[jira] [Commented] (KAFKA-15443) Upgrade RocksDB dependency

Wed, 18 Dec 2024 08:10:54 -0800 


    [ 
https://issues.apache.org/jira/browse/KAFKA-15443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17906792#comment-17906792
 ] 

Swikar Patel commented on KAFKA-15443:
--------------------------------------

[~cadonna] [~mjsax] 
 * The field *NO_FILE_CLOSES* is removed since rocksdb 8.0.0 version. Currently 
RocksDBMetricsRecorder.java uses 
[https://github.com/apache/kafka/blob/e551cb7bb36f76db7d2fe8105e964aa30d5c53d2/streams/src/main/java/org/apache/kafka/streams/state/internals/metrics/RocksDBMetricsRecorder.java#L466]

 
 * I investigated the reason behind removal of the field and found this issue 
on rocksdb: 
[https://github.com/search?q=repo%3Afacebook%2Frocksdb+NO_FILE_CLOSES&type=issues]

 

So what do we want to do in this case? I've asked for any replacement of 
*NO_FILE_CLOSES* I am waiting for the response from rocksdb team.

Attached is screenshot of *NO_FILE_CLOSES.* Full report you can find above 
attachment.

 

!NO_FILE_CLOSES.png!
 

> Upgrade RocksDB dependency
> --------------------------
>
>                 Key: KAFKA-15443
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15443
>             Project: Kafka
>          Issue Type: Task
>          Components: streams
>            Reporter: Matthias J. Sax
>            Assignee: Swikar Patel
>            Priority: Blocker
>             Fix For: 4.0.0
>
>         Attachments: NO_FILE_CLOSES.png, compat_report.html
>
>
> Kafka Streams currently depends on RocksDB 7.9.2
> However, the latest version of RocksDB is already 8.5.3. We should check the 
> RocksDB release notes to see what benefits we get to upgrade to the latest 
> version (and file corresponding tickets to exploit improvement of newer 
> releases as applicable).
> From the duplicate ticket KAFKA-18204:
> Kafka still uses rocksdbjni version 7.x (ref: 
> [https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L120]) 
> which is no longer receiving backports from upstream.
> Please update to rocksdb version 9.x (latest version) so that security 
> updates are received.
> Examples for critical vulnerabilities (CVE score 9.8) in rocksdb version 7.x:
> [https://nvd.nist.gov/vuln/detail/CVE-2023-45853]
> [https://nvd.nist.gov/vuln/detail/CVE-2022-37434]
> (updating to the tip of 8.x release fixes these two vulnerabilities but for 
> any new security fixes, we will need to move to 9.x)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to