Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-47758

Protect against memory leaks from external Groovy scripts if they use SecureGroovyScript.evaluate

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Component/s: script-security-plugin
    • Environment:
      Jenkins core 2.60.x, 2.73.x, most recent Pipeline plugins, plus Active choice plugin.
    • Similar Issues:

      Description

      Many plugins use Groovy scripts internally that are evaluated with each build – for example, job-dsl and parameters created by Active Choices plugin.   Script security is used to protect against malicious code in these scripts (either by whole-script approval or by sandbox execution). 

      However when run normally with modern Jenkins cores & Groovy versions, these helper plugins will slowly leak memory (via classes loaded but not unloaded, and via Groovy objects to track Class metadata) unless they do explicit cleanup.  Left unchecked, this will eventually bring a Jenkins master down.

      As users of Jenkins, we would like to extend Script Security to offer these plugins the same protection against memory leaks that Pipeline receives, so that evaluating scripts via Script Security also provides memory leak protection.  Note that this implementation will not cover custom implementations that do not rely on SecureGroovyScript.evaluate, such as job-dsl.  It may be possible to provide a public API  for broader use in the future.

      Note that the memory leak bugs lies in Groovy and in the plugins using it – so I am marking this as a feature because Script Security would be offering a new set of capabilities to the community.   

      To reproduce one of these leaks, create a simple Jenkins pipeline or Freestyle project and add a simple Active Choices parameter to it (see screenshot), then run it frequently.  Please find attached an image showing the memory leak in progress.

        Attachments

          Activity

            People

            • Assignee:
              svanoort Sam Van Oort
              Reporter:
              svanoort Sam Van Oort
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: