Uploaded image for project: 'Red Hat Advanced Cluster Security'
  1. Red Hat Advanced Cluster Security
  2. ROX-31365

Filling policy category names within Walk for Policies leads to DB conn exhaustion

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 4.9.0, 4.8.6
    • None
    • Central
    • None
    • Incidents & Support
    • False
    • Hide

      None

      Show
      None
    • False
    • Fixed an issue that could cause DB connection exhaustion when many sensors try to reconnect at the same time

      Overview:

      See: https://redhat-internal.slack.com/archives/C09LUC1898W/p1761117388509809
      for a detailed description of this issue.

      TL;DR;

      The change https://github.com/stackrox/stackrox/pull/14747 puts the logic to map policy to categories they are assigned to within the Cursor query to get all policies. When many sensors reconnect they try to fetch the policy. In the specific case of the CS incident this leads to 134 (secured clusters) * 150 (policies) DB requests within the cursor transaction. This leads to connection pool exhaustion.

      Suggested Solution

      • Put the logic to fill category names out of the Policy walk again

      This needs to be back ported to 4.8 and 4.9

              rh-ee-jmalsam Johannes Malsam
              rh-ee-jmalsam Johannes Malsam
              ACS Cloud Service
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: