Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Memory leak #249

Open
timdittler opened this issue Dec 1, 2023 · 9 comments
Open

Memory leak #249

timdittler opened this issue Dec 1, 2023 · 9 comments

Comments

@timdittler
Copy link

Hey, thank you very much for your extremely interesting project. I would like to try it out with Istio 1.18.5.

This is what my config looks like

---
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: istio-coraza-waf
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.4.0
  imagePullPolicy: IfNotPresent
  phase: AUTHN
  pluginConfig:
    default_directives: default
    directives_map:
      default:
        - Include @recommended-conf
        - Include @crs-setup-conf
        - Include @owasp_crs/*.conf
        - SecRuleEngine DetectionOnly

However, it looks like there might be a memory leak in the proxy. The memory consumption of the ingressgateway is stable before enabling the coraza-proxy-wasm, but grows continues after enabling it. Memory growth when disabling coraza-proxy-wasm.

image

Have you seen this behavior before? Can I help debug the problem?

@M4tteoP
Copy link
Member

M4tteoP commented Dec 5, 2023

Hey, thanks for the report. @anuraaga has carried out a lot of work around memory management and https://github.com/wasilibs/nottinygc, but maybe something has to be still taken care of. How is your traffic? Are you experiencing the same behavior even disabling the body analysis (SecRequestBodyAccess off and SecResponseBodyAccess off)?

Thanks for your help

@timdittler
Copy link
Author

timdittler commented Dec 8, 2023

I did some new tests today.

  • 11:05 activate plugin with SecRequestBodyAccess off & SecResponseBodyAccess off
  • 13:35 remove SecRequestBodyAccess off

Screenshot from 2023-12-08 15-02-56

So it looks kind of stable without Request Body Access, but than again continually growing with it, but not as bad as with Response Body Access in the pictures above.

What do you mean by "How is your traffic?"

@M4tteoP
Copy link
Member

M4tteoP commented Dec 11, 2023

Thanks for the additional information. I meant how the traffic that your ingress gateway is receiving, such as mostly get requests, JSON payloads, or files uploaded with a multipart/form-data content type. Mostly I was trying to grasp how the waf was behaving in terms of the body processor used

@timdittler
Copy link
Author

The WAF is attached to the ingress gateway of a kubernetes cluster in the public internet. Therefore, it's really hard to determine what kind of traffic it gets. There is a lot of normal HTTP and REST traffic. There's probably also a good amount of file uploads. Some request looks weird as they have complex parameters. Grafana queries are usally a good example of that. Additionally, we get a lot of scanner and potential exploit traffic.

@jcchavezs
Copy link
Member

jcchavezs commented Mar 12, 2024

Maybe related? wasilibs/nottinygc#46

@kamelj
Copy link

kamelj commented May 12, 2024

Hello @timdittler @M4tteoP
we have almost the exact behavior of a memory leak,
but how do things change when you add SecResponseBodyAccess off and SecRequestBodyAccess off
Since the default value is off, the behavior shouldn't be changed if you add it with off or remove it.

@timdittler
Copy link
Author

They slowed the leakage down, but not enough too be usable in our scenario

@jcchavezs
Copy link
Member

jcchavezs commented May 13, 2024 via email

@kamelj
Copy link

kamelj commented May 16, 2024

Hello @jcchavezs
So, to solve the root cause of this issue "nottinygc" should be replaced by "Go Gc"?
If so, will this milestone be with the upcoming release let's say 0.51 😄

Thank you guys for your efforts 🙏🏻

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants