High Level Kong Mem Question

As I use Kong I have some lingering questions about mem consumption and such I would like clarified.

Kong gives us the ability to increase/decrease the default shared dictionary Kong core utilizes, what other memory settings are there to concern ourselves with in the Kong/Openresty/Nginx stack, and can those be set by us @ the Kong template layer? My specific concern is one such as:

  1. I have heard the term Lua VM thrown around, does it have a defined mem ceiling by default and is it configurable+exposed to us Kongers?

So when we execute something like so:

  ngx.req.read_body()
  local req_body  = ngx.req.get_body_data()

Where in memory is this going? To the Lua VM?

Sorry if these are dumb questions, but I am just pondering if there are situations Kong could run out of mem to service a Proxy, and the volumes/tx sizes it would take.

Thanks!

Kong gives us the ability to increase/decrease the default shared dictionary Kong core utilizes

More specifically, the size of the database cache shared between workers. Kong uses other shared memory zones that are not configurable. In the future, we might separate the database cache into multiple ones.

I have heard the term Lua VM thrown around, does it have a defined mem ceiling by default and is it configurable+exposed to us Kongers?

Lua being an interpreted language, the term Lua VM refers to the Lua interpreter. LuaJIT is subject to some memory limits of its own, around ~2GB (a bit less in my experience) for LuaJIT 2.1 on 64 bits architectures. See http://lua-users.org/lists/lua-l/2010-11/msg00241.html. Each worker gets its own Lua VM.

Because of this, code like the snippet you pasted can be dangerous with large bodies or in instances with a small number of workers, and lead to memory exhaustion of the Lua VM in those workers.

1 Like

This is exactly the level of insight I was looking for. Thanks again @thibaultcha! That snippet of code is how I get the HTTP body to sign in a JWT for non-repudiation in Gateway->API Provider security and I don’t see a way around that without doing Mutual TLS (which has never been one of my favorite patterns). I pondered sacrificing some security and just signing the HTTP headers for providers then to validate on but decided that would not suffice. If you want, I could do a nice write up in some agreeable portion of the Kong documentation on what you mentioned in your post if you like? Certainly could help others. I think it makes sense to set a global gateway limit in the 20-30 MB range anyways to help prevent a lua vm memory exhaustion and if api consumers need to move larger sized payloads to enforce a pattern of chunking on the tx because it just seems bad practice to use a single HTTP Packet for a very large payload (100 MB+).