Re: [Dovecot] Major CPU spike for SSL parameters?
I applied the patch to master-settings.c and the problem is still there

Jan 19 20:01:51 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:13:02 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:21:33 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:33:17 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:42:03 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:52:12 foxmulder dovecot: SSL parameters regeneration completed

foxmulder:~$ uname -srp
FreeBSD 6.0-RELEASE-p3 i386

foxmulder:etc$ grep ssl dovecot.conf
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_parameters_regenerate = 48

Timo Sirainen wrote:
On Wed, 2006-01-18 at 18:40 -0500, Todd Vierling wrote:
On Wed, 18 Jan 2006, Todd Vierling wrote:
After setting "ssl_parameters_regenerate" to the explicit value of 168, it's still happening this often. I now set it to 0 to disable regeneration for the moment. And it's still happening every 10-ish minutes. Thoughts?
Happens with 64bit systems. Fix in CVS and here:
Index: src/master/master-settings.c =================================================================== RCS file: /var/lib/cvs/dovecot/src/master/master-settings.c,v retrieving revision 1.105 diff -u -r1.105 master-settings.c --- src/master/master-settings.c 18 Jan 2006 23:14:45 -0000 1.105 +++ src/master/master-settings.c 19 Jan 2006 20:38:31 -0000 @@ -64,7 +64,7 @@ DEF(SET_STR, ssl_cert_file), DEF(SET_STR, ssl_key_file), DEF(SET_STR, ssl_key_password), - DEF(SET_STR, ssl_parameters_regenerate), + DEF(SET_INT, ssl_parameters_regenerate), DEF(SET_STR, ssl_cipher_list), DEF(SET_BOOL, ssl_verify_client_cert), DEF(SET_BOOL, disable_plaintext_auth),
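Review bot: the corrected entry DEF(SET_INT, ssl_parameters_regenerate) shows that nothing ties the type tag in this table to the type of the struct field it describes, so the same mismatch can recur on any neighbouring DEF line without a compiler warning. With SET_STR on a field that ssl-init.c later multiplies by 3600, the settings parser presumably stored a pointer-sized value where an integer was expected, which fits the report that it happens on 64-bit systems. Suggest auditing the other DEF entries in this table against their field declarations and, if the macro allows it, adding a compile-time type check; the commit message should also say that the value is a number of hours.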
On Thu, 2006-01-19 at 21:49 -0500, Peter Chiu wrote:
I applied the patch to master-settings.c and the problem is still there
Jan 19 20:01:51 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:13:02 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:21:33 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:33:17 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:42:03 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:52:12 foxmulder dovecot: SSL parameters regeneration completed

foxmulder:~$ uname -srp
FreeBSD 6.0-RELEASE-p3 i386

foxmulder:etc$ grep ssl dovecot.conf
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_parameters_regenerate = 48
Hmm. That patch fixed it with me. What happens if you set ssl_parameters_regenerate = 0?
On 01/22/2006 07:25:07 AM, Timo Sirainen wrote:
On Thu, 2006-01-19 at 21:49 -0500, Peter Chiu wrote:
I applied the patch to master-settings.c and the problem is still there
Jan 19 20:01:51 foxmulder dovecot: SSL parameters regeneration completed
foxmulder:~$ uname -srp
FreeBSD 6.0-RELEASE-p3 i386

foxmulder:etc$ grep ssl dovecot.conf
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_parameters_regenerate = 48
Hmm. That patch fixed it with me. What happens if you set ssl_parameters_regenerate = 0?
It is so strange - it certainly doesn't happen on all 64 bit machines - it doesn't on my opteron (even without your patch):
[root@athena ~]# grep "SSL parameters" /var/log/m*log*
/var/log/maillog.1:Jan 16 19:10:43 athena dovecot: SSL parameters regeneration completed
[root@athena ~]# uname -a
Linux athena.riede.org 2.6.15-1.1826.2.10_FC5 #1 SMP Wed Jan 11 18:13:37 EST 2006 x86_64 x86_64 x86_64 GNU/Linux
[root@athena ~]# egrep "ssl_(cer|key_f|para)" /etc/dovecot.conf
ssl_cert_file = /etc/pki/dovecot/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
#ssl_parameters_regenerate = 168
Regards, Willem Riede.
I upgraded 1.0-beta1 to the CVS version; I use OpenBSD/i386. I tried these 3 settings:

ssl_parameters_regenerate = 0
ssl_parameters_regenerate = 68
#ssl_parameters_regenerate = 168 (default)

All settings have this problem too (every 10 mins regen SSL)
head -3 ChangeLog
2006-01-22 13:29 Timo Sirainen tss@iki.fi
* README: Removed code section and did some updates.
In a message dated 2006/1/22, "Timo Sirainen" tss@iki.fi wrote:
On Thu, 2006-01-19 at 21:49 -0500, Peter Chiu wrote:
I applied the patch to master-settings.c and the problem is still there
Jan 19 20:01:51 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:13:02 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:21:33 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:33:17 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:42:03 foxmulder dovecot: SSL parameters regeneration completed
Jan 19 20:52:12 foxmulder dovecot: SSL parameters regeneration completed

foxmulder:~$ uname -srp
FreeBSD 6.0-RELEASE-p3 i386

foxmulder:etc$ grep ssl dovecot.conf
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_parameters_regenerate = 48
Hmm. That patch fixed it with me. What happens if you set ssl_parameters_regenerate = 0?
On Sun, 2006-01-22 at 23:26 +0800, John Wong wrote:
I upgraded 1.0-beta1 to the CVS version; I use OpenBSD/i386. I tried these 3 settings:
-----------------------------------------------------------------
ssl_parameters_regenerate = 0
ssl_parameters_regenerate = 68
#ssl_parameters_regenerate = 168 (default)
-----------------------------------------------------------------
All settings have this problem too (every 10 mins regen SSL)
Could you try what it writes to logs with this patch: diff -u -r1.21 ssl-init.c --- src/master/ssl-init.c 22 Jan 2006 10:50:54 -0000 1.21 +++ src/master/ssl-init.c 22 Jan 2006 16:16:14 -0000 @@ -98,6 +98,7 @@ are correct */ regen_time = set->ssl_parameters_regenerate == 0 ? ioloop_time : st.st_mtime + (time_t)(set->ssl_parameters_regenerate*3600); + i_info("ssl_parameters_regenerate = %d", set->ssl_parameters_regenerate); if (regen_time < ioloop_time || st.st_size == 0 || st.st_uid != master_uid || st.st_gid != getegid()) { if (foreground) {
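Review bot: the added i_info(...) line reports only ssl_parameters_regenerate, but the if directly below it regenerates on any of four conditions: regen_time < ioloop_time, st.st_size == 0, st.st_uid != master_uid, or st.st_gid != getegid(). To see which one fires, log st.st_mtime, st.st_size, st.st_uid and st.st_gid alongside master_uid and getegid() as well. The call also runs on every check, so it should be removed or demoted before anything like it is committed.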
This patch works for me; I use OpenBSD/i386
------------------------------------------------------------------------------
--- src/master/ssl-init.c.orig Mon Jan 23 10:04:56 2006
+++ src/master/ssl-init.c Mon Jan 23 17:05:17 2006
@@ -99,7 +99,7 @@
regen_time = set->ssl_parameters_regenerate == 0 ? ioloop_time :
(st.st_mtime +
(time_t)(set->ssl_parameters_regenerate*3600));
if (regen_time < ioloop_time || st.st_size == 0 ||
- st.st_uid != master_uid || st.st_gid != getegid()) {
+ st.st_uid != master_uid || st.st_gid !=
set->server->login_gid) {
if (foreground) {
i_info("Generating Diffie-Hellman parameters. "
"This may take a while..");
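Review bot: on the changed condition, comparing st.st_gid with set->server->login_gid only ends the regeneration loop if the code that writes the parameters file gives it that same group, and that code is not part of this hunk; please confirm the two agree and add a comment saying which group the file is expected to carry and why the uid check still uses master_uid. As posted, the replacement is also wrapped: the continuation line set->server->login_gid) { has no leading +, so the patch will not apply as-is and should be resent unwrapped or as an attachment.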
------------------------------------------------------------------------------
In a message dated 2006/1/22, "Timo Sirainen"
On Sun, 2006-01-22 at 23:26 +0800, John Wong wrote:
I upgraded 1.0-beta1 to the CVS version; I use OpenBSD/i386. I tried these 3 settings:
-----------------------------------------------------------------
ssl_parameters_regenerate = 0
ssl_parameters_regenerate = 68
#ssl_parameters_regenerate = 168 (default)
-----------------------------------------------------------------
All settings have this problem too (every 10 mins regen SSL)
Could you try what it writes to logs with this patch:
diff -u -r1.21 ssl-init.c --- src/master/ssl-init.c 22 Jan 2006 10:50:54 -0000 1.21 +++ src/master/ssl-init.c 22 Jan 2006 16:16:14 -0000 @@ -98,6 +98,7 @@ are correct */ regen_time = set->ssl_parameters_regenerate == 0 ? ioloop_time : st.st_mtime + (time_t)(set->ssl_parameters_regenerate*3600); + i_info("ssl_parameters_regenerate = %d", set->ssl_parameters_regenerate); if (regen_time < ioloop_time || st.st_size == 0 || st.st_uid != master_uid || st.st_gid != getegid()) { if (foreground) {
participants (4)
- John Wong
- Peter Chiu
- Timo Sirainen
- Willem Riede