Performance
This chapter describes the performance benchmarks: the results themselves and the scenarios to reproduce them.
Benchmarks
- HTTP cache performance
- Tempesta TLS handshakes performance
- HTTP transactions performance under KVM with no vAPIC
Intelpocalypse
Unlike traditional user-space HTTP proxies such as HAProxy or Nginx, Tempesta FW works in kernel space, so it doesn’t pay the price of the heavyweight mitigations for the Meltdown and MDS (aka ZombieLoad) Intel vulnerabilities.
Most of the cost for user-space daemons comes from kernel page table isolation (KPTI), which degrades Nginx performance by up to 20%.
There are no context switches for Tempesta FW, so there is no extra cost to be Meltdown and MDS safe.
Tips for Linux performance settings
Kernel configuration
- Set CONFIG_PREEMPT_NONE to eliminate preemption management overhead.
- Switch off debugging facilities, e.g. CONFIG_DEBUG_KMEMLEAK and CONFIG_KASAN. Check all the CONFIG_DEBUG options in your .config.
CPU
- Set /sys/devices/system/cpu/cpuX/cpufreq/scaling_governor for all CPUs to performance
- Set processor.max_cstate=0 intel_idle.max_cstate=0 for the Linux kernel boot parameters
- Disable Turbo Boost, Hyper Threading and Enhanced Intel Speedstep Tech in BIOS
- All the CPUs participating in the workload must be in isolcpus
NIC
Linux services
- Turn off IRQbalance
- Turn off Network manager
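One way to check a host against the kernel configuration, boot parameter and CPU governor settings above. This is an added example, not part of Tempesta FW. The function names, the constructed sample boot line and the /boot/config-$(uname -r) location are assumptions.

```shell
#!/bin/sh
# Added example: audit a host against the tuning checklist above.
# Each check takes its input as an argument, so it also works on saved copies.

# Constructed sample: a boot line that lacks intel_idle.max_cstate=0.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz ro quiet processor.max_cstate=0 isolcpus=1-3'

# check_cmdline "<kernel command line>": print the boot parameters that are missing.
check_cmdline() {
    missing=""
    for want in processor.max_cstate=0 intel_idle.max_cstate=0; do
        case " $1 " in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    case " $1 " in
        *" isolcpus="*) ;;
        *) missing="$missing isolcpus=" ;;
    esac
    echo "${missing# }"
}

# check_kconfig <.config>: list CONFIG_DEBUG*/CONFIG_KASAN options still enabled
# and note when CONFIG_PREEMPT_NONE is not the selected preemption model.
check_kconfig() {
    grep -E '^CONFIG_(DEBUG[A-Z0-9_]*|KASAN)=[ym]$' "$1" | cut -d= -f1
    grep -q '^CONFIG_PREEMPT_NONE=y$' "$1" || echo "CONFIG_PREEMPT_NONE not set"
}

# check_governors [sysfs cpu dir]: list CPUs whose governor is not "performance".
check_governors() {
    root="${1:-/sys/devices/system/cpu}"
    for f in "$root"/cpu[0-9]*/cpufreq/scaling_governor; do
        [ -r "$f" ] || continue
        gov=$(cat "$f")
        rel=${f#"$root"/}
        [ "$gov" = performance ] || echo "${rel%%/*}: $gov"
    done
}

if [ "${1:-}" = "--live" ]; then   # audit the running host
    check_cmdline "$(cat /proc/cmdline)"
    # Assumption: the distribution installs the kernel config under /boot.
    [ -r "/boot/config-$(uname -r)" ] && check_kconfig "/boot/config-$(uname -r)"
    check_governors
    # Meltdown and MDS mitigation state as reported by the kernel.
    grep -H . /sys/devices/system/cpu/vulnerabilities/meltdown \
              /sys/devices/system/cpu/vulnerabilities/mds 2>/dev/null
else
    echo "missing boot parameters: $(check_cmdline "$SAMPLE_CMDLINE")"
fi
```

Run it with --live on the target machine; without arguments it only evaluates the constructed sample boot line.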
Resources
- Brendan Gregg’s blog: Linux performance
- Optimizing web servers for high throughput and low latency, Dropbox, 2017.
- Intelpocalypse: goodbye fast system calls
- Benchmarking Methodology for Network Security Device Performance (an RFC draft).
- Linux ACL Performance Analysis
- NVIDIA performance tuning for Mellanox adapters