12:29 a.m.
Hello,
When testing Keycloak 1.9.8 by ingesting a few million users, we find that
Keycloak leaks memory until it is rendered unresponsive (see graph).
Increasing JVM memory only increases the time it takes to encounter this
issue.
We have put together a test project here
<https://github.com/anaerobic/keycloak-leakage> and opened an issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as we continue to
investigate. As we are relying on Keycloak as a central infrastructural
component, any help would be greatly appreciated.
We'll update with more information as we find it.
Thanks,
Chris
[image: mem-cpu.png]
8:31 a.m.
Hello Chris,
which database did you use for Keycloak?
Cheers,
Thomas
2016-06-22 0:29 GMT+02:00 Chris Hairfield <chairfield(a)gmail.com>:
Hello,
When testing Keycloak 1.9.8 by ingesting a few million users, we find that
Keycloak leaks memory until it is rendered unresponsive (see graph).
Increasing JVM memory only increases the time it takes to encounter this
issue.
We have put together a test project here
<https://github.com/anaerobic/keycloak-leakage> and opened an issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as we continue to
investigate. As we are relying on Keycloak as a central infrastructural
component, any help would be greatly appreciated.
We'll update with more information as we find it.
Thanks,
Chris
[image: mem-cpu.png]
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:56 a.m.
Keycloak by default caches users in-memory, by default it will keep up to
10000 entries cached. You can verify that there's no leak by disabling the
user cache provider. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
If you're planning on having millions of users I suggest you increase the
allocated memory for the JVM (512MB which it seems you have is not
sufficient).
On 22 June 2016 at 00:29, Chris Hairfield <chairfield(a)gmail.com> wrote:
Hello,
When testing Keycloak 1.9.8 by ingesting a few million users, we find that
Keycloak leaks memory until it is rendered unresponsive (see graph).
Increasing JVM memory only increases the time it takes to encounter this
issue.
We have put together a test project here
<https://github.com/anaerobic/keycloak-leakage> and opened an issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as we continue to
investigate. As we are relying on Keycloak as a central infrastructural
component, any help would be greatly appreciated.
We'll update with more information as we find it.
Thanks,
Chris
[image: mem-cpu.png]
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:38 p.m.
Thomas, this test is run with whatever local database Keycloak defaults to.
We're using Postgres generally, and we will have more information
pertaining to tests against Postgres soon.
Stian, thanks for the tips. I am currently running a test to ingest about
50m users into the default database with the user cache disabled, 8gb mem
(Xmx and Xms), and parallel GC threads == processor count.
Though my test is young (430k users ingested), I'm noticing memory
allocation increasing in lockstep with the number of ingested users. Is it
expected to continue in this fashion, or is Keycloak designed to level off
in its memory usage?
[image: increasing-heap.png]
On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Keycloak by default caches users in-memory, by default it will keep
up to
10000 entries cached. You can verify that there's no leak by disabling the
user cache provider. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
If you're planning on having millions of users I suggest you increase the
allocated memory for the JVM (512MB which it seems you have is not
sufficient).
On 22 June 2016 at 00:29, Chris Hairfield <chairfield(a)gmail.com> wrote:
> Hello,
>
> When testing Keycloak 1.9.8 by ingesting a few million users, we find
> that Keycloak leaks memory until it is rendered unresponsive (see graph).
> Increasing JVM memory only increases the time it takes to encounter this
> issue.
>
> We have put together a test project here
> <https://github.com/anaerobic/keycloak-leakage> and opened an issue here
> <https://issues.jboss.org/browse/KEYCLOAK-3146> as we continue to
> investigate. As we are relying on Keycloak as a central infrastructural
> component, any help would be greatly appreciated.
>
> We'll update with more information as we find it.
>
> Thanks,
> Chris
>
> [image: mem-cpu.png]
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
1:10 a.m.
Scratch the results of the graph I posted. I was running the test
incorrectly. I'll post back with the results of the test run properly.
On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <chairfield(a)gmail.com>
wrote:
Thomas, this test is run with whatever local database Keycloak
defaults
to. We're using Postgres generally, and we will have more information
pertaining to tests against Postgres soon.
Stian, thanks for the tips. I am currently running a test to ingest about
50m users into the default database with the user cache disabled, 8gb mem
(Xmx and Xms), and parallel GC threads == processor count.
Though my test is young (430k users ingested), I'm noticing memory
allocation increasing in lockstep with the number of ingested users. Is it
expected to continue in this fashion, or is Keycloak designed to level off
in its memory usage?
[image: increasing-heap.png]
On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Keycloak by default caches users in-memory, by default it will keep up to
> 10000 entries cached. You can verify that there's no leak by disabling the
> user cache provider. See
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>
> If you're planning on having millions of users I suggest you increase the
> allocated memory for the JVM (512MB which it seems you have is not
> sufficient).
>
> On 22 June 2016 at 00:29, Chris Hairfield <chairfield(a)gmail.com> wrote:
>
>> Hello,
>>
>> When testing Keycloak 1.9.8 by ingesting a few million users, we find
>> that Keycloak leaks memory until it is rendered unresponsive (see graph).
>> Increasing JVM memory only increases the time it takes to encounter this
>> issue.
>>
>> We have put together a test project here
>> <https://github.com/anaerobic/keycloak-leakage> and opened an issue here
>> <https://issues.jboss.org/browse/KEYCLOAK-3146> as we continue to
>> investigate. As we are relying on Keycloak as a central infrastructural
>> component, any help would be greatly appreciated.
>>
>> We'll update with more information as we find it.
>>
>> Thanks,
>> Chris
>>
>> [image: mem-cpu.png]
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
7:59 a.m.
Are you only creating users or are you also authenticating users? User
sessions are kept purely in memory so obviously the more you create the
more memory is used. Only creating users should not continue to increase,
but will do so for a while at least due to the way Java garbage collection
works.
I would only have the user cache disabled for testing memory leak.
Re-enable it and retest with it before you eventually go into production as
it will have a significant impact on performance.
On 23 June 2016 at 01:10, Chris Hairfield <chairfield(a)gmail.com> wrote:
Scratch the results of the graph I posted. I was running the test
incorrectly. I'll post back with the results of the test run properly.
On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <chairfield(a)gmail.com>
wrote:
> Thomas, this test is run with whatever local database Keycloak defaults
> to. We're using Postgres generally, and we will have more information
> pertaining to tests against Postgres soon.
>
> Stian, thanks for the tips. I am currently running a test to ingest about
> 50m users into the default database with the user cache disabled, 8gb mem
> (Xmx and Xms), and parallel GC threads == processor count.
>
> Though my test is young (430k users ingested), I'm noticing memory
> allocation increasing in lockstep with the number of ingested users. Is it
> expected to continue in this fashion, or is Keycloak designed to level off
> in its memory usage?
>
> [image: increasing-heap.png]
>
>
> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> Keycloak by default caches users in-memory, by default it will keep up
>> to 10000 entries cached. You can verify that there's no leak by disabling
>> the user cache provider. See
>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>
>> If you're planning on having millions of users I suggest you increase
>> the allocated memory for the JVM (512MB which it seems you have is not
>> sufficient).
>>
>> On 22 June 2016 at 00:29, Chris Hairfield <chairfield(a)gmail.com> wrote:
>>
>>> Hello,
>>>
>>> When testing Keycloak 1.9.8 by ingesting a few million users, we find
>>> that Keycloak leaks memory until it is rendered unresponsive (see graph).
>>> Increasing JVM memory only increases the time it takes to encounter this
>>> issue.
>>>
>>> We have put together a test project here
>>> <https://github.com/anaerobic/keycloak-leakage> and opened an issue
>>> here <https://issues.jboss.org/browse/KEYCLOAK-3146> as we continue to
>>> investigate. As we are relying on Keycloak as a central infrastructural
>>> component, any help would be greatly appreciated.
>>>
>>> We'll update with more information as we find it.
>>>
>>> Thanks,
>>> Chris
>>>
>>> [image: mem-cpu.png]
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
12:52 a.m.
I am only testing creating users. With the user cache disabled, I see no
evidence of a memory leak at many JVM heap-size settings.
Things get interesting when re-enabling the user cache. Performance seems
to take a major hit in lower-memory scenarios, with some very worrisome
scenarios where the rate at which I ingest continuously decreases.
I am able to create users at a high rate of speed with a max heap size of
4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower than
the Xmx setting, which goes against official JBoss GC performance tuning
documentation
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
.
Though speeds are high with a large heap, I *do* see the possibility of a
memory leak with the user cache enabled and no authentication happening. I
will be running a test overnight to attempt to confirm or deny.
Thanks for your help so far, Stian. I will be on vacation tomorrow through
Sunday, so I will pick this back up on Monday.
P.S. I will be thinking of ways to better the documentation around
performance tuning, as my tests indicate that standard JVM options cause
Keycloak to run in a very sub-optimal state.
On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Are you only creating users or are you also authenticating users?
User
sessions are kept purely in memory so obviously the more you create the
more memory is used. Only creating users should not continue to increase,
but will do so for a while at least due to the way Java garbage collection
works.
I would only have the user cache disabled for testing memory leak.
Re-enable it and retest with it before you eventually go into production as
it will have a significant impact on performance.
On 23 June 2016 at 01:10, Chris Hairfield <chairfield(a)gmail.com> wrote:
> Scratch the results of the graph I posted. I was running the test
> incorrectly. I'll post back with the results of the test run properly.
>
> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <chairfield(a)gmail.com>
> wrote:
>
>> Thomas, this test is run with whatever local database Keycloak defaults
>> to. We're using Postgres generally, and we will have more information
>> pertaining to tests against Postgres soon.
>>
>> Stian, thanks for the tips. I am currently running a test to ingest
>> about 50m users into the default database with the user cache disabled, 8gb
>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>
>> Though my test is young (430k users ingested), I'm noticing memory
>> allocation increasing in lockstep with the number of ingested users. Is it
>> expected to continue in this fashion, or is Keycloak designed to level off
>> in its memory usage?
>>
>> [image: increasing-heap.png]
>>
>>
>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> Keycloak by default caches users in-memory, by default it will keep up
>>> to 10000 entries cached. You can verify that there's no leak by
disabling
>>> the user cache provider. See
>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>
>>> If you're planning on having millions of users I suggest you increase
>>> the allocated memory for the JVM (512MB which it seems you have is not
>>> sufficient).
>>>
>>> On 22 June 2016 at 00:29, Chris Hairfield <chairfield(a)gmail.com>
wrote:
>>>
>>>> Hello,
>>>>
>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we find
>>>> that Keycloak leaks memory until it is rendered unresponsive (see
graph).
>>>> Increasing JVM memory only increases the time it takes to encounter this
>>>> issue.
>>>>
>>>> We have put together a test project here
>>>> <https://github.com/anaerobic/keycloak-leakage> and opened an
issue
>>>> here <https://issues.jboss.org/browse/KEYCLOAK-3146> as we
continue
>>>> to investigate. As we are relying on Keycloak as a central
infrastructural
>>>> component, any help would be greatly appreciated.
>>>>
>>>> We'll update with more information as we find it.
>>>>
>>>> Thanks,
>>>> Chris
>>>>
>>>> [image: mem-cpu.png]
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
6:52 a.m.
There seems to be a leak when enabling the user cache, even when providing
Keycloak with all the memory it needs to perform admirably (initially). My
heap drops to 3.4 GB when I perform a manual GC.
I'm now seeing a number of PessimisticLockExceptions as it fails to lock
the USER_ENTITY table. I expect Keycloak to have ground to a halt by the
morning.[image: test8-graph.png]
On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield <chairfield(a)gmail.com>
wrote:
I am only testing creating users. With the user cache disabled, I see
no
evidence of a memory leak at many JVM heap-size settings.
Things get interesting when re-enabling the user cache. Performance seems
to take a major hit in lower-memory scenarios, with some very worrisome
scenarios where the rate at which I ingest continuously decreases.
I am able to create users at a high rate of speed with a max heap size of
4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower than
the Xmx setting, which goes against official JBoss GC performance tuning
documentation
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
.
Though speeds are high with a large heap, I *do* see the possibility of a
memory leak with the user cache enabled and no authentication happening. I
will be running a test overnight to attempt to confirm or deny.
Thanks for your help so far, Stian. I will be on vacation tomorrow through
Sunday, so I will pick this back up on Monday.
P.S. I will be thinking of ways to better the documentation around
performance tuning, as my tests indicate that standard JVM options cause
Keycloak to run in a very sub-optimal state.
On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Are you only creating users or are you also authenticating users? User
> sessions are kept purely in memory so obviously the more you create the
> more memory is used. Only creating users should not continue to increase,
> but will do so for a while at least due to the way Java garbage collection
> works.
>
> I would only have the user cache disabled for testing memory leak.
> Re-enable it and retest with it before you eventually go into production as
> it will have a significant impact on performance.
>
> On 23 June 2016 at 01:10, Chris Hairfield <chairfield(a)gmail.com> wrote:
>
>> Scratch the results of the graph I posted. I was running the test
>> incorrectly. I'll post back with the results of the test run properly.
>>
>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <chairfield(a)gmail.com>
>> wrote:
>>
>>> Thomas, this test is run with whatever local database Keycloak defaults
>>> to. We're using Postgres generally, and we will have more information
>>> pertaining to tests against Postgres soon.
>>>
>>> Stian, thanks for the tips. I am currently running a test to ingest
>>> about 50m users into the default database with the user cache disabled, 8gb
>>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>>
>>> Though my test is young (430k users ingested), I'm noticing memory
>>> allocation increasing in lockstep with the number of ingested users. Is it
>>> expected to continue in this fashion, or is Keycloak designed to level off
>>> in its memory usage?
>>>
>>> [image: increasing-heap.png]
>>>
>>>
>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <sthorger(a)redhat.com>
>>> wrote:
>>>
>>>> Keycloak by default caches users in-memory, by default it will keep up
>>>> to 10000 entries cached. You can verify that there's no leak by
disabling
>>>> the user cache provider. See
>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>
>>>> If you're planning on having millions of users I suggest you
increase
>>>> the allocated memory for the JVM (512MB which it seems you have is not
>>>> sufficient).
>>>>
>>>> On 22 June 2016 at 00:29, Chris Hairfield <chairfield(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we
find
>>>>> that Keycloak leaks memory until it is rendered unresponsive (see
graph).
>>>>> Increasing JVM memory only increases the time it takes to encounter
this
>>>>> issue.
>>>>>
>>>>> We have put together a test project here
>>>>> <https://github.com/anaerobic/keycloak-leakage> and opened an
issue
>>>>> here <https://issues.jboss.org/browse/KEYCLOAK-3146> as we
continue
>>>>> to investigate. As we are relying on Keycloak as a central
infrastructural
>>>>> component, any help would be greatly appreciated.
>>>>>
>>>>> We'll update with more information as we find it.
>>>>>
>>>>> Thanks,
>>>>> Chris
>>>>>
>>>>> [image: mem-cpu.png]
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>
5:45 p.m.
Stian,
I've noticed some interesting things:
- When the user cache in enabled, creating a user allocates a block on
memory that cannot be GC'd
- When I restart Keycloak after creating those users, that memory is not
re-allocated
This begs the question: what is the purpose of the memory allocation on
user creation if it doesn't need to stick around upon restart?
It seems to me that the user cache is keeping more than 10k users on user
creation. Does this hypothesis agree with your understanding of Keycloak's
design?
Thanks,
Chris
P.S. I have yet to test authentication load.
On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield <chairfield(a)gmail.com>
wrote:
There seems to be a leak when enabling the user cache, even when
providing
Keycloak with all the memory it needs to perform admirably (initially). My
heap drops to 3.4 GB when I perform a manual GC.
I'm now seeing a number of PessimisticLockExceptions as it fails to lock
the USER_ENTITY table. I expect Keycloak to have ground to a halt by the
morning.[image: test8-graph.png]
On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield <chairfield(a)gmail.com>
wrote:
> I am only testing creating users. With the user cache disabled, I see no
> evidence of a memory leak at many JVM heap-size settings.
>
> Things get interesting when re-enabling the user cache. Performance seems
> to take a major hit in lower-memory scenarios, with some very worrisome
> scenarios where the rate at which I ingest continuously decreases.
>
> I am able to create users at a high rate of speed with a max heap size of
> 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower than
> the Xmx setting, which goes against official JBoss GC performance tuning
> documentation
>
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
> .
>
> Though speeds are high with a large heap, I *do* see the possibility of
> a memory leak with the user cache enabled and no authentication happening.
> I will be running a test overnight to attempt to confirm or deny.
>
> Thanks for your help so far, Stian. I will be on vacation tomorrow
> through Sunday, so I will pick this back up on Monday.
>
> P.S. I will be thinking of ways to better the documentation around
> performance tuning, as my tests indicate that standard JVM options cause
> Keycloak to run in a very sub-optimal state.
>
> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> Are you only creating users or are you also authenticating users? User
>> sessions are kept purely in memory so obviously the more you create the
>> more memory is used. Only creating users should not continue to increase,
>> but will do so for a while at least due to the way Java garbage collection
>> works.
>>
>> I would only have the user cache disabled for testing memory leak.
>> Re-enable it and retest with it before you eventually go into production as
>> it will have a significant impact on performance.
>>
>> On 23 June 2016 at 01:10, Chris Hairfield <chairfield(a)gmail.com> wrote:
>>
>>> Scratch the results of the graph I posted. I was running the test
>>> incorrectly. I'll post back with the results of the test run properly.
>>>
>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield
<chairfield(a)gmail.com>
>>> wrote:
>>>
>>>> Thomas, this test is run with whatever local database Keycloak
>>>> defaults to. We're using Postgres generally, and we will have more
>>>> information pertaining to tests against Postgres soon.
>>>>
>>>> Stian, thanks for the tips. I am currently running a test to ingest
>>>> about 50m users into the default database with the user cache disabled,
8gb
>>>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>>>
>>>> Though my test is young (430k users ingested), I'm noticing memory
>>>> allocation increasing in lockstep with the number of ingested users. Is
it
>>>> expected to continue in this fashion, or is Keycloak designed to level
off
>>>> in its memory usage?
>>>>
>>>> [image: increasing-heap.png]
>>>>
>>>>
>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen
<sthorger(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Keycloak by default caches users in-memory, by default it will keep
>>>>> up to 10000 entries cached. You can verify that there's no leak
by
>>>>> disabling the user cache provider. See
>>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>>
>>>>> If you're planning on having millions of users I suggest you
increase
>>>>> the allocated memory for the JVM (512MB which it seems you have is
not
>>>>> sufficient).
>>>>>
>>>>> On 22 June 2016 at 00:29, Chris Hairfield
<chairfield(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we
>>>>>> find that Keycloak leaks memory until it is rendered unresponsive
(see
>>>>>> graph). Increasing JVM memory only increases the time it takes to
encounter
>>>>>> this issue.
>>>>>>
>>>>>> We have put together a test project here
>>>>>> <https://github.com/anaerobic/keycloak-leakage> and opened
an issue
>>>>>> here <https://issues.jboss.org/browse/KEYCLOAK-3146> as we
continue
>>>>>> to investigate. As we are relying on Keycloak as a central
infrastructural
>>>>>> component, any help would be greatly appreciated.
>>>>>>
>>>>>> We'll update with more information as we find it.
>>>>>>
>>>>>> Thanks,
>>>>>> Chris
>>>>>>
>>>>>> [image: mem-cpu.png]
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>
6:03 p.m.
One more important note: that memory cannot be GC'd even *after* I manually
clear the user and realm caches.
To be specific, upon adding 71k users, I noticed an extra 50mb was
allocated. Clearing the user and realm caches allowed me to GC 3mb of that.
The only way I know how to clear the remaining 47mb is by restarting
Keycloak.
On Mon, Jun 27, 2016 at 9:44 AM Chris Hairfield <chairfield(a)gmail.com>
wrote:
Stian,
I've noticed some interesting things:
- When the user cache in enabled, creating a user allocates a block on
memory that cannot be GC'd
- When I restart Keycloak after creating those users, that memory is
not re-allocated
This begs the question: what is the purpose of the memory allocation on
user creation if it doesn't need to stick around upon restart?
It seems to me that the user cache is keeping more than 10k users on user
creation. Does this hypothesis agree with your understanding of Keycloak's
design?
Thanks,
Chris
P.S. I have yet to test authentication load.
On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield <chairfield(a)gmail.com>
wrote:
> There seems to be a leak when enabling the user cache, even when
> providing Keycloak with all the memory it needs to perform admirably
> (initially). My heap drops to 3.4 GB when I perform a manual GC.
>
> I'm now seeing a number of PessimisticLockExceptions as it fails to lock
> the USER_ENTITY table. I expect Keycloak to have ground to a halt by the
> morning.[image: test8-graph.png]
>
>
> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield <chairfield(a)gmail.com>
> wrote:
>
>> I am only testing creating users. With the user cache disabled, I see no
>> evidence of a memory leak at many JVM heap-size settings.
>>
>> Things get interesting when re-enabling the user cache. Performance
>> seems to take a major hit in lower-memory scenarios, with some very
>> worrisome scenarios where the rate at which I ingest continuously decreases.
>>
>> I am able to create users at a high rate of speed with a max heap size
>> of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower
>> than the Xmx setting, which goes against official JBoss GC performance
>> tuning documentation
>>
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
>> .
>>
>> Though speeds are high with a large heap, I *do* see the possibility of
>> a memory leak with the user cache enabled and no authentication happening.
>> I will be running a test overnight to attempt to confirm or deny.
>>
>> Thanks for your help so far, Stian. I will be on vacation tomorrow
>> through Sunday, so I will pick this back up on Monday.
>>
>> P.S. I will be thinking of ways to better the documentation around
>> performance tuning, as my tests indicate that standard JVM options cause
>> Keycloak to run in a very sub-optimal state.
>>
>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> Are you only creating users or are you also authenticating users? User
>>> sessions are kept purely in memory so obviously the more you create the
>>> more memory is used. Only creating users should not continue to increase,
>>> but will do so for a while at least due to the way Java garbage collection
>>> works.
>>>
>>> I would only have the user cache disabled for testing memory leak.
>>> Re-enable it and retest with it before you eventually go into production as
>>> it will have a significant impact on performance.
>>>
>>> On 23 June 2016 at 01:10, Chris Hairfield <chairfield(a)gmail.com>
wrote:
>>>
>>>> Scratch the results of the graph I posted. I was running the test
>>>> incorrectly. I'll post back with the results of the test run
properly.
>>>>
>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield
<chairfield(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Thomas, this test is run with whatever local database Keycloak
>>>>> defaults to. We're using Postgres generally, and we will have
more
>>>>> information pertaining to tests against Postgres soon.
>>>>>
>>>>> Stian, thanks for the tips. I am currently running a test to ingest
>>>>> about 50m users into the default database with the user cache
disabled, 8gb
>>>>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>>>>
>>>>> Though my test is young (430k users ingested), I'm noticing
memory
>>>>> allocation increasing in lockstep with the number of ingested users.
Is it
>>>>> expected to continue in this fashion, or is Keycloak designed to
level off
>>>>> in its memory usage?
>>>>>
>>>>> [image: increasing-heap.png]
>>>>>
>>>>>
>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen
<sthorger(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Keycloak by default caches users in-memory, by default it will
keep
>>>>>> up to 10000 entries cached. You can verify that there's no
leak by
>>>>>> disabling the user cache provider. See
>>>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>>>
>>>>>> If you're planning on having millions of users I suggest you
>>>>>> increase the allocated memory for the JVM (512MB which it seems
you have is
>>>>>> not sufficient).
>>>>>>
>>>>>> On 22 June 2016 at 00:29, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users,
we
>>>>>>> find that Keycloak leaks memory until it is rendered
unresponsive (see
>>>>>>> graph). Increasing JVM memory only increases the time it
takes to encounter
>>>>>>> this issue.
>>>>>>>
>>>>>>> We have put together a test project here
>>>>>>> <https://github.com/anaerobic/keycloak-leakage> and
opened an
>>>>>>> issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as we
>>>>>>> continue to investigate. As we are relying on Keycloak as a
central
>>>>>>> infrastructural component, any help would be greatly
appreciated.
>>>>>>>
>>>>>>> We'll update with more information as we find it.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chris
>>>>>>>
>>>>>>> [image: mem-cpu.png]
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>
8:47 a.m.
We have had our QE guys confirm this issue and it looks like
something ominous is going on.
On 27 June 2016 at 17:45, Chris Hairfield <chairfield(a)gmail.com> wrote:
Stian,
I've noticed some interesting things:
- When the user cache in enabled, creating a user allocates a block on
memory that cannot be GC'd
- When I restart Keycloak after creating those users, that memory is
not re-allocated
This begs the question: what is the purpose of the memory allocation on
user creation if it doesn't need to stick around upon restart?
Creating a new user is expected to consume memory that can't be GC'd due to
the caching. Upon restart the users are loaded on demand into the cache
(user logs in or through admin console/endpoints).
It seems to me that the user cache is keeping more than 10k users on user
creation. Does this hypothesis agree with your understanding of Keycloak's
design?
By default it should only keep 10K users in memory. Once it hits 10K the
least recently used should entries should be evicted from the cache.
However, it seems this is not working properly.
Thanks,
Chris
P.S. I have yet to test authentication load.
On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield <chairfield(a)gmail.com>
wrote:
> There seems to be a leak when enabling the user cache, even when
> providing Keycloak with all the memory it needs to perform admirably
> (initially). My heap drops to 3.4 GB when I perform a manual GC.
>
> I'm now seeing a number of PessimisticLockExceptions as it fails to lock
> the USER_ENTITY table. I expect Keycloak to have ground to a halt by the
> morning.[image: test8-graph.png]
>
>
> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield <chairfield(a)gmail.com>
> wrote:
>
>> I am only testing creating users. With the user cache disabled, I see no
>> evidence of a memory leak at many JVM heap-size settings.
>>
>> Things get interesting when re-enabling the user cache. Performance
>> seems to take a major hit in lower-memory scenarios, with some very
>> worrisome scenarios where the rate at which I ingest continuously decreases.
>>
>> I am able to create users at a high rate of speed with a max heap size
>> of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower
>> than the Xmx setting, which goes against official JBoss GC performance
>> tuning documentation
>>
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
>> .
>>
>> Though speeds are high with a large heap, I *do* see the possibility of
>> a memory leak with the user cache enabled and no authentication happening.
>> I will be running a test overnight to attempt to confirm or deny.
>>
>> Thanks for your help so far, Stian. I will be on vacation tomorrow
>> through Sunday, so I will pick this back up on Monday.
>>
>> P.S. I will be thinking of ways to better the documentation around
>> performance tuning, as my tests indicate that standard JVM options cause
>> Keycloak to run in a very sub-optimal state.
>>
>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> Are you only creating users or are you also authenticating users? User
>>> sessions are kept purely in memory so obviously the more you create the
>>> more memory is used. Only creating users should not continue to increase,
>>> but will do so for a while at least due to the way Java garbage collection
>>> works.
>>>
>>> I would only have the user cache disabled for testing memory leak.
>>> Re-enable it and retest with it before you eventually go into production as
>>> it will have a significant impact on performance.
>>>
>>> On 23 June 2016 at 01:10, Chris Hairfield <chairfield(a)gmail.com>
wrote:
>>>
>>>> Scratch the results of the graph I posted. I was running the test
>>>> incorrectly. I'll post back with the results of the test run
properly.
>>>>
>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield
<chairfield(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Thomas, this test is run with whatever local database Keycloak
>>>>> defaults to. We're using Postgres generally, and we will have
more
>>>>> information pertaining to tests against Postgres soon.
>>>>>
>>>>> Stian, thanks for the tips. I am currently running a test to ingest
>>>>> about 50m users into the default database with the user cache
disabled, 8gb
>>>>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>>>>
>>>>> Though my test is young (430k users ingested), I'm noticing
memory
>>>>> allocation increasing in lockstep with the number of ingested users.
Is it
>>>>> expected to continue in this fashion, or is Keycloak designed to
level off
>>>>> in its memory usage?
>>>>>
>>>>> [image: increasing-heap.png]
>>>>>
>>>>>
>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen
<sthorger(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Keycloak by default caches users in-memory, by default it will
keep
>>>>>> up to 10000 entries cached. You can verify that there's no
leak by
>>>>>> disabling the user cache provider. See
>>>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>>>
>>>>>> If you're planning on having millions of users I suggest you
>>>>>> increase the allocated memory for the JVM (512MB which it seems
you have is
>>>>>> not sufficient).
>>>>>>
>>>>>> On 22 June 2016 at 00:29, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users,
we
>>>>>>> find that Keycloak leaks memory until it is rendered
unresponsive (see
>>>>>>> graph). Increasing JVM memory only increases the time it
takes to encounter
>>>>>>> this issue.
>>>>>>>
>>>>>>> We have put together a test project here
>>>>>>> <https://github.com/anaerobic/keycloak-leakage> and
opened an
>>>>>>> issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as we
>>>>>>> continue to investigate. As we are relying on Keycloak as a
central
>>>>>>> infrastructural component, any help would be greatly
appreciated.
>>>>>>>
>>>>>>> We'll update with more information as we find it.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chris
>>>>>>>
>>>>>>> [image: mem-cpu.png]
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>
10:13 a.m.
I've confirmed the issue now and found the cause:
https://issues.jboss.org/browse/KEYCLOAK-3202
The leak is in realmVersion cache. A workaround is to set a eviction policy
on this cache, for example LRU 10000.
On 28 June 2016 at 08:47, Stian Thorgersen <sthorger(a)redhat.com> wrote:
We have had our QE guys confirm this issue and it looks like
something ominous is going on.
On 27 June 2016 at 17:45, Chris Hairfield <chairfield(a)gmail.com> wrote:
> Stian,
>
> I've noticed some interesting things:
>
> - When the user cache in enabled, creating a user allocates a block
> on memory that cannot be GC'd
> - When I restart Keycloak after creating those users, that memory is
> not re-allocated
>
> This begs the question: what is the purpose of the memory allocation on
> user creation if it doesn't need to stick around upon restart?
>
Creating a new user is expected to consume memory that can't be GC'd due
to the caching. Upon restart the users are loaded on demand into the cache
(user logs in or through admin console/endpoints).
>
> It seems to me that the user cache is keeping more than 10k users on user
> creation. Does this hypothesis agree with your understanding of Keycloak's
> design?
>
By default it should only keep 10K users in memory. Once it hits 10K the
least recently used should entries should be evicted from the cache.
However, it seems this is not working properly.
>
> Thanks,
> Chris
>
> P.S. I have yet to test authentication load.
>
> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield <chairfield(a)gmail.com>
> wrote:
>
>> There seems to be a leak when enabling the user cache, even when
>> providing Keycloak with all the memory it needs to perform admirably
>> (initially). My heap drops to 3.4 GB when I perform a manual GC.
>>
>> I'm now seeing a number of PessimisticLockExceptions as it fails to lock
>> the USER_ENTITY table. I expect Keycloak to have ground to a halt by the
>> morning.[image: test8-graph.png]
>>
>>
>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield <chairfield(a)gmail.com>
>> wrote:
>>
>>> I am only testing creating users. With the user cache disabled, I see
>>> no evidence of a memory leak at many JVM heap-size settings.
>>>
>>> Things get interesting when re-enabling the user cache. Performance
>>> seems to take a major hit in lower-memory scenarios, with some very
>>> worrisome scenarios where the rate at which I ingest continuously decreases.
>>>
>>> I am able to create users at a high rate of speed with a max heap size
>>> of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower
>>> than the Xmx setting, which goes against official JBoss GC performance
>>> tuning documentation
>>>
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
>>> .
>>>
>>> Though speeds are high with a large heap, I *do* see the possibility
>>> of a memory leak with the user cache enabled and no authentication
>>> happening. I will be running a test overnight to attempt to confirm or deny.
>>>
>>> Thanks for your help so far, Stian. I will be on vacation tomorrow
>>> through Sunday, so I will pick this back up on Monday.
>>>
>>> P.S. I will be thinking of ways to better the documentation around
>>> performance tuning, as my tests indicate that standard JVM options cause
>>> Keycloak to run in a very sub-optimal state.
>>>
>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen
<sthorger(a)redhat.com>
>>> wrote:
>>>
>>>> Are you only creating users or are you also authenticating users? User
>>>> sessions are kept purely in memory so obviously the more you create the
>>>> more memory is used. Only creating users should not continue to
increase,
>>>> but will do so for a while at least due to the way Java garbage
collection
>>>> works.
>>>>
>>>> I would only have the user cache disabled for testing memory leak.
>>>> Re-enable it and retest with it before you eventually go into production
as
>>>> it will have a significant impact on performance.
>>>>
>>>> On 23 June 2016 at 01:10, Chris Hairfield <chairfield(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Scratch the results of the graph I posted. I was running the test
>>>>> incorrectly. I'll post back with the results of the test run
properly.
>>>>>
>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <
>>>>> chairfield(a)gmail.com> wrote:
>>>>>
>>>>>> Thomas, this test is run with whatever local database Keycloak
>>>>>> defaults to. We're using Postgres generally, and we will have
more
>>>>>> information pertaining to tests against Postgres soon.
>>>>>>
>>>>>> Stian, thanks for the tips. I am currently running a test to
ingest
>>>>>> about 50m users into the default database with the user cache
disabled, 8gb
>>>>>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>>>>>
>>>>>> Though my test is young (430k users ingested), I'm noticing
memory
>>>>>> allocation increasing in lockstep with the number of ingested
users. Is it
>>>>>> expected to continue in this fashion, or is Keycloak designed to
level off
>>>>>> in its memory usage?
>>>>>>
>>>>>> [image: increasing-heap.png]
>>>>>>
>>>>>>
>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <
>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>
>>>>>>> Keycloak by default caches users in-memory, by default it
will keep
>>>>>>> up to 10000 entries cached. You can verify that there's
no leak by
>>>>>>> disabling the user cache provider. See
>>>>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>>>>
>>>>>>> If you're planning on having millions of users I suggest
you
>>>>>>> increase the allocated memory for the JVM (512MB which it
seems you have is
>>>>>>> not sufficient).
>>>>>>>
>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million
users, we
>>>>>>>> find that Keycloak leaks memory until it is rendered
unresponsive (see
>>>>>>>> graph). Increasing JVM memory only increases the time it
takes to encounter
>>>>>>>> this issue.
>>>>>>>>
>>>>>>>> We have put together a test project here
>>>>>>>> <https://github.com/anaerobic/keycloak-leakage> and
opened an
>>>>>>>> issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as we
>>>>>>>> continue to investigate. As we are relying on Keycloak as
a central
>>>>>>>> infrastructural component, any help would be greatly
appreciated.
>>>>>>>>
>>>>>>>> We'll update with more information as we find it.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Chris
>>>>>>>>
>>>>>>>> [image: mem-cpu.png]
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>
6:40 p.m.
I can confirm that adding the eviction policy clears the issue. Thank you
so much for your assistance, Stian. This clears the major hurdle in our
path to using Keycloak as our sole identity management store :)
On Tue, Jun 28, 2016 at 2:13 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
I've confirmed the issue now and found the cause:
https://issues.jboss.org/browse/KEYCLOAK-3202
The leak is in realmVersion cache. A workaround is to set a eviction
policy on this cache, for example LRU 10000.
On 28 June 2016 at 08:47, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> We have had our QE guys confirm this issue and it looks like
> something ominous is going on.
>
> On 27 June 2016 at 17:45, Chris Hairfield <chairfield(a)gmail.com> wrote:
>
>> Stian,
>>
>> I've noticed some interesting things:
>>
>> - When the user cache in enabled, creating a user allocates a block
>> on memory that cannot be GC'd
>> - When I restart Keycloak after creating those users, that memory is
>> not re-allocated
>>
>> This begs the question: what is the purpose of the memory allocation on
>> user creation if it doesn't need to stick around upon restart?
>>
>
> Creating a new user is expected to consume memory that can't be GC'd due
> to the caching. Upon restart the users are loaded on demand into the cache
> (user logs in or through admin console/endpoints).
>
>
>>
>> It seems to me that the user cache is keeping more than 10k users on
>> user creation. Does this hypothesis agree with your understanding of
>> Keycloak's design?
>>
>
> By default it should only keep 10K users in memory. Once it hits 10K the
> least recently used should entries should be evicted from the cache.
> However, it seems this is not working properly.
>
>
>>
>> Thanks,
>> Chris
>>
>> P.S. I have yet to test authentication load.
>>
>> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield <chairfield(a)gmail.com>
>> wrote:
>>
>>> There seems to be a leak when enabling the user cache, even when
>>> providing Keycloak with all the memory it needs to perform admirably
>>> (initially). My heap drops to 3.4 GB when I perform a manual GC.
>>>
>>> I'm now seeing a number of PessimisticLockExceptions as it fails to
>>> lock the USER_ENTITY table. I expect Keycloak to have ground to a halt by
>>> the morning.[image: test8-graph.png]
>>>
>>>
>>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield <chairfield(a)gmail.com>
>>> wrote:
>>>
>>>> I am only testing creating users. With the user cache disabled, I see
>>>> no evidence of a memory leak at many JVM heap-size settings.
>>>>
>>>> Things get interesting when re-enabling the user cache. Performance
>>>> seems to take a major hit in lower-memory scenarios, with some very
>>>> worrisome scenarios where the rate at which I ingest continuously
decreases.
>>>>
>>>> I am able to create users at a high rate of speed with a max heap size
>>>> of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting
lower
>>>> than the Xmx setting, which goes against official JBoss GC performance
>>>> tuning documentation
>>>>
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
>>>> .
>>>>
>>>> Though speeds are high with a large heap, I *do* see the possibility
>>>> of a memory leak with the user cache enabled and no authentication
>>>> happening. I will be running a test overnight to attempt to confirm or
deny.
>>>>
>>>> Thanks for your help so far, Stian. I will be on vacation tomorrow
>>>> through Sunday, so I will pick this back up on Monday.
>>>>
>>>> P.S. I will be thinking of ways to better the documentation around
>>>> performance tuning, as my tests indicate that standard JVM options cause
>>>> Keycloak to run in a very sub-optimal state.
>>>>
>>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen
<sthorger(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Are you only creating users or are you also authenticating users?
>>>>> User sessions are kept purely in memory so obviously the more you
create
>>>>> the more memory is used. Only creating users should not continue to
>>>>> increase, but will do so for a while at least due to the way Java
garbage
>>>>> collection works.
>>>>>
>>>>> I would only have the user cache disabled for testing memory leak.
>>>>> Re-enable it and retest with it before you eventually go into
production as
>>>>> it will have a significant impact on performance.
>>>>>
>>>>> On 23 June 2016 at 01:10, Chris Hairfield
<chairfield(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Scratch the results of the graph I posted. I was running the
test
>>>>>> incorrectly. I'll post back with the results of the test run
properly.
>>>>>>
>>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <
>>>>>> chairfield(a)gmail.com> wrote:
>>>>>>
>>>>>>> Thomas, this test is run with whatever local database
Keycloak
>>>>>>> defaults to. We're using Postgres generally, and we will
have more
>>>>>>> information pertaining to tests against Postgres soon.
>>>>>>>
>>>>>>> Stian, thanks for the tips. I am currently running a test to
ingest
>>>>>>> about 50m users into the default database with the user cache
disabled, 8gb
>>>>>>> mem (Xmx and Xms), and parallel GC threads == processor
count.
>>>>>>>
>>>>>>> Though my test is young (430k users ingested), I'm
noticing memory
>>>>>>> allocation increasing in lockstep with the number of ingested
users. Is it
>>>>>>> expected to continue in this fashion, or is Keycloak designed
to level off
>>>>>>> in its memory usage?
>>>>>>>
>>>>>>> [image: increasing-heap.png]
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <
>>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Keycloak by default caches users in-memory, by default it
will
>>>>>>>> keep up to 10000 entries cached. You can verify that
there's no leak by
>>>>>>>> disabling the user cache provider. See
>>>>>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>>>>>
>>>>>>>> If you're planning on having millions of users I
suggest you
>>>>>>>> increase the allocated memory for the JVM (512MB which it
seems you have is
>>>>>>>> not sufficient).
>>>>>>>>
>>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> When testing Keycloak 1.9.8 by ingesting a few
million users, we
>>>>>>>>> find that Keycloak leaks memory until it is rendered
unresponsive (see
>>>>>>>>> graph). Increasing JVM memory only increases the time
it takes to encounter
>>>>>>>>> this issue.
>>>>>>>>>
>>>>>>>>> We have put together a test project here
>>>>>>>>> <https://github.com/anaerobic/keycloak-leakage>
and opened an
>>>>>>>>> issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as we
>>>>>>>>> continue to investigate. As we are relying on
Keycloak as a central
>>>>>>>>> infrastructural component, any help would be greatly
appreciated.
>>>>>>>>>
>>>>>>>>> We'll update with more information as we find
it.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>> [image: mem-cpu.png]
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>>>>
>>>>>
>
5:31 a.m.
Stian,
We don't seem to be out of the woods yet. The leak is resolved with your
workaround, but performance suffers mightily when an eviction policy is
set. Perhaps you have suggestions on how to get similar performance while
employing this workaround?
Details of test run:
- Eviction policy set at 1 million entries with LRU strategy for
realmVersions cache (no eviction policy on other caches)
- No statistics enabled (to simplify test)
- 1g Xms, 4g Xmx, parallel GC at 4 cores
- No authentication, only user creation
Observations:
- Account creation speeds start out at about half of what I am able to
get without the workaround (~170/s rather than ~350/s)
- I have only been able to create 132k users over a span of ~6 hours
- Memory seems to thrash at a much higher rate than I've seen in
previous tests
Thoughts?
[image: test15-term2.png]
On Tue, Jun 28, 2016 at 10:40 AM Chris Hairfield <chairfield(a)gmail.com>
wrote:
I can confirm that adding the eviction policy clears the issue. Thank
you
so much for your assistance, Stian. This clears the major hurdle in our
path to using Keycloak as our sole identity management store :)
On Tue, Jun 28, 2016 at 2:13 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> I've confirmed the issue now and found the cause:
> https://issues.jboss.org/browse/KEYCLOAK-3202
>
> The leak is in realmVersion cache. A workaround is to set a eviction
> policy on this cache, for example LRU 10000.
>
> On 28 June 216 at 08:47, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>
>> We have had our QE guys confirm this issue and it looks like
>> something ominous is going on.
>>
>> On 27 June 2016 at 17:45, Chris Hairfield <chairfield(a)gmail.com> wrote:
>>
>>> Stian,
>>>
>>> I've noticed some interesting things:
>>>
>>> - When the user cache in enabled, creating a user allocates a block
>>> on memory that cannot be GC'd
>>> - When I restart Keycloak after creating those users, that memory
>>> is not re-allocated
>>>
>>> This begs the question: what is the purpose of the memory allocation on
>>> user creation if it doesn't need to stick around upon restart?
>>>
>>
>> Creating a new user is expected to consume memory that can't be GC'd due
>> to the caching. Upon restart the users are loaded on demand into the cache
>> (user logs in or through admin console/endpoints).
>>
>>
>>>
>>> It seems to me that the user cache is keeping more than 10k users on
>>> user creation. Does this hypothesis agree with your understanding of
>>> Keycloak's design?
>>>
>>
>> By default it should only keep 10K users in memory. Once it hits 10K the
>> least recently used should entries should be evicted from the cache.
>> However, it seems this is not working properly.
>>
>>
>>>
>>> Thanks,
>>> Chris
>>>
>>> P.S. I have yet to test authentication load.
>>>
>>> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield
<chairfield(a)gmail.com>
>>> wrote:
>>>
>>>> There seems to be a leak when enabling the user cache, even when
>>>> providing Keycloak with all the memory it needs to perform admirably
>>>> (initially). My heap drops to 3.4 GB when I perform a manual GC.
>>>>
>>>> I'm now seeing a number of PessimisticLockExceptions as it fails to
>>>> lock the USER_ENTITY table. I expect Keycloak to have ground to a halt
by
>>>> the morning.[image: test8-graph.png]
>>>>
>>>>
>>>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield
<chairfield(a)gmail.com>
>>>> wrote:
>>>>
>>>>> I am only testing creating users. With the user cache disabled, I
see
>>>>> no evidence of a memory leak at many JVM heap-size settings.
>>>>>
>>>>> Things get interesting when re-enabling the user cache. Performance
>>>>> seems to take a major hit in lower-memory scenarios, with some very
>>>>> worrisome scenarios where the rate at which I ingest continuously
decreases.
>>>>>
>>>>> I am able to create users at a high rate of speed with a max heap
>>>>> size of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms
setting
>>>>> lower than the Xmx setting, which goes against official JBoss GC
>>>>> performance tuning documentation
>>>>>
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
>>>>> .
>>>>>
>>>>> Though speeds are high with a large heap, I *do* see the possibility
>>>>> of a memory leak with the user cache enabled and no authentication
>>>>> happening. I will be running a test overnight to attempt to confirm
or deny.
>>>>>
>>>>> Thanks for your help so far, Stian. I will be on vacation tomorrow
>>>>> through Sunday, so I will pick this back up on Monday.
>>>>>
>>>>> P.S. I will be thinking of ways to better the documentation around
>>>>> performance tuning, as my tests indicate that standard JVM options
cause
>>>>> Keycloak to run in a very sub-optimal state.
>>>>>
>>>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <
>>>>> sthorger(a)redhat.com> wrote:
>>>>>
>>>>>> Are you only creating users or are you also authenticating
users?
>>>>>> User sessions are kept purely in memory so obviously the more you
create
>>>>>> the more memory is used. Only creating users should not continue
to
>>>>>> increase, but will do so for a while at least due to the way Java
garbage
>>>>>> collection works.
>>>>>>
>>>>>> I would only have the user cache disabled for testing memory
leak.
>>>>>> Re-enable it and retest with it before you eventually go into
production as
>>>>>> it will have a significant impact on performance.
>>>>>>
>>>>>> On 23 June 2016 at 01:10, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Scratch the results of the graph I posted. I was running the
test
>>>>>>> incorrectly. I'll post back with the results of the test
run properly.
>>>>>>>
>>>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <
>>>>>>> chairfield(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Thomas, this test is run with whatever local database
Keycloak
>>>>>>>> defaults to. We're using Postgres generally, and we
will have more
>>>>>>>> information pertaining to tests against Postgres soon.
>>>>>>>>
>>>>>>>> Stian, thanks for the tips. I am currently running a test
to
>>>>>>>> ingest about 50m users into the default database with the
user cache
>>>>>>>> disabled, 8gb mem (Xmx and Xms), and parallel GC threads
== processor count.
>>>>>>>>
>>>>>>>> Though my test is young (430k users ingested), I'm
noticing memory
>>>>>>>> allocation increasing in lockstep with the number of
ingested users. Is it
>>>>>>>> expected to continue in this fashion, or is Keycloak
designed to level off
>>>>>>>> in its memory usage?
>>>>>>>>
>>>>>>>> [image: increasing-heap.png]
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <
>>>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Keycloak by default caches users in-memory, by
default it will
>>>>>>>>> keep up to 10000 entries cached. You can verify that
there's no leak by
>>>>>>>>> disabling the user cache provider. See
>>>>>>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>>>>>>
>>>>>>>>> If you're planning on having millions of users I
suggest you
>>>>>>>>> increase the allocated memory for the JVM (512MB
which it seems you have is
>>>>>>>>> not sufficient).
>>>>>>>>>
>>>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> When testing Keycloak 1.9.8 by ingesting a few
million users, we
>>>>>>>>>> find that Keycloak leaks memory until it is
rendered unresponsive (see
>>>>>>>>>> graph). Increasing JVM memory only increases the
time it takes to encounter
>>>>>>>>>> this issue.
>>>>>>>>>>
>>>>>>>>>> We have put together a test project here
>>>>>>>>>>
<https://github.com/anaerobic/keycloak-leakage> and opened an
>>>>>>>>>> issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as
>>>>>>>>>> we continue to investigate. As we are relying on
Keycloak as a central
>>>>>>>>>> infrastructural component, any help would be
greatly appreciated.
>>>>>>>>>>
>>>>>>>>>> We'll update with more information as we find
it.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Chris
>>>>>>>>>>
>>>>>>>>>> [image: mem-cpu.png]
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>
>>>>>>>>>
>>>>>>
>>
>
8:18 a.m.
I was worried that the workaround would have some impact on performance,
but would never have thought it would be anywhere near this bad.
We're still investigating a proper solution. Afraid it's not going to be
resolved for 2.0.0.Final, but most likely will be in 2.1.0.CR1.
On 29 June 2016 at 05:31, Chris Hairfield <chairfield(a)gmail.com> wrote:
Stian,
We don't seem to be out of the woods yet. The leak is resolved with your
workaround, but performance suffers mightily when an eviction policy is
set. Perhaps you have suggestions on how to get similar performance while
employing this workaround?
Details of test run:
- Eviction policy set at 1 million entries with LRU strategy for
realmVersions cache (no eviction policy on other caches)
- No statistics enabled (to simplify test)
- 1g Xms, 4g Xmx, parallel GC at 4 cores
- No authentication, only user creation
Observations:
- Account creation speeds start out at about half of what I am able to
get without the workaround (~170/s rather than ~350/s)
- I have only been able to create 132k users over a span of ~6 hours
- Memory seems to thrash at a much higher rate than I've seen in
previous tests
Thoughts?
[image: test15-term2.png]
On Tue, Jun 28, 2016 at 10:40 AM Chris Hairfield <chairfield(a)gmail.com>
wrote:
> I can confirm that adding the eviction policy clears the issue. Thank you
> so much for your assistance, Stian. This clears the major hurdle in our
> path to using Keycloak as our sole identity management store :)
>
> On Tue, Jun 28, 2016 at 2:13 AM Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> I've confirmed the issue now and found the cause:
>> https://issues.jboss.org/browse/KEYCLOAK-3202
>>
>> The leak is in realmVersion cache. A workaround is to set a eviction
>> policy on this cache, for example LRU 10000.
>>
>> On 28 June 216 at 08:47, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>
>>> We have had our QE guys confirm this issue and it looks like
>>> something ominous is going on.
>>>
>>> On 27 June 2016 at 17:45, Chris Hairfield <chairfield(a)gmail.com>
wrote:
>>>
>>>> Stian,
>>>>
>>>> I've noticed some interesting things:
>>>>
>>>> - When the user cache in enabled, creating a user allocates a
>>>> block on memory that cannot be GC'd
>>>> - When I restart Keycloak after creating those users, that memory
>>>> is not re-allocated
>>>>
>>>> This begs the question: what is the purpose of the memory allocation
>>>> on user creation if it doesn't need to stick around upon restart?
>>>>
>>>
>>> Creating a new user is expected to consume memory that can't be GC'd
>>> due to the caching. Upon restart the users are loaded on demand into the
>>> cache (user logs in or through admin console/endpoints).
>>>
>>>
>>>>
>>>> It seems to me that the user cache is keeping more than 10k users on
>>>> user creation. Does this hypothesis agree with your understanding of
>>>> Keycloak's design?
>>>>
>>>
>>> By default it should only keep 10K users in memory. Once it hits 10K
>>> the least recently used should entries should be evicted from the cache.
>>> However, it seems this is not working properly.
>>>
>>>
>>>>
>>>> Thanks,
>>>> Chris
>>>>
>>>> P.S. I have yet to test authentication load.
>>>>
>>>> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield
<chairfield(a)gmail.com>
>>>> wrote:
>>>>
>>>>> There seems to be a leak when enabling the user cache, even when
>>>>> providing Keycloak with all the memory it needs to perform admirably
>>>>> (initially). My heap drops to 3.4 GB when I perform a manual GC.
>>>>>
>>>>> I'm now seeing a number of PessimisticLockExceptions as it fails
to
>>>>> lock the USER_ENTITY table. I expect Keycloak to have ground to a
halt by
>>>>> the morning.[image: test8-graph.png]
>>>>>
>>>>>
>>>>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield
<chairfield(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I am only testing creating users. With the user cache disabled,
I
>>>>>> see no evidence of a memory leak at many JVM heap-size settings.
>>>>>>
>>>>>> Things get interesting when re-enabling the user cache.
Performance
>>>>>> seems to take a major hit in lower-memory scenarios, with some
very
>>>>>> worrisome scenarios where the rate at which I ingest continuously
decreases.
>>>>>>
>>>>>> I am able to create users at a high rate of speed with a max
heap
>>>>>> size of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms
setting
>>>>>> lower than the Xmx setting, which goes against official JBoss GC
>>>>>> performance tuning documentation
>>>>>>
<http://www.mastertheboss.com/jboss-server/jboss-performance/jboss-perform...
>>>>>> .
>>>>>>
>>>>>> Though speeds are high with a large heap, I *do* see the
>>>>>> possibility of a memory leak with the user cache enabled and no
>>>>>> authentication happening. I will be running a test overnight to
attempt to
>>>>>> confirm or deny.
>>>>>>
>>>>>> Thanks for your help so far, Stian. I will be on vacation
tomorrow
>>>>>> through Sunday, so I will pick this back up on Monday.
>>>>>>
>>>>>> P.S. I will be thinking of ways to better the documentation
around
>>>>>> performance tuning, as my tests indicate that standard JVM
options cause
>>>>>> Keycloak to run in a very sub-optimal state.
>>>>>>
>>>>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen <
>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>
>>>>>>> Are you only creating users or are you also authenticating
users?
>>>>>>> User sessions are kept purely in memory so obviously the more
you create
>>>>>>> the more memory is used. Only creating users should not
continue to
>>>>>>> increase, but will do so for a while at least due to the way
Java garbage
>>>>>>> collection works.
>>>>>>>
>>>>>>> I would only have the user cache disabled for testing memory
leak.
>>>>>>> Re-enable it and retest with it before you eventually go into
production as
>>>>>>> it will have a significant impact on performance.
>>>>>>>
>>>>>>> On 23 June 2016 at 01:10, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Scratch the results of the graph I posted. I was running
the test
>>>>>>>> incorrectly. I'll post back with the results of the
test run properly.
>>>>>>>>
>>>>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <
>>>>>>>> chairfield(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Thomas, this test is run with whatever local database
Keycloak
>>>>>>>>> defaults to. We're using Postgres generally, and
we will have more
>>>>>>>>> information pertaining to tests against Postgres
soon.
>>>>>>>>>
>>>>>>>>> Stian, thanks for the tips. I am currently running a
test to
>>>>>>>>> ingest about 50m users into the default database with
the user cache
>>>>>>>>> disabled, 8gb mem (Xmx and Xms), and parallel GC
threads == processor count.
>>>>>>>>>
>>>>>>>>> Though my test is young (430k users ingested),
I'm noticing
>>>>>>>>> memory allocation increasing in lockstep with the
number of ingested users.
>>>>>>>>> Is it expected to continue in this fashion, or is
Keycloak designed to
>>>>>>>>> level off in its memory usage?
>>>>>>>>>
>>>>>>>>> [image: increasing-heap.png]
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen
<
>>>>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Keycloak by default caches users in-memory, by
default it will
>>>>>>>>>> keep up to 10000 entries cached. You can verify
that there's no leak by
>>>>>>>>>> disabling the user cache provider. See
>>>>>>>>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cach...
>>>>>>>>>>
>>>>>>>>>> If you're planning on having millions of
users I suggest you
>>>>>>>>>> increase the allocated memory for the JVM (512MB
which it seems you have is
>>>>>>>>>> not sufficient).
>>>>>>>>>>
>>>>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield
<chairfield(a)gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> When testing Keycloak 1.9.8 by ingesting a
few million users,
>>>>>>>>>>> we find that Keycloak leaks memory until it
is rendered unresponsive (see
>>>>>>>>>>> graph). Increasing JVM memory only increases
the time it takes to encounter
>>>>>>>>>>> this issue.
>>>>>>>>>>>
>>>>>>>>>>> We have put together a test project here
>>>>>>>>>>>
<https://github.com/anaerobic/keycloak-leakage> and opened an
>>>>>>>>>>> issue here
<https://issues.jboss.org/browse/KEYCLOAK-3146> as
>>>>>>>>>>> we continue to investigate. As we are relying
on Keycloak as a central
>>>>>>>>>>> infrastructural component, any help would be
greatly appreciated.
>>>>>>>>>>>
>>>>>>>>>>> We'll update with more information as we
find it.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Chris
>>>>>>>>>>>
>>>>>>>>>>> [image: mem-cpu.png]
>>>>>>>>>>>
>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>
>>>
>>
2858
days inactive
2866
days old
14 comments
3 participants
participants (3)
-
Chris Hairfield -
Stian Thorgersen -
Thomas Darimont