Hello,

I'm running Radiator as Czech eduroam proxy. At this point I've 173 RadSec peers and restart time starts to worry me. We are running on Debian GNU/Linux Stretch, Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz. Radiator version is 4.20 with patchset 1.2232. Restart takes about 30 seconds. Log:
  http://tomasek.cz/stuff/radiator.restart.txt
You can see that the TERM signal was received at 15:39:27 and the server started responding at 15:39:53 - 26 seconds.

I think that this is caused by opening all RadSec connections on startup. I do not want to use ConnectOnDemand, I want to have the connections open and ready. Is there any way to make the start of all RadSec connections asynchronous? I see in AuthRADSEC::activate that stream_connect is called:

sub activate
{
...
    $self->stream_connect() unless $self->{ConnectOnDemand};

and it seems to be a blocking call. Is there any chance to postpone it?


And note about memory consumption. When you look at my log file, it contains sections like:
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/244b5494.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/2c543cd1.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/2e5ac55d.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/3513523f.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/4d12be1d.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/53f3e569.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/578d5c04.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/5a5c01b6.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/7a491995.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/7f8496de.r0'

repeated about 173 times. This causes quite solid memory consumption:

root@radius1mng4:/etc/radiator# ps aux |grep radius
root 20274 36.2 14.8 5006348 4888736 ? S 15:39 6:51 /usr/bin/perl /usr/bin/radiusd -daemon -config_file /etc/radiator/radius.cfg

especially when comparing to a process which is serving just our own users:

ldap21:RADIUS:~# ps aux |grep radius
root 30026 0.6 0.9 150704 48080 ? S 14:18 0:42 /usr/bin/perl /usr/bin/radiusd

I think it should be possible to implement a sort of shared SSL context, but I must admit I didn't try to look at the SSL functions. Memory consumption isn't that big an issue. I recently stopped adding new CAs, so after the certs at my peers expire and renew I will be able to remove most of the CRLs.


Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
_______________________________________________
radiator mailing list
http://lists.open.com.au/mailman/listinfo/radiator
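
An added example, not part of the original post and not Radiator code: a Python script that takes log lines of the shape quoted above and reports how many times each CRL file was loaded and how many seconds the loading phase spans. The function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Line shape taken from the log excerpt quoted in the post.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")
CRL_RE = re.compile(r"^\(Re\)loading CRL file '([^']+)'$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: three peers each loading the same two CRL files.
SAMPLE_LOG = """\
Fri Jul 20 15:39:27 2018: DEBUG: constructed non-CRL line
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/244b5494.r0'
Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/2c543cd1.r0'
Fri Jul 20 15:39:29 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/244b5494.r0'
Fri Jul 20 15:39:29 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/2c543cd1.r0'
Fri Jul 20 15:39:31 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/244b5494.r0'
Fri Jul 20 15:39:31 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/2c543cd1.r0'
"""


def summarize_crl_loads(lines):
    """Return (Counter of loads per CRL path, seconds from first to last load)."""
    loads = Counter()
    first = last = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a timestamped log line
        crl = CRL_RE.match(m.group(3))
        if not crl:
            continue  # timestamped, but not a CRL load message
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        loads[crl.group(1)] += 1
    span = (last - first).total_seconds() if first else 0.0
    return loads, span


def redundant_loads(loads):
    """Loads beyond the first per file, i.e. repeats of an already parsed CRL."""
    return sum(n - 1 for n in loads.values())


if __name__ == "__main__":
    loads, span = summarize_crl_loads(SAMPLE_LOG.splitlines())
    for path, n in loads.most_common():
        print(f"{n:4d}  {path}")
    print(f"redundant loads: {redundant_loads(loads)}, span: {span:.0f}s")
```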