-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose OpenSSL engine settings #41880
Comments
👌 |
I have verified that
Is doing its job and helping, but sadly given that the benchmark I have used is limited by the database, it was "just" saving CPU cycles due to saving the zeroing, which is still a free lunch |
The OpenSSL engine would be an issue in native mode. |
Maybe? I remember some of the Netty stuff has been moved into native image - for micronaut. Maybe worth checking, and not only...what if we could enable it just on JVM mode? Or at least give the users the option to set it? |
Definitely
This is something we generally shy away from doing as it compromised the native image experience. Let's include @cescoffier into the conversation |
I have always stayed away from the OpenSSL engine:
|
I can understand why we don't want to make OpenSSL enabled by default or through some discovery, but similarly to preferNativeTransport exposing it to users which knows what to do seems relevant, especially given the big difference in performance it could bring. Conversely, to improve what we got we still have the option of adding |
Just for reference, before while, after applying it The violet part is @zakkak as well |
Another option could be to enable pooling of byte[], but TBH I'm not feeling very happy about it and I beleive @vietj got some good reason why is not enabled by default on vertx, am I right? |
I think we should make it easy for users to opt-in to OpenSSL because as @franz1981 has demonstrated, the performance improvement is non trivial |
We could add support for OpenSSL. There would be a few action items and constraints:
I'm also concerned with the --add-opens popping up there and there... |
AFAIU, this is not needed for OpenSSL |
+100
Exactly: OpenSSL just use off-heap pooled buffers, which are fine as they are. The JVM arg instead is key with JDK SSL to have decent performance - and still the allocations of byte[] won't go away for JDK SSL - which will likely impact heap sizing/RSS regardless. |
So, about #41880 (comment): adding |
Adding |
I've proceed into understanding why such big allocations for JDK SSL and found that https://github.com/netty/netty/blob/5085cef149134951c94a02a743ed70025c8cdad4/handler/src/main/java/io/netty/handler/ssl/SslHandler.java#L334
@geoand I would like to reconsider what found in vertx at eclipse-vertx/vert.x#5168 (comment) and ask @vietj if we can enable heap buffer pooling if SSL is configured. Allocating such a big heap buffers in the hot path is really not what we want... See netty/netty@39cc7a6#diff-963dd9b8e77e913395273812889e9b6f2f449fe55e2b748b95311b219d1c58faR302 for more info netty/netty#9685 (comment) too (although it was opened when off heap buffers were used) |
I'v sent an additional commit to eclipse-vertx/vert.x#5262 to address this |
I fear that netty/netty#9696 is no longer valid, so i've opened netty/netty#14208 to investigate on it |
Sadly it seems we have no other choice than including other SSL engines somehow or at least proceed with eclipse-vertx/vert.x#5262; netty/netty#14208 shows that the JDK SSL engine still relies on byte[] and cannot use off-heap buffers proficiently. |
Just a head's up - we did not make progress on this so far. |
I have sent 2 pr to vertex to address the initial motivation to expose the engine settings - although being able to do it is still a good idea for xp users to me |
We will start considering this in 2025. Probably Q2 (except if someone beat us) |
Description
Currently, due to #39907 the default JDK provider is (further) under performing.
In particular:
And is pretty relevant in some profiling data on SSLEngine.
To completely solve this, quarkus could expose setting, at least for JVM mode, the choice of the SSL engine which piggyback to https://vertx.io/docs/vertx-core/java/#_ssl_engine
The OpenSSL engine doesn't require to use heap Netty buffers, saving the needy to add JVM options to skip zeroing them.
This would make many JVM Quarkus users happier
Implementation ideas
No response
The text was updated successfully, but these errors were encountered: