[ https://issues.apache.org/jira/browse/FLINK-9878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16649106#comment-16649106 ]

ASF GitHub Bot commented on FLINK-9878:
---------------------------------------

NicoK opened a new pull request #6838: [FLINK-9878][network][ssl] add more low-level ssl options
URL: https://github.com/apache/flink/pull/6838
 
 
   ## What is the purpose of the change
   
   This is mostly to tackle bugs like https://github.com/netty/netty/issues/832
   (JDK issue during garbage collection when the SSL session cache is not limited).
   We add the following low-level configuration options for the user to fine-tune
   their system, i.e. the Flink-internal communication:
   
   - SSL session cache size
   - SSL session timeout
   - SSL handshake timeout
   - SSL close notify flush timeout
   
   FYI: I'll also merge this into `master` if accepted.
   
   ## Brief change log
   
   - add `security.ssl.internal.session-cache-size` and `security.ssl.internal.session-timeout` configuration parameters
   -> configure these for `SSLContext`s created by `SSLUtil`
   - add `security.ssl.internal.handshake-timeout` and `security.ssl.internal.close-notify-flush-timeout`
   -> configure these for `SslHandler`s created by `SSLHandlerFactory` (previously `SSLEngineFactory`)
   - rename/refactor `SSLEngineFactory` to `SSLHandlerFactory` since no `SSLEngine` objects alone were actually needed, but only Netty's `SslHandler` (reduces code duplication which would be worse with this PR)
   
   ## Verifying this change
   
   This change added tests and can be verified as follows:
   
   - added configuration-verification test to `NettyClientServerSslTest`
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): **no**
     - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: **no**
     - The serializers: **no**
     - The runtime per-record code paths (performance sensitive): **no**
     - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: **no**
     - The S3 file system connector: **no**
   
   ## Documentation
   
     - Does this pull request introduce a new feature? **yes** (kind-of)
     - If yes, how is the feature documented? **docs + JavaDocs**
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
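
The two session settings named in the change log above, applied to a plain JDK `SSLContext`, as an added example that is not code from the pull request or from Flink. The class name, the helper methods and the limit values are assumptions; the handshake and close-notify timeouts are left out because they are set on Netty's `SslHandler` and need Netty on the classpath.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

// Hypothetical class for illustration; only JDK (JSSE) APIs are used.
public class BoundedSslSessionCache {

    /** Applies a cache-size and a timeout limit to one JSSE session context. */
    static void limit(SSLSessionContext sessions, int cacheSize, int timeoutSeconds) {
        if (sessions == null) {
            return; // the JDK API allows a context to have no session context
        }
        if (cacheSize < 0 || timeoutSeconds < 0) {
            throw new IllegalArgumentException("limits must be >= 0");
        }
        sessions.setSessionCacheSize(cacheSize);    // 0 means no limit
        sessions.setSessionTimeout(timeoutSeconds); // in seconds; 0 means no limit
    }

    /** Renders the current limits of a session context for logging. */
    static String describe(String side, SSLSessionContext sessions) {
        if (sessions == null) {
            return side + ": no session context";
        }
        return side + ": cacheSize=" + sessions.getSessionCacheSize()
                + " timeoutSeconds=" + sessions.getSessionTimeout();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample limits, not values taken from the pull request.
        int cacheSize = 1024;
        int timeoutSeconds = 600;

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // JDK default key and trust material

        System.out.println("before " + describe("server", context.getServerSessionContext()));
        System.out.println("before " + describe("client", context.getClientSessionContext()));

        // A context used for both roles has two caches; limit both of them.
        limit(context.getServerSessionContext(), cacheSize, timeoutSeconds);
        limit(context.getClientSessionContext(), cacheSize, timeoutSeconds);

        System.out.println("after  " + describe("server", context.getServerSessionContext()));
        System.out.println("after  " + describe("client", context.getClientSessionContext()));
    }
}
```

The "before" lines show the defaults of the running JDK, which differ between releases, so an unbounded cache can be spotted by a reported size of 0.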


> IO worker threads BLOCKED on SSL Session Cache while CMS full gc
> ----------------------------------------------------------------
>
>                 Key: FLINK-9878
>                 URL: https://issues.apache.org/jira/browse/FLINK-9878
>             Project: Flink
>          Issue Type: Bug
>          Components: Network
>    Affects Versions: 1.5.0, 1.5.1, 1.6.0
>            Reporter: Nico Kruber
>            Assignee: Nico Kruber
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.7.0, 1.5.4, 1.6.2
>
>
> According to https://github.com/netty/netty/issues/832, there is a JDK issue 
> during garbage collection when the SSL session cache is not limited. We 
> should allow the user to configure this and further (advanced) SSL parameters 
> for fine-tuning to fix this and similar issues. In particular, the following 
> parameters should be configurable:
> - SSL session cache size
> - SSL session timeout
> - SSL handshake timeout
> - SSL close notify flush timeout



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
