Posted to users@subversion.apache.org by Marko Käning <mk...@mch.osram.de> on 2008/07/28 16:39:50 UTC

svn+ssh <-> svnserve <= speed concerns

Hi,

I just wondered whether using svnserve might be slower than svn+ssh...

Am I wrong?

(Unfortunately I can't test this myself yet, since I am still unable to 
get svnserve up and running as expected, see thread "SVN+SSH tunneling 
problem".)

Regards,
Marko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: svn+ssh <-> svnserve <= speed concerns

Posted by Christian Michallek <ch...@e-tecture.com>.
Keep in mind that the Windows svn client is horribly slow compared to
the Linux client, so if you're using svnserve with Windows clients, this
can slow you down even more.

greetings

christian

On Monday, 28.07.2008, at 18:39 +0200, Marko Käning wrote:
> Hi,
> 
> I just wondered whether using svnserve might be slower than svn+ssh...
> 
> Am I wrong?
> 
> (Unfortunately I can't test this myself yet, since I am still unable to 
> get svnserve up and running as expected, see thread "SVN+SSH tunneling 
> problem".)
> 
> Regards,
> Marko
> 


Re: svn+ssh <-> svnserve <= speed concerns

Posted by Alan Barrett <ap...@cequrux.com>.
On Tue, 29 Jul 2008, Ryan Schmidt wrote:
>> But still I have the impression, that operations run quite slow.
>
> It probably has less to do with starting and stopping svnserve all
> the time, and more to do with the cost of starting up one or more ssh
> connections for each svn command.

Yes, that's very likely.  Many people use ssh connection sharing to
mitigate this problem.  If you use openssh, see the documentation for
the ControlMaster and ControlPath configuration options.

--apb (Alan Barrett)
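
The connection sharing Alan points to, as an added example that is not part of the original thread. The function name, the host svn.example.org, the socket directory and the ControlPersist timeout are assumptions; ControlPersist needs a newer OpenSSH than was current when this was posted.

```shell
#!/bin/sh
# Added example: enable OpenSSH connection sharing for one svn+ssh host, so
# repeated svn commands reuse one authenticated connection.
# Usage: enable_ssh_mux <host> [config-file] [socket-dir]
#   e.g. enable_ssh_mux svn.example.org      (hypothetical host name)
enable_ssh_mux() {
  host=$1
  cfg=${2:-"$HOME/.ssh/config"}
  sockdir=${3:-"$HOME/.ssh/mux"}

  # ssh_config(5) recommends a ControlPath directory that other users cannot
  # write to (so not /tmp) and a name that includes %r, %h and %p so each
  # shared connection is uniquely identified.
  mkdir -p "$sockdir" && chmod 700 "$sockdir" || return 1

  # Idempotent: leave an existing stanza for this host alone.
  if [ -f "$cfg" ] && grep -q "^Host[[:space:]]\{1,\}$host\$" "$cfg"; then
    return 0
  fi

  # Create or extend the config with owner-only permissions.
  ( umask 077
    cat >>"$cfg" <<EOF

Host $host
    ControlMaster auto
    ControlPath $sockdir/%r@%h:%p
    ControlPersist 10m
EOF
  )
}
```

With ControlPersist the master connection stays open after the svn command exits; `ssh -O exit <host>` closes it early.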


Re: svn+ssh <-> svnserve <= speed concerns

Posted by Marko Käning <mk...@mch.osram.de>.
Thanks John for your valuable input (concerning thread safety, speed, 
authentication, encryption)! That verified that my setup is not totally 
insane. :)

I just tested the speed issue and came out with the expected result. By 
defining the tunnel with the specific svn user I'm no faster. :)

So it looks like I'll simply stick with my existing ssh infrastructure 
since I need it for other still existing CVS repos anyway.

Will check out apache at some stage, I guess. I avoided this up to now due 
to the simplicity with my few users here.

Regards,
Marko


Re: svn+ssh <-> svnserve <= speed concerns

Posted by John Peacock <jo...@havurah-software.org>.
Marko Käning wrote:
> What I in fact only gain is ISOLATION of my repos from direct access due 
> to many ssh users on a file-basis. Instead only svnserve accesses the 
> repos.

Correct, except that last bit is also true of running svnserve as a 
server.  In both the Apache server and svnserve (as server) cases, the 
repository is accessed by a single account.  You can also accomplish 
that using the svn+ssh with a shared authorized_keys file, but you don't 
have to do it that way.

> Still there can be many users accessing the repos at a time, but that will 
> spawn also many svnserve processes which will handle the access to the 
> repos in a much safer way.

All multiprocess repository access is handled in a safe manner, whether 
you are using Apache, svnserve, local (i.e. file://) access or in fact 
all of the above.  Don't get distracted by this point; Subversion was 
written to be multi-process (e.g. threadsafe) from the very beginning.

What you really need to focus on is:

1) How many users will be accessing the repository total?
2) How many users will be accessing the repository at a single time?
3) How much infrastructure do you want to maintain to handle both 
authentication and authorization?

There isn't One True Answer(TM) to these questions.  With a small group 
of slowly changing users who have complete access to the entire 
repository, svn+ssh:// is a perfectly acceptable solution.  However, with a
large number of users, with a high turnover rate, who each need rights
to only a small portion of the total repository, svn+ssh:// will not
work for you and Apache would be much easier to manage.  Only you can
make those determinations...

John


Re: svn+ssh <-> svnserve <= speed concerns

Posted by Marko Käning <mk...@mch.osram.de>.
Well, so what you say is that by using a single user with an appropriately 
set up authorized_keys file I do not get a speed-up.

What I in fact only gain is ISOLATION of my repos from direct access due 
to many ssh users on a file-basis. Instead only svnserve accesses the 
repos.

Still there can be many users accessing the repos at a time, but that will 
spawn also many svnserve processes which will handle the access to the 
repos in a much safer way.

Did I get this right, eventually?

I guess I am a little dumb... :(


Re: svn+ssh <-> svnserve <= speed concerns

Posted by Ulf Seltmann <se...@digitalzone.de>.
John Peacock wrote:
> It all depends on what you want.  If you want high performance *and* 
> high security, you should probably be using Apache with SSL certificates 
> (client and server).
I don't agree with that. I used apache2+ssl+httpauth, which is nearly
the same except for the certificates. I experienced poor performance
in all svn actions, especially in merging, where it took over 45 minutes,
where svn+ssh (what I use now) takes less than a minute. The
server usage decreased too. So my advice for performance and security is
indisputably svn+ssh.

ciao

Ulf

[1]http://subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=80302


Re: svn+ssh <-> svnserve <= speed concerns

Posted by John Peacock <jo...@havurah-software.org>.
Marko Käning wrote:
> Well, so this slow-down is still present, even if I use svnserve? Of 
> course... I do use svn+ssh...

As I said, when you use svn+ssh, you are not running svnserve as a server 
process, but rather once per connection.  This mode of operation is actually 
much more like using file:// protocol, just remotely.

> So, the only way to make it significantly faster is actually to avoid ssh 
> at all. Is that what you want to say?

It depends on what you are trying to really accomplish:

In terms of performance, svnserve (as a server) has lower overhead (because the 
protocol is simpler) but Apache/DAV using serf on the client can be faster 
overall (because it is more efficient in the reuse of connections).

On the other hand, svnserve has very little in the way of support for fancy 
authentication, whereas in Apache the sky's the limit.

In terms of security, svn+ssh is probably most secure, since the traffic is 
encrypted and you can (as you have already done) require the use of client 
certificates to access the repo which is additionally owned by a single user. 
On the other hand, if what you are most concerned with is over-the-wire 
security, you can accomplish the same thing with https:// and client certificates.

It all depends on what you want.  If you want high performance *and* high 
security, you should probably be using Apache with SSL certificates (client and 
server).

John


Re: svn+ssh <-> svnserve <= speed concerns

Posted by Marko Käning <mk...@mch.osram.de>.
> >Guess that's because svnserve dies after every operation.
> >
> >I think I need to run svnserve continuously...
> 
> It probably has less to do with starting and stopping svnserve all the time,
> and more to do with the cost of starting up one or more ssh connections for
> each svn command.

Well, so this slow-down is still present, even if I use svnserve? Of 
course... I do use svn+ssh...

So, the only way to make it significantly faster is actually to avoid ssh 
at all. Is that what you want to say?

Anyway, having John's comment in mind I might be already somewhat faster 
using svnserve now. Perhaps I'll work out a test case one day to prove
this.


Re: svn+ssh <-> svnserve <= speed concerns

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Jul 29, 2008, at 04:19, Marko Käning wrote:

>> I'll try the one-liner now...
>>
>> I guess that's exactly where my error lies... :)
>
> Thanks again!!! That was it!
>
> Well, another important point was that there must not be any spaces in
> between the commas separating the options at the beginning of the line.
>
> But still I have the impression, that operations run quite slow.
>
> Guess that's because svnserve dies after every operation.
>
> I think I need to run svnserve continuously...

It probably has less to do with starting and stopping svnserve all  
the time, and more to do with the cost of starting up one or more ssh  
connections for each svn command.




Re: svn+ssh <-> svnserve <= speed concerns

Posted by Marko Käning <mk...@mch.osram.de>.
Hi John,

> I'll try the one-liner now...
> 
> I guess that's exactly where my error lies... :) 

Thanks again!!! That was it!

Well, another important point was that there must not be any spaces in
between the commas separating the options at the beginning of the line.

But still I have the impression, that operations run quite slow.

Guess that's because svnserve dies after every operation.

I think I need to run svnserve continuously...


Re: svn+ssh <-> svnserve <= speed concerns

Posted by Marko Käning <mk...@mch.osram.de>.
> I would be *extremely* surprised if svnserve were not /significantly/ faster
> because for every transaction under svn+ssh, you have to:

Oh, I see. Thanks for this info!

> Did you put all of the authorized_keys stuff on a *single line* as you were
> told to?  I use this feature all the time and have no problems whatsoever...

No, because following some example I used "\"'s to break that long line 
up into smaller pieces...

I'll try the one-liner now...

I guess that's exactly where my error lies... :) 


Re: svn+ssh <-> svnserve <= speed concerns

Posted by John Peacock <jo...@havurah-software.org>.
Marko Käning wrote:
> I just wondered whether using svnserve might be slower than svn+ssh...

I would be *extremely* surprised if svnserve were not /significantly/ 
faster because for every transaction under svn+ssh, you have to:

1) open up an ssh connection
2) spawn a one-time svnserve connection on the remote box
3) shutdown the ssh connection (actually kill it to be precise)

It's worse than that, though, since certain svn actions require multiple 
connections, which multiplies those three steps rapidly.

In addition, it is a known bug that svn doesn't reuse existing ssh 
sessions (which ssh2 supports through multiple channels), so even that 
minor improvement is unavailable...

> (Unfortunately I can't test this myself yet, since I am still unable to 
> get svnserve up and running as expected, see thread "SVN+SSH tunneling 
> problem".)

Did you put all of the authorized_keys stuff on a *single line* as you 
were told to?  I use this feature all the time and have no problems 
whatsoever...

John
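
The two authorized_keys mistakes found in this thread (an entry broken across lines with backslashes, and spaces after the commas in the option list) can be caught before sshd silently rejects the key. The linter below is an added example, not code from the thread or from Subversion; the function name and sample entries are constructed, and the set of restrictions it expects (no-port-forwarding, no-agent-forwarding, no-X11-forwarding, no-pty, or restrict) is an assumption about how a shared svn+ssh account should be locked down.

```shell
#!/bin/sh
# Added example: lint one authorized_keys entry for a shared svn+ssh account.
# Prints one finding per line; prints nothing when the entry passes.
lint_authkeys_line() {
  printf '%s\n' "$1" | awk '
  BEGIN { kt = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh[.]com)$" }
  {
    if ($0 ~ /\\$/) { print "continuation: trailing backslash, entry must be one physical line"; next }
    # The option list ends at the first whitespace that is outside double quotes.
    inq = 0; opts = ""; n = length($0)
    for (i = 1; i <= n; i++) {
      c = substr($0, i, 1)
      if (inq && c == "\\") { opts = opts c substr($0, i + 1, 1); i++; continue }
      if (c == "\"") inq = !inq
      else if (!inq && (c == " " || c == "\t")) break
      opts = opts c
    }
    rest = substr($0, i + 1); sub(/^[ \t]+/, "", rest); split(rest, f, /[ \t]+/)
    if (opts ~ kt) { print "no-options: key has no forced command or restrictions"; next }
    if (f[1] !~ kt) { print "option-list: whitespace outside quotes, e.g. a space after a comma"; next }
    if (opts !~ /(^|,)command="[^"]*svnserve[^"]*"/) print "forced-command: command=\"svnserve -t ...\" is missing"
    else if (opts !~ /--tunnel-user=[^ "]+/) print "tunnel-user: commits cannot be attributed to a person"
    lo = tolower("," opts ",")
    if (index(lo, ",restrict,") == 0) {
      m = split("no-port-forwarding no-agent-forwarding no-x11-forwarding no-pty", need, " ")
      for (k = 1; k <= m; k++)
        if (index(lo, "," need[k] ",") == 0) print "restriction: missing " need[k]
    }
  }'
}

# Constructed sample entries (key material is a placeholder, not a real key).
GOOD='command="svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER alice@example'
SPACED='command="svnserve -t --tunnel-user=bob", no-port-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER bob@example'
BROKEN='command="svnserve -t --tunnel-user=carol", \'
BARE='ssh-rsa AAAAPLACEHOLDER dave@example'

for entry in "$GOOD" "$SPACED" "$BROKEN" "$BARE"; do
  printf '%s\n' "--- ${entry%% ssh-rsa*}"
  lint_authkeys_line "$entry"
done
```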
