[ https://issues.apache.org/jira/browse/CLOUDSTACK-9348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15295966#comment-15295966 ]
ASF subversion and git services commented on CLOUDSTACK-9348:
-------------------------------------------------------------

Commit d5b61312bfb1c09d0635149810904634c9904ddb in cloudstack's branch refs/heads/4.5 from [~rohit.ya...@shapeblue.com]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=d5b6131 ]

CLOUDSTACK-9348: NioConnection improvements

- Unit test to demonstrate denial of service attack

  The NioConnection uses blocking handlers for various events such as
  connect, accept, read, write. In case a client connects NioServer (used by
  agent mgr to service agents on port 8250) but fails to participate in SSL
  handshake or just sits idle, this would block the main IO/selector loop in
  NioConnection. Such a client could be either malicious or aggressive.

  This unit test demonstrates such a malicious client that can perform a
  denial-of-service attack on NioServer that blocks it to serve any other client.

- Use non-blocking SSL handshake
- Uses non-blocking socket config in NioClient and NioServer/NioConnection
- Scalable connectivity from agents and peer clustered-management server
- Removes blocking ssl handshake code with a non-blocking code
- Protects from denial-of-service issues that can degrade mgmt server
  responsiveness due to an aggressive/malicious client
- Uses separate executor services for handling ssl handshakes

Cherry-picked and backported from 9c7518698d2f4a9fcc6a83fd22dd5b2fc4260232

Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>

> CloudStack Server degrades when a lot of connections on port 8250
> -----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9348
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9348
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: 4.9.0
>
>
> An intermittent issue was found with a large CloudStack deployment, where
> servers could not keep agents connected on port 8250.
> All connections are handled by accept() in NioConnection:
> https://github.com/apache/cloudstack/blob/master/utils/src/main/java/com/cloud/utils/nio/NioConnection.java#L125
> A new connection is handled by accept() which does blocking SSL handshake. A
> good fix would be to make this non-blocking and handle expensive tasks in
> separate threads/pool. This way the main IO loop won't be blocked and can
> continue to serve other agents/clients.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
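
Added example, not part of the JIRA notification and not CloudStack's code: a Java sketch of the pattern the commit message describes, where the selector thread only accepts and a separate executor drives the SSLEngine handshake on a non-blocking socket. The class name, the 4-thread pool, the 15-second deadline, the short polling sleep and a keystore supplied through the javax.net.ssl.* system properties are assumptions; port 8250 is the one named above.

```java
import javax.net.ssl.*;
import java.nio.ByteBuffer;
import java.nio.channels.*;
import java.util.concurrent.*;
public class HandshakeOffLoop { // hypothetical class, not CloudStack's NioConnection
    static boolean handshake(SocketChannel ch, SSLEngine eng) throws Exception { // worker thread only
        SSLSession s = eng.getSession();
        ByteBuffer in = ByteBuffer.allocate(s.getPacketBufferSize()), out = ByteBuffer.allocate(in.capacity());
        ByteBuffer app = ByteBuffer.allocate(s.getApplicationBufferSize());
        long deadline = System.currentTimeMillis() + 15_000; // assumed handshake deadline
        eng.beginHandshake();
        while (System.currentTimeMillis() < deadline) {
            switch (eng.getHandshakeStatus()) {
                case NEED_TASK: for (Runnable r; (r = eng.getDelegatedTask()) != null; ) r.run(); break;
                case NEED_WRAP:
                    out.clear(); eng.wrap(ByteBuffer.allocate(0), out); out.flip();
                    while (out.hasRemaining() && System.currentTimeMillis() < deadline) ch.write(out);
                    break;
                case NEED_UNWRAP:
                    if (ch.read(in) < 0) return false; // peer hung up
                    in.flip();
                    SSLEngineResult.Status st = eng.unwrap(in, app).getStatus();
                    in.compact();
                    if (st == SSLEngineResult.Status.CLOSED) return false;
                    if (st == SSLEngineResult.Status.BUFFER_UNDERFLOW) Thread.sleep(10); // no bytes yet
                    break;
                default: return true; // NOT_HANDSHAKING or FINISHED; a real server keeps bytes left in 'in'
            }
        }
        return false; // idle or too slow: deadline passed
    }
    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(4); // handshakes run here, not on the selector
        Selector sel = Selector.open();
        ServerSocketChannel srv = ServerSocketChannel.open();
        srv.bind(new java.net.InetSocketAddress(8250)).configureBlocking(false).register(sel, SelectionKey.OP_ACCEPT);
        while (sel.select() >= 0) {
            sel.selectedKeys().clear(); // only OP_ACCEPT is registered in this sketch
            SocketChannel ch = srv.accept(); // one per wakeup; select() fires again if more are pending
            if (ch == null) continue;
            ch.configureBlocking(false);
            SSLEngine eng = SSLContext.getDefault().createSSLEngine(); // assumption: keystore from JVM properties
            eng.setUseClientMode(false);
            pool.execute(() -> {
                try { if (handshake(ch, eng)) return; } catch (Exception e) { /* failed handshake */ }
                try { ch.close(); } catch (Exception e) { /* already closed */ }
            });
        }
    }
}
```

With this split, a peer that connects and then sits idle holds one worker slot for at most the deadline instead of stalling accept() for every other agent. The pool size and deadline therefore bound how many stalled handshakes the server tolerates at once, and are worth monitoring.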