<div dir="ltr">Stian,<div><br></div><div>I've noticed some interesting things:</div><div><ul><li><font size="2">When the user cache in enabled, creating a user allocates a block on memory that cannot be GC'd</font></li><li><font size="2">When I restart Keycloak after creating those users, that memory is not re-allocated</font></li></ul><div><font size="2">This begs the question: what is the purpose of the memory allocation on user creation if it doesn't need to stick around upon restart?</font></div></div><div><font size="2"><br></font></div><div><font size="2">It seems to me that the user cache is keeping more than 10k users on user creation. Does this hypothesis agree with your understanding of Keycloak's design?</font></div><div><font size="2"><br>Thanks,<br>Chris</font></div><div><font size="2"><br></font></div><div><font size="2">P.S. I have yet to test authentication load.</font></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield <<a href="mailto:chairfield@gmail.com">chairfield@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">There seems to be a leak when enabling the user cache, even when providing Keycloak with all the memory it needs to perform admirably (initially). My heap drops to 3.4 GB when I perform a manual GC.<br><br>I'm now seeing a number of PessimisticLockExceptions as it fails to lock the USER_ENTITY table. I expect Keycloak to have ground to a halt by the morning.<img src="cid:15580bee5e9b2318e621" alt="test8-graph.png" style="max-width:100%"></div><div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield <<a href="mailto:chairfield@gmail.com" target="_blank">chairfield@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am only testing creating users. With the user cache disabled, I see no evidence of a memory leak at many JVM heap-size settings.<div><br></div><div>Things get interesting when re-enabling the user cache. Performance seems to take a major hit in lower-memory scenarios, with some very worrisome scenarios where the rate at which I ingest continuously decreases.</div><div><br></div><div>I am able to create users at a high rate of speed with a max heap size of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower than the Xmx setting, which goes against official JBoss GC performance tuning <a href="http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-performance-tuning-part-1" target="_blank">documentation</a>.</div><div><br></div><div>Though speeds are high with a large heap, I <b>do</b> see the possibility of a memory leak with the user cache enabled and no authentication happening. I will be running a test overnight to attempt to confirm or deny.</div><div><br></div><div>Thanks for your help so far, Stian. I will be on vacation tomorrow through Sunday, so I will pick this back up on Monday.</div><div><br></div><div>P.S. I will be thinking of ways to better the documentation around performance tuning, as my tests indicate that standard JVM options cause Keycloak to run in a very sub-optimal state.</div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Are you only creating users or are you also authenticating users? User sessions are kept purely in memory so obviously the more you create the more memory is used. Only creating users should not continue to increase, but will do so for a while at least due to the way Java garbage collection works.<div><br></div><div>I would only have the user cache disabled for testing memory leak. Re-enable it and retest with it before you eventually go into production as it will have a significant impact on performance.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 23 June 2016 at 01:10, Chris Hairfield <span dir="ltr"><<a href="mailto:chairfield@gmail.com" target="_blank">chairfield@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Scratch the results of the graph I posted. I was running the test incorrectly. I'll post back with the results of the test run properly.</div><div><div><br><div class="gmail_quote"><div dir="ltr">On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <<a href="mailto:chairfield@gmail.com" target="_blank">chairfield@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thomas, this test is run with whatever local database Keycloak defaults to. We're using Postgres generally, and we will have more information pertaining to tests against Postgres soon.<br><br>Stian, thanks for the tips. I am currently running a test to ingest about 50m users into the default database with the user cache disabled, 8gb mem (Xmx and Xms), and parallel GC threads == processor count.<br><br>Though my test is young (430k users ingested), I'm noticing memory allocation increasing in lockstep with the number of ingested users. Is it expected to continue in this fashion, or is Keycloak designed to level off in its memory usage?<div><br></div><img src="cid:15579668607dd7962b51" alt="increasing-heap.png" style="max-width:100%"></div><div dir="ltr"><div><br></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Keycloak by default caches users in-memory, by default it will keep up to 10000 entries cached. You can verify that there's no leak by disabling the user cache provider. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187</a><div><br></div><div>If you're planning on having millions of users I suggest you increase the allocated memory for the JVM (512MB which it seems you have is not sufficient).</div></div><div class="gmail_extra"><br><div class="gmail_quote"></div></div><div class="gmail_extra"><div class="gmail_quote">On 22 June 2016 at 00:29, Chris Hairfield <span dir="ltr"><<a href="mailto:chairfield@gmail.com" target="_blank">chairfield@gmail.com</a>></span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>When testing Keycloak 1.9.8 by ingesting a few million users, we find that Keycloak leaks memory until it is rendered unresponsive (see graph). Increasing JVM memory only increases the time it takes to encounter this issue.</div><div><br></div><div>We have put together a test project <a href="https://github.com/anaerobic/keycloak-leakage" target="_blank">here</a> and opened an issue <a href="https://issues.jboss.org/browse/KEYCLOAK-3146" target="_blank">here</a> as we continue to investigate. As we are relying on Keycloak as a central infrastructural component, any help would be greatly appreciated.</div><div><br></div><div>We'll update with more information as we find it.</div><div><br></div><div>Thanks,<br>Chris</div><div><br></div><div><img src="cid:155750e8bae64c0eceb1" alt="mem-cpu.png" style="max-width:100%"><br></div></div>
<br></blockquote></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div></div></blockquote></div></div></blockquote></div>
</div></div></blockquote></div><br></div>
</blockquote></div></blockquote></div></div></blockquote></div>