-
Notifications
You must be signed in to change notification settings - Fork 136
Overhead of SecurityManager #134
Comments
That's interesting. Is it only Nailgun related and if such then why? Permission checks are done for all file operations under Oracle's HotSpot implementation of a Path/File provider, it has to do nothing with nailgun. Also, if you use HotSpot then this approach probably violates Oracle's Java license as system code is essentially altered. To come along with this problems on projects we use with Nailgun, we are considering following options:
|
Security checks are triggered just in case securityManager!=null http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/sun/misc/URLClassPath.java#URLClassPath.checkURL%28java.net.URL%29 |
SecurityManager is the only way to intercept termination that I know of. Without altering bytecode, the only way I see is to pass a parameter to Nailgun whether or not to intercept termination. But, with interception switched off, you can't use System.exit in nail's code as it would do what supposed - terminate jvm instead of terminating a nail. Thoughts? |
The only option 'without side effects' I know is byte code manipulation. I've tried just disabling exit interception and it broke Nailgun protocol, I guess it can be done in more elegant way, but terminating jvm after nail's System.exit doesn't sound like an option. |
What I mean is that instead of calling System.exit() the nail should call some other function explicitly (like NGSession.exit() which yet to be implemented) which will make sure the protocol is not broken and terminate a nail but not jvm. A linter should validate what no System.exit() code sneaks in for nail's codebase. |
Are nails not supposed to run |
The security manager installed by Nailgun seems to add a noticeable overhead in IO operations. facebookarchive#134 As a result, we don't install a security manager. Nailgun only uses it to trap exit, and in our case we don't need to do that since Bloop doesn't define any `nailShutdown`.
ngSession.exit() does not really interrupt running nail and in fact does not work correctly; the problem is client terminates the socket and the server still listens to that in NGCommunicator which cause listening thread to throw and log an error. This needs to be processed gracefully. @justinas-dabravolskas do you mind to share numbers about the optimization win, like how many classes were sent to javac to achieve above mentioned improvement? |
javac for ~50k files takes ~75 minutes without agent and 10-15minutes with one (Xmx set for minimal gc overhead, tested on macOS). Anyways overhead of security manager should be linear and not limited to javac. Offtopic suggestion for running javac 1.8 (should not be an issue with java 9) inside nailgun: use -XDuseUnsharedTable. In our case it saves ~2G of heap without noticeable time overhead. |
The security manager installed by Nailgun seems to add a noticeable overhead in IO operations. facebookarchive#134 As a result, we don't install a security manager. Nailgun only uses it to trap exit, and in our case we don't need to do that since Bloop doesn't define any `nailShutdown`.
The security manager installed by Nailgun seems to add a noticeable overhead in IO operations. facebookarchive#134 As a result, we don't install a security manager. Nailgun only uses it to trap exit, and in our case we don't need to do that since Bloop doesn't define any `nailShutdown`.
An alternative to simply avoiding use of the security manager would change For instance, the default public void checkWrite(String file) {
checkPermission(new FilePermission(file,
SecurityConstants.FILE_WRITE_ACTION));
} Calls (I just came across this performance problem in the context of IntelliJ IDEA's use of Nailgun in its compile server for Scala) I see now that #11 already implemented this idea for |
Continues the work started in facebookarchive#11 by systematically overriding all the other methods of SecurityManager for a fast path when the base security manager is null. Fixes facebookarchive#134
Continues the work started in facebookarchive#11 by systematically overriding all the other methods of SecurityManager for a fast path when the base security manager is null. Fixes facebookarchive#134
This might be unrelated, as my knowledge of the SecurityManager protocol is about ZERO. However, while trying to embed Nailgun into a project, the fact that Nailgun overtakes the SecurityManager makes it so the parent application is unable to exit via My only workaround thus far has been to reset the SecurityManager back to the base after starting the NailgunServer. Unknown to me at this time what side-effects that has. There is another issue about a lack of documentation, if this issue could result in some more documentation for the purpose of the NGSecurityManager and how to properly embed it, that would be awesome. |
+ do not run in the security manager which add 30sec delay on startup due to slowness in java.io.UnixFileSystem.canonicalize0 (more detailed analysis available here: facebookarchive/nailgun#134)
+ do not run in the security manager which add 30sec delay on startup due to slowness in java.io.UnixFileSystem.canonicalize0 (more detailed analysis available here: facebookarchive/nailgun#134)
+ do not run in the security manager which add 30sec delay on startup due to slowness in java.io.UnixFileSystem.canonicalize0 (more detailed analysis available here: facebookarchive/nailgun#134)
Note that SecurityManager is deprecated since Java 17 and will be removed in future releases:
Currently, NailgunServer produces a warning in stderr:
|
So, this is a blocking issue for me because I am trying to run Scala 3 code under JDK18 with Project Loom. I look forward to a fix so that I can use Scala 3... https://users.scala-lang.org/t/scala-compile-server-exception/7972 |
@kolotyluk you are welcome to come up with the fix :) |
I haven't seen a great deal of discussion online about how to replace the SecurityManager. This is one the best to read - https://inside.java/2021/04/23/security-and-sandboxing-post-securitymanager/ . It seems like ASM or byte-buddy might be the best bets for changing the System.exit behaviour. |
Note that in Scala Plugin 2021.3 we added a cosmetic workaround: (IJ Scala Plugin Compile Server uses Nailgun under the hood) |
Could you please clarify in which way it "blocks" you? |
With JDK 18 I get following Exception while starting the nailgun server. Switching back to JDK17 and it works again. Maybe that's related to this topic. [root@xxx]# java -Dlog4j.properties=/opt/xxx/cfg/log4j.properties -cp /opt/xxx/lib/nailgun-server.jar:some.more.jar com.facebook.nailgun.NGServer [root@xxx]# java -version |
Running javac(not limited to) inside nailgun process has very high contention caused by security checks, in our case mostly:
We iterated over several solutions to this and settled on a custom java agent that ‘disables’ security manager. This keeps nailgun protocol intact, but in our case improves compilation speed within pantsbuild from 75 to 12 minutes.
The text was updated successfully, but these errors were encountered: