mochiweb https/ssl
Locked
 
|
Hello,
First of all, I apologize if this question occurs twice. I have tried submitting it couple of hours ago via google groups, but it didn't show up, so I'm trying via e-mail now. I am trying to develop https comet (long polling) server using mochiweb. I have already written one such http server which is in production for couple of months and serves no more than 1000 concurrent users, sending broadcast message to all concurrent users at an average rate of 0.3 broadcast/sec When I added ssl support, it essentially works when smaller number of users (about 100-200) are connected. With larger number, it stops responding correctly i.e. some connection attempts are refused, requests time out etc. Only ssl/https part seems to be affected by this behavior. To better test this, I developed small test mochiweb app which works as follows: 1. Spawn and register singleton broadcast process 2. For each request, the erlang process sends its pid to the broadcast process. Then it waits for the message from the broadcast process 3. Every 5 seconds broadcast process notifies all registered https response processes from 2, then it clears its list of registered processes 4. When process from 2 receives notification, it responds and finishes. In this test implementation, the response is hardcoded short string. For the sake of brevity, I didn't include the test app code, but if necessary I can do so. I then deployed this test app to the server, and set up two client machines to load test the server. The load testing code is also written in erlang, and is using ibrowse for making https requests, since I had some problems with httpc. The test client basically adheres to the protocol described above. It spawns request processes, with each process making the requests in an infinite loop. I gather success/failure stats in a singleton erlang process and print them out in regular intervals. As in the production system, with http, the test server performs correctly. With https, when number of concurrent requests reaches some treshold (about 1000), many requests are not served. On the client machine, I occasionally receive following errors: =ERROR REPORT==== ** State machine <0.17592.0> terminating ** Reason for termination = ** {badarg,[{erlang,byte_size,[undefined]}, {ssl_tls1,split_secret,1}, {ssl_tls1,prf,4}, {ssl_handshake,master_secret,4}, {ssl_connection,handle_resumed_session,2}, {ssl_connection,next_state,3}, {gen_fsm,handle_msg,7}, {proc_lib,init_p_do_apply,3}]} While on the server I occasionally notice following errors: =SUPERVISOR REPORT==== 5-May-2011::11:06:33 === Supervisor: {local,ssl_connection_sup} Context: child_terminated Reason: {{badmatch,{resumed,undefined}}, [{ssl_handshake,hello,4}, {ssl_connection,hello,2}, {ssl_connection,next_state,3}, {gen_fsm,handle_msg,7}, {proc_lib,init_p_do_apply,3}]} Offender: [{pid,<0.7044.2>}, {name,undefined}, {mfargs,{ssl_connection,start_link,undefined}}, {restart_type,temporary}, {shutdown,4000}, {child_type,worker}] I have tried to tweak some OS parameters, as well as erlang parameters, but without success. After three days of experimenting, I am out of ideas and need some help or pointers. I am using Erlang R14B02 on 64 bit Ubuntu 10.04, all the machines are on the EC2 cloud. Following are sysctl.conf settings (I tried some more combinations without success): net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.ipv4.tcp_rmem = 4096 87380 16777216 net.ipv4.tcp_wmem = 4096 65536 16777216 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_mem = 50576 64768 98152 net.core.netdev_max_backlog = 2500 net.ipv4.netfilter.ip_conntrack_max = 1048576 net.ipv4.ip_local_port_range = 1024 65535 net.ipv4.tcp_fin_timeout = 10 Following is ulimit -a output: core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 20 file size (blocks, -f) unlimited pending signals (-i) 16382 max locked memory (kbytes, -l) 64 max memory size (kbytes, -m) unlimited open files (-n) 32000 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) unlimited virtual memory (kbytes, -v) unlimited file locks (-x) unlimited These are mochiweb parameters: [ {port, 9999}, {name, https_test}, {ssl, true}, {ssl_opts, [ {cacertfile, "keys/cacert.pem"}, {certfile, "keys/cert.pem"}, {keyfile, "keys/cert.key"}, {depth, 0} ]} ] To use it on a 443 port, I have set up iptables port forwarding iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp --dport 443 -j REDIRECT --to-ports 9999 These are erl parameters: erl -P 268435456 -env ERL_MAX_PORTS 100000 If anybody has any idea, I would be most grateful. Best regards, Sasa _______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
Hi,
To rule out any issues with the implementation of ssl, I would suggest you use stunnel (http://www.stunnel.org) to firstly do the SSL handling for you. If your https tests work properly with that, then we know it is an issue with the OTP implementation of SSL. If you still have the same problems, it could be a problem with your setup. cheers Chandru On 5 May 2011 23:02, sasa <[hidden email]> wrote:
_______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
|
Hello,
thank you for the reply. It helped me move in the right direction, but I still can't figure out the underlying problem. I have configured stunnel on the test server. The stunnel acted as a https proxy to the http erlang server on the same machine. The behavior was somewhat better - the load test of about 2000 requests would work correctly for about 30 seconds, then all subsequent requests would fail. When using erlang ssl, such load test would fail immediately. I have then moved stunnel proxy to a separate server, and then it worked perfectly. Currently, I am suspecting that cpu load might be the problem. When I had stunnel on the same machine as erlang server, cpu load was going high. The same thing happened when I used erlang ssl. When stunnel is on a separate machine, the cpu load on both machines is fairly low. I cannot explain why it works better with stunnel. Do I have to manually configure ssl sessions when using erlang? As I mentioned earlier, the client does long polling i.e. it sends an request, and as soon as the request is responded, the new one is made. Is it possible that ssl handhsake occurs for every request? Any other ideas? Best regards, Sasa On Fri, May 6, 2011 at 5:51 AM, Chandru <[hidden email]> wrote: > Hi, > > To rule out any issues with the implementation of ssl, I would suggest you > use stunnel (http://www.stunnel.org) to firstly do the SSL handling for you. > If your https tests work properly with that, then we know it is an issue > with the OTP implementation of SSL. If you still have the same problems, it > could be a problem with your setup. > > cheers > Chandru > erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
Re: mochiweb https/ssl
|
Hi!
2011/5/6 sasa <[hidden email]>: > Hello, > thank you for the reply. It helped me move in the right direction, but > I still can't figure out the underlying problem. > > I have configured stunnel on the test server. The stunnel acted as a > https proxy to the http erlang server on the same machine. > > The behavior was somewhat better - the load test of about 2000 > requests would work correctly for about 30 seconds, then all > subsequent requests would fail. When using erlang ssl, such load test > would fail immediately. Where you using the old or the new erlang ssl implementation? Old ssl scales poorly. > I have then moved stunnel proxy to a separate server, and then it > worked perfectly. > > Currently, I am suspecting that cpu load might be the problem. When I > had stunnel on the same machine as erlang server, cpu load was going > high. The same thing happened when I used erlang ssl. When stunnel is > on a separate machine, the cpu load on both machines is fairly low. > > I cannot explain why it works better with stunnel. Do I have to > manually configure ssl sessions when using erlang? As I mentioned > earlier, the client does long polling i.e. it sends an request, and as > soon as the request is responded, the new one is made. Is it possible > that ssl handhsake occurs for every request? If you use new ssl and not make any special configuration it will always automatically try to reuse sessions. (The server can refuse to reuse a session if it wants to) How the old implementation works I can not remember from the top of my head but if you are using the old one I recomend upgrading to the new one. The new one is default in R14* and before that the old one is default. I recomend R14. Regards Ingela Erlang/OTP team - Ericsson AB _______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
|
Hello,
On Fri, 2011-05-06 at 21:30 +0200, Ingela Andin wrote: Where you using the old or the new erlang ssl implementation? Old ssl scales poorly. If you use new ssl and not make any special configuration it will always automatically try to reuse sessions. (The server can refuse to reuse a session if it wants to) How the old implementation works I can not remember from the top of my head but if you are using the old one I recomend upgrading to the new one. The new one is default in R14* and before that the old one is default. I recomend R14. I am using erlang R14B02, so I suppose it is the new ssl. Is there any way I can verify which implementation is actually used? Could it be that I was missing some dependency during the compilation of the erlang and the old ssl is actually used even though it is the version R14? Sasa _______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
|
In reply to this post by sasa
Hi Sasa,
On 6 May 2011 15:17, sasa <[hidden email]> wrote: Hello, Which side do you think they failed? Server or client? I have then moved stunnel proxy to a separate server, and then it
That is quite strange. What is the spec of the machine? This might be a peculiarity of the virtual instances you get on EC2. Is there any chance you can repeat this test on dedicated hardware? When running both on the same machine, have you monitored which process eats more CPU? beam or stunnel? I remember a similar situation in the past trying to run load tests on EC2. It was hard to get a predictable set of results when load testing because the performance for the same test used to fluctuate. I cannot explain why it works better with stunnel. Do I have to I doubt the handshake occurs for every request. It might have something to do with the fact that stunnel is written in C so is likely to benefit in terms of performance. You could try hipe compilation of the ssl application to see if that gives you any better performance. cheers Chandru
_______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
|
Oops, I have accidentally replied to sender, rather than to the group. Sorry :-(
Here goes again for the group... Hello Chandru, thank you for taking the time to read my posts and respond! On Fri, 2011-05-06 at 21:30 +0100, Chandru wrote: The behavior was somewhat better - the load test of about 2000 It's a very good question, since you use the word think :-) I strongly suspect it is the server. There are couple of reasons, most significant one being that the client works perfectly in the configuration where stunnel is on the separate machine. I have then moved stunnel proxy to a separate server, and then it It is the "large" EC2 instance with two cores and 7.5 GB of memory. The same type of instance sustained 12 hours of http load testing with 20 000 clients and is running the production system serving about 700 http users on average (about 1000 at the peak) since January this year. Unfortunately I don't have dedicated hardware available. On monday I will try to test it again using four cores instance on the server. As for your last question, I didn't do exact measuring, but from what I have noticed, the beam was doing some more work. Also, when they were on the separate machines, cpu load of the beam server was 2x higher than the stunnel one. Both combined were significantly smaller (about 10x) then the cpu load which occurred when they were on the same machine. The beam server code is very simple. Unfortunately I don't have it here right now, as I am posting this from my home, but I can post the code on Monday if necessary. I remember a similar situation in the past trying to run load tests on EC2. It was hard to get a predictable set of results when load testing because the performance for the same test used to fluctuate. Yes, I also suspect it is hard to get the exact results on the cloud, which is why I originally mentioned I am using it. However, from the load tests I did couple of months ago, and from the current batch, I feel I can get approximation which is good enough. The tests seemed to work or fail consistently so far. I cannot explain why it works better with stunnel. Do I have to Well it is the erlang client, and in fact, I'm using the ibrowse library and not httpc. There is no explicit ssl connection, but rather an infinite loop of https requests. At the client side, on what level is the SSL session being maintained: OS, erlang or the http(s) library? I will try to hipe compile it, thank you for the suggestion. Are there any instructions out there, which you could recommend, or should I google it myself?
Thank you again for taking the time to help me. Best regards, Sasa _______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
|
In reply to this post by Chandru-4
Hi Sasa,
On 6 May 2011 23:33, sasa <[hidden email]> wrote:
When you do this, try restricting the beam process to two cores and see if you get the same performance as using separate machines. You can do this using the '+S 2' option when starting the node.
ibrowse also uses the in built ssl application, so the SSL session is being maintained by the ssl application running within the beam process.
erl -man hipe :-) cheers Chandru _______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
Re: mochiweb https/ssl
|
In reply to this post by sasa
Hi!
If you want to make sure that you run the new implementation you can use the option {ssl_imp, new} but if you run R14B02 and do not specify {ssl_imp, old} you should get the new one. When looking closer at your earlier post the occational error-report is from the new implementation, so I think that is not the issue. You mentioned that you could provide a test program, if you could send that to me so I can test it agaist the latest ssl code that would be great. All your problems might not have to do with erlang-ssl but it sure looks like there might be atleast one bug that needs fixing. Regards Ingela Erlang/OTP team - Ericsson AB 2011/5/6 sasa <[hidden email]>: > Hello, > > On Fri, 2011-05-06 at 21:30 +0200, Ingela Andin wrote: > > Where you using the old or the new erlang ssl implementation? Old ssl > scales poorly. > > If you use new ssl and not make any special configuration it will > always automatically > try to reuse sessions. (The server can refuse to reuse a session if it wants > to) > How the old implementation works I can not remember from the > top of my head but if you are using the old one I recomend upgrading > to the new one. > The new one is default in R14* and before that the old one is default. > I recomend R14. > > I am using erlang R14B02, so I suppose it is the new ssl. Is there any way I > can verify which implementation is actually used? Could it be that I was > missing some dependency during the compilation of the erlang and the old ssl > is actually used even though it is the version R14? > > Sasa > _______________________________________________ > erlang-questions mailing list > [hidden email] > http://erlang.org/mailman/listinfo/erlang-questions > > erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
|
Hello,
First of all I would like to say that I tested the server on a 4 cores instance and it works very nicely with 2000 users. The load average is about 0.3 (it was about 9-10 with 2 cores), so it looks very good. I'll test with a larger number of clients, but so far it's a very big improvement. Unfortunately, as I switched to a larger instance, I immediately configured erlang with --enable-hipe so I'm not sure if that caused an improvement or is it due to the more CPU power. I'll play some more to find out. In any case, below is the code for the server. I don't know if I can post attachments to the mailing list so I embedded the code inline. The client code is very untidy at the moment, so I didn't include it. Basically it amounts to N processes which do following: ibrowse:send_req(Url, The server is in the file ssl_server.erl. I also didn't provide the SSL keys.
-module(ssl_server). -export([start/0]). -define(HTTPS_OPTS, [ {port, 9999}, {name, https_test}, {ssl, true},
{ssl_opts, [ {ssl_imp, new}, {cacertfile, "keys/cacert.pem"}, {certfile, "keys/cert.pem"}, {keyfile, "keys/cert.key"},
{depth, 0} ]} ]). -define(HTTP_OPTS, [ {port, 8888}, {name, http_test} ]). start() -> application:start(crypto),
application:start(ssl), {ok, FeederPid} = start_feed(), Loop = fun(Req) -> dispatch(Req, FeederPid) end, {ok, Https} = mochiweb_http:start([{loop, Loop} | ?HTTPS_OPTS]),
{ok, Http} = mochiweb_http:start([{loop, Loop} | ?HTTP_OPTS]), wait_loop(). wait_loop() -> timer:sleep(60000), wait_loop(). % invoked from mochi web for each request
dispatch(Req, FeederPid) -> FeederPid ! {add, self()}, % register with the feeder receive {respond, Message} -> % on feeder signal Req:ok({"text/plain", Message})
after 10000 -> Req:not_found() % timeout end. start_feed() -> FeederPid = proc_lib:spawn_link(fun feeder/0), % start feeder process proc_lib:spawn_link(fun() -> heartbeat(FeederPid) end), % start heartbeat process
{ok, FeederPid}. % heartbeat - signal feeder in regular intervals heartbeat(Feeder) -> timer:sleep(5000), Feeder ! {broadcast, "message"},
heartbeat(Feeder). % feeder feeder() -> feeder([]). feeder(Children) -> NewChildren = receive {add, Child} -> % child registered
[Child | Children]; {broadcast, Message} -> % heartbeat signaled io:format("broadcasting to ~p processes~n", [length(Children)]), lists:foreach(fun(Child) -> Child ! {respond, Message} end, Children), [] end, feeder(NewChildren). Best regards, Sasa On Mon, May 9, 2011 at 9:59 AM, Ingela Andin <[hidden email]> wrote: > Hi! > > If you want to make sure that you run the new implementation you can use the > option {ssl_imp, new} but if you run R14B02 and do not specify {ssl_imp, old} > you should get the new one. When looking closer at your earlier post > the occational error-report > is from the new implementation, so I think that is not the issue. You > mentioned that you could > provide a test program, if you could send that to me so I can test it > agaist the latest ssl code > that would be great. All your problems might not have to do with > erlang-ssl but it sure looks like > there might be atleast one bug that needs fixing. > > Regards Ingela Erlang/OTP team - Ericsson AB > > 2011/5/6 sasa <[hidden email]>: >> Hello, >> >> On Fri, 2011-05-06 at 21:30 +0200, Ingela Andin wrote: >> >> Where you using the old or the new erlang ssl implementation? Old ssl >> scales poorly. >> >> If you use new ssl and not make any special configuration it will >> always automatically >> try to reuse sessions. (The server can refuse to reuse a session if it wants >> to) >> How the old implementation works I can not remember from the >> top of my head but if you are using the old one I recomend upgrading >> to the new one. >> The new one is default in R14* and before that the old one is default. >> I recomend R14. >> >> I am using erlang R14B02, so I suppose it is the new ssl. Is there any way I >> can verify which implementation is actually used? Could it be that I was >> missing some dependency during the compilation of the erlang and the old ssl >> is actually used even though it is the version R14? >> >> Sasa >> _______________________________________________ >> erlang-questions mailing list >> [hidden email] >> http://erlang.org/mailman/listinfo/erlang-questions >> >> > _______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
|
|
In reply to this post by sasa
Hello,
I spent last week fighting with SSL problems without success. Eventually I switched to the stunnel based SSL which delegates to Erlang HTTP server. Following are the characteristics of the behavior I experienced last week. These are a bit different than the original ones, but I didn't want to open new topic. I am posting this in case someone is stuck with the similar behavior.
1. The mochiweb http server runs without problems since the beginning of the year. It also servers some small number of SSL users. The server is the same erlang application running on the same node.
2. Every day of the last week, in the morning, I would force the users to use SSL (https) rather than http. 3. The server then works fine for couple of hours. 4. At one point, the servers starts responding very slowly. Restart of the erlang application, node, or even the machine doesn't help.
5. At the same time, the http server (which is the same application on the same node) is working fine. 6. Kernel tuning didn't help. 7. I don't notice anything strange in erlang log or on the OS level.
8. In my application log, it seems as if most connections are not even established. The same thing is confirmed from netstat output. The number of connections is smaller than expected. It looks as if new requests are queued somewhere or some main accept/listen loop is processing them slowly.
9. The CPU usage is low as well as the memory usage. After forcing users back to http, the problems disappeared. The server could then normally serve smaller number of SSL users. It seems to me that the problem is somewhere in the mochiweb/erlang. After switching to stunnel, which is in front of that same mochiweb application, everything is working nicely. I should note that stunnel uses more CPU.
I am not quite sure why is it not working for me. I had load tests which performed fine. Maybe the problem is that my real users are constantly connecting/disconnecting, closing browsers during the request etc. I didn't load test this type of users.
In any case, the behavior described above occurred every day, and was resolved when switching to stunnel SSL. I am sorry it didn't work out for me. I would be happier to use erlang SSL, so I'll try again when the new version is released.
Regards, Sasa
On Fri, May 6, 2011 at 12:02 AM, sasa <[hidden email]> wrote:
_______________________________________________ erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
Re: mochiweb https/ssl
|
|
Hi!
I have investigated this and corrected a small bug when handling session invalidation that caused your occasional error printouts. But I think your main problem is that erlang ssl conforms to the standard and invalidates sessions when the peer closes a connection without sending a ssl protocol close notify message. However in TLS 1.1, failure to properly close a connection no longer requires that a session not be resumed. This is a change from TLS 1.0 to conform with widespread implementation practice. So we have decided to change erlang ssl to conform to widespread implementation practice. Regards Ingela Erlang/OTP team - Ericsson AB 2011/5/17 sasa <[hidden email]>: > Hello, > I spent last week fighting with SSL problems without success. Eventually I > switched to the stunnel based SSL which delegates to Erlang HTTP server. > Following are the characteristics of the behavior I experienced last week. > These are a bit different than the original ones, but I didn't want to open > new topic. I am posting this in case someone is stuck with the similar > behavior. > 1. The mochiweb http server runs without problems since the beginning of the > year. It also servers some small number of SSL users. The server is the same > erlang application running on the same node. > 2. Every day of the last week, in the morning, I would force the users to > use SSL (https) rather than http. > 3. The server then works fine for couple of hours. > 4. At one point, the servers starts responding very slowly. Restart of the > erlang application, node, or even the machine doesn't help. > 5. At the same time, the http server (which is the same application on the > same node) is working fine. > 6. Kernel tuning didn't help. > 7. I don't notice anything strange in erlang log or on the OS level. > 8. In my application log, it seems as if most connections are not even > established. The same thing is confirmed from netstat output. The number of > connections is smaller than expected. It looks as if new requests are queued > somewhere or some main accept/listen loop is processing them slowly. > 9. The CPU usage is low as well as the memory usage. > After forcing users back to http, the problems disappeared. The server could > then normally serve smaller number of SSL users. > It seems to me that the problem is somewhere in the mochiweb/erlang. After > switching to stunnel, which is in front of that same mochiweb application, > everything is working nicely. I should note that stunnel uses more CPU. > I am not quite sure why is it not working for me. I had load tests which > performed fine. Maybe the problem is that my real users are constantly > connecting/disconnecting, closing browsers during the request etc. I didn't > load test this type of users. > In any case, the behavior described above occurred every day, and was > resolved when switching to stunnel SSL. > I am sorry it didn't work out for me. I would be happier to use erlang SSL, > so I'll try again when the new version is released. > Regards, > Sasa > > On Fri, May 6, 2011 at 12:02 AM, sasa <[hidden email]> wrote: >> >> Hello, >> >> First of all, I apologize if this question occurs twice. I have tried >> submitting it couple of hours ago via google groups, but it didn't show up, >> so I'm trying via e-mail now. >> >> I am trying to develop https comet (long polling) server using mochiweb. I >> have already written one such http server which is in production for couple >> of months and serves no more than 1000 concurrent users, sending broadcast >> message to all concurrent users at an average rate of 0.3 broadcast/sec >> >> When I added ssl support, it essentially works when smaller number of >> users (about 100-200) are connected. With larger number, it stops responding >> correctly i.e. some connection attempts are refused, requests time out etc. >> Only ssl/https part seems to be affected by this behavior. >> >> To better test this, I developed small test mochiweb app which works as >> follows: >> 1. Spawn and register singleton broadcast process >> 2. For each request, the erlang process sends its pid to the broadcast >> process. Then it waits for the message from the broadcast process >> 3. Every 5 seconds broadcast process notifies all registered https >> response processes from 2, then it clears its list of registered processes >> 4. When process from 2 receives notification, it responds and finishes. >> >> In this test implementation, the response is hardcoded short string. For >> the sake of brevity, I didn't include the test app code, but if necessary I >> can do so. >> >> >> I then deployed this test app to the server, and set up two client >> machines to load test the server. The load testing code is also written in >> erlang, and is using ibrowse for making https requests, since I had some >> problems with httpc. The test client basically adheres to the protocol >> described above. It spawns request processes, with each process making the >> requests in an infinite loop. I gather success/failure stats in a singleton >> erlang process and print them out in regular intervals. >> >> As in the production system, with http, the test server performs >> correctly. With https, when number of concurrent requests reaches some >> treshold (about 1000), many requests are not served. >> >> On the client machine, I occasionally receive following errors: >> =ERROR REPORT==== >> ** State machine <0.17592.0> terminating >> >> ** Reason for termination = >> ** {badarg,[{erlang,byte_size,[undefined]}, >> {ssl_tls1,split_secret,1}, >> {ssl_tls1,prf,4}, >> {ssl_handshake,master_secret,4}, >> {ssl_connection,handle_resumed_session,2}, >> {ssl_connection,next_state,3}, >> {gen_fsm,handle_msg,7}, >> {proc_lib,init_p_do_apply,3}]} >> >> >> While on the server I occasionally notice following errors: >> =SUPERVISOR REPORT==== 5-May-2011::11:06:33 === >> Supervisor: {local,ssl_connection_sup} >> Context: child_terminated >> Reason: {{badmatch,{resumed,undefined}}, >> [{ssl_handshake,hello,4}, >> {ssl_connection,hello,2}, >> {ssl_connection,next_state,3}, >> {gen_fsm,handle_msg,7}, >> {proc_lib,init_p_do_apply,3}]} >> Offender: [{pid,<0.7044.2>}, >> {name,undefined}, >> {mfargs,{ssl_connection,start_link,undefined}}, >> {restart_type,temporary}, >> {shutdown,4000}, >> {child_type,worker}] >> >> >> I have tried to tweak some OS parameters, as well as erlang parameters, >> but without success. After three days of experimenting, I am out of ideas >> and need some help or pointers. >> >> I am using Erlang R14B02 on 64 bit Ubuntu 10.04, all the machines are on >> the EC2 cloud. >> >> Following are sysctl.conf settings (I tried some more combinations without >> success): >> net.core.rmem_max = 16777216 >> net.core.wmem_max = 16777216 >> net.ipv4.tcp_rmem = 4096 87380 16777216 >> net.ipv4.tcp_wmem = 4096 65536 16777216 >> net.ipv4.tcp_syncookies = 1 >> >> net.ipv4.tcp_mem = 50576 64768 98152 >> net.core.netdev_max_backlog = 2500 >> net.ipv4.netfilter.ip_conntrack_max = 1048576 >> >> net.ipv4.ip_local_port_range = 1024 65535 >> >> net.ipv4.tcp_fin_timeout = 10 >> >> >> >> Following is ulimit -a output: >> core file size (blocks, -c) 0 >> data seg size (kbytes, -d) unlimited >> scheduling priority (-e) 20 >> file size (blocks, -f) unlimited >> pending signals (-i) 16382 >> max locked memory (kbytes, -l) 64 >> max memory size (kbytes, -m) unlimited >> open files (-n) 32000 >> pipe size (512 bytes, -p) 8 >> POSIX message queues (bytes, -q) 819200 >> real-time priority (-r) 0 >> stack size (kbytes, -s) 8192 >> cpu time (seconds, -t) unlimited >> max user processes (-u) unlimited >> virtual memory (kbytes, -v) unlimited >> file locks (-x) unlimited >> >> >> >> These are mochiweb parameters: >> [ >> {port, 9999}, >> {name, https_test}, >> {ssl, true}, >> {ssl_opts, [ >> {cacertfile, "keys/cacert.pem"}, >> {certfile, "keys/cert.pem"}, >> {keyfile, "keys/cert.key"}, >> {depth, 0} >> ]} >> ] >> >> >> To use it on a 443 port, I have set up iptables port forwarding >> iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp >> --dport 443 -j REDIRECT --to-ports 9999 >> >> >> These are erl parameters: >> erl -P 268435456 -env ERL_MAX_PORTS 100000 >> >> >> >> If anybody has any idea, I would be most grateful. >> >> >> Best regards, >> Sasa > > _______________________________________________ > erlang-questions mailing list > [hidden email] > http://erlang.org/mailman/listinfo/erlang-questions > > erlang-questions mailing list [hidden email] http://erlang.org/mailman/listinfo/erlang-questions |
«
Return to Erlang Questions
|
1 view|%1 views
Loading...
| Powered by Nabble | Edit this page |