Performance issues with krb5-1.9.1

Greg Hudson ghudson at MIT.EDU
Mon Aug 8 14:21:58 EDT 2011


On Mon, 2011-08-08 at 11:22 -0400, Jonathan Reams wrote:
> I did some performance testing on our test KDC and was able to
> reproduce the performance issue with 1.9.1.

I found a regression which would affect these tests, but I'm not sure it
accounts for your global performance issues.

The KDC in krb5 1.9 isn't supposed to be using an on-disk replay cache,
but due to a bug, it is actually opening and reading a replay cache for
every TGS request, which is significantly less efficient than the 1.8
behavior (using a replay cache which stays open for the lifetime of the
KDC).

In a test which runs in under five minutes, this regression produces
visible O(n^2) performance characteristics.  This would not necessarily
account for performance degradation over hours, as the performance drag
of the replay cache should become stable after five minutes.  It's
possible that the constant drag was enough to cause the KDC to fall
behind on the request load, but it's also possible that there's a second
problem which isn't so easily reproduced.

I've attached a patch.  Note that there is a second, in-memory
"lookaside" cache with O(n^2) performance characteristics in the short
term, which holds queries for up to two minutes.  You may see a slight
degradation in performance in test cases due to this.  You can
temporarily rebuild the kdc directory with "make clean;
CPPFLAGS=-DNOCACHE" if you want to remove this variable from your
performance tests.

-------------- next part --------------
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index fbf963e..bfc48c5 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -245,6 +245,10 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
     if ((retval = krb5_auth_con_init(kdc_context, &auth_context)))
         goto cleanup;
 
+    /* Don't use a replay cache. */
+    if ((retval = krb5_auth_con_setflags(kdc_context, auth_context, 0)))
+        goto cleanup;
+
     if ((retval = krb5_auth_con_setaddrs(kdc_context, auth_context, NULL,
                                          from->address)) )
         goto cleanup_auth_context;
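
Review bot: the failure path of the added krb5_auth_con_setflags call uses `goto cleanup`, but it runs after krb5_auth_con_init has already succeeded, and the very next check (krb5_auth_con_setaddrs) uses `goto cleanup_auth_context`. If cleanup_auth_context is the label that releases auth_context, as its name and the following call suggest, the new check should jump there too so a failure here does not leak the context. The comment could also note that passing 0 clears every flag on the auth context, not only the replay-cache one, so a later reader knows that is intended.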

