quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Enabling SSL can double RSS due to Netty off-heap arenas #42224

Open franz1981 opened 3 months ago

franz1981 commented 3 months ago

This is due to https://github.com/eclipse-vertx/vert.x/issues/5168#issuecomment-2258180519 and will be "fixed" via https://github.com/eclipse-vertx/vert.x/pull/5262

TLDR: enabling SSL makes Vertx use a custom off-heap pooled allocator for I/O (e.g. while reading or copying heap to off-heap to send data on the wire), but Jackson (and other Quarkus parts) use the Netty default one, making both resident in memory and doubling the required capacity.

This is the Jackson one: https://github.com/quarkusio/quarkus/blob/261cc877718ef24dd681cb1f3bb1547208535fca/independent-projects/vertx-utils/src/main/java/io/quarkus/vertx/utils/AppendBuffer.java#L136

A complete fix should be able to correctly pass the allocator associated with the vertx connection to the above append buffer, sparing the need to directly reference it.

A simple(r) and less invasive fix should instead change the above code to use the vertx pooled allocator, given that via https://github.com/eclipse-vertx/vert.x/pull/5262 it should be the default used.
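An added illustration, not part of the original issue and not Quarkus or Vert.x code: two independent Netty pooled allocators each reserve their own off-heap chunk on first use, which is the duplication described above. The class name is hypothetical, the second allocator is only a stand-in for the separate pooled allocator Vert.x uses, and `netty-buffer` is assumed to be on the classpath.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.PooledByteBufAllocator;

// Hypothetical demo class (added example, not code from the issue).
public class TwoPooledAllocators {

    public static void main(String[] args) {
        // Netty's process-wide default pooled allocator.
        PooledByteBufAllocator nettyDefault = PooledByteBufAllocator.DEFAULT;
        // Assumption: stands in for a second, separately constructed pooled
        // allocator such as the one Vert.x uses on the SSL path.
        PooledByteBufAllocator second = new PooledByteBufAllocator(true);

        report("before any allocation", nettyDefault, second);

        // A tiny direct buffer from each allocator makes each one reserve
        // a whole chunk of off-heap memory in one of its own arenas.
        ByteBuf a = nettyDefault.directBuffer(1024);
        ByteBuf b = second.directBuffer(1024);
        report("after 1 KiB from each", nettyDefault, second);

        // Releasing hands the buffers back to their pools; the chunks are
        // kept by each allocator for reuse, not returned to the OS.
        a.release();
        b.release();
        report("after release", nettyDefault, second);
    }

    // Prints the off-heap memory reserved by each allocator's arenas.
    static void report(String phase, PooledByteBufAllocator first,
                       PooledByteBufAllocator second) {
        long firstUsed = first.metric().usedDirectMemory();
        long secondUsed = second.metric().usedDirectMemory();
        System.out.printf(
            "%-24s default=%d B, second=%d B, total=%d B (chunk=%d B, direct arenas=%d+%d)%n",
            phase, firstUsed, secondUsed, firstUsed + secondUsed,
            first.metric().chunkSize(),
            first.metric().numDirectArenas(),
            second.metric().numDirectArenas());
    }
}
```

Comparing the `total` column with either allocator alone shows what routing all buffers through a single pooled allocator would save.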

quarkus-bot[bot] commented 3 months ago

/cc @cescoffier (netty), @jponge (netty)

franz1981 commented 2 months ago

This issue wasn't accurate enough: https://github.com/eclipse-vertx/vert.x/pull/5292#issue-2499447129 describes a non-SSL case where the pooled allocators can still be duplicated - although it shouldn't be used, making the cost just the empty arenas/data structures of the allocator.

franz1981 commented 1 month ago

Ping for @mabartos: does Keycloak use the JDK SSL engine by default? Is it a common use for users?

mabartos commented 1 month ago

@franz1981 For the server, we just rely on Quarkus internals with regard to TLS. For other stuff (HTTP client, remote Infinispan, ...) we use the SSL context obtained from the JDK. AFAIK there is no explicit usage of SSLEngine in Keycloak, as mentioned here, and no other impls, such as OpenSSL, are used.

Perhaps @pedroigor or @vmuzikar might have more information if necessary.

franz1981 commented 1 month ago

> For the server, we just rely on Quarkus internals with regards to TLS

which means the JDK SSL engine sadly .-. see https://github.com/quarkusio/quarkus/issues/41880 we don't yet support exposing any other ATM