nginx/perf

edwintorok · edwintorok · commit 39d12ab4ddac · 2025-06-03T18:18:14.000+01:00
diff --git a/scripts/stunnel-perf/.gitignore b/scripts/stunnel-perf/.gitignore
@@ -0,0 +1 @@
+tmp/
diff --git a/scripts/stunnel-perf/benchmark.sh b/scripts/stunnel-perf/benchmark.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+# Set a machine into benchmarking mode.
+#
+# For native Linux, and Intel-only for now (AMD has a different way of disabling turbo)
+# 
+# References: https://llvm.org/docs/Benchmarking.html
+
+# This is for Fedora 42, adapt for your own OS
+declare -a packages=(
+  "cpupower" "tuned" "ss" "turbostat" "lscpu" "lspci" "ip" "ethtool" "jq" "nginx" "hitch" "stunnel" "iperf3" "nuttcp" "httperf" "git" "hyperfine" "varnish" "socat" "curl"
+)
+
+# httperf --server $OTHER_IP --port 8080 --num-calls 3000 --num-conns=1 --uri /hello
+
+install_packages()
+{
+  sudo dnf install "${packages[@]}"
+}
+
+stop_services()
+{
+  sudo cp /lib/systemd/system/rescue.target /lib/systemd/system/benchmark.target
+  sudo systemctl add-wants benchmark.target sshd.service
+  sudo systemctl isolate benchmark.target
+  sudo systemctl list-units --state=running
+}
+
+start_services()
+{
+  sudo systemctl isolate multi-user.target
+}
+
+set_cpu()
+{
+  # Prevent frequency-scaling
+  sudo cpupower frequency-set -g performance
+
+  # Prevent entering deep C-states to reduce latency and avoid menu governor bugs (there was one recently)
+  # Although if we completely disable C1 then we are going to hit RAPL power limits immediately,
+  # which results in a 30% perf hit on single-stream iperf
+  # Disable just deeper C states, which avoids the big perf hit (although now we're exposed to menu governor bugs)
+  sudo cpupower idle-set -D 2
+
+  # Disable Turbo Boost for more stable measurements
+  # cpupower set --turbo-boost 0 doesn't work when the driver is intel_pstate instead of cpufreq
+  sudo sh -c 'echo 1 >/sys/devices/system/cpu/intel_pstate/no_turbo'
+
+  # AMD
+  sudo cpupower set -m passive
+  sudo cpupower set --turbo-boost 0
+
+  sudo cpupower -c all set --perf-bias 0
+
+  # Bring system into a consistent state
+  sudo tuned-adm profile network-throughput
+  
+  # we could use tuned-adm verify, but there is a bug where it tries to read non-existent hung_task_timeout_secs
+  # that only fails on network-latency, not network-throughput though
+  sudo tuned-adm verify
+}
+
+describe()
+{
+  # Check all the settings we've changed above
+
+  # List running processes
+  set -x
+  sudo systemctl list-units --state=running
+  LIBPROC_HIDE_KERNEL=1 ps -ejH
+
+  sudo cpupower -c all frequency-info
+  sudo cpupower -c all idle-info
+  sudo cpupower -c all info
+  sudo cat /sys/devices/system/cpu/intel_pstate/no_turbo
+  sudo tuned-adm profile_info
+  sudo ss -neopatium
+
+  lscpu
+  sudo turbostat true
+  sudo lspci -k
+  sudo ip a
+
+  for P in /sys/class/net/*; do
+    IFACE=$(basename "${P}")
+    sudo ethtool "${IFACE}"
+    sudo ethtool -k "${IFACE}"
+  done
+
+  sudo sos report --batch
+
+  set +x
+}
+
+open_ports()
+{
+  # iperf3, nuttcp
+  for P in 5201 5000 5101 9080 9443 9444 9445 9446; do
+    sudo firewall-cmd --add-port "${P}/tcp"
+  done
+}
+
+iperf3_server()
+{
+  iperf3 -s
+}
+
+iperf3_client()
+{
+  # TODO: autodetect IP
+  iperf3 --json --logfile iperf3.json -c  10.70.58.43
+  iperf3 --json --logfile iperf3_2.json -c  10.70.58.43 -P2 
+  iperf3 --json --logfile iperf3_4.json -c  10.70.58.43 -P4
+}
diff --git a/scripts/stunnel-perf/l b/scripts/stunnel-perf/l
@@ -0,0 +1,170 @@
++ set -eu
++ TLS_CIPHERS=ECDHE-RSA-AES256-GCM-SHA384
++ TLS_PROTO=TLSv1.2
++ NGINX_PORT=9080
++ NGINX_TLS_PORT=9443
++ STUNNEL_TLS_PORT=9444
++ HITCH_TLS_PORT=9445
++ SOCAT_TLS_PORT=9446
++ REPEAT=1
++ TEST_SIZE=1MiB
++ PEM=stunnel.pem
++ TESTDIR=/home/edvint/git/xen-api/scripts/stunnel-perf/tmp
++ RAMDIR=/dev/shm/stunnel-test
++ mkdir -p /dev/shm/stunnel-test /home/edvint/git/xen-api/scripts/stunnel-perf/tmp
++ cd /home/edvint/git/xen-api/scripts/stunnel-perf/tmp
++ test -f stunnel.pem
++ cat
++ truncate --size 1MiB /dev/shm/stunnel-test/1MiB
++ cat
++ cat
++ killall -v -9 stunnel nginx hitch socat
+Killed nginx(944325) with signal 9
+Killed nginx(944326) with signal 9
+Killed socat(944327) with signal 9
+Killed stunnel(944330) with signal 9
+Killed hitch(944334) with signal 9
+Killed hitch(944335) with signal 9
+Killed hitch(944337) with signal 9
+Killed stunnel(944340) with signal 9
+Killed socat(944343) with signal 9
+Killed stunnel(944347) with signal 9
+Killed socat(944350) with signal 9
+Killed stunnel(944354) with signal 9
+Killed socat(944356) with signal 9
+Killed stunnel(944361) with signal 9
+Killed socat(944363) with signal 9
++ nginx -c /home/edvint/git/xen-api/scripts/stunnel-perf/tmp/nginx.conf
+nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
++ stunnel /home/edvint/git/xen-api/scripts/stunnel-perf/tmp/stunnel.conf
++ socat -b65536 OPENSSL-LISTEN:9446,fork,reuseaddr,cert=stunnel.pem,verify=0,cipher=ECDHE-RSA-AES256-GCM-SHA384,compress=none,reuseport TCP4:127.0.0.1:9080
++ hitch --config /home/edvint/git/xen-api/scripts/stunnel-perf/tmp/hitch.conf
+20250603T180955.914523 [944519] {core} hitch 1.7.2 starting
+20250603T180955.914555 [944519] WARNING: {core} OpenSSL version mismatch; hitch was compiled with 30000010, now using 30200020.
+20250603T180955.917361 [944519] {core} Loading certificate pem files (1)
++ DEST=127.0.0.1
++ for PORT in ${NGINX_TLS_PORT} ${STUNNEL_TLS_PORT} ${HITCH_TLS_PORT} ${SOCAT_TLS_PORT}
++ PORT2=19443
++ cat
++ stunnel /home/edvint/git/xen-api/scripts/stunnel-perf/tmp/stunnel-client-9443.conf
++ PORT3=29443
++ for PORT in ${NGINX_TLS_PORT} ${STUNNEL_TLS_PORT} ${HITCH_TLS_PORT} ${SOCAT_TLS_PORT}
++ PORT2=19444
++ cat
++ socat -b65536 TCP4-LISTEN:29443,fork,bind=127.0.0.1,reuseport OPENSSL:127.0.0.1:9443,cipher=ECDHE-RSA-AES256-GCM-SHA384,verify=0
++ stunnel /home/edvint/git/xen-api/scripts/stunnel-perf/tmp/stunnel-client-9444.conf
++ PORT3=29444
++ for PORT in ${NGINX_TLS_PORT} ${STUNNEL_TLS_PORT} ${HITCH_TLS_PORT} ${SOCAT_TLS_PORT}
++ PORT2=19445
++ cat
++ socat -b65536 TCP4-LISTEN:29444,fork,bind=127.0.0.1,reuseport OPENSSL:127.0.0.1:9444,cipher=ECDHE-RSA-AES256-GCM-SHA384,verify=0
++ stunnel /home/edvint/git/xen-api/scripts/stunnel-perf/tmp/stunnel-client-9445.conf
++ PORT3=29445
++ for PORT in ${NGINX_TLS_PORT} ${STUNNEL_TLS_PORT} ${HITCH_TLS_PORT} ${SOCAT_TLS_PORT}
++ PORT2=19446
++ cat
++ socat -b65536 TCP4-LISTEN:29445,fork,bind=127.0.0.1,reuseport OPENSSL:127.0.0.1:9445,cipher=ECDHE-RSA-AES256-GCM-SHA384,verify=0
++ stunnel /home/edvint/git/xen-api/scripts/stunnel-perf/tmp/stunnel-client-9446.conf
++ PORT3=29446
++ measure nginx http://127.0.0.1:9080 '' plain
++ echo
++ echo 'plain: curl --> nginx http://127.0.0.1:9080 '
++ socat -b65536 TCP4-LISTEN:29446,fork,bind=127.0.0.1,reuseport OPENSSL:127.0.0.1:9446,cipher=ECDHE-RSA-AES256-GCM-SHA384,verify=0
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ curl -k -o /dev/null http://127.0.0.1:9080/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
++ tee -a plain.csv
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0  1000M      0 --:--:-- --:--:-- --:--:-- 1000M
++ python3
++ NGINX_URL=http://127.0.0.1:9080
++ measure nginx-ssl https://127.0.0.1:9443 '' nginx-ssl
++ echo
++ echo 'nginx-ssl: curl --> nginx-ssl https://127.0.0.1:9443 '
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ curl -k -o /dev/null https://127.0.0.1:9443/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
++ tee -a nginx-ssl.csv
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0  45.4M      0 --:--:-- --:--:-- --:--:-- 47.6M
++ python3
++ measure stunnel https://127.0.0.1:9444 '-> nginx http://127.0.0.1:9080' stunnel_server
++ echo
++ echo 'stunnel_server: curl --> stunnel https://127.0.0.1:9444 -> nginx http://127.0.0.1:9080'
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ curl -k -o /dev/null https://127.0.0.1:9444/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
++ tee -a stunnel_server.csv
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0  71.4M      0 --:--:-- --:--:-- --:--:-- 71.4M
++ python3
++ measure hitch https://127.0.0.1:9445 '-> nginx http://127.0.0.1:9080' hitch_server
++ echo
++ echo 'hitch_server: curl --> hitch https://127.0.0.1:9445 -> nginx http://127.0.0.1:9080'
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ tee -a hitch_server.csv
++ curl -k -o /dev/null https://127.0.0.1:9445/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0  71.4M      0 --:--:-- --:--:-- --:--:-- 71.4M
++ python3
++ measure socat https://127.0.0.1:9446 '-> nginx http://127.0.0.1:9080' socat_server
++ echo
++ echo 'socat_server: curl --> socat https://127.0.0.1:9446 -> nginx http://127.0.0.1:9080'
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ curl -k -o /dev/null https://127.0.0.1:9446/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
++ tee -a socat_server.csv
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0  17.8M      0 --:--:-- --:--:-- --:--:-- 18.1M
++ python3
++ measure 'stunnel(client)' http://127.0.0.1:19444 '-> stunnel https://127.0.0.1:9444 -> nginx http://127.0.0.1:9080' stunnel_client_nginx
++ echo
++ echo 'stunnel_client_nginx: curl --> stunnel(client) http://127.0.0.1:19444 -> stunnel https://127.0.0.1:9444 -> nginx http://127.0.0.1:9080'
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ curl -k -o /dev/null http://127.0.0.1:19444/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
++ tee -a stunnel_client_nginx.csv
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0   166M      0 --:--:-- --:--:-- --:--:--  166M
++ python3
++ measure 'stunnel(client)' http://127.0.0.1:19445 '-> hitch https://127.0.0.1:9445 -> nginx http://127.0.0.1:9080' stunnel_client_hitch
++ echo
++ echo 'stunnel_client_hitch: curl --> stunnel(client) http://127.0.0.1:19445 -> hitch https://127.0.0.1:9445 -> nginx http://127.0.0.1:9080'
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ tee -a stunnel_client_hitch.csv
++ curl -k -o /dev/null http://127.0.0.1:19445/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0   166M      0 --:--:-- --:--:-- --:--:--  166M
++ python3
++ measure 'stunnel(client)' http://127.0.0.1:19446 '-> socat https://127.0.0.1:9446 -> nginx http://127.0.0.1:9080' stunnel_client_socat
++ echo
++ echo 'stunnel_client_socat: curl --> stunnel(client) http://127.0.0.1:19446 -> socat https://127.0.0.1:9446 -> nginx http://127.0.0.1:9080'
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ curl -k -o /dev/null http://127.0.0.1:19446/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
++ tee -a stunnel_client_socat.csv
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0   125M      0 --:--:-- --:--:-- --:--:--  125M
++ python3
++ measure 'socat(client)' http://127.0.0.1:29444 '-> stunnel https://127.0.0.1:9444 -> nginx http://127.0.0.1:9080' socat_client_stunnel
++ echo
++ echo 'socat_client_stunnel: curl --> socat(client) http://127.0.0.1:29444 -> stunnel https://127.0.0.1:9444 -> nginx http://127.0.0.1:9080'
+++ seq 1
++ for i in $(seq "${REPEAT}")
++ curl -k -o /dev/null http://127.0.0.1:29444/1MiB --write-out '%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n'
++ tee -a socat_client_stunnel.csv
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0100 1024k  100 1024k    0     0  55.5M      0 --:--:-- --:--:-- --:--:-- 55.5M
++ python3
+2025/06/03 18:10:16 socat[944798] E write(6, 0x7f6e16887000, 16384): Broken pipe
diff --git a/scripts/stunnel-perf/server.sh b/scripts/stunnel-perf/server.sh
