
that occurs when keystone users authority authentication is using ssl.
(rgw_keystone_verify_ssl = true)
By calling the curl_global_cleanup() its possible to release the memory in libcurl.
(This patch is currently only for the curl_easy_* flow, can be extended to the curl_multi_* flow also)