[ https://issues.apache.org/jira/browse/CLOUDSTACK-9348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15286026#comment-15286026 ]

ASF GitHub Bot commented on CLOUDSTACK-9348:
--------------------------------------------

GitHub user rhtyd opened a pull request:

    https://github.com/apache/cloudstack/pull/1549

    CLOUDSTACK-9348: NioConnection improvements

    Reopened PR with squashed changes for a re-review and testing after
    https://github.com/apache/cloudstack/pull/1493 and subsequent PRs got reverted

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shapeblue/cloudstack nio-fixagain-singlepr

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1549.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1549
    
----
commit 267b3faa3b56d62ab7b6843cf676e0f6254a82a5
Author: Rohit Yadav <rohit.ya...@shapeblue.com>
Date:   2016-04-14T18:54:53Z

    CLOUDSTACK-9348: NioConnection improvements
    
    - Unit test to demonstrate denial of service attack
      The NioConnection uses blocking handlers for various events such as connect,
      accept, read, write. In case a client connects to NioServer (used by
      agent mgr to service agents on port 8250) but fails to participate in SSL
      handshake or just sits idle, this would block the main IO/selector loop in
      NioConnection. Such a client could be either malicious or aggressive.
    
      This unit test demonstrates such a malicious client that can perform a
      denial-of-service attack on NioServer that blocks it from serving any other
      client.
    
    - Use non-blocking SSL handshake
      - Uses non-blocking socket config in NioClient and NioServer/NioConnection
      - Scalable connectivity from agents and peer clustered-management server
      - Replaces blocking SSL handshake code with non-blocking code
      - Protects from denial-of-service issues that can degrade mgmt server responsiveness
        due to an aggressive/malicious client
      - Uses separate executor services for handling ssl handshakes
    
    Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>

----


> CloudStack Server degrades when a lot of connections on port 8250
> -----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9348
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9348
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: 4.9.0
>
>
> An intermittent issue was found with a large CloudStack deployment, where 
> servers could not keep agents connected on port 8250.
> All connections are handled by accept() in NioConnection:
> https://github.com/apache/cloudstack/blob/master/utils/src/main/java/com/cloud/utils/nio/NioConnection.java#L125
> A new connection is handled by accept(), which does a blocking SSL handshake. A 
> good fix would be to make this non-blocking and handle expensive tasks in 
> separate threads/pool. This way the main IO loop won't be blocked and can 
> continue to serve other agents/clients.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
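
An added illustration of the approach the commit message describes, a non-blocking SSL handshake run on a separate executor with a deadline for idle peers; it is not code from the pull request or from CloudStack. The class name, port 18250, pool size and 15-second timeout are assumptions, and the server key store is assumed to be supplied through the `javax.net.ssl.keyStore` system property.

```java
import java.nio.ByteBuffer;
import java.nio.channels.*;
import java.util.concurrent.*;
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
public class HandshakeOffload { // hypothetical name
    // Drives a TLS handshake on a non-blocking channel; false if the peer stalls or closes.
    static boolean handshake(SocketChannel ch, SSLEngine eng, long timeoutMs) throws Exception {
        long deadline = System.currentTimeMillis() + timeoutMs;
        int size = eng.getSession().getPacketBufferSize();
        ByteBuffer in = ByteBuffer.allocate(size), out = ByteBuffer.allocate(size);
        ByteBuffer app = ByteBuffer.allocate(eng.getSession().getApplicationBufferSize());
        eng.beginHandshake();
        HandshakeStatus hs = eng.getHandshakeStatus();
        while (hs != HandshakeStatus.FINISHED && hs != HandshakeStatus.NOT_HANDSHAKING) {
            if (System.currentTimeMillis() > deadline) return false; // idle client: give up
            if (hs == HandshakeStatus.NEED_UNWRAP) {
                if (ch.read(in) < 0) return false;                   // peer closed
                in.flip();
                SSLEngineResult r = eng.unwrap(in, app);
                in.compact();
                hs = r.getHandshakeStatus();
                if (r.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW) Thread.sleep(10);
            } else if (hs == HandshakeStatus.NEED_WRAP) {
                out.clear();
                hs = eng.wrap(ByteBuffer.allocate(0), out).getHandshakeStatus();
                out.flip();
                while (out.hasRemaining() && System.currentTimeMillis() <= deadline) ch.write(out);
            } else if (hs == HandshakeStatus.NEED_TASK) {
                for (Runnable t; (t = eng.getDelegatedTask()) != null; ) t.run();
                hs = eng.getHandshakeStatus();
            } else return false;
        }
        return !eng.isInboundDone() && !eng.isOutboundDone();
    }
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault(); // assumption: key store set via javax.net.ssl.keyStore
        ExecutorService pool = Executors.newFixedThreadPool(4); // handshakes run here
        ServerSocketChannel srv = ServerSocketChannel.open().bind(new java.net.InetSocketAddress(18250));
        while (true) { // the accept loop never waits on a peer's handshake
            SocketChannel ch = srv.accept();
            ch.configureBlocking(false);
            pool.execute(() -> {
                SSLEngine eng = ctx.createSSLEngine();
                eng.setUseClientMode(false);
                try { if (!handshake(ch, eng, 15_000)) ch.close(); } // drop stalled peers
                catch (Exception e) { try { ch.close(); } catch (Exception ignored) { } }
            });
        }
    }
}
```

A silent client occupies one pool worker only until the deadline, while the accept loop keeps taking new connections. The 10 ms sleep stands in for selector-driven readiness, which a production loop would use instead.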
