[jira] [Commented] (HADOOP-15813) Enable more reliable SSL connection reuse

Wed, 20 Feb 2019 16:57:30 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-15813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773551#comment-16773551
 ] 

Wei-Chiu Chuang commented on HADOOP-15813:
------------------------------------------

+1
 The patch dramatically improves KMS throughput from 2900 decrypt_eek/s to 8100 
decrypt_eek/s in my test.

Benchmark setup:
{noformat}
4-node cluster, each node 4 core Intel Xeon 2.5Ghz, 25GB memory
CentOS 7.4, CDH 6.2 + CM 6.2, Cloudera Navigator Key Trustee
Oracle Java 8u181
One KMS server. Heap: 5GB, max thread: 32
{noformat}
Ran the KMS benchmark tool (HADOOP-15967) on 3 other nodes to fully saturate 
the KMS server:
{noformat}
HADOOP_CLIENT_OPTS="-Xms10g -Xmx10g"
hadoop jar /tmp/hadoop-kms-3.0.0-cdh6.1.0-tests.jar 
org.apache.hadoop.crypto.key.kms.server.KMSBenchmark -op decrypt -threads 100 
-numops 2000000
{noformat}
Additionally, 
 used heap size = 2GB (prior to the patch, heap size would grow until the max 
heap size),
 open file descriptor 600 (prior to the patch, open file descriptor would grow 
to 7000)

> Enable more reliable SSL connection reuse
> -----------------------------------------
>
>                 Key: HADOOP-15813
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15813
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 2.6.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Major
>         Attachments: HADOOP-15813.patch, HADOOP-15813.patch
>
>
> The java keep-alive cache relies on instance equivalence of the SSL socket 
> factory.  In many java versions, SSLContext#getSocketFactory always returns a 
> new instance which completely breaks the cache.  Clients flooding a service 
> with lingering per-request connections that can lead to port exhaustion.  The 
> hadoop SSLFactory should cache the socket factory associated with the context.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to