On Thu, Apr 9, 2015 at 9:01 AM, Nino Fink, Contria GmbH <[email protected]>
wrote:

> We are running Pound 2.7 on an OpenBSD 5.6 server, with LibreSSL 2.1.6, as
> nologin user "_pound" in a jailed environment.
>
> The server itself runs on ESX 5.5  (Dell R620 2*8 Core 192GB Ram with a
> 20GBit backbone)
> The VM got 4 Cores, 4GB Ram, 16GB HDD and one NIC assigned.
>
> In busy times (100-200 users) our pound is experiencing hiccups, which
> means, the server becomes unresponsive for 3-10 seconds, in this time no
> logs are written and no user is able to log in via ssh.
> After this the server is fine (fast and responsive, the site gets delivered
> fast), we don't see any sign of work overload using top and the vsphere
> utilities.
>

> What could be the cause for this behavior?
>

Here's my two cents from experience...

I haven't used OpenBSD in many years, and have since moved to FreeBSD for
various reasons, but it sounds like you are running into some kind of
resource limitation in the kernel, particularly if you are not able to SSH
to the machine in addition to the pound issues. I would make sure you are
not hitting some low limit on number of sockets, connections, mbufs, etc. I
don't recall the specific OpenBSD tunables. Check syslog for messages from
the kernel about hitting limits.

Specific to pound, you might want to increase your Threads limit. The
default is 128, which can cause performance issues if you have many
simultaneous requests. However I don't see this affecting sshd.

I would also make sure there is nothing going on with the VMware ESXi
layer. Make sure there are no known performance issues with the OpenBSD
virtual NIC driver.

If your existing SSH sessions perform fine when this happens, it's likely a
connections/sockets/threads limit or such in the kernel. If the existing
SSH sessions hang during this time, then the problem is likely something
deeper and related to the NIC driver or elsewhere.

Sometimes making sure vmware-tools is installed in the guest OS can help
with weird problems like this, but that is a long shot.

-Nick


> our config:
>
> ________________________________________________________________________________
>
> User "_pound"
>
> Group "_pound"
>
> RootJail "/path/pound/jail"
>
>
> #Control Socket
>
> Control "/path/pound.socket"
>
>
> # 0=none, 1=normal, 2=extended, 3=CLF, etc.
>
> LogLevel 5
>
>
> # backend check interval (in seconds)
>
> Alive 5
>
> # client timeout
>
> Client 5
>
>
> # backend timeout
>
> TimeOut 300
>
>
> ListenHTTP
>
>         Address xxx.xxx.xxx.xxx
>
>         Port    80
>
>         # 0=GET/POST/HEAD, 1+=PUT/DELETE, 2+=WebDAV, 3+=MS WebDAV, 4+=MS RPC
>
>         xHTTP 0
>
>         #ErrPages
>
>         Err414 "/path/414.html"
>
>         Err500 "/path/500.html"
>
>         Err501 "/path/501.html"
>
>         Err503 "/anon/503.html"
>
> End
>
>
> ListenHTTPS
>
>         Address xxx.xxx.xxx.xxx
>
>         Port    443
>
>         # Certificate file is read before the chroot and kept in memory
>
>         Cert "/path/anon.sha256.pem"
>
>         Cert "/path/anon.org.sha256.pem"
>
>         # 0=GET/POST/HEAD, 1+=PUT/DELETE, 2+=WebDAV, 3+=MS WebDAV, 4+=MS RPC
>
>         xHTTP 0
>
>         #ErrPages
>
>         Err414 "/path/414.html"
>
>         Err500 "/path/500.html"
>
>         Err501 "/path/501.html"
>
>         Err503 "/anon/503.html"
>
> #       CIPHER
>
>         SSLHonorCipherOrder 1
>
>         Ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA"
>
> End
>
> # web1.anon.org
>
> Service
>
>         HeadRequire "Host: (.?)*anon\.org.*"
>
>         BackEnd
>
>                 Address xxx.xxx.xxx.xxx
>
>                 Port 80
>
>         End
>
>         Session
>
>                 Type    Cookie
>
>                 ID      "PHPSESSID"
>
>                 TTL     10800
>
>         End
>
> End
>
> ___________________________________________________________________
>
>
> Kind regards
> Nino Fink
>
> --
> Netzwerkabteilung
>
> Contria GmbH
> Steinackerweg 18
> 4901 Langenthal
>
> Tel.  +41 62 919 07 90
> Fax. +41 62 919 07 99
> www.contria.ch
>
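
Added example, not part of the original thread: one way to act on the advice above to check syslog for kernel messages about hitting limits. It assumes OpenBSD's convention of tagging kernel lines with `/bsd:` in `/var/log/messages`; the keyword list, the hostname and the sample log lines are constructed for illustration and are not a complete catalogue of kernel messages.

```shell
#!/bin/sh
# Summarise kernel messages in a syslog file that suggest a resource
# limit was hit (file table, mbuf clusters, ...).
# Assumption: the keyword list below is illustrative, not exhaustive.
LIMIT_RE='table is full|limit reached|out of (space|memory|mbufs)|exhausted'

# Print "count<TAB>message" for each distinct kernel limit message in $1.
kernel_limit_hits() {
    grep -F ' /bsd: ' "$1" \
        | grep -Ei "$LIMIT_RE" \
        | sed 's/^.* \/bsd: //' \
        | sort | uniq -c \
        | awk '{ n = $1; $1 = ""; sub(/^ /, ""); printf "%d\t%s\n", n, $0 }'
}

# Constructed sample log (not taken from the poster's server).
sample_log() {
    cat <<'EOF'
Apr  9 10:14:02 lb1 /bsd: file: table is full
Apr  9 10:14:02 lb1 /bsd: file: table is full
Apr  9 10:14:03 lb1 pound: (1a2b3c) e503 no back-end "GET / HTTP/1.1"
Apr  9 10:14:05 lb1 /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Apr  9 10:15:40 lb1 sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
}

# With a file argument, scan that file; otherwise run on the sample.
if [ -n "${1:-}" ]; then
    kernel_limit_hits "$1"
else
    tmp=$(mktemp) && sample_log > "$tmp" && kernel_limit_hits "$tmp"
    rm -f "$tmp"
fi
```

Run it against `/var/log/messages` right after a stall; an empty result points away from the limits this keyword list covers and toward the hypervisor or NIC driver side of the diagnosis.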
