Chuck,

On 8/22/16 11:27 AM, Chuck Syperski wrote:
> I think I found a larger part of the puzzle with the OpenSSL
> support for tomcat, it looks like when using the ssl config
> provided below (directly from Let's encrypt in this case) in your
> server.xml you can consume a large amount of a server's CPU.
> 
> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" 
> certificateFile="conf/localhost-rsa-cert.pem" 
> certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA" />
> 
> If you use this config and you attempt to connect using IE8, it
> will fail to load the page on the client and kill one core of your
> box until you restart.
> 
> Can someone attempt to reproduce this?  It works against the manage
> app (https://.../manager/html)
> 
> I was able to replicate using this site if you don't have an XP box
> laying around.
> 
> http://netrenderer.com/index.php
> 
> My setup is Ubuntu 16.04, tomcat 8.5.3 and Oracle Java
> 1.8.0_101-b13

This is using the NIO or NIO2 connector, right?

I haven't yet tried to reproduce this, but I did take a casual look at
the thread dump. The only candidates I see for killing the CPU are the
accept() and epoll() calls. accept() should be basically a "free" call
that blocks 100% and does nothing unless there are incoming connections.

The select() call for NIO can be either cheap or expensive depending
upon what's going on in the fd list and the timeout used for checking.
I suspect a busy-wait with the select/epoll call(s). The only way to
prove that would be to use strace or equivalent, and on a JVM that is
going to be a huge mess of calls. You might be able to filter it with
grep to see how often the underlying kernel calls are being made -- if
they are being made e.g. thousands of times per second then there's
the problem.

Have you tried any of the other versions in the 8.5.x line? I don't
see anything in the 8.5.4 changelog that would seem to affect this,
but it's worth trying.

Also please try 8.5.0 and, if possible, 9.0. 9.0.x and 8.5.x are very
closely related when it comes to the changes that have been made to
the various connectors. If there are some versions that don't fail,
then it can help determine what change(s) may have broken something.

There have recently been a few changes to the way NIO/NIO2 manage
connections, fds, etc. and those changes may have caused/fixed this issue.

If you are using NIO, can you try NIO2 and if NIO2 try NIO instead?
That could help narrow things down as well.

Thanks,
-chris

> On Mon, Aug 22, 2016 at 9:40 AM, Chuck Syperski
> <csyper...@gmail.com> wrote:
> 
>> Hello,
>> 
>> I am having an issue with a product box running tomcat 8.5.3
>> consuming a high percent of CPU cycles on a single core at what
>> seems like random intervals (typically days apart), triggered by
>> nothing other than a simple http get request. This didn’t happen
>> when I was using the 8.0.x branch with SSL using a  JKS.  I have
>> switched to using the OpenSSL method in 8.5.3 as well (see
>> configuration below), so I don’t know if that could contribute
>> to the issues I am having
>> 
>> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" 
>> certificateFile="conf/localhost-rsa-cert.pem" 
>> certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA"
>> />
>> 
>> I’ve gone years without any issue until recently (with the
>> general changes outlined above).  When the issue is occurring I
>> noticed when looking at “top”  the “system” cpu percent is higher
>> than the user space percent (ie: 30% us, 50% sys), and it stays
>> pretty stable at the split.  This will continue until I restart
>> tomcat, and I found that undeploying my webapp didn’t stop the
>> runaway cpu, only restarting tomcat would stop the process.
>> 
>> I’m running ubuntu 16.04, with java version "1.8.0_101"
>> 
>> I understand there isn’t a lot of details to go on here, I’ve
>> included my thread dump and jstack below:
>> 
>> jstack - http://pastebin.com/5Y2C5hzu
>> 
>> threaddump - http://pastebin.com/n9Rkybwv
>> 
>> Any pointers as to where to look next would be appreciated, as
>> I’m a bit stuck as to what I should look at next.
>> 
> 
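
Added example, not part of the original message: one way to carry out the strace-and-grep check suggested in the reply above is to count polling syscalls per thread per second and report any bucket that crosses a threshold, which separates a busy-wait from calls that block normally. The function names, the constructed sample trace and the threshold of 1000 are assumptions made for this illustration; the input format is that written by `strace -f -tt -o FILE`.

```shell
#!/bin/sh
# Added illustration; names, threshold and sample data are assumptions.
# Capture on a live system (assumed invocation, needs ptrace permission):
#   strace -f -tt -e trace=epoll_wait,epoll_pwait,accept,accept4 \
#          -p "$TOMCAT_PID" -o trace.log
#   busy_wait_report 1000 < trace.log

# Read "TID HH:MM:SS.usec syscall(args...) = ret" lines on stdin and print
# "TID HH:MM:SS syscall COUNT" for every thread/second/syscall bucket whose
# count is at or above the threshold given as $1.
busy_wait_report() {
    awk -v limit="$1" '
        {
            name = $3
            sub(/\(.*/, "", name)          # "epoll_wait(45," -> "epoll_wait"
            # "<... epoll_wait resumed>" lines yield name "<..." and are
            # skipped, so a blocked call is counted once, when it is entered.
            if (name !~ /^(epoll_wait|epoll_pwait|select|poll|accept|accept4)$/) next
            split($2, t, ".")              # drop microseconds: 1-second buckets
            count[$1 " " t[1] " " name]++
        }
        END {
            for (k in count)
                if (count[k] >= limit) print k, count[k]
        }' | sort
}

# Constructed sample trace: thread 4242 spins on epoll_wait with a zero
# timeout (1500 immediate returns within one second), while threads 4243
# and 4244 block as a healthy poller and acceptor would.
sample_trace() {
    awk 'BEGIN {
        for (i = 0; i < 1500; i++)
            printf "4242 11:27:03.%06d epoll_wait(45, [], 1024, 0) = 0\n", i * 600
        print "4243 11:27:03.000100 epoll_wait(50,  <unfinished ...>"
        print "4243 11:27:04.000200 <... epoll_wait resumed> [{EPOLLIN, {u32=51, u64=51}}], 1024, 1000) = 1"
        print "4244 11:27:03.500000 accept(48,  <unfinished ...>"
    }'
}

sample_trace | busy_wait_report 1000
```

The thread id in the first column is decimal; jstack prints the same id in hexadecimal as `nid=0x...`, which lets a spinning thread be matched to its Java stack.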
