Quelques digressions sous GPL...

Aller au contenu | Aller au menu | Aller à la recherche

Netfilter workshop at Fosscon 2012: the slides

Par Julien Vehent, le jeudi, août 23 2012 (Debian)

A couple of weeks ago, I gave a 2H workshop at Fosscon Philadelphia on Advanced Netfilter features. The workshop went well, and I will probably do it again. In the meantime, I posted the slides below. There is a video too, but the quality isn't great, and filming a workshop isn't as good as I hoped it would be.

The goal of the workshop is to demonstrate how netfilter, iptables, ipset and other tools available in Linux, can be used to build complex firewall policies for dynamic environments. I mentionned, at the end, some of the work i've done with Chef and the AFW cookbook. It's good stuff, so check it out.

Netfilter and Iptables talk at AWeber

Par Julien Vehent, le mercredi, août 1 2012 (Debian)

Every tuesday, at AWeber, we have a Tutorial Tuesday. Engineers submit topics they would live to present, and everyone vote for the ones they are interested in. A few weeks ago, I presented on Netfilter and Iptables. The goal was to give a quick overview of the firewall of Linux, show some basic and advanced features, and give some tools to help developers debug firewall issues.

I will present some of this material again at FOSSCON Philadelphia, on August 11th. So if you are in the area, come to the workshop: http://fosscon.org/

Netfilter-JulienVehent-AWeber from Julien Vehent on Vimeo.

FFmpeg MP4 encoding

Par Julien Vehent, le mercredi, août 1 2012 (General)

Encoding video is hard. I've been poking around Final Cut Pro X for the last 2 days, trying to find a good way to encode the video of a Talk I gave, and couldn't get to a reasonable size (~300MB) without terrible image and sound quality. Until I found this discussion: http://flowplayer.org/forum/7/12671

FFmpeg is, as always, the way to go. So to convert a 5GB H264 video into a 200MB video of decent quality, use this magic command:

ffmpeg -i InputVideo.mov -threads 6  -ar 44100 -ab 96k \
-vcodec libx264 -level 41 -crf 20 -bufsize 20000k \
-maxrate 25000k -g 250 -r 20 -s 1280x544 -coder 1 \
-flags +loop -cmp +chroma -subq 7 -me_range 16 \
-keyint_min 25 -sc_threshold 40 -i_qfactor 0.71 -bf 16 \
-b_strategy 1 -bidir_refine 1 -refs 6 -deblockalpha 0 \
-deblockbeta 0 OutputVideo.mp4

TCP tuning for the LAN

Par Julien Vehent, le mercredi, juin 6 2012 (Debian)

Recently we had conntrack drop connection on one of our memcache node at work. Turns out we were receiving a lot more traffic than usual, but nothing that should have stressed the network stack that badly. We were in the thousand established connections. We got bitten because of the count of TIME_WAIT connections that filled up the conntrack buckets. So what follows is the analysis of what happened and how we fixed it.

When two nodes communicate, they have to perform 3 steps:
  1. TCP handshake: client sends TCP SYN, server responds TCP ACK, client sends TCP SYN/ACK
  2. Data exchange: client sends its request in TCP PUSH/ACK (1 or several packets), server responds in TCP PUSH/ACK (1 or several packets)
  3. Connection closing: client sends TCP/FIN to server, server sends TCP/ACK to client, server sends TCP/FIN to client, client sends TCP/ACK to server
So, for a classic memcache request from a client to a server, we will have at least 10 packets exchanges, and possibly around 15 packets total if we query webforms. 
Under high load, the average RTT between a client and a memcache node is ~0.6 milliseconds. Thus, a connection from beginning to end should take ~9 ms. That's 0.009 seconds. 
In the default kernel configuration, the connection will stay in TIME_WAIT state for 60 seconds. In case a packet got lost and the kernel needs to send a RST for it. But in the case of a gigabit LAN, with a RTT that should be way below the milliseconds, it's just impossible that a packet would get lost in routers for 60 seconds. 
The side effect of using a TIME_WAIT of 60 seconds is that conntrack must keep track of the connection during that time. So a connection will take 0.009s to process, and then be tracked for 60s. During that time, the conntrack bucket fill up, and potentially overflows.
In the kernel, a recycle parameter exists for this very purpose:
tcp_tw_reuse - BOOLEAN
Allow to reuse TIME-WAIT sockets for new connections when it is
safe from protocol viewpoint. Default value is 0.
It should not be changed without advice/request of technical
experts.
It can be activated as follow:
# echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
Or to make it permanent, add this to sysctl.conf 
net.ipv4.tcp_tw_reuse = 1
 Some explanation from the Haproxy mailing list: http://marc.info/?l=haproxy&m=132784701528003&w=4
This kernel parameter should be enabled everywhere. It's just a smart reuse of network ressources.

Note on Conntrack

While I do not believe it is necessary to increase the current hashsize from its 65536 value, we could very safely do so. A conntrack consumes 400 bytes in the kernel (see /proc/slabinfo), which means tracking 1,000,000 connections would consume 400MBytes of RAM: 
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536 
# cat /sys/module/nf_conntrack/parameters/hashsize
16384 
ip_conntrack_max represents the maximum number of tracked connection, while hashsize is the size of the hash table storing the list of conntrack entries. A conntrack entry is stored in a node of a linked list, and there are several lists, each list being an element in a hash table. So each hash table entry (also called a bucket) contains a linked list of conntrack entries. source: http://wiki.khnet.info/index.php/Conntrack_tuning
Each hash will contain ~8 connections: (ip_conntrack_max = hashsize * 8). But to be conservative, the kernel sets those value to (ip_conntrack_max = hashsize * 4) by default. We can safely augment those by a factor of 8: ip_conntrack_max=524288 hashsize=131072 
# echo 524288 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max 
# echo 131072 > /sys/module/nf_conntrack/parameters/hashsize
 Or, to make them permanent, modify /etc/sysctl.conf instead:
net.ipv4.netfilter.ip_conntrack_max = 524288
net.ipv4.netfilter.ip_conntrack_buckets = 131072

Note on local ports

When a client connect to a server, it needs a source ip, a source port, a destination ip and a destination port. The source ip, destination ip and destination port are static. But the source port is taken in the range made available by the kernel: 
$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768	61000
By default, this range is limited to the ports between 32768 and 61000. That means that one client will be able to open a maximum of (61000 - 32768) = 28232 connections to a server. This limit can safely be increased in sysctl.conf to use the range 5000 to 65000. Add this line to sysctl.conf
net.ipv4.ip_local_port_range = 5000	65000

Online Ads Revenue ? Bullshit !

Par Julien Vehent, le samedi, juin 2 2012 (General)

For many years now I have been wondering if I should put ads on the Linuxwall's Wiki. Last month, I ran an experiment, created a google adsense account, and gave it a shot.

This website doesn't get crazy traffic. Roughly ~7,500 pages views per month, and almost 5,000 unique visitors. Its goal is not to generate traffic, but to serve high quality content: Articles that I and a few friends write on Linux and Open Source technology. We have some good stuff available there, like a documentation of the QoS in LinuxOracle on CentosNginx performances tipsNagios, etc etc... I'm always happy to see more people reaching those pages, because we spend a lot of times researching and writing them, and we publish it under Creative Common.

Below is the monthly visits graph, generated by piwik.

stats_wiki.png
So Why do I call bullshit on Adsense ? Because, out of those 5,000 unique visitors who have viewed the ads, I receive from Google the amazing amount of... $1.30. That one point three dollars of revenue for one month worth of ads.

The reason ? Out of those same 5,000 people and 7,500 page views. Only 4 have clicked on the ad ! That's a conversion ratio of 0.00053% !

adsense_wiki.png

I have not removed the ad yet, so you can see it when clicking on the link. it's a 728x90 Text/image, the default recommended by Google. I put it on the best possible location: on top of my articles.

I'll remove the ad in a few days. Quite frankly, I don't care about the revenue generated by Adsense. I have a good job at AWeber, and it pays the bills. But when I started this experiment, I somehow imagined that I would receive $40/50 per month from Adsense. Something that could pay for the server I'm using, and would justify adding that big ugly banner on top of my wiki. It doesn't. I'm removing it.

I have a feeling that this whole ads business became so huge, that nobody is ever looking or clicking on them anymore. Advertisers will keep pushing for more ads and thus more ways to track people to better target those ads. This stuff will probably collapse when businesses realize how little they get from online ads. General Motors did. Will we see a major ads bubble collapse in a few years ? I don't know. But I'm happy to stay away from it.

- page 2 de 28 -