On Fri, Nov 21, 2014 at 06:33:46PM +0100, konrad rzentarzewski wrote:
> On Fri, Nov 21, 2014 at 06:23:43PM +0100, Willy Tarreau wrote:
> > There were changes to the acl part but in theory this should not
> > impact performance, especially not like this. Are you sure you
> > compiled 1.5 the same way as you did for 1.4 ? Please run
> > "haproxy -vv" for both versions and output the result. It's possible
> > that you used libpcre for 1.4 and not for 1.5 for example. PCRE is
> > extremely fast in general and not using it could easily cause what
> > you're observing.
> 
> yes, both use PCRE, difference is dramatic - 1.4 uses 25-30% CPU with
> nbproc 1 and 1.5 maxes out all cores with nbproc 8.

That's a big change. We can see huge variations between regex libs. I
remember playing at exploiting some regex flaws in the past and managing
to get some very simple regex literally take *days* to execute. But if
you're running with the same lib, there certainly is something odd. I
could imagine a loss of a few percent due to some code changes, but not
something that big. Are you certain the same libpcre is used in both
cases ? Running "ldd" on haproxy will tell you if it's dynamically
linked or not. For example if version 6.6 comes from a static lib and
is only used for 1.5 it can make a difference. Would you be interested
in me providing you with a static binary to test ?

> this pinpoints to this exact acl i've included - if i hash it out
> everything works as normal (same load as 1.4).

OK, I'll ask Thierry to take a look at it, as he knows this part better
than anyone else. At least your rules don't show anything complex! Just
out of curiosity, how many frontends do you have which make use of these
files ? I'm just realizing that if we have a bug causing all instances
of the same file to be concatenated for all frontends, it could result
in a much larger regex list and may explain things a bit.

> $ haproxy -vv
> HA-Proxy version 1.4.25 2014/03/27
> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
> 
> Build options :
>   TARGET  = linux26
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing
>   OPTIONS = USE_REGPARM=1 USE_PCRE=1
(...)
OK quite simple.

> $ haproxy -vv
> HA-Proxy version 1.5.8 2014/10/31
> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
> 
> Build options :
>   TARGET  = linux26
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing
>   OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Here as well.

> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.3
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1j-fips 15 Oct 2014
> Running on OpenSSL version : OpenSSL 1.0.1j-fips 15 Oct 2014
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 6.6 06-Feb-2006

Ah you beat me on this one, my oldest one is 7.7 now :-)

Best regards,
Willy
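
Added example, not part of the original message and not HAProxy project code: a small Python helper that automates the comparison requested in this thread by parsing two "haproxy -vv" outputs and reporting differences in build options and PCRE version. The sample inputs are excerpts of the outputs quoted above; the function names `parse_vv` and `compare_builds` are hypothetical.

```python
import re

# Excerpts of the two "haproxy -vv" outputs quoted in the thread. The 1.4
# output is truncated there, so it carries no "Built with PCRE version" line.
VV_14 = """\
HA-Proxy version 1.4.25 2014/03/27
Build options :
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_REGPARM=1 USE_PCRE=1
"""
VV_15 = """\
HA-Proxy version 1.5.8 2014/10/31
Build options :
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
Built with PCRE version : 6.6 06-Feb-2006
"""

def parse_vv(text):
    """Extract version, build settings, USE_* options and PCRE version."""
    info = {"version": None, "build": {}, "options": set(), "pcre": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"HA-Proxy version (\S+)", line):
            info["version"] = m.group(1)
        elif m := re.match(r"(TARGET|CPU|CC|CFLAGS|OPTIONS)\s*=\s*(.*)", line):
            if m.group(1) == "OPTIONS":
                info["options"] = set(m.group(2).split())
            else:
                info["build"][m.group(1)] = m.group(2)
        elif m := re.match(r"Built with PCRE version\s*:\s*(\S+)", line):
            info["pcre"] = m.group(1)
    return info

def compare_builds(a, b):
    """Return the differences that could explain a regex performance gap."""
    keys = sorted(set(a["build"]) | set(b["build"]))
    return {
        "only_in_a": sorted(a["options"] - b["options"]),
        "only_in_b": sorted(b["options"] - a["options"]),
        "build_diff": {k: (a["build"].get(k), b["build"].get(k))
                       for k in keys if a["build"].get(k) != b["build"].get(k)},
        "pcre": (a["pcre"], b["pcre"]),
        # A version comparison is only meaningful when both outputs report one.
        "pcre_comparable": a["pcre"] is not None and b["pcre"] is not None,
        "both_use_pcre": all("USE_PCRE=1" in x["options"] for x in (a, b)),
    }

if __name__ == "__main__":
    print(compare_builds(parse_vv(VV_14), parse_vv(VV_15)))
```

On these excerpts the PCRE versions cannot be compared because the 1.4 output is cut before that line, which is why the "ldd" check suggested above is still needed to confirm that both binaries load the same libpcre.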

