Uploaded image for project: 'RH-SSO'
  1. RH-SSO
  2. RHSSO-2835

Memory Leak within RH-SSO infinispan caches (standalone mode)

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • RH-SSO-7.6.6
    • Server
    • False
    • None
    • False
    • Critical

    Description

      1. Issue description

      RH-SSO standalone mode does also contains embedded caches.
      here is the 7.6.6 standalone.xml

      ~~~
      <local-cache name="sessions"/>
      <local-cache name="authenticationSessions"/>
      <local-cache name="offlineSessions"/>
      <local-cache name="clientSessions"/>
      <local-cache name="offlineClientSessions"/>
      <local-cache name="loginFailures"/>
      ~~~

      There is a memory leak issue with local embedded caches

      2. Similar existing (fixed in SSO 7.6.1 for standalone-HA mode)

      There was in issue with distributed caches which has been fixed since:
      -KEYCLOAK-18518 - (fixed in KC 15) - Expired cache objects in infinispan cache are never garbage collected and lead to out of memory [1]

      -RHSSO-2169 - fixed in RH-SSO 7.6.1 - Expired cache objects in infinispan cache are never garbage collected in standalone configuration [2].

      For further information, see also KCS article:

      -SSO 7.6 OOME due to org.infinispan.container.impl.DefaultSegmentedDataContainer [3]

      3. Existing Work-around
      The issue faced (standalone mode) is similar to RH-SSO-2169, which has been fixed in RH-SSO 7.6.1 for standalone-ha mode, but not for the standalone mode.

      In standalone mode, you should apply the same work-around/solution that is indicated within the KCS to circumvent this issue:

      You need to add expiration and eviction for cache container keycloak. Add expiration in all locals cache as it is shown below.

      here is the 7.6.6 standalone.xml

      ~~~
      <local-cache name="sessions"/>
      <local-cache name="authenticationSessions"/>
      <local-cache name="offlineSessions"/>
      <local-cache name="clientSessions"/>
      <local-cache name="offlineClientSessions"/>
      <local-cache name="loginFailures"/>
      ~~~

      It needs to be updated as follows using jboss cli:

      ~~~
      /subsystem=infinispan/cache-container=keycloak/local-cache=sessions/component=expiration/:write-attribute(name=lifespan,value=2000000000)
      /subsystem=infinispan/cache-container=keycloak/local-cache=clientSessions/component=expiration/:write-attribute(name=lifespan,value=2000000000)
      /subsystem=infinispan/cache-container=keycloak/local-cache=offlineSessions/component=expiration/:write-attribute(name=lifespan,value=2000000000)
      /subsystem=infinispan/cache-container=keycloak/local-cache=offlineClientSessions/component=expiration/:write-attribute(name=lifespan,value=2000000000)
      /subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/component=expiration/:write-attribute(name=lifespan,value=2000000000)
      /subsystem=infinispan/cache-container=keycloak/local-cache=loginFailures/component=expiration/:write-attribute(name=lifespan,value=2000000000)
      /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=lifespan,value=2000000000)
      ~~~
       

       

       

       

       

       

      [1] https://issues.redhat.com/browse/KEYCLOAK-18518

      [2] https://issues.redhat.com/browse/RHSSO-2169

      [3] https://access.redhat.com/solutions/7011043

       

       

       

       

       

       

      Attachments

        Activity

          People

            Unassigned Unassigned
            rhn-support-orivat Olivier Rivat
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: