django-DefectDojo
Add --max-fd argument to uwsgi to stop it from getting OOMKilled in Kubernetes
Description
This PR fixes the issue described in issue https://github.com/DefectDojo/django-DefectDojo/issues/9562 regarding uWSGI that under some circumstances will take up an unnecessary amount of resources on a Kubernetes node leading to the pod getting OOMKilled.
We introduce the possibility to set the `--max-fd` argument when starting up uWSGI to mitigate this issue.
Test results
I have tested the fix on a Kubernetes cluster where it prevented the pod from getting OOMKilled. For more information see https://github.com/DefectDojo/django-DefectDojo/issues/9562.
Documentation
It is not clear to me where the documentation should be updated.
Checklist
This checklist is for your information.
- [ ] Make sure to rebase your PR against the very latest `dev`.
- [ ] Features/Changes should be submitted against the `dev`.
- [x] Bugfixes should be submitted against the `bugfix` branch.
- [ ] Give a meaningful name to your PR, as it may end up being used in the release notes.
- [ ] Your code is flake8 compliant.
- [ ] Your code is python 3.11 compliant.
- [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
- [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.
- [ ] Add applicable tests to the unit tests.
- [ ] Add the proper label to categorize your PR.
Extra information
Contextual Security Analysis
As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.
Status | DryRun Security Check |
---|---|
✅ | Sensitive Functions Analyzer |
❌ | Configured Sensitive Files Analyzer |
✅ | Sensitive Files Analyzer |
Please create PR against dev or bugfix
Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.
DryRun Security | Status | Findings |
---|---|---|
Sensitive Functions Analyzer | :white_check_mark: | 0 findings |
Configured Sensitive Files Analyzer | :x: | 4 findings |
Sensitive Files Analyzer | :grey_exclamation: | 1 findings |
[!Note] :red_circle: Risk threshold exceeded. Adding a reviewer if one is configured in `.dryrunsecurity.yaml`.
notification list: @mtesauro @grendel513
@hoeg thanks for updating your commits. I think this will work! There are some extra changes unrelated to your file descriptor changes that should not be here. Once those are removed, I think this will be good to go :)
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
Closing this PR as the parent issue was addressed by changing the k8s config rather than a code change on the DD side.
I am trying to pick this issue up from my colleague @hoeg.
The described solution in k8s does not resolve the issue for us. We do not have any resource limits and are requesting 4096Mi of memory. The pod is still OOMKilled. However, using the suggested solution in this PR solves the problem.