Required Priorities (Security) = slow server
I recently moved my server from:

3.2.11-hardened
Security Level (Hardened Gentoo [server])

to:

3.4.5-hardened
Configuration Method (Automatic)
Usage Type (Server)
Virtualization Type (None)
Required Priorities (Security)

and http became extremely slow. Some pages that would normally execute in 1 second would take 10 seconds or more. There is a lot of php and perl server-side stuff so the slowdown may have been rooted in that. I changed to Required Priorities (Performance) and everything sped back up to normal. My laptop was moved to the following at the same time and I didn't notice any performance change:

3.4.5-hardened
Configuration Method (Automatic)
Usage Type (Desktop)
Virtualization Type (None)
Required Priorities (Security)

Is this sort of behavior expected from a server?

- Grant

> I recently moved my server from:
>
> 3.2.11-hardened
> Security Level (Hardened Gentoo [server])
>
> to:
>
> 3.4.5-hardened
> Configuration Method (Automatic)
> Usage Type (Server)
> Virtualization Type (None)
> Required Priorities (Security)
>
> and http became extremely slow. Some pages that would normally
> execute in 1 second would take 10 seconds or more. There is a lot of
> php and perl server-side stuff so the slowdown may have been rooted in
> that. I changed to Required Priorities (Performance) and everything
> sped back up to normal. My laptop was moved to the following at the
> same time and I didn't notice any performance change:
>
> 3.4.5-hardened
> Configuration Method (Automatic)
> Usage Type (Desktop)
> Virtualization Type (None)
> Required Priorities (Security)
>
> Is this sort of behavior expected from a server?
>
> - Grant

This may have been a false alarm. I think I've been having intermittent network problems to part of the internet. Can anyone confirm that the above config shouldn't slow down an http server?

- Grant

On 17.08.2012 08:56, Grant wrote:
>> I recently moved my server from:
>>
>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>
>> to:
>>
>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>> (Server) Virtualization Type (None) Required Priorities
>> (Security)
>>
>> and http became extremely slow. Some pages that would normally
>> execute in 1 second would take 10 seconds or more. There is a
>> lot of php and perl server-side stuff so the slowdown may have
>> been rooted in that. I changed to Required Priorities
>> (Performance) and everything sped back up to normal. My laptop
>> was moved to the following at the same time and I didn't notice
>> any performance change:
>>
>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>> (Desktop) Virtualization Type (None) Required Priorities
>> (Security)
>>
>> Is this sort of behavior expected from a server?
>>
>> - Grant
>
> This may have been a false alarm. I think I've been having
> intermittent network problems to part of the internet. Can anyone
> confirm that the above config shouldn't slow down an http server?
>
> - Grant
>

It's hard to make any generalisations but I have some servers with similar grsec-autoconfig (server instead of desktop) and no noticeable slowdown (I'd say nothing more than 10%).
I'd recommend to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.

WKR
Hinnerk

>>> I recently moved my server from:
>>>
>>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>>
>>> to:
>>>
>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>> (Server) Virtualization Type (None) Required Priorities
>>> (Security)
>>>
>>> and http became extremely slow. Some pages that would normally
>>> execute in 1 second would take 10 seconds or more. There is a
>>> lot of php and perl server-side stuff so the slowdown may have
>>> been rooted in that. I changed to Required Priorities
>>> (Performance) and everything sped back up to normal. My laptop
>>> was moved to the following at the same time and I didn't notice
>>> any performance change:
>>>
>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>> (Desktop) Virtualization Type (None) Required Priorities
>>> (Security)
>>>
>>> Is this sort of behavior expected from a server?
>>>
>>> - Grant
>>
>> This may have been a false alarm. I think I've been having
>> intermittent network problems to part of the internet. Can anyone
>> confirm that the above config shouldn't slow down an http server?
>>
>> - Grant
>>
>
> It's hard to make any generalisations but I have some servers with
> similar grsec-autoconfig (server instead of desktop) and no noticeable
> slowdown (I'd say nothing more than 10%).
> I'd recommend to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.
>
> WKR
> Hinnerk

3.4.5 is the latest stable, right?

http://packages.gentoo.org/package/sys-kernel/hardened-sources

I'm using Server too. I'm using Desktop on my laptop.

- Grant

On 17.08.2012 11:47, Grant wrote:
>>>> I recently moved my server from:
>>>>
>>>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>>>
>>>> to:
>>>>
>>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>>> (Server) Virtualization Type (None) Required Priorities
>>>> (Security)
>>>>
>>>> and http became extremely slow. Some pages that would
>>>> normally execute in 1 second would take 10 seconds or more.
>>>> There is a lot of php and perl server-side stuff so the
>>>> slowdown may have been rooted in that. I changed to Required
>>>> Priorities (Performance) and everything sped back up to
>>>> normal. My laptop was moved to the following at the same
>>>> time and I didn't notice any performance change:
>>>>
>>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>>> (Desktop) Virtualization Type (None) Required Priorities
>>>> (Security)
>>>>
>>>> Is this sort of behavior expected from a server?
>>>>
>>>> - Grant
>>>
>>> This may have been a false alarm. I think I've been having
>>> intermittent network problems to part of the internet. Can
>>> anyone confirm that the above config shouldn't slow down an
>>> http server?
>>>
>>> - Grant
>>>
>>
>> It's hard to make any generalisations but I have some servers
>> with similar grsec-autoconfig (server instead of desktop) and no
>> noticeable slowdown (I'd say nothing more than 10%). I'd recommend
>> to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.
>>
>> WKR Hinnerk
>
> 3.4.5 is the latest stable, right?
>
> http://packages.gentoo.org/package/sys-kernel/hardened-sources
>
> I'm using Server too. I'm using Desktop on my laptop.
>
> - Grant
>

Sorry, I misread the part about the laptop. As far as I remember the only supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and 3.5.2 as testing (the versions on grsecurity.net, right now).
Other versions aren't supported by upstream. Actually I'm not sure what is stable for gentoo since I'm using ~arch myself.

- Hinnerk

> I misread the part about the laptop. As far as I remember the only
> supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
> 3.5.2 as testing (the versions on grsecurity.net, right now).
> Other versions aren't supported by upstream.

Interesting, I would have thought Gentoo would keep hardened-sources in sync with upstream's recommendation/support.

- Grant

On 17/08/12 19:06, Grant wrote:
> Interesting, I would have thought Gentoo would keep hardened-sources
> in sync with upstream's recommendation/support.

There are a few reasons for that not being the case, but of them I'd go for the fact that in order to get stabilized a package must have been on ~arch for some time and have no known bugs. Then the arch teams have to test the packages and then the packages get finally stabilized. We can't, for obvious reasons, try to stabilize all the packages we get since that would saturate the arch teams' resources; as a result we generally ask for the stabilization in the case of gentoo-sources of those that have proved to be quite stable for some time.

That is exactly what hardened sources package maintainers do.
There's always a tiny time difference between the latest grsecurity patch showing up on the homepage and the respective kernel ebuild appearing.

*hardened-sources-3.5.1-r2 (16 Aug 2012)

  16 Aug 2012; Anthony G. Basile (blueness) +hardened-sources-3.5.1-r2.ebuild:
  vanilla-3.5.1 + genpatches-3.5-2 + grsecurity-2.9.1-3.5.1-201208132030

They are doing a good job. So: big thanks.

Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 17 August 2012 (Fri) at 19:06, Grant wrote:
>> I misread the part about the laptop. As far as I remember the only
>> supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
>> 3.5.2 as testing (the versions on grsecurity.net, right now).
>> Other versions aren't supported by upstream.
>
> Interesting, I would have thought Gentoo would keep hardened-sources
> in sync with upstream's recommendation/support.
>
> - Grant
>

On Fri, Aug 17, 2012 at 11:19 PM, "Tóth Attila" <atoth@atoth.sote.hu> wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appearing.

First, I would like to note that I appreciate very much Anthony's dedication to maintaining hardened-sources.

The situation with stabilizing hardened-sources versions, as I see it, is problematic because grsecurity / PaX upstream only supports a couple of kernels they consider stable (currently, 2.6.32 and 3.2), and the very latest kernel as unstable (currently, 3.5). They don't release patches for interim kernels [1]. So the issue with stabilizing those versions (say, 3.4) is moot — the upstream kernel might be stable, but grsecurity / PaX patches are frozen in time.

This results in a weird situation if you want, e.g., a stable kernel that's more modern than 3.2, but don't want EFI-related bugs [2] that were fixed by grsecurity after they switched to 3.5 series for testing. Ideally, grsecurity could release patches for each kernel series after latest stable (currently, 3.2), but that would probably require too many resources.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2980
[2] https://bugs.gentoo.org/428726, https://bugs.gentoo.org/430122

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

On 08/17/2012 04:19 PM, "Tóth Attila" wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appearing.

I try to get most of upstream's releases into portage so we can test them as ~arch and give upstream feedback. After a while, I see what issues came up in the last "batch" of kernels. I then pick the one that is least problematic. Typical upstream cycle goes: 1) introduced new feature, 2) bad breakage, 2) still breakage, 3) not so bad, 4) fixed. I try to catch it at #4 before they start the cycle all over again.

Hope this helps to explain my release policy.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197