Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xds: FileWatcherCertificateProvider is leaked #11692

Open
ejona86 opened this issue Nov 14, 2024 · 4 comments
Open

xds: FileWatcherCertificateProvider is leaked #11692

ejona86 opened this issue Nov 14, 2024 · 4 comments
Assignees
@shivaspeaks
Labels
bug xds
Milestone
Next

Comments

@ejona86
Copy link
Member

ejona86 commented Nov 14, 2024

In investigating #11678 (comment) , it was discovered that XdsSecurityClientServerTest looks to create two FileWatcherCertificateProviders each test, but only shuts down one. Since it is using the Channel/Server APIs, this means one of the client or server is highly likely leaking the certificate provider.

CC @kannanjgithub
@ejona86 ejona86 added the bug label Nov 14, 2024
@ejona86 ejona86 added this to the Next milestone Nov 14, 2024
@ejona86 ejona86 mentioned this issue Nov 14, 2024
Closed
@vinodhabib
Copy link
Contributor

vinodhabib commented Dec 24, 2024
edited
Loading

@ejona86 @shivaspeaks Request you to provide the repro steps for the same so that it will be helpful for us to debug and fix the root cause/leakage issue.
in the above linked comments it was not clear on how to repro the same issue which you found earlier as most of the comments are related to flaky test.
Thanks in Advance.

@ejona86
Copy link
Member Author

ejona86 commented Dec 26, 2024

The flakiness was unrelated. Run XdsSecurityClientServerTest, and see that FileWatcherCertificateProvider.start() is called more than close().

It appears to apply to most tests, so you can choose your favorite and run just the one test. For example, in the xds/ directory, run ../gradlew test --tests 'XdsSecurityClientServerTest.tlsClientServer_noClientAuthentication[enableSpiffe=false]'. If you use println debugging, you can find the stdout/stderr in build/reports/tests/test/index.html.

I see SecurityProtocolNegotiators$ClientSecurityHandler in the stack of the non-shutdown instance, so it appears the leak is on client-side. Unfortunately, the client-side is overly complex in the number of classes involved.

@vinodhabib
Copy link
Contributor

vinodhabib commented Dec 31, 2024
edited
Loading

build/reports/tests/test/index.html

@ejona86 @shivaspeaks As per your above suggestion I can see the below println (added in start() and close() methods ) statement for 1 of the test (as attached in below snippet) as below with 2 consecutive starts call execution followed by 1 close call.

Here the expected behaviour for this UT should have only 1 start call followed by 1 close call as below? please confirm ?

Executed start()
Executed close()
Executed start()
Executed close()

image

image

image

@ejona86
Copy link
Member Author

ejona86 commented Jan 3, 2025

@vinodhabib The number of start() calls should match the number of close() calls. The number of start() calls per test is likely to be 2, one for server and one for client. But this issue is that some are started but not closed.

@ejona86 ejona86 added the xds label Jan 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shivaspeaks shivaspeaks

Labels
bug xds
Projects
None yet
Milestone
Next
Development

No branches or pull requests
3 participants
@ejona86 @vinodhabib @shivaspeaks