Tuesday December 20, 2005

Directory Server disk layout: the "new" way

• ZFS provides many ways in which you can pool all your disks together. You can stripe multiple disks together to make one big volume with no redundancy, or you can mirror disks to make them fully redundant, or you can stripe mirrors or mirror stripes if you want to. And of course, there is RAID-Z, which is kind of like RAID-5 in that it provides striping with pairity so that you only lose the capacity of a single disk (no matter how many disks you have in the pool) without giving up redundancy and fault-tolerance.
  
  
• ZFS uses a copy-on-write (COW) approach to I/O so that all writes are sequential so you don't need to have disks seeking all over the place when performing writes.
  
  
• ZFS offers the ability to use compression in order to even further improve performance in many cases. This may sound counter-intuitive, but most of the time the CPU overhead required to perform the compression is pretty handily outweighed by the performance gains that you get from having to put less data on the disk. And as an added bonus you get increased storage capacity at the same time (and directory data generally compresses very well).
  
  
• ZFS provides end-to-end data integrity using 256-bit message digests with a few options for the digest algorithm. You can even use the 256-bit SHA-2 variant if you're really paranoid. This checksumming mechanism goes beyond what you can get from storage hardware because it can catch errors that happen outside the hardware. See this post for more details.
  
  
• ZFS provides an instantaneous point-in-time snapshot mechanism that allows you to create atomic views of the data that you can instantly roll back to if necessary, or even clone to have multiple divergent branches. And because of its copy-on-write nature, the only extra disk space consumed by a snapshot is the amount taken up by the blocks that have changed after the snapshot was taken (so a snapshot doesn't take any disk space initially, but the amount of space consumed grows over time as changes occur). Because you can create them in an instant and there's very little overhead in having them, you can take lots of snapshots over the course of a day and roll back to any one of them if the need arises. Of course, that assumes that your redundant storage is intact, but if you want to copy a snapshot to another system then you can easily do that as well.

zpool create directory-pool raidz c0t0d0 c1t0d0 c2t0d0

zfs set mountpoint=/export/ds directory-pool
zfs set compression=on directory-pool
zfs set atime=off directory-pool

zfs snapshot directory-pool@snap1

zfs rollback directory-pool@snap1

zfs backup directory-pool@snap1 > /backup/snap1.backup

zfs backup -i directory-pool@snap1 directory-pool@snap2 > /backup/snap2.incremental

Sunday December 18, 2005

Directory Server disk layout: the "old" way

• The Main Database Files -- These are all the *.db3 files that comprise the Directory Server data and index files. With ideal caching, there will not be any read activity against these files, but if that's not the case, then it will be random access, and even a little activity in this area can saturate the underlying storage subsystem. Writes to these files will occur only during checkpoints, and the DB will try to optimize for sequential writes, but if there have been a lot of changes since the last checkpoint, then this can still be very disk intensive and saturate the underlying storage.
  
  
• The Transaction Logs -- These are all the log.* files, which hold a record of all changes that have been made for use when updating the main database files during a checkpoint. Reads from these files should only occur during checkpoints, and they should only be sequential, but generally they will be held in the filesystem cache so there shouldn't be much actual disk I/O there. Writes to these files are also sequential and the write rate by itself does not generally saturate the disks, but the frequent fsync(3C) operations to ensure that the information is on-disk can be very costly. As I wrote earlier, you can use transaction batching to share these fsync calls among multiple writes, but under heavy write load it can still be pretty expensive.
  
  
• The Changelog DB Files -- The Directory Server changelog (and I'll throw the retro changelog in here too because its access patterns are about the same) keeps a record of all changes that occur for the purpose of replicating them to other systems. Both reads and writes here are sequential, and generally are not enough to saturate the underlying storage.
  
  
• The Server Log Files -- The server log files include the access, error, and audit logs, as well as the referential integrity log file (if this plugin is enabled and configured for asynchronous mode, which it should be). The Directory Server itself doesn't read from these files (except possibly for the referential integrity log file, but it will usually be held in the filesystem cache), but if they are read by an external process (e.g., a log analysis tool), then it will be sequential. Writes to these files are always sequential, and are generally not enough to saturate the underlying storage. The main exception to this is the case in which audit logging is enabled (and it is not by default) because writes to it are not buffered and therefore each write would require an fsync, putting it into the same category as the transaction logs. The same is also true for the error log, but unless you've got some kind of debugging enabled or a significant problem of some kind, writes to the error log will be negligible.
  
  
• The DB Cache Backing Files -- By default, the database cache uses mmap(2) for its memory, which means that changes to the content of the DB cache will ultimately be reflected on disk. The use of mmap makes it possible for multiple processes to access the database concurrently (e.g., allowing you to use db2bak or db2ldif while the server is running), but if there are a lot of changes to the DB cache content, then that can cause a lot of disk thrashing. On Solaris, the way to mitigate this problem is to store the DB cache backing files on a tmpfs volume (e.g., in a directory under /tmp). On other operating systems, you should use a ramdisk or whatever equivalent will allow the files to be held in memory. The DB cache is only used while the Directory Server is running, and it doesn't need to be re-used if the server is stopped and then restarted, so there isn't a problem if these files are lost if the system is rebooted. The only potential penalty is that if the files are lost then they need to be recreated when the server is restarted, and for a large DB cache that can take a noticeable amount of time.
  
  
• Backup Files -- Directory Server backups involve sequential disk I/O, both when reading the current DB and when writing the backup files. Binary backups (those created by db2bak or db2bak.pl) can saturate the underlying storage both for reads and for writes. For LDIF backups, the act of reading the DB will generally be sequential and should only cause problems if there's a lot of disk I/O in the DB to support other operations that may be going on, but in that case it can be disruptive. Writing to the LDIF file will always be sequential and usually not enough to saturate the underlying storage.

• You should always use the nslapd-db-home-directory configuration attribute to relocate the database cache backing files to tmpfs or a memory-backed filesystem. This is a completely free optimization (because the mmap process won't cause the files to consume the memory twice) and there's just no reason to not do it.
  
  
• If you have the ability to use at least two different disk subsystems for Directory Server components, then you should dedicate one of them for use by the main database files with the nsslapd-directory attribute. Note that this needs to be set not only in the "cn=config,cn=ldbm database,cn=plugins,cn=config" entry, but also in the configuration entry for each backend (e.g., "cn=userRoot,cn=ldbm database,cn=plugins,cn=config").
  
  
• If you have the ability to use at least three different disk subsystems for Directory Server components, then you should dedicate the second for use by the transaction log files with the nsslapd-db-logdirectory attribute.
  
  
• If you have audit logging enabled, then it's probably a good idea to try to isolate the server log files onto their own storage. This can be done using the nsslapd-accesslog, nsslapd-errorlog, and nsslapd-auditlog attributes in cn=config, and also if you've enabled the referential integrity plugin then the log for it may be specified using the nsslapd-pluginarg1 attribute of the cn=Referential Integrity Postoperation,cn=plugins,cn=config entry.

• We've got an EMC storage array, so this doesn't apply to me, right? -- This question comes up pretty frequently, and it does less frequently get asked for storage solutions from other vendors, but EMC customers in general seem to think that their storage is some kind of magical device with the ability to circumvent the laws of physics (maybe it's because of how expensive they are). But the fact is that because of the way the server interacts with each of its components, the various types of accesses in a busy directory do have the ability to saturate almost any kind of underlying storage. Unless you can guarantee that all writes will be sequential (like ZFS can), then you'll probably find that it's better to isolate these components to avoid cases where I/O targeted at one component won't interfere with I/O for another.
  
  
• Why should I use UFS instead of VxFS or QFS or {other filesystem here}? -- If you're on Solaris (at least, Solaris 9 after update 2 or any version of Solaris 10), then UFS with logging is generally faster than VxFS for Directory Server operations (and in fact, for many common access patterns). Sun has spent a lot of time optimizing UFS and in most cases it is now faster than the alternatives. It's also quite a bit faster than QFS, but that's more of a specialty filesystem for clusters and not really ideal for use with Directory Server.
  
  On Linux, the question of which filesystem to use may also have some relevance. The default filesystem on Red Hat (and often the only one available by default) is EXT3, but our testing has shown that both JFS and XFS are usually quite a bit faster. Although we haven't tested Reiser4, earlier versions of ReiserFS were found to be quite a bit slower than EXT3 in most cases.
  
  
• Can I use NFS? -- No, you can't. In many cases, NFS doesn't support the appropriate type of locking required by our underlying database. There is some question as to whether or not Solaris NFS does offer the appropriate locking, but the bottom line is that it is not supported and if you care about the integrity of your data, then you should stay away from it. The fact that we don't support NFS or other network filesystems for use with the Directory Server is documented here in the Directory Server deployment guide. Technically, there shouldn't be any problems backing up to or restoring from NFS, but generally your best bet is to avoid it.
  
  
• What about using the forcedirectio mount option? -- The forcedirectio mount option basically turns off the filesystem cache for any volume on which it is enabled. If you've got caching configured such that everything fits into both the entry cache and the DB cache, then there shoudn't be any actual disk reads for the main database. However, this doesn't apply to the transaction logs or the referential integrity log file. Further, you'll find that performance is degraded after the server is restarted and before the caches have been primed. As a result, it's almost always a good idea to not use the forcedirectio option. If you are benchmarking and want to start with empty filesystem caches, then you can simply unmount and remount all the filesystems, which will invalidate anything from those volumes that may have been in the filesystem cache.

Thursday December 15, 2005

Sun T2000 vs Dell 6850: LDAP AuthRate

• The Sun Fire™ T2000 server usually ships with a 1.2 GHz UltraSPARC T1 processor. However, as this was a pre-release system we only had a 1.0 GHz processor.
• The Dell PowerEdge™ 6850 was actually observed to draw in excess of 640 Watts under load. However, for the purpose of the SWaP calculation, a value of 600 Watts was used.
• The Dell PowerEdge™ 6850 was actually observed to draw in excess of 640 Watts under load. However, for the purpose of the SWaP calculation, a value of 600 Watts was used. It should also be noted that this system requires 200-240VAC power.
• The Sun Fire™ T2000 was actually observed to draw around 240 Watts under load. However, the system spec sheet lists a maximum consumption of 267 Watts, and therefore that value was used for our SWaP calculations.
• The provided list price for the Sun Fire™ T2000 server is for a system with a 1.2 GHz CPU whereas the system we were testing had only a 1.0 GHz processor.

• The Sun Fire™ T2000 server delivers over 2.8 times better LDAP authentication performance than the Dell PowerEdge™ 6850, even when you consider that the Sun system only had a 1.0 GHz processor whereas the T2000 normally comes with a 1.2 GHz processor.
• The list price for the Sun Fire™ T2000 server is $7657 less than the list price for the Dell PowerEdge™ 6850 server, even when you consider that the price for the Sun system includes a faster CPU than the one that we were able to test.
• The Dell PowerEdge™ 6850 requires twice as much rack space as the Sun Fire™ T2000 server.
• The Dell PowerEdge™ 6850 consumes nearly 1.5 times as much power (measured in Watts) than the Sun Fire™ T2000 server when both systems are idle.
• The Dell PowerEdge™ 6850 consumes 2.25 times as much power (measured in Watts) under load as the Sun Fire™ T2000 server, even with an optimistic estimate for the Dell system and a pessimistic estimate for the Sun system.
• The Dell PowerEdge™ 6850 system requires 200-240VAC power, which is less commonly-available than 110V power, particularly in environments that typically run on x86/x64 systems. The Sun Fire™ T2000 server accepts 100-240VAC power and therefore can use standard 110V circuits.

Wednesday December 14, 2005

I need to follow my own advice

Tuesday December 13, 2005

Real-time Directory Server performance monitoring

./dsstat.d 1234

# ./dsstat.d 2906
TOTAL   BIND    SEARCH  COMPARE ADD     DELETE  MODIFY  MODDN   UNBIND
92      0       69      0       4       1       18      0       0
454     0       369     0       11      10      65      0       0
441     0       352     0       22      6       60      0       0
485     0       405     0       18      10      52      0       0
391     0       317     0       18      6       50      0       0
529     0       433     0       17      9       68      0       0
528     0       432     0       17      15      60      0       0

Sunday December 11, 2005

Forget your roots

• It requires that the user have root access in order to be able to start the server. This is possible when a system boots through startup scripts (or an SMF profile in Solaris 10), but if you need to start the server at a time other than system boot then you need to be root. There is a way to work around this problem using RBAC, but I'll describe a better alternative below (and it still doesn't solve the next issue).
• If you want to do something in the server process that would require root access after the startup has completed and setuid is called (e.g., start listening on another privileged port), then that operation would fail.

ppriv -lv

ppriv $$

• net_privaddr -- Controls the ability to bind to privileged ports (i.e., port 1024 and below).
• sys_resource -- Controls the ability to modify resource limits, including the number of available file descriptors.
• dtrace_proc -- Controls the ability to use DTrace against processes that the user can control.
• dtrace_user -- Controls the ability to use DTrace for things outside the kernel (i.e., "user space" code).
• proc_info -- Controls the ability to see any processes on the system other than those that the user can control.
• file_link_any -- Controls the ability to create hard links to files owed by anyone other than the current user.

roleadd -d /export/home/dirsrv -m -s /usr/bin/bash -K defaultpriv=basic,net_privaddr,sys_resource,dtrace_proc,dtrace_user,-proc_info,-file_link_any dirsrv

Saturday December 10, 2005

The role Directory Server was meant to play

• A role cannot be used to directly log into the system. Rather, you must first log in as a normal user and then use su to assume the role (after providing the appropriate password). Not only does this provide a first line of defense, it can also help provide an audit trail because you can see exactly who is assuming that role and what they are doing.
• Only authorized users are allowed to assume a role. If you're not a member of a given role, then you won't be allowed to assume that role even if you know the passowrd for it.

roleadd -d /export/home/dirsrv -m -s /usr/bin/bash dirsrv

usermod -K type=role dirsrv

usermod -R dirsrv john

Friday December 09, 2005

Decoding LDAP communication

• It can handle SSL-based communication (using server authentication only -- client authentication is not available).
• It can handle cases where the client and server are on the same machine and the underlying OS does not allow packet captures over the loopback interface.
• It does not require root or otherwise privileged access to the machine if you configure the proxy to listen on a port greater than 1024. Packet captures virtually always require root access.
• It is easier to handle cases in which the payload of the network packets does not contain exactly one complete LDAP message. If an LDAP message is split into multiple packets, or if multiple complete or partial messages are placed into the same packet, then it can be more difficult to interpret them.

java -jar LDAPDecoder.jar -h {serverAddress} -p {serverPort} -L {listenPort}

java -jar LDAPDecoder.jar -p {serverPort} -i {captureFile}

Thursday December 08, 2005

Little-known performance enhancements #2: Solaris tuning

# Use the fixed-priority scheduler.
priocntl -s -c FX $$

# Use the libumem memory manager.
LD_PRELOAD=/usr/lib/libumem.so
LD_PRELOAD_64=/usr/lib/64/libumem.so
export LD_PRELOAD LD_PRELOAD_64

# Use the alternate thread library.
LD_LIBRARY_PATH=/usr/lib/lwp
LD_LIBRARY_PATH_64=/usr/lib/lwp/64
export LD_LIBRARY_PATH LD_LIBRARY_PATH_64

Wednesday December 07, 2005

Little-known performance enhancements #1: Transaction batching

• Directories are becoming more heavily used. As they need to handle higher and higher numbers of requests, even a relatively low percentage of write operatiosn can start to add up.
• Directory data is becoming more dynamic. The percentage of write operations is increasing, and some popular directory-enabled apps include a write in most sequences of operations.
• The amount of data synchronization is increasing. Products like Identity Synchronization for Windows, Identity Manager, and home-grown applications can merge data from multiple repositories, so a change in one is reflected in the other.
• Although it happens less frequently, if large companies or organizations merge together, they've often got a flurry of activity combining their data into a single repository.

• The configured transaction batch value. If you've configured a batch value of N, then the server will call fsync whenever the Nth oustanding change is performed, meaning that at most N-1 changes may be at risk.
• An internal timer that will commit any outstanding changes if it has been 1000 milliseconds since the last fsync.
• The transaction log buffer size. This buffer is used to hold the set of outstanding changes before they are committed. If this buffer gets full, then the changes will be immediately flushed to disk.

Tuesday December 06, 2005

I've put it off long enough