-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keycloak container consumes too much memory in devmode #43601
Conversation
Fixes quarkusio#41813 Signed-off-by: Martin Bartoš <mabartos@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the analysis and the proposed fix, @mabartos.
I'll run it on my laptop a little bit later as well, in addition to @fedinskiy testing it in the constrained memory setup
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
750 MB looks like a lot to me for a Dev Service that will probably have very few users stored in it but if that's what is needed, I suppose it will have to do.
🎊 PR Preview 351b9f9 has been successfully built and deployed to https://quarkus-pr-main-43601-preview.surge.sh/version/main/guides/
|
Status for workflow
|
Status for workflow
|
@sberyozkin Thanks for the review! :)
@gsmet We've touched on the discussion several times, mainly here: keycloak/keycloak#26661, keycloak/keycloak#27079 IMHO, for the dev service, the value is reasonable - not lowering it down. |
@mabartos this worked on the 8GB RAM machine (where the 999-SNAPSHOT failed) so this patch helped. |
@gsmet is it possible to have this backported to 3.15, or even better to 3.15 and 3.8? |
Just for the record, on my laptop the start time is probably the same as it was without this feature, about 15 secs, so no negative impact |
@mabartos Thanks for the fix, if it can be of interest, please have a look at some point if we can somehow have Keycloak Devservice starting faster, in the early days, Devservice was starting in about 11 secs or so as far as I recall, on my older laptop, now it is 15 secs or so on a newer laptop. I recall we discussed with Pedro an idea of shipping a custom image but we can't really do it. Please experiment if you can get some time, with some optional JVM options etc |
@sberyozkin Yes, a custom image would be a way to avoid augmentation. However, I'm aware that we did not have so much time to concentrate on the performance in terms of startup times and memory consumption lately due to other priorities. I'd like to have a look at it for the next releases. |
Proposing a backport to 3.15.x which uses Keycloak 25.x |
Overview
The unset container memory limit is the cause of the issue, for sure.
In Keycloak 24, we introduced a different behavior for memory settings as these values are mostly relative to the whole available memory of the node/machine/agent (see here).
In that case, it is required to set the container limit for Keycloak, otherwise expect a rapid increase of memory consumption (see here).
Since Keycloak 25, Argon2 is the new default password hashing algorithm, that requires more memory than the algorithm before.
Therefore, I'd propose to introduce the ability to set the container limit for Keycloak Dev service with some reasonable default value.
I would not amend the JVM options (as in #41833), as they can be changed in the future and the maintainability would be worse.
cc: @sberyozkin @gsmet @fedinskiy
Proposed changes
Verification
I cannot find an existing test case for new config options.
Memory consumption verification based on the
podman stats
and created 5 realms.OLD (limit = node memory = 32GiB):
NEW (limit = 750MiB):
The OLD memory can grow until the container limit, so it should be limited.
@fedinskiy Could you please test this solution in your deployment? Same as you mentioned in the issue description? Thanks!