Since v0.25.0(maybe?), memory footprint increased by factor of 7 (0.24.1 to 0.26.1, no other change)

[DaveAurionix]

Is this a request for help?: Not in the short-term, although this is blocking us from upgrading past version 0.24.1

What keywords did you search in NGINX Ingress controller issues before filing this one?: memory, RAM, ModSecurity, footprint

---

Is this a BUG REPORT or FEATURE REQUEST?: Bug report
NGINX Ingress controller version: 0.26.1
Kubernetes version: 1.14.6
Environment:

• Cloud provider or hardware configuration: Azure Kubernetes Service

• OS: Ubuntu 16.04

• Kernel (e.g. uname -a): Linux nginx-ingress-controller-756c5867f6-hnpk8 4.15.0-1059-azure Sort whitelist list to avoid random orders #64-Ubuntu SMP Fri Sep 13 17:02:44 UTC 2019 x86_64 GNU/Linux

• Install tools: kubectl apply of mandatory.yaml and cloud-generic.yaml.

• Others:

What happened: We upgraded NGINX from 0.24.1 to 0.26.1. The pods were continuously being OOMKilled. When we upped the memory request from 512MB to 2560MB and then the pods would start. Anecdotally, we tried 0.25.0 a while back and aborted due to pod startup failures, may have been the same issue on reflection (equally may not have been).

What you expected to happen: We expected 0.26.1 to use LESS memory due to ModSecurity being configured at server-level since 0.25.0 IIRC (#4091), not location-level as it is in 0.24.1

How to reproduce it (as minimally and precisely as possible): Enable ModSecurity, configure one ingress resource with about 50 paths split across about 7 hosts, deploy a 0.24.1 controller and check RAM usage, update to 0.26.1 and re-check RAM usage.

Anything else we need to know:
kubectl top pod on 0.24.1 shows 2 pods with RAM 249Mi, 247Mi
kubectl top pod on 0.26.1 shows 2 pods with RAM 1855Mi, 1852Mi - these don't reduce even after 10 minutes of waiting

The nginx-configuration configmap we use is as follows:

  custom-http-errors: <redacted list of about ten 4XX and 5XX codes>
  server-tokens: "false"
  enable-modsecurity: "true"
  http-redirect-code: "301"
  enable-access-log-for-default-backend: "true"
  # we tested 0.26.1 with both geoip flags false too, it didn't seem to change the memory usage significantly (which is good!)
  use-geoip: "true"
  use-geoip2: "true"
  limit-req-status-code: "429"
  limit-conn-status-code: "429"

  hsts: "true"
  hsts-include-subdomains: "true"
  hsts-max-age: "63072000"
  hsts-preload: "true"
  ssl-protocols: "TLSv1.2 TLSv1.3"

  log-format-escape-json: "true"
  log-format-upstream: '<redacted JSON log line, but works on 0.24.1 and probably unrelated>'

The Ingress resource configures TLS to reference a certificate shared by about 7 hosts, with a total of 50 paths spread across those hosts. Some paths reference the same upstream service.

In mandatory.yml we added two container arguments (default-backend-service and default-ssl-certificate), the result being:

            - /nginx-ingress-controller
            - --default-backend-service=default/gp-itops-hosting-customwebbackend-website
            - --default-ssl-certificate=$(POD_NAMESPACE)/default-cert
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io

We also configure resource requests and limits that we discover from performance tests.

Whilst writing this I've realised that the memory increase is a factor of 7 and we have 7 hosts configured in the Ingress resource. Might just be co-incidence but I wonder if something in 0.24.1 is server-wide and has moved to host-wide in 0.26.1, causing the RAM to increase so significantly?

[aledbf]

@DaveAurionix did you just updated the image when you upgraded from 0.24.1 to 0.26?
If that's the case, please check the changelog.

If you want to test the exact same configuration, change https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout to 10s

[DaveAurionix]

@aledbf Thank you for responding.

No, we also updated the mandatory.yaml to include changes between 0.24.1 and 0.26.1 (such as the graceful shutdown changes and from memory I think RBAC permissions changed a little). We did read the changelog but may have missed something. It's worth elaborating on the brief comment above that we waited a minimum of ten minutes in our tests to see if the memory usage would drop when old workers terminated. I believe the workers should terminate after a maximum of 5 minutes if I've understood the changelog notes and yaml change right? We were seeing high RAM usage immediately on startup as config is first applied and it wouldn't drop.

I want to do a test with ModSecurity disabled again because I suspect we've seen that the RAM usage is normal without ModSecurity enabled. I'll add a note to confirm that either way when I've done that test.

I'll also do a test with the worker termination time back at 10s as a double-check. Even so, from 250MB to 1855MB is quite a jump....

[aledbf]

I'll also do a test with the worker termination time back at 10s as a double-check. Even so, from 250MB to 1855MB is quite a jump....

Yes, I agree with that, but enabling modsecurity and the new worker-shutdown-timeout combination is the reason for that.

Please also add the mimalloc feature in the ingress controller deployment. That will reduce the memory (modsecurity on or off) in a ~15%.

[DaveAurionix]

First test using this extra line in the configmap: worker-shutdown-timeout: "10s"

CPU = 1320m
RAM = 1909Mi

The pods are being killed before initialising completes as the memory limit is being hit.

0.24.1 was around 250MB with this same config.

I'll try with ModSecurity off next.

[DaveAurionix]

With ModSecurity off, the pods initialise much faster with these average stats (worker-shutdown-timeout is back up to 300s for this test):

CPU = 5m
RAM = 88Mi

I'm investigating our rule customisations in ModSecurity (although Ingress-NGINX 0.24.1 was OK with them)

[DaveAurionix]

With ModSecurity on, but no changes to the shipped configuration, RAM goes high again (~1900Mi) and the pods struggle to initialise.

The pod logs show this repeating a few times, but I'm not sure if it's a symptom of memory starvation rather than part of the problem.

I1002 14:34:56.494756       7 controller.go:150] Backend successfully reloaded.
I1002 14:34:56.494804       7 controller.go:159] Initial sync, sleeping for 1 second.
W1002 14:34:57.496092       7 controller.go:177] Dynamic reconfiguration failed: Post http://127.0.0.1:10246/configuration/backends: dial tcp 127.0.0.1:10246: connect: connection refused
E1002 14:34:57.496829       7 controller.go:181] Unexpected failure reconfiguring NGINX:
Post http://127.0.0.1:10246/configuration/backends: dial tcp 127.0.0.1:10246: connect: connection refused
W1002 14:34:57.497224       7 queue.go:130] requeuing initial-sync, err Post http://127.0.0.1:10246/configuration/backends: dial tcp 127.0.0.1:10246: connect: connection refused
I1002 14:34:57.497996       7 controller.go:134] Configuration changes detected, backend reload required.

[DaveAurionix]

@aledbf The only test left is the mimalloc change you mentioned, but given the finding above around ModSecurity I'm not sure if the test is worth the time yet? I'm fairly sure we're seeing that Ingress-NGINX 0.24.1 would load ModSecurity OK, but 0.26.1 won't. I'm equally sure the picture is not that simple or others would have found it sooner so I know I'm missing something. Thoughts?

[aledbf]

Yes, please add the flag —v=2 to the ingress controller to see the reason of the reload.

Also, what is the number of Nginx workers?

[DaveAurionix]

It's worth noting that in 0.24.1 we "turn on" ModSecurity in a slightly quirky way to improve memory usage. For the 0.26.1 tests we removed this server snippet because Ingress-NGINX is now loading ModSecurity earlier. Maybe this is the bug? Is it now loading ModSecurity host-wide instead of server-wide?

0.24.1 server-snippet:

nginx.ingress.kubernetes.io/server-snippet: |
      modsecurity_rules '
        Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
      ';

      more_clear_headers 'Server' 'X-Powered-By';
      proxy_ignore_client_abort off;

0.26.1 server snippet:

nginx.ingress.kubernetes.io/server-snippet: |
      more_clear_headers 'Server' 'X-Powered-By';
      proxy_ignore_client_abort off;

[DaveAurionix]

@

Yes, please add the flag —v=2 to the ingress controller to see the reason of the reload.

Also, what is the number of Nginx workers?

Will do.

Workers were left at the default which seemed to be 2 per pod.

[DaveAurionix]

To be clear: the 1900Mi RAM stats were per-pod.

[DaveAurionix]

--v=2 gave this:

(preceeded by a long successful configuration dump then this failure)

I1002 14:51:29.332302       7 controller.go:150] Backend successfully reloaded.
I1002 14:51:29.332351       7 controller.go:159] Initial sync, sleeping for 1 second.
W1002 14:51:30.333745       7 controller.go:177] Dynamic reconfiguration failed: Post http://127.0.0.1:10246/configuration/backends: dial tcp 127.0.0.1:10246: connect: connection refused
E1002 14:51:30.334496       7 controller.go:181] Unexpected failure reconfiguring NGINX:
Post http://127.0.0.1:10246/configuration/backends: dial tcp 127.0.0.1:10246: connect: connection refused
W1002 14:51:30.334882       7 queue.go:130] requeuing initial-sync, err Post http://127.0.0.1:10246/configuration/backends: dial tcp 127.0.0.1:10246: connect: connection refused
I1002 14:51:30.335648       7 controller.go:134] Configuration changes detected, backend reload required.
I1002 14:51:30.362955       7 util.go:71] rlimit.max=1048576
I1002 14:51:30.364260       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.365071       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.365579       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.366171       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.366681       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.367194       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.368193       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.368580       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.369117       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.369536       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.370046       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.370620       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.371271       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.371965       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.372401       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.373026       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.373503       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.374060       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.374547       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.375227       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.375616       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.376844       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.377438       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.378116       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.378821       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.379336       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.379649       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.380253       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.380877       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.381276       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.381962       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.382600       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.383043       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.383483       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.383909       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.384418       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.384835       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.385368       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.385648       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.386348       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.386742       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.387323       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.387964       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.388746       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.389402       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.389938       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.390369       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.390896       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.391282       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.391691       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.392066       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.392639       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.393057       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:30.393459       7 template.go:805] empty byte size, hence it will not be set
I1002 14:51:49.381970       7 healthz.go:191] [+]ping ok
[-]nginx-ingress-controller failed: reason withheld
healthz check failed
2019/10/02 14:51:57 [error] 48#48: *60 could not find named location "@custom_upstream-default-backend_500", client: 127.0.0.1, server: , request: "GET /is-dynamic-lb-initialized HTTP/1.1", host: "127.0.0.1:10246"
I1002 14:51:57.778356       7 healthz.go:191] [+]ping ok
[-]nginx-ingress-controller failed: reason withheld
healthz check failed
2019/10/02 14:51:59 [error] 48#48: *68 could not find named location "@custom_upstream-default-backend_500", client: 127.0.0.1, server: , request: "GET /is-dynamic-lb-initialized HTTP/1.1", host: "127.0.0.1:10246"
I1002 14:51:59.384134       7 healthz.go:191] [+]ping ok
[-]nginx-ingress-controller failed: reason withheld
healthz check failed
2019/10/02 14:52:07 [error] 48#48: *121 could not find named location "@custom_upstream-default-backend_500", client: 127.0.0.1, server: , request: "GET /is-dynamic-lb-initialized HTTP/1.1", host: "127.0.0.1:10246"
I1002 14:52:07.777648       7 healthz.go:191] [+]ping ok
[-]nginx-ingress-controller failed: reason withheld
healthz check failed
2019/10/02 14:52:09 [error] 48#48: *132 could not find named location "@custom_upstream-default-backend_500", client: 127.0.0.1, server: , request: "GET /is-dynamic-lb-initialized HTTP/1.1", host: "127.0.0.1:10246"
I1002 14:52:09.383898       7 healthz.go:191] [+]ping ok
[-]nginx-ingress-controller failed: reason withheld
healthz check failed
I1002 14:52:09.459887       7 main.go:153] Received SIGTERM, shutting down
I1002 14:52:09.459911       7 nginx.go:390] Shutting down controller queues
I1002 14:52:09.459924       7 status.go:117] updating status of Ingress rules (remove)
I1002 14:52:09.482283       7 status.go:136] removing address from ingress status ([40.74.40.164])
I1002 14:52:09.490246       7 status.go:274] updating Ingress default/ingress-public status from [{40.74.40.164 }] to []
E1002 14:52:09.498059       7 controller.go:146] Unexpected failure reloading the backend:
signal: terminated
W1002 14:52:09.498085       7 queue.go:130] requeuing configmap-change, err signal: terminated
I1002 14:52:09.513251       7 nginx.go:406] Stopping NGINX process
I1002 14:52:17.779773       7 healthz.go:191] [+]ping ok
[-]nginx-ingress-controller failed: reason withheld
healthz check failed

The dump of successful configuration did include a @custom_upstream-default-backend_500 location section, so I assume NGINX is immediately being triggered to re-configure itself and then failing on this second attempt that is shown in the log lines above. I'm not aware of anything changing configmaps or ingresses to trigger this re-config.

[DaveAurionix]

@aledbf I think I've found it. I'm not a ModSecurity expert, but I think rules are being loaded once inside EVERY location block now (since 0.25.0 maybe?)

In the dumped successful config block, every location block contains this line: modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;

In 0.24.1, turning on modsecurity in the configmap but only loading rules through the server snippet I posted before means that the rules are only loaded once (I think - it might be once per host which is not as good as once for the server but better than once per location).

We can't use that snippet in 0.26.1 because Ingress-NGINX is now loading the rules itself in every location. It didn't do that in 0.24.1.

Does that seem to make sense?

[aledbf]

@DaveAurionix the logic is this https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/template/nginx.tmpl#L1082

In the dumped successful config block, every location block contains this line: modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;

This means the modsecurity feature is not enabled in the configmap

[DaveAurionix]

Sorry, to clarify: the configmap still features this top-level toggle: enable-modsecurity: "true" which turns the entire modsecurity module (and the line you're quoting) on and off. It's this that I'm referring to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-modsecurity.

I've only read that linked source code in a hurry but I suspect that the "$all.Cfg.EnableModsecurity" parameter is coming from the configmap.

When we toggle that documented configmap value to "true" then RAM usage goes to 1900Mi. When we set it false, RAM usage drops to 88Mi. On 0.24.1 the RAM usage was 250Mi with that value "true".

[aledbf]

@DaveAurionix to test if the load of the configuration is the problem,
Please a custom template to remove

            {{ if (or $location.ModSecurity.Enable $all.Cfg.EnableModsecurity) }}
            {{ if not $all.Cfg.EnableModsecurity }}
            modsecurity on;

            modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
            {{ end }}

Using the server-snippet annotation in the host you need to use it

    nginx.ingress.kubernetes.io/server-snippet: |
            modsecurity on;
            modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

This change loads the rules only once per server block.

[DaveAurionix]

@aledbf That would be amazing, thank you. I'll try that as soon as soon as I can and will get back to you (might be day or two now).

[DaveAurionix]

@aledbf Sorry I've just had time to go through the code that you linked to. I understand what you mean now. The exact output we're seeing in the logs is interesting in that regard.

We are only seeing this once at http level (which is good):

modsecurity on;

modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;

We are seeing exactly this repeated at each location level (note: no modsecurity on):

modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;

I think we're hitting this line: https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/template/nginx.tmpl#L1094

We're not setting enable-owasp-modsecurity-crs to true in the configmap. I'm not sure what $location.ModSecurity.OWASPRules is referring to but we're not interacting with that deliberately either.

I'll try the custom template test and will get back to you.

[DaveAurionix]

Adding enable-owasp-modsecurity-crs: "false" to the configmap had no effect.

However @aledbf , I removed the whole section https://github.com/kubernetes/ingress-nginx/blob/nginx-0.26.1/rootfs/etc/nginx/template/nginx.tmpl#L1078 to line 1096 (slightly broader than the snippet you suggested) and the RAM usage dropped to ~100Mi per pod. I couldn't add the server snippet directly because Ingress-NGINX was already adding the rules at server level so we had conflicting rule errors on initialisation.

After a lot of manual testing we've finally cracked it. The workaround is to add enable-owasp-modsecurity-crs: "true" to the configmap alongside enable-modsecurity: "true". This causes the template conditional logic to render the correct http-block configuration but not render any location-block configuration, thus solving the memory usage problem.

I think the bug is on this line: https://github.com/kubernetes/ingress-nginx/blob/nginx-0.26.1/rootfs/etc/nginx/template/nginx.tmpl#L1089

That line of code is saying that if OWASP core rules are not enabled and there is no location-snippet rules (and $location.ModSecurity.OWASPRules is true) then include all of the OWASP core rules anyway. This means that if people turn on ModSecurity, but don't turn on rules, one copy of the rules are included in every location block, which consumes a huge amount of RAM and is not at all expected behaviour. The expected behaviour (in my opinion) is that if people turn on ModSecurity but don't turn on rules, no rules are included.

I'm trying to think of a suggested fix. From our tests it appears that $location.ModSecurity.OWASPRules is evaluating to true by default causing these default rules to be included. Do you know what might be causing that? Our Ingress resource doesn't mention ModSecurity now, and our ConfigMap is as posted above. I don't know where that is set.

On a positive note, the changes in 0.25.0 to load ModSecurity efficiently at http-level work brilliantly if both those flags are set to true, and we're seeing a 50% drop in base memory footprint as a result (~250MB with 0.24.1 to ~110MB with 0.26.1 and both configmap flags true)

[dnauck]

After a lot of manual testing we've finally cracked it. The workaround is to add enable-owasp-modsecurity-crs: "true" to the configmap alongside enable-modsecurity: "true". This causes the template conditional logic to render the correct http-block configuration but not render any location-block configuration, thus solving the memory usage problem.

I can confirm that this action drops memory usage from 4 GB down to 320 MB

@DaveAurionix THANK YOU!