[RFC] rgw: Libcurl+NSS memory leak mitigation when performing keystone SSL auth #20924
there is a memory leak in the libcurl+nss: PK11_CreateGenericObject() function, rgw is affected when Keystone users authority authentication is performed using ssl
Signed-off-by: Mark Kogan <mkogan@redhat.com>

if so enable the libcurl+nss memory cleaning option.
Signed-off-by: Mark Kogan <mkogan@redhat.com>

ceph.conf option to enable and configure the libcurl+nss memory cleaning interval. (disabled by default)
Signed-off-by: Mark Kogan <mkogan@redhat.com>
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
@mkogan1 could this get a rebase?
@cbodley and I discussed--maybe the way forward here is to globally transition out of NSS crypto?
@liewegas ^^
IIRC @rzarzynski said the backport is nontrivial, but it brings along some performance benefits with it. If it's feasible it seems like a better cost/benefit than spending time fixing old nss code.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!
Tracker issue:
http://tracker.ceph.com/issues/23375
When libcurl is configured with --with-nss, there is a memory leak in the PK11_CreateGenericObject() function (in libnss3.so) that occurs when keystone users authority authentication is using ssl (rgw_keystone_verify_ssl = true).
By calling curl_global_cleanup() it's possible to release the memory in libcurl.
(This patch is currently only for the curl_easy_* flow, can be extended to the curl_multi_* flow also)
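
An added example, not code from this pull request: curl_global_cleanup() is not safe to call while another thread is using libcurl, so a periodic cleanup has to wait until no request is in flight and re-initialise libcurl before the next one starts. The `curl_recycler` type, its function names and the request-count interval are hypothetical, and the two hooks are stubs standing in for curl_global_cleanup() and curl_global_init() so the sketch builds without libcurl.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

typedef void (*hook_fn)(void);
/* Hypothetical helper: global teardown runs only while no request is in flight. */
struct curl_recycler {
    pthread_mutex_t lock;
    unsigned active;       /* requests currently using an easy handle */
    unsigned since_clean;  /* requests completed since the last teardown */
    unsigned interval;     /* assumed setting: recycle every N requests, 0 = off */
    hook_fn cleanup, init; /* stand-ins for curl_global_cleanup()/curl_global_init() */
};

/* Constructed stubs that only count calls. */
static unsigned stub_cleanups, stub_inits;
static void stub_cleanup(void) { stub_cleanups++; }
static void stub_init(void) { stub_inits++; }

void recycler_init(struct curl_recycler *r, unsigned interval, hook_fn cleanup, hook_fn init) {
    pthread_mutex_init(&r->lock, NULL);
    r->active = r->since_clean = 0;
    r->interval = interval; r->cleanup = cleanup; r->init = init;
}
/* Call before curl_easy_init(); blocks while a teardown is in progress. */
void recycler_begin(struct curl_recycler *r) {
    pthread_mutex_lock(&r->lock);
    r->active++;
    pthread_mutex_unlock(&r->lock);
}
/* Call after curl_easy_cleanup(); returns true if global state was recycled. */
bool recycler_end(struct curl_recycler *r) {
    bool recycled = false;
    pthread_mutex_lock(&r->lock);
    r->active--; r->since_clean++;
    if (r->interval && r->active == 0 && r->since_clean >= r->interval) {
        r->cleanup();  /* releases libcurl's global state */
        r->init();     /* libcurl must be initialised again before reuse */
        r->since_clean = 0; recycled = true;
    }
    pthread_mutex_unlock(&r->lock);
    return recycled;
}
int main(void) {
    struct curl_recycler r;
    recycler_init(&r, 2, stub_cleanup, stub_init);
    for (int i = 0; i < 4; i++) { recycler_begin(&r); recycler_end(&r); }
    printf("teardowns=%u inits=%u\n", stub_cleanups, stub_inits);
    return 0;
}
```

Holding the lock across the teardown and re-initialisation is what keeps a new request from entering libcurl halfway through.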