  1. Jenkins
  2. JENKINS-47758

Protect against memory leaks from external Groovy scripts if they use SecureGroovyScript.evaluate

      Description

      Many plugins use Groovy scripts internally that are evaluated with each build – for example, job-dsl and parameters created by Active Choices plugin. Script security is used to protect against malicious code in these scripts (either by whole-script approval or by sandbox execution).

      However, when run normally with modern Jenkins cores & Groovy versions, these helper plugins will slowly leak memory (via classes loaded but not unloaded, and via Groovy objects to track Class metadata) unless they do explicit cleanup. Left unchecked, this will eventually bring a Jenkins master down.

      As users of Jenkins, we would like to extend Script Security to offer these plugins the same protection against memory leaks that Pipeline receives, so that evaluating scripts via Script Security also provides memory leak protection. Note that this implementation will not cover custom implementations that do not rely on SecureGroovyScript.evaluate, such as job-dsl. It may be possible to provide a public API for broader use in the future.

      Note that the memory leak bugs lie in Groovy and in the plugins using it – so I am marking this as a feature because Script Security would be offering a new set of capabilities to the community.

      To reproduce one of these leaks, create a simple Jenkins pipeline or Freestyle project and add a simple Active Choices parameter to it (see screenshot), then run it frequently. Please find attached an image showing the memory leak in progress.
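
Added example, not part of the original report and not the Script Security plugin's code: a stand-alone Groovy script that measures the "classes loaded but not unloaded" symptom by evaluating a small script repeatedly and reading the JVM's class-loading counters. The helper name `measureClassRetention`, the sample script and the iteration count are assumptions made for illustration; it uses a plain `GroovyShell` rather than `SecureGroovyScript.evaluate`.

```groovy
import java.lang.management.ManagementFactory

// Constructed sample: stands in for a small helper script that a plugin
// would evaluate on every build (for example, a parameter's choice list).
String sampleScript = 'return ["dev", "staging", "prod"].collect { it.toUpperCase() }'

/**
 * Hypothetical helper: evaluates scriptText `iterations` times, each time in a
 * fresh GroovyShell (as a per-build evaluation would), and returns how many
 * classes the JVM loaded and unloaded over the run.
 */
Map<String, Long> measureClassRetention(String scriptText, int iterations) {
    def classLoading = ManagementFactory.classLoadingMXBean
    long loadedBefore = classLoading.totalLoadedClassCount
    long unloadedBefore = classLoading.unloadedClassCount

    iterations.times {
        // Every evaluation compiles the text into at least one new Script class.
        new GroovyShell().evaluate(scriptText)
    }

    // Request a collection so that unreachable script classes get a chance to
    // be unloaded. System.gc() is only a hint, so treat one run as indicative
    // and repeat the measurement before drawing conclusions.
    System.gc()
    Thread.sleep(1000)

    long loaded = classLoading.totalLoadedClassCount - loadedBefore
    long unloaded = classLoading.unloadedClassCount - unloadedBefore
    return [loaded: loaded, unloaded: unloaded, retained: loaded - unloaded]
}

// Warm up first so the Groovy runtime's own classes do not skew the numbers.
measureClassRetention(sampleScript, 50)

def result = measureClassRetention(sampleScript, 500)
println "classes loaded:   ${result.loaded}"
println "classes unloaded: ${result.unloaded}"
println "still retained:   ${result.retained}"
// A 'retained' figure that keeps growing with the iteration count across
// repeated runs is the class-retention pattern the description refers to.
```

Run it with a small `-XX:MaxMetaspaceSize` and `-verbose:class` to see the same effect from the JVM's side.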

          Activity

          svanoort Sam Van Oort added a comment -

          Leaks are reproducible with Groovy Post-Build script plugin

          svanoort Sam Van Oort added a comment -

          I think it's safe to assume every Groovy script we run with eval is leaking; most are just too slow for people to realize it.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Sam Van Oort
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
          src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyMemoryLeakTest.java
          http://jenkins-ci.org/commit/script-security-plugin/2699d5d899588c490ee838074b577db11cffa8a8
          Log:
          Merge pull request #161 from svanoort/memory-cleanup

          JENKINS-47758 Script security provides automatic memory leak protection to many groovy scripts

          Compare: https://github.com/jenkinsci/script-security-plugin/compare/763a5db6cf3f...2699d5d89958

          svanoort Sam Van Oort added a comment -

          Released with version 1.35


            People

            • Assignee:
              svanoort Sam Van Oort
              Reporter:
              svanoort Sam Van Oort