Opened 3 years ago
Closed 2 years ago
#2316 closed defect (invalid)
nginx-1.20.2 worker process memory usage keeps increasing
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | nginx-1.20.2 | Cc: | |
| uname -a: | Linux 5.4.0-97-generic #110-Ubuntu SMP Thu Jan 13 18:22:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.20.2
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04) built with OpenSSL 1.1.1f 31 Mar 2020 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-cc-opt='-g -O2 -fdebug-prefix-map=/home/nginx/nginx-1.20.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --add-dynamic-module=/home/nginx/nginx-1.20.2/debian/modules/headers-more-nginx-module-0.33 |
||
Description
I have configured nginx-1.20.2 as a reverse proxy. The request traffic is max 200 req/s. Every time I check the memory usage of nginx: worker processes, usage keeps increasing. When I restart the nginx, memory usage back to normal, but it increasing by time.
I used nginx-1.20.1 for same manners for like 5 months with same configuration, but I did not come across a problem like this.
Any help will be appreciated. Thanks in advance.
Change History (6)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
I've additionally review changes in nginx 1.20.2 and I think I see what can cause a memory leak. Not sure how to reproduce it though. Could you please test if the following patch fixes things for you?
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -3751,6 +3751,8 @@ ngx_http_close_connection(ngx_connection
#if (NGX_HTTP_SSL)
if (c->ssl) {
+ c->ssl->shutdown_without_free = 0;
+
if (ngx_ssl_shutdown(c) == NGX_AGAIN) {
c->ssl->handler = ngx_http_close_connection;
return;
comment:3 by , 3 years ago
I figured out the cause of memory leak. Actually, only difference between the old and new configuration was ssl_engine pkcs11 directive. Meanwhile, I am working on integrating nginx with HSM. In order to do so, this directive is enabled. When I disabled the directive, memory usage stabilizes. However, for integrating with HSM purpose I have to enable it. Addition to memory consuption problem I am facing with performance issues. At nginx error log, I am having SSL handshake errors espacially under the load. Example error log:
[crit] 58#58: *3313805 SSL_do_handshake() failed (SSL: error:8207A090:PKCS#11 module:pkcs11_private_encrypt:Operation active error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error) while SSL handshaking, client: xx.xx.xx.xx, server: 0.0.0.0:443
What can lead to this, I know I wander off the topic but any suggestions/help would be greatly appreciated.
comment:4 by , 3 years ago
Using HSM implies that private key operations are likely limited by the hardware module you are using, and performance issues aren't surprising. It is usually not recommended to use HSMs for anything under load.
As for memory issues and internal errors, these are to be looked in the OpenSSL engine being used. Upgrading to the most recent version of the PKCS11 engine might be the way to go.
One thing which might help as a workaround (though unlikely) is to avoid misusing ssl_engine to load the pkcs11 engine, and use appropriate OpenSSL configuration to initialize the engine instead (see #2271 or this test for examples, note init = 1).
comment:6 by , 2 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Closing this. The issue as originally observed was reported to be cause by the pkcs11 engine. Also, additional investigation shows that the potential cause suspected in comment:2 cannot result in a memory leak.
There are very few changes in 1.20.2 compared to 1.20.1, no idea what can cause increasing memory usage.
First of all, I would recommend to do the following to further debug this:
It also might be a good idea to show your configuration to see if there are any potential issues.
Hope this helps.