Limit the number of negative dentries in the system

We know of an issue with nss versions older than 3.52 which can cause
unlimited negative dentry growth.  In particular, calling curl with an
HTTPS URL can cause negative dentries to be added to the cache and
these won't be cleaned up until the system as a whole experiences
memory pressure, which can in turn cause application delays while
kswapd is running.

In order to try to prevent problems from this, we are setting a global
environment variable to tell curl to bypass the problematic behaviour.
(A separate change will make the equivalent modification in the
elasticsearch helm charts.)

However, in order to protect against poorly-behaved application
software that we don't control, we also use a kernel sysctl to globally
limit the amount of memory consumed by negative dentries to 2% of all
memory.

Change-Id: I7d7726c9e4aed934aad6cc99f081404a51b1059a
Closes-Bug: 1896531
Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
Chris Friesen 2020-09-21 14:44:28 -04:00
parent 533ff60a10
commit 9a5dfa1b1b
4 changed files with 16 additions and 2 deletions

@ -1,2 +1,2 @@
SRC_DIR="files"
TIS_PATCH_VER=0
TIS_PATCH_VER=1

@ -97,3 +97,11 @@ net.ipv4.tcp_retries2 = 8
# that will cause the tiller pod to crash when the port is assigned to
# another client/server
net.ipv4.ip_local_reserved_ports=35357,44134-44136
# Set a global limit on the number of negative dentries. This is in units
# of 0.1 %, so a value of 20 represents 2% of all memory.
# We know of an issue with curl to an https endpoint when using nss versions
# older than 3.52 which can cause unlimited negative dentry growth. We fixed
# it in the code we control, but this will keep the number at a reasonable
# size if an application is poorly behaved.
fs.negative-dentry-limit=20
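Review bot: `fs.negative-dentry-limit` is not a mainline sysctl; it exists only on a kernel that carries the negative-dentry limiting patch, so on any other kernel this line makes the sysctl loader report that the key cannot be found. The comment should state that kernel dependency, and if this file can ever be loaded on a stock kernel, prefix the key with `-` (`-fs.negative-dentry-limit=20`) so a failure on this one key is ignored rather than logged as an error. The comment also says "limit on the number of negative dentries" while the value is a fraction of memory (units of 0.1 %), so "limit on the memory used by negative dentries" would describe what 20 actually means.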

@ -1,2 +1,2 @@
SRC_DIR="files"
TIS_PATCH_VER=0
TIS_PATCH_VER=1

@ -1 +1,7 @@
export TMOUT=900
# This is to work around a bug in curl with https
# endpoints when using nss versions less than 3.52.
# Without this it creates many negative dentries
# each time it is called.
export NSS_SDB_USE_CACHE=no
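Review bot: the comment blames "a bug in curl", while the commit message attributes the behaviour to NSS versions older than 3.52 and the variable being exported is an NSS setting (`NSS_SDB_USE_CACHE`); aligning the comment with the commit message tells a future reader that it is an NSS upgrade, not a curl upgrade, that lets this line be removed. It is also worth saying in the comment that a profile script only reaches processes that inherit a login-shell environment: services started by the init system, cron jobs and containers need the variable set separately, which is what the commit message says the helm-chart change covers.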