Kratos Docker container - no response at user registration & high resource usage

We are running Kratos in a Docker container and using the password strategy to log in and register users. The login flow seems to work fine, but when a user attempts to register, the request hangs and the Docker container starts using massive amounts of resources. Looking for guidance on why the request is hanging and why the container is using so many resources on that request.

Here are trace level logs from the container:

{
  "file": "/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:143",
  "func": "github.com/ory/x/reqlog.(*Middleware).ServeHTTP",
  "level": "info",
  "method": "GET",
  "msg": "completed handling request",
  "name": "public#https://myapp.com/.ory/kratos/public",
  "remote": "172.18.0.2:58040",
  "request": "/self-service/browser/flows/requests/login?request=99967d0e-bc79-4de8-bf6d-cc95a68959b0",
  "status": 200,
  "text_status": "OK",
  "time": "2020-07-22T13:54:26Z",
  "took": 1140400
}
{
  "file": "/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:135",
  "func": "github.com/ory/x/reqlog.(*Middleware).ServeHTTP",
  "level": "info",
  "method": "GET",
  "msg": "started handling request",
  "name": "public#https://myapp.com/.ory/kratos/public",
  "remote": "172.18.0.2:58040",
  "request": "/self-service/browser/flows/registration",
  "time": "2020-07-22T13:54:33Z"
}
{
  "file": "/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:143",
  "func": "github.com/ory/x/reqlog.(*Middleware).ServeHTTP",
  "level": "info",
  "method": "GET",
  "msg": "completed handling request",
  "name": "public#https://myapp.com/.ory/kratos/public",
  "remote": "172.18.0.2:58040",
  "request": "/self-service/browser/flows/registration",
  "status": 302,
  "text_status": "Found",
  "time": "2020-07-22T13:54:33Z",
  "took": 13969602
}
{
  "file": "/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:135",
  "func": "github.com/ory/x/reqlog.(*Middleware).ServeHTTP",
  "level": "info",
  "method": "GET",
  "msg": "started handling request",
  "name": "public#https://myapp.com/.ory/kratos/public",
  "remote": "172.18.0.2:58040",
  "request": "/self-service/browser/flows/requests/registration?request=d33428bc-f993-4c2f-8e41-466d608fee0f",
  "time": "2020-07-22T13:54:34Z"
}
{
  "file": "/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:143",
  "func": "github.com/ory/x/reqlog.(*Middleware).ServeHTTP",
  "level": "info",
  "method": "GET",
  "msg": "completed handling request",
  "name": "public#https://myapp.com/.ory/kratos/public",
  "remote": "172.18.0.2:58040",
  "request": "/self-service/browser/flows/requests/registration?request=d33428bc-f993-4c2f-8e41-466d608fee0f",
  "status": 200,
  "text_status": "OK",
  "time": "2020-07-22T13:54:34Z",
  "took": 983700
}
{
  "file": "/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:135",
  "func": "github.com/ory/x/reqlog.(*Middleware).ServeHTTP",
  "level": "info",
  "method": "POST",
  "msg": "started handling request",
  "name": "public#https://myapp.com/.ory/kratos/public",
  "remote": "172.18.0.2:58040",
  "request": "/self-service/browser/flows/registration/strategies/password?request=d33428bc-f993-4c2f-8e41-466d608fee0f",
  "time": "2020-07-22T13:54:53Z"
}

Here is our kratos config file:

## ORY Kratos Configuration
#
identity:
  default_schema_url: file:///etc/config/kratos/identity.traits.schema.json
selfservice:
  default_browser_return_url: https://myapp.com/
  whitelisted_return_urls:
    - https://myapp.com/
  flows:
    settings:
      ui_url: https://myapp.com/settings
      request_lifespan: 1h
      privileged_session_max_age: 1h
    logout:
      after:
        default_browser_return_url: https://myapp.com/
    registration:
      ui_url: https://myapp.com/auth/registration
      request_lifespan: 1h
    login:
      ui_url: https://myapp.com/auth/login
      request_lifespan: 1h
      after:
        default_browser_return_url: https://myapp.com/
    verification:
      enabled: true
      ui_url: https://myapp.com/verify
      after:
        default_browser_return_url: https://myapp.com/
      request_lifespan: 1m
    error:
      ui_url: https://myapp.com/error
  strategies:
    profile:
      enabled: false
    recovery_token:
      enabled: false
    password:
      enabled: true

courier:
  smtp:
    connection_uri: smtps://foo:bar@my-mailserver:1234/?skip_ssl_verify=false
    from_address: [email protected]

serve:
  admin:
    base_url: http://kratos:4434/
    port: 4434
  public:
    base_url: https://myapp.com/.ory/kratos/public
    port: 4433
#
log:
  level: trace
  format: json
#
hashers:
  argon2:
    memory: 9923292
    iterations: 93455383
    parallelism: 57113235
    salt_length: 87632070
    key_length: 3894910
#
session:
  lifespan: 1h
  cookie_same_site: Lax

I believe we have solved this issue. Our hasher configuration settings were way too high. Most likely, the request was timing out because Kratos was taking so long to hash the password.

After changing the configuration to use more sensible values, as shown here, the system is now working.

Our previous values were taken from this file. Perhaps this example file should be changed to represent “reasonable” default values, with the minimum and maximum values shown as comments.
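
The following is an added example, not part of the original post and not Kratos code: a pre-deployment check that would have flagged the `hashers.argon2` block above. It assumes `memory` is expressed in KiB (Argon2's own unit); the hard limits are from RFC 9106, while the RAM budget, work ratio and the 16 to 64 byte length window are illustrative policy choices.

```python
# Added example (not Kratos code). Assumes `memory` is in KiB, Argon2's own unit.
# Hard limits come from RFC 9106; the budgets below are illustrative policy choices.

RFC_MAX_PARALLELISM = 2**24 - 1   # RFC 9106: p must be in 1 .. 2^24-1
BASELINE_WORK = 3 * 65536         # RFC 9106 second recommended option: t=3, m=64 MiB


def audit_argon2(cfg, ram_budget_kib=1024 * 1024, max_work_ratio=100):
    """Return a list of (code, detail) findings for an Argon2 parameter set."""
    m, t, p = cfg["memory"], cfg["iterations"], cfg["parallelism"]
    findings = []
    if not 1 <= p <= RFC_MAX_PARALLELISM:
        findings.append(("parallelism-out-of-range", f"p={p}"))
    if m < 8 * p:
        # RFC 9106 requires at least 8 KiB blocks per lane.
        findings.append(("memory-below-8p", f"m={m} KiB < 8*p={8 * p}"))
    if m > ram_budget_kib:
        findings.append(("memory-over-budget", f"{m / 2**20:.1f} GiB per hash"))
    # Argon2 fills m one-KiB blocks on each of t passes, so work grows as t*m.
    ratio = (t * m) / BASELINE_WORK
    if ratio > max_work_ratio:
        findings.append(("work-over-budget", f"{ratio:.2e}x the RFC baseline"))
    for key in ("salt_length", "key_length"):
        if not 16 <= cfg[key] <= 64:
            findings.append((f"{key}-unusual", f"{cfg[key]} bytes"))
    return findings


# Values copied from the `hashers.argon2` block in the question.
PAGE_CONFIG = {
    "memory": 9923292,
    "iterations": 93455383,
    "parallelism": 57113235,
    "salt_length": 87632070,
    "key_length": 3894910,
}

# RFC 9106 second recommended option: 64 MiB, 3 passes, 4 lanes,
# 16-byte salt, 32-byte tag.
RFC_CONFIG = {
    "memory": 65536,
    "iterations": 3,
    "parallelism": 4,
    "salt_length": 16,
    "key_length": 32,
}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("rfc9106", RFC_CONFIG)):
        print(name, audit_argon2(cfg) or "ok")
```

Every field of the posted block trips a check, while the RFC 9106 parameter set passes cleanly.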