rough estimate of kadmin addprinc performance?

Nico Williams nico at cryptonector.com
Tue Aug 14 12:25:23 EDT 2012


On Tue, Aug 14, 2012 at 3:53 AM, Chris Hecker <checker at d6.com> wrote:
> I have a pretty old centos machine, it's a dual core P4 2.8ghz with 1gb
> of ram, running krb5 1.9.x with and openldap backend.  I'm using
> Authen::Krb5::Admin to make a bunch (5000 right now) of princs, and the
> performance on this machine is about 10 princs created per second, with
> kadmind at 46% cpu, with slapd at 6%.
>
> Does this performance sound right for this level of machine?  Would it
> be much faster using libkadm5 in c?  Should I be getting hundreds of
> anks/sec or something?

Greg points to string2key() as the primary problem here, and I agree.
 The AES string2key is specifically intended to go slow for good
reasons (namely, to defend against dictionary attacks).  (Of course,
the AES string2key is not memory-hard, and we should be using FAST w/
anon PKINIT or other armor tickets...  but anyways.)

For -randkey the limiting factor will be disk random I/O performance,
particularly fsyn() performance.  You'll probably top out at ~100
fsync()s per-second.  The db2 backend requires about 2 fsync()s
per-write operation.  I don't know how many slapd requires.

> Basically, I'm just looking for a ballpark estimate from somebody with a
> clue of whether I'd get much out of optimizing this?
>
> The anks are all happening in a single thread, so they're serialized to
> the KDC right now.  Code snippet is below.

While fsync(2) is slow and the limiting factor for -randkey, multiple
threads can call fsync(2) simultaneously and result in higher rates of
fsync(2)s, BUT, the db2 backend will lock out all other writers, so
this doesn't help you for -randkey.  Multi-threading will likely help
if you have CPUs to spare because the write-locking happens after the
string2key operation.

Nico
--


More information about the Kerberos mailing list