-
-
Notifications
You must be signed in to change notification settings - Fork 15.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Let OpenSslContext implement ReferenceCounted? #4958
Comments
[netty#4958]: OpenSslContext retains native resources that get released by the Garbage Collector via object finalization. This works fine for traditonal SSL deployments with static working sets of SslContext(s). We intend to load large sets of [Open]SslContext(s) on a per connection basis. Having OpenSslContext implement the ReferenceCounted interface would facilitate efficient sharing and timely relase of all native resources once all client disconnected that used the same context. Modifications Let OpenSslContext implement the ReferenceCounted and delegate all calls to an inner AbstractReferenceCounted field that calls OpenSslContext's destroy() method once the reference count reaches 0. Result It's possible to release OpenSslContext's native resources as soon as it's no longer in use.
@rkapsi I think we could do this. That said we would still need a finalizer for the |
@normanmaurer Correct. It's meant to be an optimization for folks who don't want to wait for the GC. The finalizer will still run but potentially do nothing. |
Motivation: OpenSslEngine and OpenSslContext currently rely on finalizers to ensure that native resources are cleaned up. Finalizers require the GC to do extra work, and this extra work can be avoided if the user instead takes responsibility of releasing the native resources. Modifications: - Make a base class for OpenSslENgine and OpenSslContext which does not have a finalizer but instead implements ReferenceCounted. If this engine is inserted into the pipeline it will be released by the SslHandler - Add a new SslProvider which can be used to enable this new feature Result: Users can opt-in to a finalizer free OpenSslEngine and OpenSslContext. Fixes netty#4958
Motivation: OpenSslEngine and OpenSslContext currently rely on finalizers to ensure that native resources are cleaned up. Finalizers require the GC to do extra work, and this extra work can be avoided if the user instead takes responsibility of releasing the native resources. Modifications: - Make a base class for OpenSslENgine and OpenSslContext which does not have a finalizer but instead implements ReferenceCounted. If this engine is inserted into the pipeline it will be released by the SslHandler - Add a new SslProvider which can be used to enable this new feature Result: Users can opt-in to a finalizer free OpenSslEngine and OpenSslContext. Fixes #4958
Motivation: OpenSslEngine and OpenSslContext currently rely on finalizers to ensure that native resources are cleaned up. Finalizers require the GC to do extra work, and this extra work can be avoided if the user instead takes responsibility of releasing the native resources. Modifications: - Make a base class for OpenSslENgine and OpenSslContext which does not have a finalizer but instead implements ReferenceCounted. If this engine is inserted into the pipeline it will be released by the SslHandler - Add a new SslProvider which can be used to enable this new feature Result: Users can opt-in to a finalizer free OpenSslEngine and OpenSslContext. Fixes netty#4958
@rkapsi are you using the OPENSSL_REFCNT ssl provider in production? I'm currently trying to wrap my head around the usage eg. every call to io.netty.handler.ssl.SslContext#newEngine(io.netty.buffer.ByteBufAllocator) must be matched with releasing it via io.netty.util.ReferenceCountUtil#release(java.lang.Object) or is it enough just to release the io.netty.handler.ssl.SslContext? equally from a client pov it seems it is possible to hack the openssl_refcnt ssl provider into async-http-client using a custom org.asynchttpclient.SslEngineFactory but I suppose each connection may need to be released explicitly too. |
@johnou we do. In our case we match Management of the A client connects and we go thru the SNI flow. The SNI thingy is backed by the said cache. The cache always increments the refCnt by 1 before returning it and we then do To put it differently, a context's refCnt will always be >= 1 as long as a reference is being held in the cache OR one connection is using it. |
@rkapsi perfect, thanks! I am currently investigating implementing it for our server application as we have thousands and thousands of concurrent long lived SSL connections.. at first glance it looks like I don't even need to track the engine as releasing it is already taken care of here io.netty.handler.ssl.SslHandler#handlerRemoved0 😀 |
Yea, we do something like this: class MyHandler extends SslHandler {
SslContext sslContext;
void handlerRemoved(...) {
try {
super.handlerRemoved(...);
} finally {
sslContext.release();
}
}
} |
See also #9626 |
Motivation: OpenSslEngine and OpenSslContext currently rely on finalizers to ensure that native resources are cleaned up. Finalizers require the GC to do extra work, and this extra work can be avoided if the user instead takes responsibility of releasing the native resources. Modifications: - Make a base class for OpenSslENgine and OpenSslContext which does not have a finalizer but instead implements ReferenceCounted. If this engine is inserted into the pipeline it will be released by the SslHandler - Add a new SslProvider which can be used to enable this new feature Result: Users can opt-in to a finalizer free OpenSslEngine and OpenSslContext. Fixes netty#4958
Hello,
would it make sense to let the
OpenSslContext
class implement theReferenceCounted
interface?We have a dynamic and unbound set of OpenSslContext that are concurrently in use and it would be great if we can release the native resources in a timely manner. We're currently using a wrapper object that extends SslContext, implements ReferenceCounted and gets passed into the SniHandler.
Something along the lines of this pseudo code. I'd be happy to open a PR.
The text was updated successfully, but these errors were encountered: