Re: Extremely slow director on Centos

[Somsak Sriprayoonsakul <somsaks@xxxxxxxxx>]

Thank you very much for the explanation! That really clear the fog for me.

Anyways, I still have to enable the firewall rule since the customer 
will not be pleased if they acknowledge the absent of firewall. Somehow 
the connection/second is quite impressive already. Almost no overhead 
for 4 real servers.
Roberto Nibali wrote:
> > The problem has been solved. It's something related to iptables.
> >     
> As expected, it's netfilter and the connection tracking. If you want
> high performance load balancing, do _not_ use netfilter; especially the
> connection tracking. It just does not scale. Simply loading ip_conntrack
> into the kernel makes your packet rate drop by 60 kpps on a 1Gbit/s
> connection.
>
>  
> > Stopping iptables on director and the connection rate goes from 200 to
> > Nx2000, where N is the number of real server.
> >     
> Very well, so LVS works well for you.
>
>  
> > After that, I tried to
> > figure out which iptables rules conflict with ipvs and found that it's
> > default argument generated from system-config-securitylevel that cause
> > this. Replace "-m state --state NEW -m tcp -p tcp --dport 80" with just
> > "-m tcp -p tcp --dport 80" make everything works perfectly.
> >     
> It's not a conflict, it's the connection tracking core which is
> extremely slow. There's ongoing effort from the netfilter people to
> improve this state.
>
> Regards,
> Roberto Nibali, ratz
>   

--
----------------------------------------------------------------------------------- 

Somsak Sriprayoonsakul

Scalable Computing Lab
High Performance Computing and Networking Center
Kasetsart University
ssy@xxxxxxxxxxxxxxxxxx
-----------------------------------------------------------------------------------