Re: RFC: NFS over TLS stats
On Thu, Oct 26, 2023 at 11:28 AM Rick Macklem wrote:
>
> On Wed, Oct 25, 2023 at 8:10 PM Simon J. Gerraty wrote:
> >
> > Rick Macklem wrote:
> > > > kern.rpctls.tls.snd_msgbytes: 20828
> > > > kern.rpctls.tls.snd_msgcnt: 57
> > > > kern.rpctls.tls.rcv_tmsgbytes: 12336
> > > > kern.rpctls.tls.rcv_msgcnt: 57
> > > >
> > > > which allows for sysctl kern.rpctls.tls
> > > Not sure what you mean?
> >
> > If for some reason I only care about tls I can do
> >
> > sysctl kern.rpctls.tls
> >
> > and get
> >
> > kern.rpctls.tls.snd_msgbytes: 20828
> > kern.rpctls.tls.snd_msgcnt: 57
> > kern.rpctls.tls.rcv_tmsgbytes: 12336
> > kern.rpctls.tls.rcv_msgcnt: 57
> >
> > otherwise I'd have to do
> >
> > sysctl kern.rpctls | grep tls
> >
> > > I am listing counts for TLS and non-TLS so they can
> > > be compared. As such, a "tls" in the last component of
> > > the name is needed, unless I list the non-TLS ones
> >
> > Ok
> >
> > > under something else like:
> > > kern.rpc.snd_msgbytes
> > >
> > > I currently actually have them all as:
> > > kern.rpc.tls.XXX instead of kern.rpctls.XXX,
> >
> > Haha I didn't notice the tls in rpctls ;-)
> >
> > > since there was already kern.rpc.gss.XXX.
> >
> > kern.rpc.tls.XXX sounds fine
> Ok, how does this look?
>
> kern.rpc.nontls.tx_msgcnt: 58
> kern.rpc.nontls.tx_msgbytes: 20828
> kern.rpc.nontls.rx_msgcnt: 58
> kern.rpc.nontls.rx_msgbytes: 12072
As suggested by someone off-list, I have replaced "nontls" with
"unenc".

rick

> kern.rpc.tls.tx_msgcnt: 62639
> kern.rpc.tls.tx_msgbytes: 30800352
> kern.rpc.tls.rx_msgcnt: 62639
> kern.rpc.tls.rx_msgbytes: 13473756
> kern.rpc.tls.handshake_success: 1
> kern.rpc.tls.handshake_failed: 0
> kern.rpc.tls.alerts: 1
>
> It doesn't put the nonTLS and TLS lines for a given stat next to each other,
> but does allow either the nonTLS or TLS stats to be displayed easily
> and keeps the two sets adjacent, so they can be compared easily.
>
> rick
>
> >
> > >
> > > rick
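
Added example, not part of the thread or of the patch it discusses: a shell function that turns the counters proposed above into a one-line summary of TLS versus unencrypted RPC traffic, which is the question the thread set out to answer for a server admin. It assumes the OID names from the last proposal in the message above (kern.rpc.tls.* and kern.rpc.unenc.*); the function names, exit codes and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example. OID names follow the last proposal in the thread
# (kern.rpc.tls.*, kern.rpc.unenc.*); committed names may differ.

# Constructed sample input: the values posted in the thread, with
# "nontls" renamed to "unenc" as the final message describes.
sample_sysctl() {
    cat <<'EOF'
kern.rpc.unenc.tx_msgcnt: 58
kern.rpc.unenc.tx_msgbytes: 20828
kern.rpc.unenc.rx_msgcnt: 58
kern.rpc.unenc.rx_msgbytes: 12072
kern.rpc.tls.tx_msgcnt: 62639
kern.rpc.tls.tx_msgbytes: 30800352
kern.rpc.tls.rx_msgcnt: 62639
kern.rpc.tls.rx_msgbytes: 13473756
kern.rpc.tls.handshake_success: 1
kern.rpc.tls.handshake_failed: 0
kern.rpc.tls.alerts: 1
EOF
}

# rpc_tls_report (hypothetical helper): reads "name: value" lines on stdin
# and prints one summary line.
# Exit status: 0 = only TLS traffic seen and no failed handshakes,
#              1 = unencrypted RPC messages or failed handshakes seen,
#              2 = none of the expected counters present.
rpc_tls_report() {
    awk -F': ' '
        $1 ~ /^kern\.rpc\.(tls|unenc)\./ { v[$1] = $2 + 0; seen++ }
        END {
            if (!seen) { print "no kern.rpc.tls/unenc counters found"; exit 2 }
            tls  = v["kern.rpc.tls.tx_msgcnt"] + v["kern.rpc.tls.rx_msgcnt"]
            clr  = v["kern.rpc.unenc.tx_msgcnt"] + v["kern.rpc.unenc.rx_msgcnt"]
            fail = v["kern.rpc.tls.handshake_failed"]
            total = tls + clr
            pct = total ? 100 * clr / total : 0
            printf "tls_msgs=%d unenc_msgs=%d unenc_pct=%.2f handshake_failed=%d alerts=%d\n",
                tls, clr, pct, fail, v["kern.rpc.tls.alerts"]
            exit (clr > 0 || fail > 0) ? 1 : 0
        }'
}

# On a host that exposes the counters: sysctl kern.rpc | rpc_tls_report
sample_sysctl | rpc_tls_report || echo "needs attention (status $?)"
```

On a server meant to accept only NFS over TLS, a non-zero unenc_msgs or handshake_failed is the signal worth alerting on.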
Re: RFC: NFS over TLS stats
On Wed, Oct 25, 2023 at 8:10 PM Simon J. Gerraty wrote:
>
> Rick Macklem wrote:
> > > kern.rpctls.tls.snd_msgbytes: 20828
> > > kern.rpctls.tls.snd_msgcnt: 57
> > > kern.rpctls.tls.rcv_tmsgbytes: 12336
> > > kern.rpctls.tls.rcv_msgcnt: 57
> > >
> > > which allows for sysctl kern.rpctls.tls
> > Not sure what you mean?
>
> If for some reason I only care about tls I can do
>
> sysctl kern.rpctls.tls
>
> and get
>
> kern.rpctls.tls.snd_msgbytes: 20828
> kern.rpctls.tls.snd_msgcnt: 57
> kern.rpctls.tls.rcv_tmsgbytes: 12336
> kern.rpctls.tls.rcv_msgcnt: 57
>
> otherwise I'd have to do
>
> sysctl kern.rpctls | grep tls
>
> > I am listing counts for TLS and non-TLS so they can
> > be compared. As such, a "tls" in the last component of
> > the name is needed, unless I list the non-TLS ones
>
> Ok
>
> > under something else like:
> > kern.rpc.snd_msgbytes
> >
> > I currently actually have them all as:
> > kern.rpc.tls.XXX instead of kern.rpctls.XXX,
>
> Haha I didn't notice the tls in rpctls ;-)
>
> > since there was already kern.rpc.gss.XXX.
>
> kern.rpc.tls.XXX sounds fine
Ok, how does this look?

kern.rpc.nontls.tx_msgcnt: 58
kern.rpc.nontls.tx_msgbytes: 20828
kern.rpc.nontls.rx_msgcnt: 58
kern.rpc.nontls.rx_msgbytes: 12072
kern.rpc.tls.tx_msgcnt: 62639
kern.rpc.tls.tx_msgbytes: 30800352
kern.rpc.tls.rx_msgcnt: 62639
kern.rpc.tls.rx_msgbytes: 13473756
kern.rpc.tls.handshake_success: 1
kern.rpc.tls.handshake_failed: 0
kern.rpc.tls.alerts: 1

It doesn't put the nonTLS and TLS lines for a given stat next to each other,
but does allow either the nonTLS or TLS stats to be displayed easily
and keeps the two sets adjacent, so they can be compared easily.

rick
>
> >
> > rick
Re: RFC: NFS over TLS stats
Rick Macklem wrote:
> > kern.rpctls.tls.snd_msgbytes: 20828
> > kern.rpctls.tls.snd_msgcnt: 57
> > kern.rpctls.tls.rcv_tmsgbytes: 12336
> > kern.rpctls.tls.rcv_msgcnt: 57
> >
> > which allows for sysctl kern.rpctls.tls
> Not sure what you mean?

If for some reason I only care about tls I can do

sysctl kern.rpctls.tls

and get

kern.rpctls.tls.snd_msgbytes: 20828
kern.rpctls.tls.snd_msgcnt: 57
kern.rpctls.tls.rcv_tmsgbytes: 12336
kern.rpctls.tls.rcv_msgcnt: 57

otherwise I'd have to do

sysctl kern.rpctls | grep tls

> I am listing counts for TLS and non-TLS so they can
> be compared. As such, a "tls" in the last component of
> the name is needed, unless I list the non-TLS ones

Ok

> under something else like:
> kern.rpc.snd_msgbytes
>
> I currently actually have them all as:
> kern.rpc.tls.XXX instead of kern.rpctls.XXX,

Haha I didn't notice the tls in rpctls ;-)

> since there was already kern.rpc.gss.XXX.

kern.rpc.tls.XXX sounds fine
>
> rick
Re: RFC: NFS over TLS stats
On Wed, Oct 25, 2023 at 6:33 PM Simon J. Gerraty wrote:
>
> Freddie Cash wrote:
> > Have no technical comments, but a style suggestion: put the tls at the end
> > to make the output look nicer. :)
> >
> > kern.rpctls.snd_msgbytes: 21508
> > kern.rpctls.snd_msgbytes_tls: 20828
> > kern.rpctls.snd_msgcnt: 58
> > kern.rpctls.snd_msgcnt_tls: 57
> > kern.rpctls.rcv_msgbytes: 12072
> > kern.rpctls.rcv_tmsgbytes_tls: 12336
> > kern.rpctls.rcv_msgcnt: 58
> > kern.rpctls.rcv_msgcnt_tls: 57
>
> FWIW I'd probably go the opposite way with
>
> kern.rpctls.tls.snd_msgbytes: 20828
> kern.rpctls.tls.snd_msgcnt: 57
> kern.rpctls.tls.rcv_tmsgbytes: 12336
> kern.rpctls.tls.rcv_msgcnt: 57
>
> which allows for sysctl kern.rpctls.tls
Not sure what you mean?
I am listing counts for TLS and non-TLS so they can
be compared. As such, a "tls" in the last component of
the name is needed, unless I list the non-TLS ones
under something else like:
kern.rpc.snd_msgbytes

I currently actually have them all as:
kern.rpc.tls.XXX instead of kern.rpctls.XXX,
since there was already kern.rpc.gss.XXX.

rick
Re: RFC: NFS over TLS stats
Thanks for all the suggestions. I've modified the patch for all of them.
(tx/rx instead of snd/rcv, _tls at the end of the names so the order
is more readable.)

There aren't really errors visible at the RPC/TLS boundary, but I have added
counts of successful/failed handshakes and a count of alert messages
(basically "Peer Resets" from what I've seen).

Thanks, rick
ps: Just replying to one of the messages and, yes, I did top post..

On Wed, Oct 25, 2023 at 8:47 AM Freddie Cash wrote:
>
> On Tue, Oct 24, 2023 at 10:56 PM Rick Macklem wrote:
>>
>> Garrett Wollman asked me via email how a server
>> admin could tell what usage NFS over TLS was
>> happening.
>>
>> I admitted that there was nothing. I have come up
>> with a patch that generates the following:
>> kern.rpctls.snd_tls_msgbytes: 21508
>> kern.rpctls.snd_msgbytes: 20828
>> kern.rpctls.snd_tls_msgcnt: 57
>> kern.rpctls.snd_msgcnt: 58
>> kern.rpctls.rcv_tls_msgbytes: 12336
>> kern.rpctls.rcv_msgbytes: 12072
>> kern.rpctls.rcv_tls_msgcnt: 57
>> kern.rpctls.rcv_msgcnt: 58
>
>
> Have no technical comments, but a style suggestion: put the tls at the end
> to make the output look nicer. :)
>
>> kern.rpctls.snd_msgbytes: 21508
>> kern.rpctls.snd_msgbytes_tls: 20828
>> kern.rpctls.snd_msgcnt: 58
>> kern.rpctls.snd_msgcnt_tls: 57
>> kern.rpctls.rcv_msgbytes: 12072
>> kern.rpctls.rcv_tmsgbytes_tls: 12336
>> kern.rpctls.rcv_msgcnt: 58
>>
>> kern.rpctls.rcv_msgcnt_tls: 57
>
>
> --
> Freddie Cash
> fjwc...@gmail.com
Re: RFC: NFS over TLS stats
Freddie Cash wrote:
> Have no technical comments, but a style suggestion: put the tls at the end
> to make the output look nicer. :)
>
> kern.rpctls.snd_msgbytes: 21508
> kern.rpctls.snd_msgbytes_tls: 20828
> kern.rpctls.snd_msgcnt: 58
> kern.rpctls.snd_msgcnt_tls: 57
> kern.rpctls.rcv_msgbytes: 12072
> kern.rpctls.rcv_tmsgbytes_tls: 12336
> kern.rpctls.rcv_msgcnt: 58
> kern.rpctls.rcv_msgcnt_tls: 57

FWIW I'd probably go the opposite way with

kern.rpctls.tls.snd_msgbytes: 20828
kern.rpctls.tls.snd_msgcnt: 57
kern.rpctls.tls.rcv_tmsgbytes: 12336
kern.rpctls.tls.rcv_msgcnt: 57

which allows for sysctl kern.rpctls.tls
Re: RFC: NFS over TLS stats
On Tue, Oct 24, 2023 at 10:56 PM Rick Macklem wrote:
> Garrett Wollman asked me via email how a server
> admin could tell what usage NFS over TLS was
> happening.
>
> I admitted that there was nothing. I have come up
> with a patch that generates the following:
> kern.rpctls.snd_tls_msgbytes: 21508
> kern.rpctls.snd_msgbytes: 20828
> kern.rpctls.snd_tls_msgcnt: 57
> kern.rpctls.snd_msgcnt: 58
> kern.rpctls.rcv_tls_msgbytes: 12336
> kern.rpctls.rcv_msgbytes: 12072
> kern.rpctls.rcv_tls_msgcnt: 57
> kern.rpctls.rcv_msgcnt: 58
>
Have no technical comments, but a style suggestion: put the tls at the end
to make the output look nicer. :)

kern.rpctls.snd_msgbytes: 21508
> kern.rpctls.snd_msgbytes_tls: 20828
> kern.rpctls.snd_msgcnt: 58
> kern.rpctls.snd_msgcnt_tls: 57
> kern.rpctls.rcv_msgbytes: 12072
> kern.rpctls.rcv_tmsgbytes_tls: 12336
> kern.rpctls.rcv_msgcnt: 58
kern.rpctls.rcv_msgcnt_tls: 57

--
Freddie Cash
fjwc...@gmail.com
Re: RFC: NFS over TLS stats
On 2023-10-25 10:50, Rick Macklem wrote:
> Garrett Wollman asked me via email how a server
> admin could tell what usage NFS over TLS was
> happening.
>
> I admitted that there was nothing. I have come up
> with a patch that generates the following:
> kern.rpctls.snd_tls_msgbytes: 21508
> kern.rpctls.snd_msgbytes: 20828
> kern.rpctls.snd_tls_msgcnt: 57
> kern.rpctls.snd_msgcnt: 58
> kern.rpctls.rcv_tls_msgbytes: 12336
> kern.rpctls.rcv_msgbytes: 12072
> kern.rpctls.rcv_tls_msgcnt: 57
> kern.rpctls.rcv_msgcnt: 58
>
> Basically counts of number of RPC messages
> and total number of bytes those messages
> result in. (Both with/without TLS.)

This is very cool.

> Does this seem reasonable or are there better
> statistics that could be generated? Obviously
> any other suggestion might or might not be
> practical to implement.

Is there a preference of snd, and rcv, over rx, and tx?
snd is also used by sound(4), tho not for statistics.
Re: RFC: NFS over TLS stats
Maybe tracking of errors can be useful.

Great work on this!

Regards,
Ronald.

From: Rick Macklem
Date: Wednesday, 25 October 2023 04:50
To: FreeBSD CURRENT, Garrett Wollman
Subject: RFC: NFS over TLS stats

Garrett Wollman asked me via email how a server
admin could tell what usage NFS over TLS was
happening.

I admitted that there was nothing. I have come up
with a patch that generates the following:
kern.rpctls.snd_tls_msgbytes: 21508
kern.rpctls.snd_msgbytes: 20828
kern.rpctls.snd_tls_msgcnt: 57
kern.rpctls.snd_msgcnt: 58
kern.rpctls.rcv_tls_msgbytes: 12336
kern.rpctls.rcv_msgbytes: 12072
kern.rpctls.rcv_tls_msgcnt: 57
kern.rpctls.rcv_msgcnt: 58

Basically counts of number of RPC messages
and total number of bytes those messages
result in. (Both with/without TLS.)

Does this seem reasonable or are there better
statistics that could be generated? Obviously
any other suggestion might or might not be
practical to implement.

Thanks, rick