Re: question about the performance impact of sec=krb5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 13, 2023 at 1:53 PM Olga Kornievskaia <aglo@xxxxxxxxx> wrote:
>
> On Mon, Feb 13, 2023 at 1:02 PM Charles Hedrick <hedrick@xxxxxxxxxxx> wrote:
> >
> > those numbers seem implausible.
> >
> > I just tried my standard quick NFS test on the same file system with sec=sys and sec=krb5. It untar's a file with 80,000 files in it, of a size typical for our users.
> >
> > krb5: 1:38
> > sys: 1:29
> >
> > I did the test only once. Since the server is in use, it should really be tried multiple times.
> >
> > krb5i and krb5p have to work on all the contents. I haven't looked at the protocol details, but krb5 with no suffix should only have to work on headers. 3.2 msec increase in latency would be a disaster, which we would certainly have noticed. (Almost all of our NFS activity uses krb5.)
> >
> > It is particularly implausible that latency would increase by 3.2 msec for krb5, 0.6 msec for krb5i and 1.6 for krb5p. krb5 encrypts only security info. krb5p encrypts everything.  Perhaps they mean 0.32 msec? We'd even notice that, but at least it would be consistent with krb5i and krb5p.
>
> Actually they really did mean 3.2. Here's another reference that
> produces similar numbers :
> https://www.netapp.com/media/19384-tr-4616.pdf . Why krb5 perf gets
> higher latency then the rest is bizarre and should have been looked at
> before publication.

Nevermind. After some investigation, it turns out the public report
has a typo, it should have been 0.2ms. Hopefully they'll fix it.

> > From: Wang Yugui <wangyugui@xxxxxxxxxxxx>
> > Sent: Sunday, February 12, 2023 1:01 AM
> > To: linux-nfs@xxxxxxxxxxxxxxx <linux-nfs@xxxxxxxxxxxxxxx>
> > Subject: question about the performance impact of sec=krb5
> >
> > Hi,
> >
> > question about the performance of sec=krb5.
> >
> > https://learn.microsoft.com/en-us/azure/azure-netapp-files/performance-impact-kerberos
> > Performance impact of krb5:
> >         Average IOPS decreased by 53%
> >         Average throughput decreased by 53%
> >         Average latency increased by 3.2 ms
> >
> > and then in 'man 5 nfs'
> > sec=krb5  provides cryptographic proof of a user's identity in each RPC request.
> >
> > Is there a option of better performance to check krb5 only when mount.nfs4,
> > not when file acess?
> >
> > Best Regards
> > Wang Yugui (wangyugui@xxxxxxxxxxxx)
> > 2023/02/12
> >




[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux