Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signing with gpg must be done serially to avoid gpg-agent running out of memory #168

Closed
smarter opened this issue Sep 20, 2019 · 8 comments · Fixed by #171
Closed

Signing with gpg must be done serially to avoid gpg-agent running out of memory #168

smarter opened this issue Sep 20, 2019 · 8 comments · Fixed by #171

Comments

@smarter
Copy link

smarter commented Sep 20, 2019
edited
Loading

When running publishSigned on aggregated projects, we might end up calling gpg multiple times in parallel, this can lead to the gpg-agent running out of "secmem" (secure memory) (see https://dev.gnupg.org/T4255) which can manifest itself with errors such as:

gpg: signing failed: Cannot allocate memory

(as usual with gpg, this error is very confusing: the system didn't run out of memory at all). This isn't just a theoretical concern, this is currently blocking the release of Dotty 0.19.0-RC1: https://dotty-ci.epfl.ch/lampepfl/dotty/1487/1/8

To fix this, an option auto-expand-secmem was added to gpg-agent.conf (https://dev.gnupg.org/T3530), according to that PR:

The --auto-expand-secmem option is available in 2.2. and master for quite some time. It works if libgcrypt 1.8.2 or newer is used.

Unfortunately, Ubuntu 18.04 uses libgcrypt 1.8.1, so this fix isn't usable on a lot of CI setups.

Therefore it seems like the only sane thing to do for sbt-pgp is to wrap calls to gpg into a synchronized block to make sure they're never executed in parallel.
@eed3si9n
Copy link
Member

Would this go away if you set

useGpgAgent := false

given .gnupg/gpg.conf doesn't include use-agent?

@smarter
Copy link
Author

smarter commented Sep 20, 2019

From the gpg manpage on my system:

       --use-agent
       --no-use-agent
              This is dummy option. gpg always requires the agent.

So I'm going to guess no.

smarter added a commit to dotty-staging/dotty that referenced this issue Sep 20, 2019
@smarter
Fix errors while running publishSigned
a419202 
In 54266c1 I upgraded sbt-pgp from
1.1.0 to 2.0.0-M2, this changed the way signing was done: instead of
using the bouncycastle Java library, sbt-pgp now just calls gpg.
Unfortunately, it turns out that multiple parallel calls to gpg can lead
to the gpg-agent running out of memory, causing `publishSigned` to
fai, as happened in https://dotty-ci.epfl.ch/lampepfl/dotty/1487/1/8
while trying to publish Dotty 0.19.0-RC1:
gpg: signing failed: Cannot allocate memory

I've opened an issue at sbt/sbt-pgp#168, but
meanwhile this is fixed by reverting back to using bouncycastle by
setting SBT_PGP_USE_GPG=0 as documented in the README of sbt-pgp.
@smarter smarter mentioned this issue Sep 20, 2019
Merged
smarter added a commit to dotty-staging/dotty that referenced this issue Sep 20, 2019
@smarter
Fix errors while running publishSigned
bdbe657 
In 54266c1 I upgraded sbt-pgp from
1.1.0 to 2.0.0-M2, this changed the way signing was done: instead of
using the bouncycastle Java library, sbt-pgp now just calls gpg.
Unfortunately, it turns out that multiple parallel calls to gpg can lead
to the gpg-agent running out of memory, causing `publishSigned` to
fai, as happened in https://dotty-ci.epfl.ch/lampepfl/dotty/1487/1/8
while trying to publish Dotty 0.19.0-RC1:
gpg: signing failed: Cannot allocate memory

I've opened an issue at sbt/sbt-pgp#168, but
meanwhile this is fixed by reverting back to using bouncycastle by
setting -DSBT_PGP_USE_GPG=false.
@djspiewak djspiewak mentioned this issue Sep 20, 2019
Closed
anatoliykmetyuk pushed a commit to dotty-staging/dotty that referenced this issue Sep 21, 2019
@smarter @anatoliykmetyuk
Fix errors while running publishSigned
0652fb6 
In 54266c1 I upgraded sbt-pgp from
1.1.0 to 2.0.0-M2, this changed the way signing was done: instead of
using the bouncycastle Java library, sbt-pgp now just calls gpg.
Unfortunately, it turns out that multiple parallel calls to gpg can lead
to the gpg-agent running out of memory, causing `publishSigned` to
fai, as happened in https://dotty-ci.epfl.ch/lampepfl/dotty/1487/1/8
while trying to publish Dotty 0.19.0-RC1:
gpg: signing failed: Cannot allocate memory

I've opened an issue at sbt/sbt-pgp#168, but
meanwhile this is fixed by reverting back to using bouncycastle by
setting -DSBT_PGP_USE_GPG=false.
@eed3si9n
Copy link
Member

eed3si9n commented Dec 16, 2019
edited
Loading

Do you know what is the degree of parallelism here that causes the issue? Is it anything more than 1 or 16?

@smarter
Copy link
Author

smarter commented Dec 16, 2019

It happened when publishing dotty which is maybe 8 modules, but it's going to depend on a bunch of things like what is being signed and what parameters gpg-agent is using. So the most conservative thing to do is to be serial.

@eed3si9n
Copy link
Member

ok.

@debasishg said he's hitting it too with a 16 subproject project.

@debasishg
Copy link

@smarter Regarding parameters of gpg-agent, here's my gpg-agent.conf

$ cat gpg-agent.conf 
pinentry-program /usr/local/bin/pinentry-tty
default-cache-ttl 600
max-cache-ttl 7200

Do you have any suggestion that may improve the situation ? /cc @eed3si9n

@smarter
Copy link
Author

smarter commented Dec 17, 2019
edited
Loading

My suggestion is to fix sbt-pgp, or to switch back to making it use bouncycastle (beware, the README instructions for doing that are incorrect, see #169).

eed3si9n added a commit to eed3si9n/sbt-pgp that referenced this issue Dec 17, 2019
@eed3si9n
synchronize signing
12fd1e0 
Fixes sbt#168
@eed3si9n eed3si9n mentioned this issue Dec 17, 2019
Merged
@eed3si9n
Copy link
Member

Here's my PR - #171

eed3si9n added a commit to eed3si9n/sbt-pgp that referenced this issue Dec 17, 2019
@eed3si9n
synchronize signing
33aaf75 
Fixes sbt#168
@mkurz mkurz mentioned this issue Jan 13, 2023
Merged
@squidfunk squidfunk mentioned this issue Sep 8, 2023
Merged
10 tasks
@ChrisKujawa ChrisKujawa mentioned this issue Apr 15, 2024
Merged
github-merge-queue bot pushed a commit to camunda/camunda that referenced this issue Apr 17, 2024
@ChrisKujawa
Fix Zeebe release (avoid oom) (#17474)
ccaa178 
## Description

Changing the concurrency (reducing it from thread per core to half
thread per core) reduces the memory pressure on GPG and allows the
release dry run to succeed.

Success run: https://github.com/camunda/zeebe/actions/runs/8690933557

Found related issue in another project:
Related issue sbt/sbt-pgp#168

After merging this we should try to enable the dry run again.

## Related issues

related #17435
github-merge-queue bot pushed a commit to camunda/camunda that referenced this issue Apr 17, 2024
@ChrisKujawa
Fix Zeebe release (avoid oom) (#17474)
d1461b4 
## Description

Changing the concurrency (reducing it from thread per core to half
thread per core) reduces the memory pressure on GPG and allows the
release dry run to succeed.

Success run: https://github.com/camunda/zeebe/actions/runs/8690933557

Found related issue in another project:
Related issue sbt/sbt-pgp#168

After merging this we should try to enable the dry run again.

## Related issues

related #17435
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

synchronize signing eed3si9n/sbt-pgp
3 participants
@smarter @debasishg @eed3si9n