Hi,

On Sun, Oct 06, 2013 at 09:21:46PM +0800, Brad Zhang wrote:
> Do you have some idea about this issue? Looking forward to your reply.

Coming back to *this* thread, after some debugging in the other thread with Arno, I think what I can say so far is that we're observing two different things:

 - the first renegotiation brings a big jump in memory, but this is to be expected, because the new keying material needs extra memory, and the memory for the old key is not released right away (it seems to be released at the next renegotiation, or at client disconnect - I've seen VSZ/RSS go down(!) when clients disconnect, so that seems to work right).

   This is the "big" jump in memory consumption which is actually killing Arno's setup, because there is not enough virtual memory available to hold all that is needed for 3000 clients (but that can be fixed by increasing max-memory limits if there is enough RAM).

 - each further renegotiation leaks "a few kbyte" of memory per client, which should also be fully returned when the client disconnects - this is the issue I discovered earlier, with the GC handling of the per-client environment set, and I'll send a patch for that "soon" (as soon as I have fully understood the code involved).

Now, what I do not really understand is why the memory consumption on the 3rd, 4th, 5th renegotiation seems to slow down - there seems to be some additional memory fragmentation involved in the 2nd+3rd renegotiation, which leads to memory re-use later on. Or so.

Testing this with "reneg-sec 60" is actually quite interesting... here's *disconnect* of a client:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     19892  0.0  0.0   7052  4304 pts/7    SN+  17:48   0:01 openvpn ../serv

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     19892  0.0  0.0   6300  3740 pts/7    SN+  17:48   0:01 openvpn ../serv

... so you can see that memory is returned to the OS. (I think this will not be visible if many clients are connected as the free()ed memory will be "somewhere in the middle" - but disconnecting *all* clients should also show memory being returned)

Now going to stare more at the code...
:-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de