Exception storm due to GSS encryption in version 10

[elgerm]

We experienced memory buildup and service crashes because of exception storms in our dockerized services. I know now this is due to a change in version 10 setting GSS session encryption ssl mode to 'prefer'. We found that in a high traffic environment, we got around 50k exceptions of 'Exception while performing GSS encryption' in the first minute, causing a memory buildup and cpu spikes. This happened in all of our services more or less (APIs and worker services). Disabling it via the connection string makes the problem disappear, however, I wouln't say 'the error is harmless', as stated in the docs.

Now 2 things could be going on here if there are no GSS libraries present in the container:

1. the error gets thrown internally repeatedly
2. we configured something wrong with npgsql and something gets reinitialized

We've been using npgsql (and with ef core) for years in prod without issues:

            services
                .AddDbContext<SoiDb>(options =>
                {
                    options.ConfigureWarnings(w => w.Ignore(CoreEventId.RowLimitingOperationWithoutOrderByWarning));
                    options.UseNpgsql(Configuration.GetConnectionString("db"), o =>
                    {
                        o.UseNetTopologySuite().MigrationsAssembly(migrationsAssembly);
                        o.MigrationsHistoryTable(HistoryRepository.DefaultTableName, "ourdb");

                    }).UseSnakeCaseNamingConvention();
);

i couldn't find anyone posting an issue about this so this makes me think it is something we configured wrong?

[vonzshik]

Could you please clarify what actual exception were you getting (Exception while performing GSS encryption should have an inner exception). As for the docs, it's saying that about Cannot load library libgssapi_krb5.so.2, which is indeed harmless.

[elgerm]

Could you please clarify what actual exception were you getting (Exception while performing GSS encryption should have an inner exception). As for the docs, it's saying that about Cannot load library libgssapi_krb5.so.2, which is indeed harmless.

I used dotnet-trace inside a container to get exception traces, but those did not include the innerexceptions unfortunately. I have little doubt it's from unable finding the library, but if you really need it, then I will see if i can and spin up a test container with encrytion enabled in the connection string (it happened in a high traffic prod environment which i rather not do again).

The problem however was there were 56,040 of these exceptions:
ExceptionType="Npgsql.NpgsqlException" ExceptionMessage="Exception while performing GSS encryption".
With encryption off (or using version 10-rc2) there are none of those.

[vonzshik]

I have little doubt it's from unable finding the library

I do, because as we learned in #6360:

1. Cannot load library libgssapi_krb5.so.2 is an error from .NET runtime, which is logged to stderr. It's not actually thrown as an exception.
2. This error only happens once, as afterwards . NET caches the fact that this library is not available
3. And most importantly, this particular error happens only for the first access to GSS API, which incidentally happens outside of try/catch where we do throw Exception while performing GSS encryption. Not exactly true, see comment below.

Which is why I find it much more likely that instead you do have that library installed, your postgresql instance does support GSS authentication, and it just fails because postgresql doesn't authenticate the current user.
Now, we might be able to somewhat reduce memory/cpu impact for GSS encryption, but before investigating that I would prefer to understand completely what exactly you encountered.

[vonzshik]

A follow-up to my previous comment. I experimented a bit with docker and kerberos, and it seems like in case when the native library doesn't exist .NET runtime throws TypeInitializationException and we indeed wrap it in NpgsqlException. This means that instead of continuing with SSL/TLS we're recreating the connection from scratch (as at that point we do not know the state of connection and there is no fallback from GSS encryption once it starts). This can lead to about twice (though probably less as .NET can reuse memory) the amount of memory usage.
While I'll submit a pr to handle that more gracefully, it'll still well be great if you can indeed confirm that it was TypeInitializationException and not something else.

[elgerm]

Sorry, I'll get back to you with a repro this tomorrow as I am away atm. But I did see a lot of TypeInitializationException
this is from the logs i still have:
NpgsqlException 56,040 TypeInitializationException 14,010

[vonzshik]

Alright. We merged the fix to the main and 10.0.2 so it should be alleviated (at least to some extent). Would be great to get a confirmation after the release that it indeed fixes the issue.

[JTeeuwissen]

Is there any estimate as to when 10.0.2 will be released?
We see the same errors in stderr and we think the exception might cause our healthchecks to fail.

[kfuglsang]

Seeing this as well. Its causing my .net core web api deployed as an Azure Container App to fail startup.

[NinoFloris]

10.0.2 has been released. Let us know whether the fix solves the issue, or at least mitigates it well enough.