Issue #18812 has been updated by Bruno Harbulot.

I've just had the same issue as described in #18573. After investigation with Wireshark (on the server), it turns out that there's a 5-second delay between the TLS Client Hello message and the TLS Server Hello message. Increasing the RSA key length shouldn't have anything to do with this, since the asymmetric cryptographic operations haven't taken place at this stage of the handshake.

Instead, by looking at the behaviour of the puppet master using strace, I've realised that it was doing a reverse DNS lookup for the client's address whenever it got a connection. This was taking about 5 seconds to time out indeed (since the client address I was using was in 192.168.x.x and didn't have a reverse entry).

Of course, the fact that it doesn't re-use the connection entails a 5-second delay (or whatever the time out is) for each file, which is noticeable when there's a number of files to transfer. However, I don't think the main problem is the lack of connection re-use (re-using connections would be good of course), but this DNS lookup, which is unnecessary. (As a workaround, adding this IP address with a name into /etc/hosts helps avoid this delay.)

----------------------------------------
Bug #18812: Reuse HTTP connection for duration of pluginsync
https://projects.puppetlabs.com/issues/18812#change-87115

* Author: Josh Cooper
* Status: Accepted
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords: performance pluginsync ssl
* Branch:
----------------------------------------

Currently, when the agent performs a pluginsync, it creates a new HTTP connection for the file metadata request and for each file content request. It also causes a new SSL handshake for each connection. This is made worse in Puppet 3, because we've increased the default RSA key lengths. Puppet used to try to cache HTTP connections, but the implementation was buggy and disabled since 2008. See commit 3093047e that removed it altogether.

Puppet agents should reuse the connection for the duration of pluginsync.
