Change in ovirt-engine[master]: core: Use persistent HTTP connections between engine and SSO
Code Review
gerrit at ovirt.org
Tue Dec 13 09:05:55 UTC 2016
From Martin Peřina <mperina at redhat.com>:
Martin Peřina has submitted this change and it was merged.
Change subject: core: Use persistent HTTP connections between engine and SSO
......................................................................
core: Use persistent HTTP connections between engine and SSO
The SSO service and the engine authentication filters use HTTP
to talk to each other. The implementation of this HTTP dialog
is such that a new connection is created for each request. In
production environments HTTPS is enabled by default, and that
means that for each request new SSL socket and session are
created and a new SSL handshake is performed. This is bad for
performance, in general, but in certain situations it is also
a potential trigger of engine crashes. For example, let's
assume that the engine is running in a machine with 2 GiB of
RAM and a heap size of 1 GiB, and consider a client that is
continually sending authentication requests to the API, the
following Python SDK script, for example:
  #!/usr/bin/python
  import sys
  from ovirtsdk.api import API
  from ovirtsdk.xml import params
  while True:
      # Connect to the API:
      api = API(
          url="https://engine40.local/ovirt-engine/api",
          username="admin@internal",
          password="redhat123",
          ca_file="/etc/pki/ovirt-engine/ca.pem",
      )
      # Do something ...
      # Disconnect:
      api.disconnect()
This script, alone, will trigger the creation of thousands of
SSL sockets and sessions in the engine, and in the web server.
But the SSL socket class is finalizable, and there is space
enough in the heap, so those thousands of sockets, already
closed, will still be in memory, in the finalizer queue. But
those thousands of sockets also hold native resources, like
socket buffers, which aren't accounted for in the heap. The
result is that the Java virtual machine will consume much more
memory than what you would expect, memory that isn't part of
the heap. The result, in that 2 GiB machine, is that the out
of memory killer of the kernel will trigger, and kill the
engine, even if it isn't using all its heap space.
This could be addressed with smarter handling of the SSL
sockets, but that is well beyond the scope of our project.
Alternatively we can try to reuse the HTTP connections, which
should save sockets, SSL sessions, SSL handshakes and TCP
connections.
This patch tries to improve the use of connections,
introducing a pool of HTTP connections, where connections are
reused as much as possible.
The effect is visible running the above Python SDK script and
counting the number of SSL sockets that are created:
  # su -s /bin/sh ovirt
  # watch 'jmap -histo $(pidof ovirt-engine) | grep SSLSocketImpl'
Without this patch the number of sockets is ever increasing,
till the engine crashes or there is a garbage collection.
In the 2 GiB environment it is in the order of thousands of
instances.
With the patch, the number is limited to a max of 20 sockets.
In the 2 GiB environment it is usually 2 sockets.
The patch also introduces two new configuration variables that can be
used to adjust the size of the pools of HTTP connections:
  # The maximum size of the pool of HTTP connections that
  # the engine uses to communicate with the SSO service:
  ENGINE_SSO_SERVICE_CLIENT_POOL_SIZE=10
  # The maximum size of the pool of HTTP connections that
  # the SSO service uses to communicate with the engine:
  SSO_CALLBACK_CLIENT_POOL_SIZE=10
Change-Id: Ifa686b9f73c693ec20e0e51f2c004b6eea9e21bc
Related-To: https://bugzilla.redhat.com/1396833
Signed-off-by: Juan Hernandez <juan.hernandez at redhat.com>
Signed-off-by: Ravi Nori <rnori at redhat.com>
---
M backend/manager/modules/aaa/pom.xml
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoOAuthServiceUtils.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
M backend/manager/modules/aaa/src/main/modules/org/ovirt/engine/core/aaa/main/module.xml
M backend/manager/modules/enginesso/pom.xml
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/InteractiveChangePasswdServlet.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoUtils.java
M backend/manager/modules/uutils/pom.xml
A backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/net/HttpClientBuilder.java
M backend/manager/modules/uutils/src/main/modules/org/ovirt/engine/core/uutils/main/module.xml
M ear/src/main/application/META-INF/jboss-deployment-structure.xml
M packaging/services/ovirt-engine/ovirt-engine.conf.in
12 files changed, 421 insertions(+), 222 deletions(-)
Approvals:
Martin Peřina: Looks good to me, approved
Ravi Nori: Verified
Jenkins CI: Passed CI tests
--
To view, visit https://gerrit.ovirt.org/67294
To unsubscribe, visit https://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ifa686b9f73c693ec20e0e51f2c004b6eea9e21bc
Gerrit-PatchSet: 9
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Martin Peřina <mperina at redhat.com>
Gerrit-Reviewer: Ondra Machacek <omachace at redhat.com>
Gerrit-Reviewer: Ravi Nori <rnori at redhat.com>
Gerrit-Reviewer: Yaniv Kaul <ykaul at redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation at ovirt.org>
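The effect the commit message describes, as an added example that is not part of the change or of ovirt-engine: a loopback server counts accepted sockets when a client opens one connection per request versus drawing from a bounded pool of persistent connections. It uses plain HTTP and Python's standard library rather than the engine's Java client; CountingServer, Pool and count_connections are hypothetical names.

```python
import http.client
import queue
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class CountingServer(ThreadingHTTPServer):  # constructed stand-in for the SSO service
    daemon_threads = True
    accepted = 0  # sockets accepted; over HTTPS each one also costs a TLS handshake
    def get_request(self):
        self.accepted += 1
        return super().get_request()

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive, so a connection can be reused
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):
        pass  # keep the demo quiet

class Pool:  # hypothetical helper: bounded pool of persistent connections
    def __init__(self, host, port, size):
        self._idle = queue.Queue()
        for _ in range(size):
            self._idle.put(http.client.HTTPConnection(host, port))
    def get(self, path):
        conn = self._idle.get()  # blocks while every connection is in use
        try:
            conn.request("GET", path)
            return conn.getresponse().read()
        finally:
            self._idle.put(conn)

def count_connections(requests, pool_size=None):
    with CountingServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        pool = Pool(*server.server_address, pool_size) if pool_size else None
        for _ in range(requests):
            if pool:
                pool.get("/")
            else:  # pre-patch behaviour: a fresh connection for every request
                conn = http.client.HTTPConnection(*server.server_address)
                conn.request("GET", "/")
                conn.getresponse().read()
                conn.close()
        server.shutdown()
    return server.accepted
```

Without a pool the accepted-socket count grows with the number of requests; with a pool it stays at the pool size no matter how many requests are sent.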