I’m migrating several CentOS 7 servers to Alma 8.4 and I noticed an issue with memory usage of firewalld. These servers are small 1GB systems, so this issue caused dead installations because once they boot, 100% of memory is consumed and the kernel starts killing everything.
In CentOS 7, existing firewalld uses 43MB:
root 402 0.0 2.2 372360 43084 ? Ssl May24 0:04 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Once updated to Alma 8.4, firewalld uses 774MB:
root 564 0.0 20.2 1056284 774616 ? Ssl Jun04 1:14 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
That's right, memory usage went from 43MB to 774MB, consuming almost all of the available 1GB of RAM.
Further investigation revealed that the cause of this issue is related to my ipset rules, which are identical in both the CentOS 7 systems as well as the new Alma 8.4 systems. My rules are the entire ranges of 33 countries, which result in 76138 different ranges of IPv4+IPv6 rules, under /etc/firewalld/ipsets/.
Of course, if I remove them all, memory usage goes back to normal. I don't know if this issue is specific to Alma, or if it's something related to an upstream project (RHEL, or firewalld, or whatever firewalld is a front-end for).
Any ideas would be appreciated.