You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/07/17 22:21:00 UTC
[jira] [Commented] (FLINK-9878) IO worker threads BLOCKED on SSL
Session Cache while CMS full gc
[ https://issues.apache.org/jira/browse/FLINK-9878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16547160#comment-16547160 ]
ASF GitHub Bot commented on FLINK-9878:
---------------------------------------
GitHub user NicoK opened a pull request:
https://github.com/apache/flink/pull/6355
[FLINK-9878][network][ssl] add more low-level ssl options
## What is the purpose of the change
This is mostly to tackle bugs like https://github.com/netty/netty/issues/832
(JDK issue during garbage collection when the SSL session cache is not limited).
We add the following low-level configuration options for the user to fine-tune
their system:
- SSL session cache size
- SSL session timeout
- SSL handshake timeout
- SSL close notify flush timeout
This is the PR for the `release-1.5` branch only - I'll create a separate one for `master` due to the changes of #6326.
## Brief change log
- add `security.ssl.session-cache-size` and `security.ssl.session-timeout` configuration parameters
-> configure these for `SSLContext`s created by `SSLUtil`
- add `security.ssl.handshake-timeout` and `security.ssl.close-notify-flush-timeout`
-> configure these in the TM-communication channels via `NettyClient` and `NettyServer`
- refactor `SSLUtils` so that we extract these configurations separately
## Verifying this change
This change added tests and can be verified as follows:
- added configuration-verification test to `NettyClientServerSslTest`
## Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): **no**
- The public API, i.e., is any changed class annotated with `@Public(Evolving)`: **no**
- The serializers: **no**
- The runtime per-record code paths (performance sensitive): **no**
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: **no**
- The S3 file system connector: **no**
## Documentation
- Does this pull request introduce a new feature? **yes** (kind-of)
- If yes, how is the feature documented? **docs + JavaDocs**
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/NicoK/flink flink-9878
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/flink/pull/6355.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #6355
----
commit 9a19f64130837cba40c8f9b708aa98c002ae1a63
Author: Nico Kruber <ni...@...>
Date: 2018-07-17T21:40:11Z
[FLINK-9878][network][ssl] add more low-level ssl options
This is mostly to tackle bugs like https://github.com/netty/netty/issues/832
(JDK issue during garbage collection when the SSL session cache is not limited).
We add the following low-level configuration options for the user to fine-tune
their system:
- SSL session cache size
- SSL session timeout
- SSL handshake timeout
- SSL close notify flush timeout
----
> IO worker threads BLOCKED on SSL Session Cache while CMS full gc
> ----------------------------------------------------------------
>
> Key: FLINK-9878
> URL: https://issues.apache.org/jira/browse/FLINK-9878
> Project: Flink
> Issue Type: Bug
> Components: Network
> Affects Versions: 1.5.0, 1.5.1, 1.6.0
> Reporter: Nico Kruber
> Assignee: Nico Kruber
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.5.2, 1.6.0
>
>
> According to https://github.com/netty/netty/issues/832, there is a JDK issue during garbage collection when the SSL session cache is not limited. We should allow the user to configure this and further (advanced) SSL parameters for fine-tuning to fix this and similar issues. In particular, the following parameters should be configurable:
> - SSL session cache size
> - SSL session timeout
> - SSL handshake timeout
> - SSL close notify flush timeout
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)