Posted to common-issues@hadoop.apache.org by "Jonathan Hung (Jira)" <ji...@apache.org> on 2020/03/26 18:32:00 UTC

[jira] [Commented] (HADOOP-15743) Jetty and SSL tunings to stabilize KMS performance

    [ https://issues.apache.org/jira/browse/HADOOP-15743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17067936#comment-17067936 ] 

Jonathan Hung commented on HADOOP-15743:
----------------------------------------

[~daryn] where did you find the config {{javax.net.ssl.sessionCacheTimeout}}? I didn't see anything online related to this config, or any references to it in OpenJDK. I only see the {{setSessionTimeout}} API (which takes seconds) and no associated Java property.

> Jetty and SSL tunings to stabilize KMS performance 
> ---------------------------------------------------
>
>                 Key: HADOOP-15743
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15743
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Daryn Sharp
>            Priority: Major
>
> The KMS has very low throughput with high client failure rates.  The following config options will "stabilize" the KMS under load:
>  # Disable ECDH algos because java's SSL engine is inexplicably HORRIBLE.
>  # Reduce SSL session cache size (unlimited) and ttl (24h).  The memory cache has very poor performance and causes extreme GC collection pressure. Load balancing diminishes the effectiveness of the cache to 1/N-hosts anyway.
>  ** -Djavax.net.ssl.sessionCacheSize=1000
>  ** -Djavax.net.ssl.sessionCacheTimeout=6
>  # Completely disable thread LowResourceMonitor to stop jetty from immediately closing incoming connections during connection bursts.  Client retries cause jetty to remain in a low resource state until many clients fail and cause thousands of sockets to linger in various close related states.
>  # Set min/max threads to 4x processors.   Jetty recommends only 50 to 500 threads.  Java's SSL engine has excessive synchronization that limits performance anyway.
>  # Set https idle timeout to 6s.
>  # Significantly increase max fds to at least 128k.  Recommend using a VIP load balancer with a lower limit.


