[jira] [Comment Edited] (SOLR-5776) Look at speeding up using SSL with tests.
[ https://issues.apache.org/jira/browse/SOLR-5776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14080010#comment-14080010 ] Steve Rowe edited comment on SOLR-5776 at 7/30/14 11:14 PM: bq. Steve Rowe: I have no idea what the cron-job is doing! Can somebody explain and why this helps? The cron job is feeding the entropy pool by writing to {{/dev/random}}, which should unblock reads from {{/dev/random}}, assuming there is some randomness in what gets fed in, and/or that side-effect I/O timings feed the pool. I don't know much about this stuff, but here's some things I've read recently about it: * https://we.riseup.net/debian/entropy (Linux random entropy, some Debian specifics, with a discussion of other OSs) * http://security.stackexchange.com/questions/42952/how-can-i-measure-and-increase-entropy-on-mac-os-x (Q/A about OS X entropy) * http://en.wikipedia.org/wiki/Entropy_(computing) (Brief coverage of various OSs' handling of entropy) * http://en.wikipedia.org/?title=/dev/random (random number generation on various OSs) * https://wiki.freebsd.org/201308DevSummit/Security/DevRandom (FreeBSD /dev/random design discussion) bq. Is there anything to change in Windows or the Linux Jenkins? I don't know; as Hoss says above, we want to run some experiments to see if re-enabling SSL in tests that have had trouble in the past will cause trouble again. So we should know in short order if these need changes. {quote} You can log into MacOSX jenkins (if its running): ssh jenk...@jenkins-mac.thetaphi.de (has IPv4 and IPv6 address), for the password send me a note. You can try out whatever you want. Please note, that the virtual machine gets reset to clean and empty state on every update, so once you found a good cron-job, I can persist it on the VM snapshot. {quote} Done - I only did two things: {{sudo touch /etc/crontab}} to enable cron (apparently on OSX cron doesn't do anything unless this file exists, and it doesn't exist until you create it); and added a crontab for the jenkins user via {{crontab -e}} - here's the result (via {{crontab -l}}): {noformat} # Stolen from FreeBSD's /etc/rc.d/initrandom to unblock /dev/random * * * * * ( ps -faxww ; /usr/sbin/sysctl -a ; date ; df -ib ; ps -faxww ; cat /bin/ls ) | dd of=/dev/random bs=8k 2/dev/null {noformat} I re-enabled SSL on {{TestCloudSchemaless}}, and I'll monitor Jenkins to see if it starts failing. was (Author: steve_rowe): bq. Steve Rowe: I have no idea what the cron-job is doing! Can somebody explain and why this helps? The cron job is feeding the entropy pool by writing to {{/dev/random}}, which should unblock reads from {{/dev/random}}, assuming there is some randomness in what gets fed in, and/or that side-effect I/O timings feed the pool. I don't much about this stuff, but here's some things I've read recently about it: * https://we.riseup.net/debian/entropy (Linux random entropy, some Debian specifics, with a discussion of other OSs) * http://security.stackexchange.com/questions/42952/how-can-i-measure-and-increase-entropy-on-mac-os-x (Q/A about OS X entropy) * http://en.wikipedia.org/wiki/Entropy_(computing) (Brief coverage of various OSs' handling of entropy) * http://en.wikipedia.org/?title=/dev/random (random number generation on various OSs) * https://wiki.freebsd.org/201308DevSummit/Security/DevRandom (FreeBSD /dev/random design discussion) bq. Is there anything to change in Windows or the Linux Jenkins? I don't know; as Hoss says above, we want to run some experiments to see if re-enabling SSL in tests that have had trouble in the past will cause trouble again. So we should know in short order if these need changes. {quote} You can log into MacOSX jenkins (if its running): ssh jenk...@jenkins-mac.thetaphi.de (has IPv4 and IPv6 address), for the password send me a note. You can try out whatever you want. Please note, that the virtual machine gets reset to clean and empty state on every update, so once you found a good cron-job, I can persist it on the VM snapshot. {quote} Done - I only did two things: {{sudo touch /etc/crontab}} to enable cron (apparently on OSX cron doesn't do anything unless this file exists, and it doesn't exist until you create it); and added a crontab for the jenkins user via {{crontab -e}} - here's the result (via {{crontab -l}}): {noformat} # Stolen from FreeBSD's /etc/rc.d/initrandom to unblock /dev/random * * * * * ( ps -faxww ; /usr/sbin/sysctl -a ; date ; df -ib ; ps -faxww ; cat /bin/ls ) | dd of=/dev/random bs=8k 2/dev/null {noformat} I re-enabled SSL on {{TestCloudSchemaless}}, and I'll monitor Jenkins to see if it starts failing. Look at speeding up using SSL with tests. - Key: SOLR-5776 URL: https://issues.apache.org/jira/browse/SOLR-5776 Project: Solr
[jira] [Comment Edited] (SOLR-5776) Look at speeding up using SSL with tests.
[ https://issues.apache.org/jira/browse/SOLR-5776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14077207#comment-14077207 ] Steve Rowe edited comment on SOLR-5776 at 7/30/14 11:22 PM: *edit*: prepended /sbin/ to sysctl and dmesg in the crontab, since /sbin/ isn't in the PATH under cron I logged into ASF FreeBSD Jenkins's lucene.zones.apache.org and ran {{sudo su - hudson}} and {{crontab -e}} to put in place a cron job to run every minute. Here's the result (from user hudson's {{crontab -l}}): {noformat} # Stolen from /etc/rc.d/initrandom to unblock /dev/random * * * * * ( ps -fauxww; /sbin/sysctl -a; date; df -ib; /sbin/dmesg; ps -fauxww ; cat /bin/ls ) | dd of=/dev/random bs=8k 2/dev/null {noformat} When I time the above command, it takes about 0.2 seconds to run, so running this every minute shouldn't overwhelm the system. Maybe it doesn't need to run every minute, I don't know, we can try dialling it back if this works. I'll re-enable SSL for a couple tests on trunk that previously failed regularly on ASF FreeBSD Jenkins, to see if this change allows those to pass. was (Author: steve_rowe): I logged into ASF FreeBSD Jenkins's lucene.zones.apache.org and ran {{sudo su - hudson}} and {{crontab -e}} to put in place a cron job to run every minute. Here's the result (from user hudson's {{crontab -l}}): {noformat} # Stolen from /etc/rc.d/initrandom to unblock /dev/random * * * * * ( ps -fauxww; sysctl -a; date; df -ib; dmesg; ps -fauxww ; cat /bin/ls ) | dd of=/dev/random bs=8k 2/dev/null {noformat} When I time the above command, it takes about 0.2 seconds to run, so running this every minute shouldn't overwhelm the system. Maybe it doesn't need to run every minute, I don't know, we can try dialling it back if this works. I'll re-enable SSL for a couple tests on trunk that previously failed regularly on ASF FreeBSD Jenkins, to see if this change allows those to pass. Look at speeding up using SSL with tests. - Key: SOLR-5776 URL: https://issues.apache.org/jira/browse/SOLR-5776 Project: Solr Issue Type: Test Reporter: Mark Miller Assignee: Mark Miller Fix For: 4.9, 5.0 Attachments: SOLR-5776.patch, SOLR-5776.patch We have to disable SSL on a bunch of tests now because it appears to sometime be ridiculously slow - especially in slow envs (I never see timeouts on my machine). I was talking to Robert about this, and he mentioned that there might be some settings we could change to speed it up. -- This message was sent by Atlassian JIRA (v6.2#6252) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Comment Edited] (SOLR-5776) Look at speeding up using SSL with tests.
[ https://issues.apache.org/jira/browse/SOLR-5776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13973573#comment-13973573 ] Hoss Man edited comment on SOLR-5776 at 4/17/14 11:51 PM: -- [~markrmil...@gmail.com]... 1) I don't think you need to override {{nextBytes}} with a No-Op method .. as long as you override generateSeed we should be fine 2) there's a potential AIOOB error with your implementation of {{generateSeed}} -- the contract says that the byte[] returned will have whatever length was specified in the argument, so this could break spectacularly in a future version of jetty/java 3) I'm not sure that you need {{NullSecureRandom}} at all -- if you go back to Steve's patch, and just ensure that you call {{setSeed(new byte[] \{'f','u'\})}} on the result of {{SecureRandom.getInstance(SHA1PRNG)}} beore letting jetty have it, then generateSeed should never, ever be called. *EDIT:* mid-air-collision, deleted things miller addressed in his previous comment was (Author: hossman): [~markrmil...@gmail.com]... 1) I don't think you need to override {{nextBytes}} with a No-Op method .. as long as you override generateSeed we should be fine 2) there's a potential AIOOB error with your implementation of {{generateSeed}} -- the contract says that the byte[] returned will have whatever length was specified in the argument, so this could break spectacularly in a future version of jetty/java 3) I'm not sure that you need {{NullSecureRandom}} at all -- if you go back to Steve's patch, and just ensure that you call {{setSeed(new byte[] \{'f','u'\})}} on the result of {{SecureRandom.getInstance(SHA1PRNG)}} beore letting jetty have it, then generateSeed should never, ever be called. 4) if we are going to use {{NullSecureRandom}} then we probably shouldn't also add the SecureRandomAlgorithm option since it isn't used? 4) I'm fairly certain this portion of your commit was not intentional: https://svn.apache.org/viewvc/lucene/dev/trunk/solr/test-framework/src/java/org/apache/solr/SolrTestCaseJ4.java?r1=1588388r2=1588387pathrev=1588388 Look at speeding up using SSL with tests. - Key: SOLR-5776 URL: https://issues.apache.org/jira/browse/SOLR-5776 Project: Solr Issue Type: Test Reporter: Mark Miller Assignee: Mark Miller Fix For: 4.9, 5.0 Attachments: SOLR-5776.patch, SOLR-5776.patch We have to disable SSL on a bunch of tests now because it appears to sometime be ridiculously slow - especially in slow envs (I never see timeouts on my machine). I was talking to Robert about this, and he mentioned that there might be some settings we could change to speed it up. -- This message was sent by Atlassian JIRA (v6.2#6252) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Comment Edited] (SOLR-5776) Look at speeding up using SSL with tests.
[ https://issues.apache.org/jira/browse/SOLR-5776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13968077#comment-13968077 ] Mark Miller edited comment on SOLR-5776 at 4/14/14 4:59 AM: Bah, it seems to be much less frequent, but it can still happen. I think the issue is that if you don't specify the seed, it will still read from /dev/random for that. I had looked into a custom SecureRandom via SPI, but it's my first foray into SPI, and while it seems relatively straightforward, I have not yet figured out how to plug in a custom SecureRandomSPI class in tests. Even when that's done, the impl is not so straightforward - from what I can tell, you cannot extend the standard SecureRandom to fix this and the open jdk code is -Oracle- {color:red}GPL{color} and the Harmony code is fairly different and would require some hacking to get in. Otherwise we would need to come up with a clean room impl that was still about as decent as Random. was (Author: markrmil...@gmail.com): Bah, it seems to be much less frequent, but it can still happen. I think the issue is that if you don't specify the seed, it will still read from /dev/random for that. I had looked into a custom SecureRandom via SPI, but it's my first foray into SPI, and while it seems relatively straightforward, I have not yet figured out how to plug in a custom SecureRandomSPI class in tests. Even when that's done, the impl is not so straightforward - from what I can tell, you cannot extend the standard SecureRandom to fix this and the open jdk code is Oracle and the Harmony code is fairly different and would require some hacking to get in. Otherwise we would need to come up with a clean room impl that was still about as decent as Random. Look at speeding up using SSL with tests. - Key: SOLR-5776 URL: https://issues.apache.org/jira/browse/SOLR-5776 Project: Solr Issue Type: Test Reporter: Mark Miller Assignee: Mark Miller Fix For: 4.9, 5.0 Attachments: SOLR-5776.patch We have to disable SSL on a bunch of tests now because it appears to sometime be ridiculously slow - especially in slow envs (I never see timeouts on my machine). I was talking to Robert about this, and he mentioned that there might be some settings we could change to speed it up. -- This message was sent by Atlassian JIRA (v6.2#6252) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Comment Edited] (SOLR-5776) Look at speeding up using SSL with tests.
[ https://issues.apache.org/jira/browse/SOLR-5776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13913205#comment-13913205 ] Mark Miller edited comment on SOLR-5776 at 2/26/14 5:33 PM: bq. Just spawn not so many threads and jetties? To test distributed stuff with SSL, you need 2 or 3 jetties The tests that fail spawn like 1-4 jetties, so that won't help. was (Author: markrmil...@gmail.com): bq. Just spawn not so many threads and jetties? To test distributed stuff with SSL, you need 2 or 3 jetties The tests that fail spawn like 2-4 jetties, so that won't help. Look at speeding up using SSL with tests. - Key: SOLR-5776 URL: https://issues.apache.org/jira/browse/SOLR-5776 Project: Solr Issue Type: Test Reporter: Mark Miller We have to disable SSL on a bunch of tests now because it appears to sometime be ridiculously slow - especially in slow envs (I never see timeouts on my machine). I was talking to Robert about this, and he mentioned that there might be some settings we could change to speed it up. -- This message was sent by Atlassian JIRA (v6.1.5#6160) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org