Performance

The chapter describes performance benchmarks, the results itself as well as scenarios to reproduce the results.

1. HTTP cache performance
2. Tempesta TLS handshakes performance
3. HTTP transactions performance under KVM with no vAPIC

Opposite to traditional user-space HTTP proxies like HAproxy or Nginx, Tempesta FW works in kernel space, so it doesn’t pay the price for heavyweight prevention of Meltdown and MDS (aka ZombieLoad) Intel vulnerabilities.

The most price for the user-space daemons comes from Kernel page table isolation (KPTI) which degrades Nginx performance up to 20%.

There are no context switches for Tempesta FW, so there is no extra cost to be Metdown and MDS safe.

• turn on CONFIG_PREEMPT_NONE to eliminate preemption management overhead.
• switch off CONFIG_FRAME_POINTER
• Switch off debugging facilities, e.g. CONFIG_DEBUG_KMEMLEAK and CONFIG_KASAN. Check all the CONFIG_DEBUG options in your .config.

• Set /sys/devices/system/cpu/cpuX/cpufreq/scaling_governor for all CPUs to performance
• Set processor.max_cstate=0 intel_idle.max_cstate=0 for the Linux kernel boot parameters
• Disable Turbo Boost, Hyper Threading and Enhanced Intel Speedstep Tech in BIOS
• All the CPUs participating in the workload must be in isolcpus

• If you have a Mellanox ConnectX network adapter, the make sure you use a EN or OFED driver.

• Turn off IRQbalance
• Turn off Network manager

• Brendan Gregg’s blog: Linux performance
• Optimizing web servers for high throughput and low latency, Dropbox, 2017.
• Intelpocalypse: goodbye fast system calls
• Benchmarking Methodology for Network Security Device Performance (an RFC draft).
• Linux ACL Performance Analysis
• NVIDIA performance tuning for Mellanox adapters