Out-of-memory Exception during Certificate Ingestion #61

Open
cyrill-k opened this issue Apr 8, 2024 · 3 comments
@cyrill-k
Collaborator

cyrill-k commented Apr 8, 2024

When ingesting a batch of ~40 million certificates from local CSV files via the CertificateFolders config option introduced in https://github.com/netsec-ethz/fpki/tree/cyrill-mapserver-improvements, the mapserver runs out of memory during the SMT update phase (after adding the certificates and coalescing the payloads).

    ...
    coalescing certificate payloads at 2024-03-21T19:31:52Z
    updating SMT at 2024-03-21T19:55:49Z

juagargi self-assigned this Apr 8, 2024
juagargi added the bug label Apr 8, 2024

@cyrill-k
Collaborator Author

cyrill-k commented Apr 8, 2024

This bug can be reproduced as follows:

  • clear DB: ./create_schema.sh
  • set high max ingestion rows limit in mapserver config: CsvIngestionMaxRows: 10000000
  • ingest from Google 2024/2025 logs:
      "CTLogServerURLs": [
          "https://ct.googleapis.com/logs/eu1/xenon2024",
          "https://ct.googleapis.com/logs/eu1/xenon2025h1",
          "https://ct.googleapis.com/logs/eu1/xenon2025h2",
          "https://ct.googleapis.com/logs/us1/argon2024",
          "https://ct.googleapis.com/logs/us1/argon2025h1",
          "https://ct.googleapis.com/logs/us1/argon2025h2"
      ],
    
  • (optionally) speed up by ingesting from local CSV files:
      "CertificateFolders": {
          "https://ct.googleapis.com/logs/eu1/xenon2024": "/mnt/external/ct-log-download/certificates/https:__ct.googleapis.com_logs_eu1_xenon2024/bundled",
          "https://ct.googleapis.com/logs/eu1/xenon2025h1": "/mnt/external/ct-log-download/certificates/https:__ct.googleapis.com_logs_eu1_xenon2025h1/bundled",
          "https://ct.googleapis.com/logs/us1/argon2024": "/mnt/external/ct-log-download/certificates/https:__ct.googleapis.com_logs_us1_argon2024/bundled",
          "https://ct.googleapis.com/logs/us1/argon2025h1": "/mnt/external/ct-log-download/certificates/https:__ct.googleapis.com_logs_us1_argon2025h1/bundled"
      }
    
  • restart service: sudo systemctl restart fpki-mapserver.service
  • inspect output: sudo journalctl -fu fpki-mapserver.service

@cyrill-k
Collaborator Author

cyrill-k commented Apr 8, 2024

When adjusting the batch size to 100000, the SMT can be updated without any issues.

However, when using a batch size of 1000000, the following error message appears:

  • Apr 08 18:01:50 netsec-hpc-articuno mapserver[5245]: ERROR: update returned updating SMT: commitChangesToDB | UpdateKeyValuePairBatches | error inserting key-values into tree: Error 1390 (HY000): Prepared statement contains too many placeholders

We may be able to solve this problem by:

  • limiting the number of certificates added in a single update cycle. This is already supported for the LocalLogFetcher but not so easy to implement for the HttpLogFetcher since we need to process all certificates until the current STH.
  • Or, do a batch-wise update of the tree nodes.

@juagargi
Member

Although it could have happened before this step, when the ingest tool runs the SMT update, we run out of memory in mysqld. See attached screenshot.

image

We probably need to:

  • Hard limit the RAM use by mysql
  • Do the SMT update in bundles.
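
The "batch-wise update of the tree nodes" and "SMT update in bundles" proposed in the comments above, as an added sketch that is not part of the thread or the fpki code base. It keeps every statement under MySQL's limit of 65535 placeholders per prepared statement (the cause of Error 1390) and hands each batch to a callback so only one batch of arguments is alive at a time. The `KeyValue` type, the `smt_nodes` table, its two-column layout and the `UpdateInBatches` name are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// MySQL allows at most 65535 placeholders per prepared statement (Error 1390).
const maxPlaceholders = 65535
const colsPerRow = 2 // assumed layout: one key column, one value column
const MaxRowsPerStatement = maxPlaceholders / colsPerRow

// KeyValue is a hypothetical stand-in for one tree node row.
type KeyValue struct {
	Key   [32]byte
	Value []byte
}

// UpdateInBatches issues one bounded multi-row upsert per chunk of rows and
// returns how many statements were handed to exec (e.g. a wrapper around tx.Exec).
// The table name smt_nodes is a placeholder and is fixed here, so no
// caller-supplied text is concatenated into the SQL.
func UpdateInBatches(rows []KeyValue, maxRows int, exec func(sql string, args []any) error) (int, error) {
	if maxRows < 1 || maxRows > MaxRowsPerStatement {
		return 0, fmt.Errorf("maxRows %d outside 1..%d", maxRows, MaxRowsPerStatement)
	}
	issued := 0
	for start := 0; start < len(rows); start += maxRows {
		end := start + maxRows
		if end > len(rows) {
			end = len(rows)
		}
		chunk := rows[start:end]
		sql := "REPLACE INTO smt_nodes (`key`, `value`) VALUES " +
			strings.TrimSuffix(strings.Repeat("(?,?),", len(chunk)), ",")
		args := make([]any, 0, len(chunk)*colsPerRow) // released after each batch
		for i := range chunk {
			args = append(args, chunk[i].Key[:], chunk[i].Value)
		}
		if err := exec(sql, args); err != nil {
			return issued, fmt.Errorf("batch starting at row %d: %w", start, err)
		}
		issued++
	}
	return issued, nil
}

func main() {
	// Constructed input: 70000 empty rows, no database needed for the dry run.
	n, err := UpdateInBatches(make([]KeyValue, 70000), MaxRowsPerStatement,
		func(sql string, args []any) error { return nil })
	fmt.Println(n, err)
}
```

Bounding rows per statement also caps the size of each packet and transaction on the mysqld side, which is the process reported as running out of memory.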
