2009/9/30 Mariusz Gronczewski <xani...@gmail.com>:
> 2009/9/29 Willy Tarreau <w...@1wt.eu>:
>> On Tue, Sep 29, 2009 at 10:41:28AM -0700, David Birdsong wrote:
>> (...)
>>> > Which translates into that for one CPU :
>>> >  10% user
>>> >  40% system
>>> >  50% soft-irq
>>> >
>>> > This means that 90% of the time is spent in the kernel (network stack+drivers).
>>> > Do you have a high bit rate (multi-gigabit) ? Are you sure you aren't running
>>> > with any ip_conntrack/nf_conntrack module loaded ? Can you show the output of
>>
>>> Do you recommend against these modules?  We have a stock Fedora 10
>>> kernel that has nf_conntrack compiled in statically.
>>
>> By default I recommend against it because it's never tuned for server usage,
>> and if people don't know if they are using it, then they might be using it
>> with inadequate desktop tuning.
>>
>>> I've increased
>>> /proc/sys/net/netfilter/nf_conntrack_max, but is it correct to expect
>>> connection tracking to add kernel networking CPU overhead due to
>>> netfilter?  I've speculated that it might, but fruitless searches for
>>> discussions that would suggest so have restrained me from bothering to
>>> re-compile a custom kernel for our haproxy machines.
>>
>> Yes, from my experience, using conntrack on a machine (with large enough
>> hash buckets) still results in 1/3 of the CPU being usable for haproxy+system
>> and 2/3 being consumed by conntrack. You must understand that when running
>> conntrack on a proxy, it has to setup and tear down two connections per
>> proxy connection, explaining why it ends up with that amount of CPU used.
>>
>> Often if you absolutely need conntrack to NAT packets, the solution consists
>> in setting it on one front machine and having the proxies on a second level
>> machine (run both in series). It will *triple* the performance because the
>> number of conntrack entries will be halved and it will have more CPU to run.
> You could also try to do something like this
>
> # iptables -I PREROUTING -p tcp --dport 80 -j NOTRACK
> # iptables -I OUTPUT -p tcp --dport 80 -j NOTRACK
# iptables -t raw -I PREROUTING -p tcp --dport 80 -j NOTRACK
# iptables -t raw -I OUTPUT -p tcp --dport 80 -j NOTRACK
Sorry for the mistake.

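As an added example (not part of the thread, and not from any of the posters), here is a small audit of an iptables-save dump that checks the two corrected rules above. It goes slightly beyond the post: besides confirming that NOTRACK rules sit in the raw table (the only table where the kernel honours that target), it reports, per exempted port, which of the four chain/port-side slots are still tracked, since a proxy handles two connections per request and the reply packets (matched by --sport, not --dport) would otherwise still create conntrack entries. The dump is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed iptables-save output (not a real host dump): the two raw-table
# rules from the post, plus an empty filter table.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A OUTPUT -p tcp -m tcp --dport 80 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*) -j (\S+)$")

def parse_dump(text):
    """Return {table: [(chain, match_string, target), ...]} from iptables-save text."""
    tables = defaultdict(list)
    table = None
    for line in text.splitlines():
        if line.startswith("*"):            # "*raw", "*filter", ... opens a table
            table = line[1:]
        elif line.startswith("-A") and table:
            m = RULE_RE.match(line)
            if m:
                tables[table].append(m.groups())
    return tables

def notrack_coverage(text):
    """Report NOTRACK rules outside the raw table and, for each exempted TCP port,
    the (chain, port-side) slots still tracked. A proxy needs all four: client->proxy
    and backend->proxy packets arrive via PREROUTING, proxy->backend and proxy->client
    leave via OUTPUT, and in each chain one direction is matched by --dport, the
    reply direction by --sport."""
    covered, misplaced = defaultdict(set), []
    for table, rules in parse_dump(text).items():
        for chain, match, target in rules:
            if target != "NOTRACK":
                continue
            if table != "raw":              # NOTRACK only takes effect in raw
                misplaced.append((table, chain))
                continue
            for side, port in re.findall(r"--(dport|sport) (\d+)", match):
                covered[int(port)].add((chain, side))
    wanted = {("PREROUTING", "dport"), ("PREROUTING", "sport"),
              ("OUTPUT", "dport"), ("OUTPUT", "sport")}
    gaps = {port: sorted(wanted - slots) for port, slots in covered.items()}
    return misplaced, gaps
```

Run it against the real dump with `notrack_coverage(open("/path/to/iptables-save.out").read())`; an empty gap list for a port means both directions of both proxy-side connections bypass conntrack.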