[jira] [Commented] (FLINK-9878) IO worker threads BLOCKED on SSL Session Cache while CMS full gc

Thu, 16 Aug 2018 02:45:16 -0700 


    [ 
https://issues.apache.org/jira/browse/FLINK-9878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16582272#comment-16582272
 ] 

ASF GitHub Bot commented on FLINK-9878:
---------------------------------------

pnowojski commented on a change in pull request #6355: 
[FLINK-9878][network][ssl] add more low-level ssl options
URL: https://github.com/apache/flink/pull/6355#discussion_r210515882
 
 

 ##########
 File path: 
flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java
 ##########
 @@ -176,39 +176,43 @@ public static void setSSLVerifyHostname(Configuration 
sslConfig, SSLParameters s
        public static SSLContext createSSLClientContext(Configuration 
sslConfig) throws Exception {
 
                Preconditions.checkNotNull(sslConfig);
-               SSLContext clientSSLContext = null;
 
-               if (getSSLEnabled(sslConfig)) {
-                       LOG.debug("Creating client SSL context from 
configuration");
-
-                       String trustStoreFilePath = 
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE);
-                       String trustStorePassword = 
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
-                       String sslProtocolVersion = 
sslConfig.getString(SecurityOptions.SSL_PROTOCOL);
+               if (!getSSLEnabled(sslConfig)) {
+                       return null;
+               }
 
-                       Preconditions.checkNotNull(trustStoreFilePath, 
SecurityOptions.SSL_TRUSTSTORE.key() + " was not configured.");
-                       Preconditions.checkNotNull(trustStorePassword, 
SecurityOptions.SSL_TRUSTSTORE_PASSWORD.key() + " was not configured.");
+               LOG.debug("Creating client SSL context from configuration");
 
-                       KeyStore trustStore = 
KeyStore.getInstance(KeyStore.getDefaultType());
+               String trustStoreFilePath = 
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE);
+               String trustStorePassword = 
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
+               String sslProtocolVersion = 
sslConfig.getString(SecurityOptions.SSL_PROTOCOL);
+               int sessionCacheSize = 
sslConfig.getInteger(SecurityOptions.SSL_SESSION_CACHE_SIZE);
+               int sessionTimeoutMs = 
sslConfig.getInteger(SecurityOptions.SSL_SESSION_TIMEOUT);
+               int handshakeTimeoutMs = 
sslConfig.getInteger(SecurityOptions.SSL_HANDSHAKE_TIMEOUT);
+               int closeNotifyFlushTimeoutMs = 
sslConfig.getInteger(SecurityOptions.SSL_CLOSE_NOTIFY_FLUSH_TIMEOUT);
 
-                       FileInputStream trustStoreFile = null;
-                       try {
-                               trustStoreFile = new FileInputStream(new 
File(trustStoreFilePath));
-                               trustStore.load(trustStoreFile, 
trustStorePassword.toCharArray());
-                       } finally {
-                               if (trustStoreFile != null) {
-                                       trustStoreFile.close();
-                               }
-                       }
+               Preconditions.checkNotNull(trustStoreFilePath, 
SecurityOptions.SSL_TRUSTSTORE.key() + " was not configured.");
+               Preconditions.checkNotNull(trustStorePassword, 
SecurityOptions.SSL_TRUSTSTORE_PASSWORD.key() + " was not configured.");
 
-                       TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(
-                               TrustManagerFactory.getDefaultAlgorithm());
-                       trustManagerFactory.init(trustStore);
+               KeyStore trustStore = 
KeyStore.getInstance(KeyStore.getDefaultType());
 
-                       clientSSLContext = 
SSLContext.getInstance(sslProtocolVersion);
-                       clientSSLContext.init(null, 
trustManagerFactory.getTrustManagers(), null);
+               try (FileInputStream trustStoreFile = new FileInputStream(new 
File(trustStoreFilePath))) {
+                       trustStore.load(trustStoreFile, 
trustStorePassword.toCharArray());
                }
 
-               return clientSSLContext;
+               TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(
+                       TrustManagerFactory.getDefaultAlgorithm());
+               trustManagerFactory.init(trustStore);
+
+               javax.net.ssl.SSLContext clientSSLContext = 
javax.net.ssl.SSLContext.getInstance(sslProtocolVersion);
 
 Review comment:
   `ctrl+c`

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> IO worker threads BLOCKED on SSL Session Cache while CMS full gc
> ----------------------------------------------------------------
>
>                 Key: FLINK-9878
>                 URL: https://issues.apache.org/jira/browse/FLINK-9878
>             Project: Flink
>          Issue Type: Bug
>          Components: Network
>    Affects Versions: 1.5.0, 1.5.1, 1.6.0
>            Reporter: Nico Kruber
>            Assignee: Nico Kruber
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.5.3, 1.6.1, 1.7.0
>
>
> According to https://github.com/netty/netty/issues/832, there is a JDK issue 
> during garbage collection when the SSL session cache is not limited. We 
> should allow the user to configure this and further (advanced) SSL parameters 
> for fine-tuning to fix this and similar issues. In particular, the following 
> parameters should be configurable:
> - SSL session cache size
> - SSL session timeout
> - SSL handshake timeout
> - SSL close notify flush timeout



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to