Hi,

Here is a patch for the latest polygraph version to perform Kerberos based performance testing.

Apply the attached patch and rebuild configure and other files with:

    aclocal
    autoheader
    automake -a
    autoreconf -f -i

Now run ./configure ...

Four new options are introduced:

1) kerberos_auth = true;
   Selects Kerberos over NTLM in Negotiate requests

2) kerberos_config_path = "krb5_WINDOWS.conf";
   Defines the Kerberos configuration file to use

3) kerberos_clear_cache = true;
   Do not cache credentials but re-authenticate the user for every HTTP request. Creates a high amount of Kerberos traffic to the kdc or Active Directory and is not recommended

4) kerberos_proxy_spn = "HTTP/<fqdn>" (and kerberos_server_spn = "HTTP/<fqdn>" for testing web server performance)
   Setting the spn avoids DNS resolution of the proxy or web server hostname to IP address and vice versa.

Simple Polygraph configuration

    /*
     * A very simple "Hello, World!" workload
     */

    // this is just one of the simplest workloads that can produce hits
    // never use this workload for benchmarking

    // SimpleContent defines properties of content that the server generates;
    // if you get no hits, set SimpleContent.obj_life_cycle to cntStatic, which
    // is defined in workloads/include/contents.pg
    Content SimpleContent = {
        size = exp(13KB); // response sizes distributed exponentially
        cachable = 80%;   // 20% of content is uncachable
    };

    // a primitive server cleverly labeled "S101"
    // normally, you would specify more properties,
    // but we will mostly rely on defaults for now
    Server S = {
        kind = "S101";
        contents = [ SimpleContent ];
        direct_access = contents;
        addresses = [ '192.168.1.12:9090' ]; // where to create these server agents
    };

    DnsResolver dr = {
        servers = [ '127.0.0.1:53' ];
        timeout = 5sec;
    };

    AddrMap M = {
        addresses = [ '192.168.1.10' ,'192.168.1.11', '192.168.1.12' ];
        names = [ 'client.suse.home' , 'proxy.suse.home', 'server.suse.home' ];
    };

    // a primitive robot
    Robot R1 = {
        kind = "R101";
        pop_model = { pop_distr = popUnif(); };
        recurrence = 55% / SimpleContent.cachable; // adjusted to get 55% DHR
        origins = S.addresses;          // where the origin servers are
        addresses = [ '192.168.1.10' ]; // where these robot agents will be created
        // kerberos_clear_cache = true;
        kerberos_auth = true;
        kerberos_config_path = "krb5_SUSE.conf";
        kerberos_proxy_spn = "HTTP/proxy.suse.home";
        credentials = [ "user1:user1" ];
        dns_resolver = dr;
    };

    // a primitive robot
    Robot R2 = {
        kind = "R101";
        pop_model = { pop_distr = popUnif(); };
        recurrence = 55% / SimpleContent.cachable; // adjusted to get 55% DHR
        origins = S.addresses;          // where the origin servers are
        addresses = [ '192.168.1.10' ]; // where these robot agents will be created
        // kerberos_clear_cache = true;
        kerberos_auth = true;
        kerberos_config_path = "krb5_WINDOWS.conf";
        // user can be the same as in Robot R1 as the default domain in krb5 will
        // differentiate them as user1@<WINDOWS-DOMAIN> and user1@<SUSE-DOMAIN>
        kerberos_proxy_spn = "HTTP/proxy.suse.home";
        credentials = [ "user1:user1" ];
        dns_resolver = dr;
    };

    // commit to using these servers and robots
    use(M);
    use(S, R1, R2);

Run the client with:

    /opt/polygraph-4.0.11/bin/polygraph-client --proxy 192.168.1.11:3128 \
        --config /home/markus/mysources/polygraph/simple_proxy.pg \
        --verb_lvl 10 --log client.log

Simple Kerberos configuration file

    [libdefaults]
        default_realm = WIN2003R2.HOME
        default_keytab_name = /etc/krb5.keytab
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

    #Heimdal settings
        default_etypes = arcfour-hmac-md5 des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5

    # DNS settings to reduce DNS traffic and rely on below settings
        dns_lookup_kdc = no
        dns_lookup_realm = no

    [realms]
        WIN2003R2.HOME = {
            kdc = 192.168.1.10
            admin_server = 192.168.1.10
        }

    [domain_realm]
        .win2003r2.home = WIN2003R2.HOME
        win2003r2.home = WIN2003R2.HOME

    [logging]

Using IP addresses reduces the load on DNS!!

In the case of a high number of connections you may see errors 1765328228 from krb5_get_init_creds_password. This can happen when more than FD_SETSIZE file descriptors are open. The only way to avoid this is to recompile the Kerberos library after setting a max file descriptor number with sysctl (on Linux) and changing the header file define for FD_SETSIZE in typesizes.h (depending on the OS it is defined in other header files).

Any feedback is appreciated.

Regards
Markus

http://www.mail-archive.com/squid-dev@xxxxxxxxxxxxxxx/msg14948/polygraph-4.0.11-kerberos-v7.patch
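
The FD_SETSIZE limit described at the end of the message, as an added example that is not part of the patch, of Polygraph or of any Kerberos library: it shows why a descriptor numbered FD_SETSIZE or higher cannot be placed in an fd_set, and a guard that refuses such a descriptor instead of writing past the set. It assumes the failing library code waits on its sockets with select(); the function names are hypothetical.

```c
/* Added example (not from the patch): descriptors that select() cannot watch.
 * Function names are hypothetical; the select() use is an assumption. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set has room only for descriptors 0 .. FD_SETSIZE-1. */
int fd_fits_fd_set(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* Duplicate src onto the lowest free slot >= FD_SETSIZE. Returns the new
 * descriptor, or -1 when the RLIMIT_NOFILE soft limit does not allow it. */
int dup_beyond_select(int src) { return fcntl(src, F_DUPFD, FD_SETSIZE); }

/* Guarded wait: 1 = readable, 0 = timeout, -1 = select() error,
 * -2 = refused because FD_SET(fd, ...) would write outside the fd_set. */
int wait_readable(int fd, int timeout_ms) {
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    if (!fd_fits_fd_set(fd))
        return -2;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, &tv);
}

int main(void) {
    struct rlimit rl;
    int p[2], hi;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || pipe(p) != 0)
        return 1;
    if (write(p[1], "x", 1) != 1)   /* constructed input: one pending byte */
        return 1;
    printf("FD_SETSIZE=%d soft RLIMIT_NOFILE=%llu\n",
           (int)FD_SETSIZE, (unsigned long long)rl.rlim_cur);
    printf("fd %d -> wait_readable=%d\n", p[0], wait_readable(p[0], 100));
    hi = dup_beyond_select(p[0]);
    if (hi < 0) {
        printf("soft limit keeps every descriptor below FD_SETSIZE\n");
    } else {
        /* Same pipe, same pending byte, but the number no longer fits. */
        printf("fd %d -> wait_readable=%d\n", hi, wait_readable(hi, 100));
        close(hi);
    }
    return 0;
}
```

Run it once with the default limit and once after raising the soft limit (for example `ulimit -n 4096` in the same shell) to see both branches.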