Hi Chris, On Tue, Nov 26, 2019 at 7:51 PM Christopher Schultz < ch...@christopherschultz.net> wrote:
> You never actually said what your definition of "high CPU usage" was. > Are you looking at load-average? %-CPU usage from "top"? > I'm sorry if I wasn't clear enough, I meant high system load (which was according to top) and actually spending time in futex_wait kernel function most of the time. > Do you have the option of comparing your CPU usage when you use APR > versus NIO? I would expect your CPU usage to o *up* by switching from > APR to NIO due to two factors: > This is a production server and it would be a bad idea to compare APR vs NIO on it. > Do you have any scope to separate-out TLS termination from the > application server? That is, use a reverse-proxy for TLS termination > and proxy to another server that only handles the application logic? > You may find that TLS is just "expensive" in terms of CPU which, well, > is simply the truth. > Well, we could separate TLS from the application server by using adequate "proxy" in the future, but I don't see a reason why we would do it now. When we migrated from http to https CPU usage went up multiple times, so I agree that TLS is expensive. I've setup things years ago and I don't remember all the details why things are like that, but there are (probably) some reasons why things are like they are. Our setup is documented here: https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-ssl-on-ubuntu-minimal/ It wasn't easy for me to configure https/tomcat/letsencrypt... > [1] https://en.wikipedia.org/wiki/Busy_waiting > > > On Tue, Nov 26, 2019 at 4:50 PM Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > > Mladen, > > > > On 11/25/19 14:36, Mladen Adamović wrote: > >>>> On Mon, Nov 25, 2019 at 5:57 PM Christopher Schultz < > >>>> ch...@christopherschultz.net> wrote: > >>>> > >>>>>> We certainly want to be able to serve 10000 hits per > >>>>>> second (!), while some connections might be stalled. > >>>>> > >>>>> What might stall a connection? The network, or the > >>>>> application (or database, etc.)? > >>>>> > >>>> > >>>> Underlying (synchronized) monitors could stall every thread, > >>>> the network, whatever. > >>>> > >>>> The network itself demands a large number of connection, > >>>> i.e. current situation at the server (displaying only remove > >>>> connections): > >>>> > >>>> root@condor1796 ~ # netstat -tnp | grep -v "127.0.0" | wc -l > >>>> 1220 > > > > Note this is every connection, bound port, and cleanup connection > > the kernel knows about ; not just established/active connections to > > your application specifically. > > > >>>> If we now have 1220, we definitely need at least 10000 > >>>> active connections for Tomcat and I don't see that setting > >>>> this to 50000 is a bad idea. > > > > Okay. I think you need a reverse proxy and more servers if you > > think 50000 is going to be your peak load. > > > >>>>> For real DDOS protection, you need a provider who can > >>>>> handle lots of traffic and respond quickly by black-holing > >>>>> that kind of traffic as > >>>> > >>>> Depending on how large server farm they use (hypothetically). > >>>> We want to be able to survive some DDoS attacks. If we limit > >>>> the number of concurrent connections by IP address and the > >>>> number of connections per second, that's some DoS > >>>> protection. > > > > But honestly, this is better done at another layer of the network; > > not at the host-level. > > > >>>> Regarding network delays, out of currently 1220 active > >>>> remove connections, most of them are in TIME_WAIT state. > >>>> Lowering TIME_WAIT settings in Linux are not recommended. > > > > Hmm. Lots of TIME_WAIT connections isn't good. I actually don't > > know if they count "against" your 50000 limit in the Java process. > > > > -chris > >> > >> --------------------------------------------------------------------- > >> > >> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > > -----BEGIN PGP SIGNATURE----- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl3ddD8ACgkQHPApP6U8 > pFjTJBAAuWpntlG9XFNS90GpJc3SWWeOPFQmJN8FTrQNPhJ49sPlk6aOgTbujGwS > eHxQI2NIpgeP0MDqEKWEotOfxn+wwxUMJKOKnuxyxbDU8CGytJ4UwBJ5CddnsA5T > QaIbANdoGI2+K+9v5jjlbv97DK2Vz/dh92v7QaKdJjND/ql61i7g/ZfBnJJmSZSE > ScwVlexuYdG+izy2Vr1PX2lSltMeI+7Dth5JkyhHFVbw1wGF9qZsQ4rsszRKO0ZB > jPrCK2VmHNUcYQNG1q0Gi9bzAUI67fHoaJjmRIU3A8PtoFMehIomKn8HkgBrc9aQ > kmtb7BPxD63VcTK2rVGuMfa5y70AWB2hPcvUtKAO7CBC7LyC9/ux2jZqNTxMVUH6 > wkxIkeQklLYpSDeI0E2xwxiH4OPakP2kZABp2zXH5JyfRQljlnbchWg/gT3DrCck > lDt0ZmZPEfz792Pw8K/vJ4ZZre2BuQXRZhL3XvQUyWMHkHO3XTuWsJ2beaXzbo8E > qFrrU0iXdErC6TT00V75t3MUQWto3Zrvb7Y/n8k3rh4X3pfblUQw6z1mojZui6Ik > XZ4qrWkR9unxYHlMuaYOg3e9Ug67UHgUVM+Vvj3tlI81nJrDw8ikbVDHJ2R6R5Ft > SqZoM7i+Y0i02jH0hpNAukFlw3Vdig1YmoPciAvCJcbZkJDU96E= > =bUtP > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >