[neutron][requirements] Pyroute2 stable/queens upper version (0.4.21) has a memory leak
Hello folks:

As reported in [1], we have found a memory leak in Pyroute stable/queens upper version (0.4.21). This memory leak is reproducible both with Python 2.7 and Python 3.6 (I didn't test 3.5 or 3.7). The script used is [2]. Using "pmap" to read the process memory map (specifically the "total" value), we can see an increase of several MB per minute. This problem is not present in version 0.5.2 (stable/rocky upper-requirements).

I know that in stable releases, the policy established [3] is only to modify those external libraries in case of security-related issues. This is not exactly a security breach, but it can tear down a server over time.

I submitted a patch to bump the version in stable/queens [4] and another one to test this change in the Neutron CI [5]. Is it possible to merge [4]?

Regards.

[1] https://bugs.launchpad.net/neutron/+bug/1835044
[2] http://paste.openstack.org/show/753759/
[3] https://docs.openstack.org/project-team-guide/stable-branches.html
[4] https://review.opendev.org/#/c/668676/
[5] https://review.opendev.org/#/c/668677/
On 2019-07-05 17:29:55 +0100 (+0100), Rodolfo Alonso wrote:
[...]
> I know that in stable releases, the policy established [3] is only to
> modify those external libraries in case of security-related issues.
> This is not exactly a security breach, but it can tear down a server
> over time.
[...]
> [3] https://docs.openstack.org/project-team-guide/stable-branches.html
[...]
You're referring to the policy about backporting fixes for bugs in OpenStack software, which necessitates patch-level version increases for the affected OpenStack components in upper-constraints.txt to make sure we test other software against that newer version.

The policy so far regarding stable branch upper-constraints.txt entries for external dependencies of OpenStack has been to not change them even if they include known security vulnerabilities or other critical bugs, unless those bugs impact our ability to reliably test proposed changes to stable branches of OpenStack software for possible regressions.

It's a common misconception, but that upper-constraints.txt file is purely a reflection of the (basically frozen, in the case of stable branches) set of dependency versions from PyPI against which changes to our software are tested. It is not a good idea to deploy production environments from the PyPI packages corresponding to the versions listed there, for a variety of reasons (the most important of which is that they aren't a security-supported distribution, nor can they ever even remotely become one).

-- 
Jeremy Stanley