Tomasz Wendlandt » Linux

Transparent spreading of incoming network traffic load across CPUs

juggler — Sun, 10 Oct 2010 17:03:02 +0000

Ciekawy ficzer w kernelu 2.6.35.

Network cards have improved the bandwidth to the point where it’s hard for a single modern CPU to keep up. Two new features contributed by Google aim to spread the load of network handling across the CPUs available in the system: Receive Packet Steering (RPS) and Receive Flow Steering (RFS).

RPS distributes the load of received packet processing across multiple CPUs. This solution allows protocol processing (e.g. IP and TCP) to be performed on packets in parallel (contrary to the previous code). For each device (or each receive queue in a multi-queue device) a hashing of the packet header is used to index into a mask of CPUs (which can be configured manually in /sys/class/net//queues/rx-/rps_cpus) and decide which CPU will be used to process a packet. But there’re also some heuristics provided by the RFS side of this feature. Instead of randomly choosing the CPU from a hash, RFS tries to use the CPU where the application running the recvmsg() syscall is running or has run in the past, to improve cache utilization. Hardware hashing is used if available. This feature effectively emulates what a multi-queue NIC can provide, but instead it is implement in software and for all kind of network hardware, including single queue cards and not excluding multiqueue cards.

Benchmarks of 500 instances of netperf TCP_RR test with 1 byte request and response show the potential benefit of this feature, a e1000e network card on 8 core Intel server goes from 104K tps at 30% CPU usage, to 303K tps at 61% CPU usage when using RPS+RFS. A RPC test which is similar in structure to the netperf RR test with 100 threads on each host, but doing more work in userspace that netperf, goes from 103K tps at 48% of CPU utilization to 223K at 73% CPU utilization and much lower latency.

Wi�cej o RPS i RFS:
http://lwn.net/Articles/362339/
http://lwn.net/Articles/362339/
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35

�r�d�o

HAProxy and MySQL health check

juggler — Tue, 16 Mar 2010 15:23:57 +0000

Prawie miesi�c temu opublikowano stabiln� wersj� HAProxy 1.4 . W nowej wersji dodano bardzo przydatny check do MySQLa (option mysql-check). W ko�cu HAProxy potrafi monitorowa� stan bazy bez customizowanych skrypt�w czy innych wynalazk�w.

listen mysql 0.0.0.0:3306
mode tcp
option mysql-check
balance roundrobin
server mysql_server_1 1.1.1.1:3306 check port 3306

Linux 2.6.32 Kernel Samepage Merging and Virtualization

juggler — Mon, 11 Jan 2010 08:23:44 +0000

W niedawno wydanym Kernelu 2.6.32 dodano ciekawy ficzer z punktu widzenia wirtualizacji – Kernel Samepage Merging, wcze�niej znany jako Kernel Shared Memory. Specjalny daemon kernel, ksmd skanuje pami�� w poszukiwaniu takich samych stron, kt�re mo�na zast�pi� pojedy�czym wpisem. Jak podaje http://kernelnewbies.org przyczynia si� to do bardzo du�ego obni�enia zu�ycia pami�ci w �rodowiskach wirtualizowanych.

Modern operative systems already use memory sharing extensively, for example forked processes share initially with its parent all the memory, there are shared libraries, etc. Virtualization however can’t benefit easily from memory sharing. Even when all the VMs are running the same OS with the same kernel and libraries the host kernel can’t know that a lot of those pages are identical and can be shared. KSM allows to share those pages. The KSM kernel daemon, ksmd, periodically scans areas of user memory, looking for pages of identical content which can be replaced by a single write-protected page (which is automatically COW’ed if a process wants to update it). Not all the memory is scanned, the areas to look for candidates for merging are specified by userspace apps using madvise(2): madvise(addr, length, MADV_MERGEABLE).

The result is a dramatic decrease in memory usage in virtualization environments. In a virtualization server, Red Hat found that thanks to KSM, KVM can run as many as 52 Windows XP VMs with 1 GB of RAM each on a server with just 16 GB of RAM. Because KSM works transparently to userspace apps, it can be adopted very easily, and provides huge memory savings for free to current production systems. It was originally developed for use with KVM, but it can be also used with any other virtualization system – or even in non virtualization workloads, for example applications that for some reason have several processes using lots of memory that could be shared.

http://lwn.net/Articles/306704/
http://lwn.net/Articles/330589/

Local DoS on Linux 2.6.27.4

juggler — Wed, 12 Nov 2008 09:13:08 +0000

Ostatnio pisa�em o kernelu 2.6.27. Okazuje si�, �e od paru dni kr��y exploit pozwalaj�cy na lokalny atak denial of service na wersje starsze ni� 2.6.27.5 .

The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.

�r�d�o.

page cache on Linux 2.6.27

juggler — Fri, 07 Nov 2008 22:57:36 +0000

Miesi�c temu wydano kernel 2.6.27, m.in. usprawniono w nim obs�ug� page cache’u dla system�w wieloprocesorowych. Ciekawe jak bardzo nowa funkcja get_user_pages_fast() potrafi poprawi� wydajno�� systemu, mo�e kto� ju� to testowa�?

The page cache is the place where the kernel keeps in RAM a copy of a file to improve performance by avoiding disk I/O when the data that needs to be read is already on RAM. Each “mapping”, which is the data structure that keeps track of the correspondence between a file and the page cache, is SMP-safe thanks to its own lock. So when different processes in different CPUs access different files, there’s no lock contention, but if they access the same file (shared libraries or shared data files for example), they can hit some contention on that lock. In 2.6.27, thanks to some rules on how the page cache can be used and the usage of RCU, the page cache will be able to do lookups (ie., “read” the page cache) without needing to take the mapping lock, and hence improving scalability. But it will only be noticeable on systems with lots of cpus (page fault speedup of 250x on a 64 way system have been measured).

In 2.6.27, a new get_user_pages_fast() function has been introduced, which does the same work that get_user_pages() does, but its simplified to speed up the most common workloads that exercise those paths within the same address space. This new function can avoid taking the mmap_sem semaphore and the page table locks in those cases. Benchmarks showed a 10% speedup running a OLTP workload with a IBM DB2 database in a quad-core system.

�r�d�o.

Nautilus

juggler — Fri, 15 Jun 2007 16:46:56 +0000

Kilka przydatnych skrypt�w do Nautilus’a.

1) �ci�gamy
2) wypakowujemy
3) wrzucamy do ~/.gnome2/nautilus-scripts
4) i ju�

Cisco VPN Client + Linux

juggler — Sun, 03 Jun 2007 18:51:17 +0000

Je�eli kto� z Was chcia�by skompilowa� natywnego Cisco VPN Client’a na Linuksie >= 2.6.19 i mia� z tym problemy to polecam stronk� http://tuxx-home.at/archives/2007/05/29/T16_34_26/, gdzie znajduje si� patch na kernel. Po jego na�o�eniu problem z kompilacj� znika.

Wy��czanie Linuksa

juggler — Tue, 20 Mar 2007 18:33:26 +0000

Zauwa�y�em, �e wiele os�b nie korzysta jeszcze z dobrodziejstwa jakie daje ACPI (Advanced Configuration and Power Interface). Je�eli posiadamy komputer z obecnej epoki;) (czyt. z p�yt� ATX) mo�emy wy��cza� naszego Linuksa za pomoc� przycisku Power na obudowie, zamiast wpisywa� z shella poweroff. Co b�dzie potrzebne nam do tego rozwi�zania?

1) Przede wszystkim wkompilowana obs�uga ACPI w kernelu (je�eli jeszcze tego nie masz).

Power management options (ACPI, APM) —>
ACPI (Advanced Configuration and Power Interface) Support —>
[*] ACPI Support
< M > Button

2) Oraz daemon acpid (Ubuntu way;))

# apt-get install acpid

Po reboocie z nowy kernelem upewnijmy si� czy wszystko gra:

# dmesg | grep Button
ACPI: Power Button (FF) [PWRF]
ACPI: Sleep Button (FF) [SLPF]
ACPI: Power Button (CM) [PWRB]

Je�eli otrzymamy komunikat podobny do powy�szego to znaczy, �e mamy ju� wkompilowan� obs�ug� ACPI. I to w�a�ciwie tyle, to wszystko co jest nam potrzebne. Teraz po naci�ni�ciu guzika ‘Power’ na obudowie Linux zatrzyma wszystkie daemony i na ko�cu wy��czy serwer. Ca�e rozwi�zanie obs�ugiwane jest przez daemona acpid, kt�ry nas�uchuje w /proc/acpi/event, czy nie nast�pi�o zdarzenie obs�ugiwane przez ACPI, jak np. nacisni�cie ‘Power’ na obudowie. Je�eli co� takiego nast�pi, w�wczas acpid wykonuje wcze�niej zdefinowan� akcj� w /etc/acpi/events i uruchamia w userspace’ie dowolne polecenie, np. poweroff lub shutdown -h now.

port knocking

juggler — Sun, 24 Sep 2006 21:30:37 +0000

Bardzo ciekaw� rzecz�, nieznan� jeszcze przez wiele os�b jest technika port knockingu. Umo�liwia ona, za spraw� wys�anej sekwencji pakiet�w (pukni��) do hosta, zdalne wykonanie wcze�niej zdefiniowanego polecenia na wspomnianym hoscie, bez logowania si� na niego. Niby nic nadzwyczajnego, ale ciekaw� spraw� jest mo�liwo�� zdefiniowania sekwencji pukni��, kt�re np. uruchamiaj� jak�� us�ug�, bez konieczno�ci otwierania port�w, na kt�re przychodzi pukni�cie.

Klasycznym zastosowaniem tego rozwi�zania jest udost�pnianie ssh na serwerze, wy��cznie gdy zachodzi taka potrzeba. Istnieje przynajmniej kilka implementacji tej techniki. Ja proponuj� na pocz�tek projekt knock. Po zainstalowaniu demona knockd, w Ubuntu robimy to przez zwyk�e

# apt-get install knockd

przechodzimy do jego konfiguracji.

logfile = syslog

logfile, chyba nie wymaga komentarza, ustawienie tego parametru na syslog spowoduje, �e demon b�dzie pisa� do sysloga.

sequence = 7000,8000,9000

sequence, to sekwencja, okre�laj�ca porty, na kt�re maj� zosta� wys�ane pukni�cia. Mo�na te� poda� typ pakiet�w TCP i/lub UDP.

seq_timeout = 5

seq_timeout, czas w sekundach, w jakim musi zmie�ci� si� sekwencja pukania.

command = /sbin/iptables -A INPUT -s %IP% -p tcp –dport 22 -j ACCEPT

command, polecenie systemowe jakie ma zosta� wykonane

tcpflags = syn

tcpflags, knockd ma zwraca� uwag� tylko na pakiety, z flag� podan� w tym parametrze.

Ostatecznie plik konfiguracyjny wygl�da nast�puj�co

# cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp –dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp –dport 22 -j ACCEPT
tcpflags = syn

gdzie %IP% to IP maszyny, kt�ra wykonuje pukanie. W ten spos�b wysy�aj�c sekwencj� pakiet�w tcp z ustawiona flag� syn na porty 7000,8000,9000 otworzymy dla siebie furtk� w firewallu na port 22, a zamkniemy j� wysy�aj�c sekwencj� pakiet�w na porty 9000,8000,7000. Do wysy�ania sekwencji pukni�� mo�emy wykorzysta� np. SendIP, klienta knock lub dla Windowsa knockknock.

Polecam te� stron� o port knockingu http://portknocking.org/. Nie twierdz�, �e port knocking wp�ywa rewelacyjnie na popraw� bezpiecze�stwa, jest jednak interesuj�c� technik�, kt�rej warto si� przyjrze�.

Linux distros

juggler — Sun, 17 Sep 2006 23:16:41 +0000

Przegl�daj�c www trafi�em na dwa mini projekty, kt�re wizualizuj� histori� powstawania dystrybucji Linuksa. Zamieszczam link do pierwszego jak i drugiego projektu.