[
https://issues.apache.org/jira/browse/FLINK-9878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16547909#comment-16547909
]
ASF GitHub Bot commented on FLINK-9878:
---------------------------------------
Github user NicoK commented on a diff in the pull request:
https://github.com/apache/flink/pull/6355#discussion_r203405530
--- Diff:
flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java ---
@@ -160,4 +160,41 @@
key("security.ssl.verify-hostname")
.defaultValue(true)
.withDescription("Flag to enable peer’s hostname
verification during ssl handshake.");
+
+ /**
+ * SSL session cache size.
+ */
+ public static final ConfigOption<Integer> SSL_SESSION_CACHE_SIZE =
+ key("security.ssl.session-cache-size")
+ .defaultValue(-1)
+ .withDescription("The size of the cache used for
storing SSL session objects. "
+ + "According to
https://github.com/netty/netty/issues/832, you should always set "
+ + "this to an appropriate number to not run
into a bug with stalling IO threads "
+ + "during garbage collection. (-1 = use system
default).");
+
+ /**
+ * SSL session timeout.
+ */
+ public static final ConfigOption<Integer> SSL_SESSION_TIMEOUT =
+ key("security.ssl.session-timeout")
+ .defaultValue(-1)
+ .withDescription("The timeout (in ms) for the cached
SSL session objects. (-1 = use system default)");
+
+ /**
+ * SSL session timeout during handshakes.
+ */
+ public static final ConfigOption<Integer> SSL_HANDSHAKE_TIMEOUT =
+ key("security.ssl.handshake-timeout")
+ .defaultValue(-1)
+ .withDescription("The timeout (in ms) during SSL
handshake. (-1 = use system default)");
+
+ /**
+ * SSL session timeout after flushing the `close_notify` message.
+ */
+ public static final ConfigOption<Integer>
SSL_CLOSE_NOTIFY_FLUSH_TIMEOUT =
+ key("security.ssl.close-notify-flush-timeout")
+ .defaultValue(-1)
+ .withDescription("The timeout (in ms) for flushing the
`close_notify` that was triggered by closing a " +
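Review bot: `SSL_SESSION_CACHE_SIZE` defaults to `-1` (use system default) while its own description says "you should always set this to an appropriate number", so a deployment that leaves the option unset stays on the system default, contrary to that advice. Either choose a bounded default, or have the description state that the default leaves the cache size at the system setting and that users hitting the stalled IO threads must set it explicitly. Separately, the Javadoc on `SSL_HANDSHAKE_TIMEOUT` and `SSL_CLOSE_NOTIFY_FLUSH_TIMEOUT` both begin "SSL session timeout ...", which reads as copied from `SSL_SESSION_TIMEOUT`; wording such as "SSL handshake timeout" and "Timeout for flushing the `close_notify` message" would match the option keys. The description strings also switch from a leading `+` (session-cache-size) to a trailing `+` (close-notify-flush-timeout); one style throughout would be easier to read.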
--- End diff --
could try - strangely though, this is working for e.g.
`security.kerberos.login.contexts` although the desired effect (marking it as
code) is not there...but that's a different problem.
> IO worker threads BLOCKED on SSL Session Cache while CMS full gc
> ----------------------------------------------------------------
>
> Key: FLINK-9878
> URL: https://issues.apache.org/jira/browse/FLINK-9878
> Project: Flink
> Issue Type: Bug
> Components: Network
> Affects Versions: 1.5.0, 1.5.1, 1.6.0
> Reporter: Nico Kruber
> Assignee: Nico Kruber
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.5.2, 1.6.0
>
>
> According to https://github.com/netty/netty/issues/832, there is a JDK issue
> during garbage collection when the SSL session cache is not limited. We
> should allow the user to configure this and further (advanced) SSL parameters
> for fine-tuning to fix this and similar issues. In particular, the following
> parameters should be configurable:
> - SSL session cache size
> - SSL session timeout
> - SSL handshake timeout
> - SSL close notify flush timeout