Problem with mupdate/sasl and random entropy [Re: Setting multiples acls in cyrus/murder slows down to a crawl]

Farzad FARID ffarid at pragmatic-source.com
Mon Oct 16 12:09:25 EDT 2006 

Hi,

So, once again I'll anwser my own question ;) The cyradm session slows
down suddenly because the numerous sasl authentications the imap server
does when connecting to the mupdate server completely drain the
/dev/random entropy generator... Because I don't want to recompile
cyrus-sasl (and the hardware random number generator on my Dell servers
doesn't seem to work), I made a symlink from /dev/urandom to /dev/random
and it solved the problem.

Yet I have 2 other questions:

    * Why isn't the RNG used by cyrus-sasl configurable at runtime, but
      only at compile-time? OpenLDAP has a config option called
      "TLSRandFile" for this.
    * Why does the imap server (on which I'm connected with cyradm)
      establish a new connection to mupdate for *every single call* to
      "setaclmailbox user.XXXX cyrus kxa"? Because I change the ACL of
      400 mailboxes, imap must reauthenticate 400 times in a row.


Regards


Farzad FARID wrote:
> Hi,
>
> I write a script for cyradm to set the ACLs for all the users, like this:
>
> setaclmailbox user.perez cyrus kxa
> setaclmailbox user.pirat cyrus kxa
> setaclmailbox user.plouvier cyrus kxa
> setaclmailbox user.pruche cyrus kxa
> setaclmailbox user.seltani cyrus kxa
> setaclmailbox user.serre cyrus kxa
> setaclmailbox user.solers cyrus kxa
> ...[400 accounts]...
>
> I  then feed the script to cyradm. But after 10 lines, the execution
> suddenly slows down to a crawl, and only one "setaclmailbox" every 10 or
> 20 seconds is executed.
>
> I'm running a unified  cyrus murder 2.3.7, with 2 imap servers and 1
> mupdate server. I ran the script only on one imap server, and all the
> accounts belong to this server.
> These are the logs I see on the mupdate server. The imap server keeps
> connecting/disconnecting from the mupdate server, and the mupdate server
> seems to spend a lot of time in either cmd_find or cmd_set.
>
> Oct 13 12:19:04 oban cyrus/mupdate[23028]: login:
> aberlour.srv.in.karavel.com [10.12.17.44] aberlour DIGEST-MD5 User logged in
> Oct 13 12:19:04 oban cyrus/mupdate[23028]: cmd_set(fd:15, user.fboudali)
> Oct 13 12:19:04 oban cyrus/mupdate[23028]: cmd_find(fd:17, user.fboudali)
> Oct 13 12:19:05 oban cyrus/mupdate[23028]: accepted connection
> Oct 13 12:19:05 oban cyrus/mupdate[23028]: telling master 4
> Oct 13 12:19:05 oban cyrus/master[22804]: service mupdate pid 23028 in
> READY state: serving one more multi-threaded connection
> Oct 13 12:19:05 oban cyrus/master[22804]: service mupdate now has 1
> ready workers
> Oct 13 12:19:06 oban cyrus/mupdate[23028]: cmd_find(fd:14, user.fboudali)
> Oct 13 12:19:23 oban cyrus/mupdate[23028]: login:
> aberlour.srv.in.karavel.com [10.12.17.44] aberlour DIGEST-MD5 User logged in
> Oct 13 12:19:23 oban cyrus/mupdate[23028]: cmd_set(fd:15, user.bpincede)
> Oct 13 12:19:23 oban cyrus/mupdate[23028]: cmd_find(fd:17, user.bpincede)
> Oct 13 12:19:24 oban cyrus/mupdate[23028]: accepted connection
> Oct 13 12:19:24 oban cyrus/mupdate[23028]: telling master 4
> Oct 13 12:19:24 oban cyrus/master[22804]: service mupdate pid 23028 in
> READY state: serving one more multi-threaded connection
> Oct 13 12:19:24 oban cyrus/master[22804]: service mupdate now has 1
> ready workers
> Oct 13 12:19:26 oban cyrus/mupdate[23028]: cmd_find(fd:14, user.bpincede)
> Oct 13 12:19:29 oban cyrus/mupdate[23028]: login:
> aberlour.srv.in.karavel.com [10.12.17.44] aberlour DIGEST-MD5 User logged in
> Oct 13 12:19:29 oban cyrus/mupdate[23028]: cmd_set(fd:15, user.albonnefoy)
> Oct 13 12:19:29 oban cyrus/mupdate[23028]: cmd_find(fd:17, user.albonnefoy)
> Oct 13 12:19:29 oban cyrus/mupdate[23028]: accepted connection
> Oct 13 12:19:29 oban cyrus/mupdate[23028]: telling master 4
> Oct 13 12:19:29 oban cyrus/master[22804]: service mupdate pid 23028 in
> READY state: serving one more multi-threaded connection
> Oct 13 12:19:29 oban cyrus/master[22804]: service mupdate now has 1
> ready workers
> Oct 13 12:19:29 oban cyrus/mupdate[23028]: login:
> aberlour.srv.in.karavel.com [10.12.17.44] aberlour DIGEST-MD5 User logged in
>
> When I try to trace the mupdate threads, all I see is that the threads
> seem to spend a lot a time waiting on locks (futex on the linux
> implementation of threads), and very little time reading or writing any
> file.
>
> Can anybody explain this to me and help me debug it? Or is there another
> way to set hundreds of ACLs in a row?
>
>  Regards
>
>   


-- 
Farzad FARID <ffarid at pragmatic-source.com>
Architecte Open Source / Pragmatic Source
http://www.pragmatic-source.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20061016/53399e94/attachment.html

More information about the Info-cyrus mailing list