On 28/07/2014 11:54 πμ, Apollon Oikonomopoulos wrote:
> Hi Willy,
> 
> On 19:28 Fri 25 Jul     , Willy Tarreau wrote:
>>
>> Concerning the new features, no promises, but we know that we need to
>> progress in the following areas :
>>
>>   - multi-process : better synchronization of stats and health checks,
>>     and find a way to support peers in this mode. I'm still thinking a
>>     lot that due to the arrival of latency monsters that are SSL and
>>     compression, we could benefit from having a thread-based architecture
>>     so that we could migrate tasks to another CPU when they're going to
>>     take a lot of time. The issue I'm seeing with threads is that
>>     currently the code is highly dependent on being alone to modify any
>>     data. Eg: a server state is consistent between entering and leaving
>>     a health check function. We don't want to start adding huge mutexes
>>     everywhere.
> 
> How about using shared memory segments for stats, health checks and 
> peers?
> 
>>
>> If anyone has any comment / question / suggestion, as usual feel free to
>> keep the discussion going on.
> 
> Could I also add shared SSL session cache over multiple boxes (like 
> stud), to aid SSL scalability behind LVS directors? It has been asked 
> for before in the mailing list if I recall correctly.
> 

A bit off topic but sometimes tunning the cipher suite reduces the CPU
cost of encryption. Today, I managed to save 5% CPU by moving to ECDHE
cipher suite, see https://db.tt/N9auU9cg.

I just recompiled HAProxy against openSSL 1.0.1 where ECDHE is available
and the default cipher changed from DHE to ECDHE, which is a CPU
intensive cipher set but still much better than DHE. I have to mention
that the server uses Intel and OpenSSL Intel AES-NI engine is enabled by
default as openSSL 1.0.1 can detect processors that support AES-NI.

Cheers,
Pavlos






Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to