[Fedora-directory-users] FDS SSL performance tuning query
Jonathan Barber
jon at compbio.dundee.ac.uk
Tue Aug 7 16:38:50 UTC 2007
On Tue, Aug 07, 2007 at 10:26:46AM -0600, Richard Megginson wrote:
> Jonathan Barber wrote:
> >Hello all, currently we have a FDS instance running on RHEL4 with a
> >small number of entries (6,000), we also have a linux compute cluster of
> >100 nodes which uses LDAP for user account data (via libnss_ldap).
> >
> >nss_ldap on the cluster is configured to use SSL, and everything is fine
> >most of the time. However, occasionally, when a large job is started on
> >the cluster, the number of connections increases from 100/minute to
> >1600/minute (26/sec).
> >
> >This causes the server to become generally unresponsive, and FDS
> >especially so (as judged by the time required to retrieve the DSE via
> >TLS). Which is a right pain as it causes our samba PDC to timeout and
> >everything goes wrong very quickly.
> >
> >I can reproducibly impact FDS performance by running:
> >$ getent passwd | cut -d: -f 1 | while read i; do id $i; done
> >
> >across the cluster. When SSL is off, the command runs fine and doesn't
> >impact on other searches.
> >
> >As a short term measure, we've disabled LDAPS on the cluster nodes,
> >which is fine as users don't log into them, but we had planned to expand
> >the use of LDAP to cover more hosts (Macs and Linux) that require a
> >confidential channel for authentication. So this experience is giving us
> >some trepidation about moving forward with that plan.
> >
> >Our system is configured following the guidance of the wiki [0], with a
> >maximum of 16834 available file descriptors and 50M of cache (more than
> >enough to hold the DB) - and the ratio of cache hits/misses look good
> >with little paging out. Running logconv.pl on the access logs doesn't
> >show any unindexed searches, so that isn't an issue.
> >
> >Our server CPU is a 3Ghz Xeon with 1G of RAM, and looking at the
> >performance of NSS 3.2 [1], I would expect the machine to be able to
> >setup and tear down many more connections than we are currently seeing.
> >Indeed, running the test described in [1] with the nss-3.11.4 binaries,
> >I get over 1200 connections per second [2], so it certainly doesn't seem
> >to be a problem with NSS.
> >
> >This suggests to me that the problem lies in FDS somewhere. So, does
> >anyone have any suggestions as to how to improve the SSL/TLS performance
> >of FDS, or point me at tuning docs for the SSL side of FDS?
> >
>
> I don't know. But opening and closing SSL connections is pretty
> expensive, with all of the TLS/SSL protocol operations. Is it possible
> you could configure the client machines to use LDAP (not LDAPS) and use
> the LDAP startTLS operation to start up the TLS session on the
> non-secure port? This might allow the server to process the connection
> + TLS session creation more efficiently.
I'll give it a go and see how it works. I had assumed SSL would be less
expensive than a start TLS.
Do you have any benchmarks (even rough numbers) available as to how many
connections FDS can cope with TLS/SSL vs. plain LDAP? I've read Howard
Chu's presentation (http://highlandsun.com/hyc/SambaXP.pdf) but it
doesn't compare against SSL, and I didn't do any SSL benchmarks with FDS
when I evaluated LDAP servers. I don't have any real feeling as to how
many TLS/SSL connections you get compared to plain TCP/IP.
Ta.
> >Cheers.
> >
> >[0] http://directory.fedoraproject.org/wiki/Performance_Tuning
> >[1]
> >http://www.mozilla.org/projects/security/pki/nss/nss-3.2-performance-results
> >[2] server$ ./selfserv -n "Server-Cert" -p 6000
> > client$ time ./strsclnt -p 6000 server -c 1000
> > strsclnt: -- SSL: Server Certificate Validated.
> > strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
> > strsclnt: 999 cache hits; 1 cache misses, 0 cache not reusable
> >
> > real 0m0.605s
> > user 0m0.795s
> > sys 0m0.226s
> >
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
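The change Richard suggests above, written out as an added nss_ldap client configuration example (not from the thread or the FDS project). It assumes the PADL nss_ldap options used on RHEL4 (`uri`, `ssl`, `tls_checkpeer`, `tls_cacertfile`), a placeholder directory hostname and CA file path, and that the server's plain LDAP port (389) accepts the startTLS extended operation.

```conf
# /etc/ldap.conf (nss_ldap) - assumed path; adjust for your distribution.
# Placeholder server name and CA path: replace with your own.

# --- Before: LDAPS on port 636; every lookup opens a fresh SSL session ---
# uri ldaps://ldap.example.invalid/
# ssl on

# --- After: plain LDAP on port 389, upgraded with startTLS per connection ---
uri ldap://ldap.example.invalid/
ssl start_tls

# Keep server certificate verification on in both cases, otherwise the
# "confidential channel" is open to an active man-in-the-middle.
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca-bundle.pem   # placeholder path

base dc=example,dc=invalid
```

Confirm the switch took effect by watching the access log for the startTLS extended operation (OID 1.3.6.1.4.1.1466.20037) on port 389 rather than new connections on 636.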