Closed: ns-gzhang closed this issue 1 year ago
This is related to #136
I have a fix in mind but it requires a breaking change and I haven't had enough time to complete it.
I don't know the exact cause, but I think it has to do with having a global key value, because initialising it is difficult. We need to recover from panics etc. that triggered memory wipes.
I'm planning on creating a new `Bubble` type that has its own enclave key, and have callers create and use methods on this.
Thanks Awn. From a user's point of view, if calling initialization of a global key from the app would help, we could easily do that.
Do you mean subdividing the set of enclaves into multiple `Bubble`s? So a `Bubble` would cover a set of enclave instances with a single key, reducing the concurrent operations on that key? Thanks.
Yeah, that's exactly what I mean. A bubble has its own set of containers protected by its key, and destroying it would destroy its contained information.
I'm going to try a quick fix later today, but the newer API will follow at some point. Hopefully this fixes the issue.
Of course there would still have to be a global list of bubbles, but this is fine -- we already keep a global list of buffers. This can be moved into the bubbles.
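The proposed design might look roughly like the following sketch. Note that `Bubble`, `NewBubble`, `Add`, and `Destroy` are hypothetical names for illustration, not memguard's actual API; a real implementation would keep the key and buffers in guarded, locked memory rather than plain slices.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"sync"
)

// Bubble is a hypothetical container that groups sealed buffers under
// one per-bubble key. Destroying the bubble wipes the key and every
// buffer it owns, so no global key needs to survive panics.
type Bubble struct {
	mu      sync.Mutex
	key     []byte   // per-bubble encryption key (illustrative only)
	buffers [][]byte // sealed containers owned by this bubble
}

// NewBubble creates a bubble with its own freshly generated key.
func NewBubble() (*Bubble, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Bubble{key: key}, nil
}

// Add registers a sealed buffer with the bubble.
func (b *Bubble) Add(buf []byte) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.buffers = append(b.buffers, buf)
}

// Destroy zeroes the key and all owned buffers, then drops them.
func (b *Bubble) Destroy() {
	b.mu.Lock()
	defer b.mu.Unlock()
	for i := range b.key {
		b.key[i] = 0
	}
	for _, buf := range b.buffers {
		for i := range buf {
			buf[i] = 0
		}
	}
	b.buffers = nil
}

func main() {
	b, _ := NewBubble()
	b.Add([]byte("secret"))
	b.Destroy()
	fmt.Println("bubble destroyed")
}
```

This mirrors the idea above: the global state shrinks to a list of bubbles, and concurrent operations contend only on their own bubble's key.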
Hi Awn, just wondering if you would make `Bubble`s internal so we don't have to change code. Thinking of `Bubble`s just like buckets in a hash table...
I'm not sure if that would be a good solution, or fix the problem.
I made some changes that resulted in a deadlock in the deadlock example instead of a crash. This is a previous problem that happened in #132; the fix for that issue (#133, #135) caused the bug described by this issue and #136.
I'll push my branch later and maybe you can take a look at it.
Hi Awn, additional info: after we successfully increased the memlock limit in the Docker containers, the problem seemed to go away. It seems there is some association between a low memlock limit and this problem. Thanks.
Hey, that's very interesting. Thanks for telling me.
I've been implementing an alternate container for the Coffer based on channels, but I don't have much time at the moment so it's taking a while. Will post updates to the patch branch.
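A channel-based container along those lines might look like this minimal sketch. It is not the actual patch; `coffer`, `checkout`, and `checkin` are made-up names. The idea is that a one-slot channel hands out exclusive ownership of the key, so the channel itself serialises access instead of a mutex.

```go
package main

import "fmt"

// coffer hands out exclusive access to a key via a one-slot channel.
// Whichever goroutine receives from the channel owns the key until it
// sends it back; all other callers block in checkout.
type coffer struct {
	slot chan []byte
}

func newCoffer(key []byte) *coffer {
	c := &coffer{slot: make(chan []byte, 1)}
	c.slot <- key // deposit the key into the slot
	return c
}

// checkout blocks until the key is available, then takes ownership.
func (c *coffer) checkout() []byte {
	return <-c.slot
}

// checkin returns the key so the next caller can proceed.
func (c *coffer) checkin(key []byte) {
	c.slot <- key
}

func main() {
	c := newCoffer([]byte{1, 2, 3})
	k := c.checkout() // exclusive access; concurrent checkouts block here
	fmt.Println(len(k))
	c.checkin(k)
}
```

One attraction of this design is that a re-key or wipe can happen while the key is checked out without racing readers, since only one goroutine ever holds the slice at a time.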
Any update on this issue? I ran into the same problems.
Increasing the ulimit for memlock has been a robust solution for us. When we deploy pods on K8s, we need to increase the underlying server's ulimit to make the pods' ulimit larger/unlimited.
Does this operation resolve the `panic: runtime error: index out of range [0] with length 0` issue?
Testing locally, properly setting the memlock limit does fix the panics.
We encountered an infrequent problem at runtime in one of our Ubuntu Docker containers:
The code segment around `encrypt.go:125` is (with an added line number and comments):

Couldn't figure out what went wrong... would a low memlock ulimit possibly cause this? Thanks. (We do have a ulimit setting, but somehow the `ulimit` command still shows the default, which would quickly cause problems for us, so we're a little puzzled here too.) Appreciate your help!!
Additional info: version `github.com/awnumar/memguard v0.22.2`, OS: Ubuntu 16.04 Docker image, Go 1.13.
We are also seeing the following error now in one of the docker instances (same instance as above):