[ https://issues.apache.org/jira/browse/HADOOP-15743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773587#comment-16773587 ]
Wei-Chiu Chuang commented on HADOOP-15743:
------------------------------------------
Note: https://bugs.openjdk.java.net/browse/JDK-8210985
In JDK12, default javax.net.ssl.sessionCacheSize is reduced to 20480.
Reducing SSL session cache size doesn't seem to improve throughput, even though
it's probably a good idea to do it.
I reduced max threads to 16 or 32 and they seem to give me better performance
than the default.
We set idle timeout = 1s.
I saw as many as 7k open file descriptors on KMS server when it had ~2.9k
decrypt_eek per second.
It seems LowResourceMonitor thread is not created by default. At least in
Hadoop 3, KMS server doesn't have this thread.
> Jetty and SSL tunings to stabilize KMS performance
> ---------------------------------------------------
>
> Key: HADOOP-15743
> URL: https://issues.apache.org/jira/browse/HADOOP-15743
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.8.0
> Reporter: Daryn Sharp
> Priority: Major
>
> The KMS has very low throughput with high client failure rates. The
> following config options will "stabilize" the KMS under load:
> # Disable ECDH algos because java's SSL engine is inexplicably HORRIBLE.
> # Reduce SSL session cache size (unlimited) and ttl (24h). The memory cache
> has very poor performance and causes extreme GC collection pressure. Load
> balancing diminishes the effectiveness of the cache to 1/N-hosts anyway.
> ** -Djavax.net.ssl.sessionCacheSize=1000
> ** -Djavax.net.ssl.sessionCacheTimeout=6
> # Completely disable thread LowResourceMonitor to stop jetty from
> immediately closing incoming connections during connection bursts. Client
> retries cause jetty to remain in a low resource state until many clients fail
> and cause thousands of sockets to linger in various close related states.
> # Set min/max threads to 4x processors. Jetty recommends only 50 to 500
> threads. Java's SSL engine has excessive synchronization that limits
> performance anyway.
> # Set https idle timeout to 6s.
> # Significantly increase max fds to at least 128k. Recommend using a VIP
> load balancer with a lower limit.
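
A check of a KMS JVM against the session cache and file descriptor values in the issue description above, as an added example that is not part of the JIRA message or of Hadoop. The function names, the sample command line and limits row, and reading "128k" as 131072 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue): function names, sample inputs and
# reading "128k" as 131072 are assumptions.
WANT_CACHE_SIZE=1000   # -Djavax.net.ssl.sessionCacheSize in the description
WANT_CACHE_TTL=6       # -Djavax.net.ssl.sessionCacheTimeout in the description
WANT_MIN_FDS=131072    # "at least 128k" max fds, taken as 128 * 1024

# Print the value of -D<name>=<value> in a command line; empty if unset.
# When a flag is repeated, the last occurrence is reported.
jvm_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -v p="-D$2=" 'index($0, p) == 1 { v = substr($0, length(p) + 1) }
                          END { print v }'
}

# Read /proc/<pid>/limits on stdin and print the soft "Max open files" value.
soft_nofile() {
    awk '/^Max open files/ { print $4 }'
}

# Print one line per setting that differs from the description's values.
# Returns 0 when nothing differs, 1 otherwise.
audit_kms() {
    cmdline=$1 max_fds=$2 rc=0
    size=$(jvm_prop "$cmdline" javax.net.ssl.sessionCacheSize)
    ttl=$(jvm_prop "$cmdline" javax.net.ssl.sessionCacheTimeout)
    if [ "${size:-unset}" != "$WANT_CACHE_SIZE" ]; then
        echo "sessionCacheSize=${size:-unset} (description: $WANT_CACHE_SIZE)"; rc=1
    fi
    if [ "${ttl:-unset}" != "$WANT_CACHE_TTL" ]; then
        echo "sessionCacheTimeout=${ttl:-unset} (description: $WANT_CACHE_TTL)"; rc=1
    fi
    case $max_fds in
        unlimited) ;;
        ''|*[!0-9]*) echo "max open files unreadable: '$max_fds'"; rc=1 ;;
        *) [ "$max_fds" -ge "$WANT_MIN_FDS" ] ||
               { echo "max open files=$max_fds (description: >= $WANT_MIN_FDS)"; rc=1; } ;;
    esac
    return $rc
}

# Constructed sample inputs: a JVM command line with only the cache size set,
# and one row in the /proc/<pid>/limits layout with a 4096 soft limit.
SAMPLE_CMD='java -Xmx4g -Djavax.net.ssl.sessionCacheSize=1000 org.example.Server'
SAMPLE_LIMITS='Max open files            4096                 65536                files'
audit_kms "$SAMPLE_CMD" "$(printf '%s\n' "$SAMPLE_LIMITS" | soft_nofile)" || true
```

On a live host the inputs would come from `/proc/<pid>/cmdline` (NUL-separated, so translate NULs to spaces first) and `/proc/<pid>/limits`.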