SlideShare ist ein Scribd-Unternehmen logo

PHP at Density and Scale (Lone Star PHP 2014)

David Timothy Strauss
David Timothy Strauss

Mixing performance, configurability, density, and security at scale has, historically, been hard with PHP. Early approaches have involved CGIs, suhosin, or multiple Apache instances. Then came PHP-FPM. At Pantheon, we've taken PHP-FPM, integrated it with cgroups, namespaces, and systemd socket activation. We use it to deliver all of our goals at unheard-of densities: thousands and thousands of isolated pools per box.

Technologie
1 von 23
Downloaden Sie, um offline zu lesen
PHP at Density and Scale ...with security and consistent performance
About Me ● Four Kitchens ● Drupal.org ● Pressflow ● Pantheon ● systemd
Broadly Defining Security Your data... 1. Is accessible to the right people (access) 2. Isn’t to anyone else (access) 3. Is usable (quality of service)
Topics ● Performance ○ Socket activation ○ Automount/autofs ○ cgroups ○ “Customer Experience Monitor” ○ Migration ● Security ○ Users ○ Namespaces ○ Defense-in-depth ○ Non-disruptive fixes
Challenge: PHP-FPM Overhead ● Using a full PHP-FPM instance per stack ○ Isolated opcode cache space ○ Defense-in-depth against PHP issues ○ Low-impact reconfiguration ● Idle PHP-FPMs take ~0.5% of a core each ○ At 10k dense, that’s over six cores ● Initial solution used error capture in nginx ○ Masked real failures to connect to PHP-FPM ○ Slower than necessary ○ Production use of HTTP 418 (arguably a bonus)
Traditional server sockets: overview ... nginx TCP 80 Client nginx TCP 81 If you want a service available, the daemon has to be running.
Socket activation: overview systemd TCP 80 Client TCP 81 nginxfd=3 Only a socket in systemd has to run for service availability.
Socket activation: details ● systemd squats on all listeners ○ Looks for incoming traffic with EPOLL ○ Starts the services/containers on-demand ○ Passes socket to daemon as fd=3+ ● Not a proxy (same performance) ● No client awareness ● No CPU or memory overhead when idle
Socket activation: Pantheon’s use ● nginx and PHP-FPM ● MariaDB soon ○ Using an alternative now ● Allows 90%+ containers to be idle ● Makes bootup sensible ● Reconfiguration pattern is stop, not restart
Socket Activation Demo Demoed this at NYC Camp a few weeks ago
Automount/autofs ● Like socket activation for file system mounts ○ Kernel squats on mount path and looks for traffic ○ Brings up file mount lazily ● Used for FuseDAV (Valhalla client)
Automount Demo
Challenge: Resource Availability ● Per-site load isn’t predictable ● Different sites compete for resources ○ Between customers ○ Among customers’ own sites ● Traditional prioritization isn’t adequate ○ VMs are too heavyweight ○ Tools like “nice” can cause starvation ○ Generally want burstability
cgroups ● Many options ○ Pantheon uses CPUShares and BlockIOWeight ● Keeps things fair under contention ○ Kind of like adding purple ropes when people are queueing
Contention with cgroups Demo
Customer Experience Monitor ● Runs a representative Drupal site on every container host ● Reports scores to the API and monitoring ● Influences migration and container placement
Migration ● At density, rebalancing is important ● Keep state lightweight ○ No OS ○ No runtime ● Mutiny: migration as replication + promotion
Challenge: Security Isolation ● Many users ● One kernel ● VMs too heavyweight ● Users run their own code ● Can’t betray expectations ○ Many users develop locally and push code ○ Some customers import existing, working sites
Isolation for security ● Users ● Namespaces ● Seccomp filters
Defense in depth ● Application ○ Drupal ● Runtime ○ nginx, PHP-FPM, FuseDAV ● Container: “binding” certificate ○ Linux user, namespaces, etc. ● Container host: “endpoint” certificate ○ Only trusted for the containers assigned ● Platform: root certificate
Challenge: Security Responses ● Traditional approach too big a hammer ○ Rebooting hundreds of hosts with 10k+ containers each would be a fail-over storm ○ Basic customers don’t have fail-over ○ Not going to pack it less dense ● Customers can run own code ○ May load executables and libraries themselves
Non-disruptive fixes ● Kernel upgrades via migration ● Rolling daemon and library upgrades ○ Heartbleed
Heartbleed Fix Demo

Empfohlen

Effective service and resource management with systemd
Effective service and resource management with systemdEffective service and resource management with systemd
Effective service and resource management with systemdDavid Timothy Strauss
 
Basic of Systemd
Basic of SystemdBasic of Systemd
Basic of SystemdPraveen Kumar
 
Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12Gábor Nyers
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureAnne Nicolas
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking MechanismsKernel TLV
 
Linux Kernel Init Process
Linux Kernel Init ProcessLinux Kernel Init Process
Linux Kernel Init ProcessKernel TLV
 
protothread and its usage in contiki OS
protothread and its usage in contiki OSprotothread and its usage in contiki OS
protothread and its usage in contiki OSSalah Amean
 
Linux fundamental - Chap 08 proc
Linux fundamental - Chap 08 procLinux fundamental - Chap 08 proc
Linux fundamental - Chap 08 procKenny (netman)
 

Empfohlen

Effective service and resource management with systemd
Effective service and resource management with systemdEffective service and resource management with systemd
Effective service and resource management with systemdDavid Timothy Strauss
 
Basic of Systemd
Basic of SystemdBasic of Systemd
Basic of SystemdPraveen Kumar
 
Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12Gábor Nyers
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureAnne Nicolas
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking MechanismsKernel TLV
 
Linux Kernel Init Process
Linux Kernel Init ProcessLinux Kernel Init Process
Linux Kernel Init ProcessKernel TLV
 
protothread and its usage in contiki OS
protothread and its usage in contiki OSprotothread and its usage in contiki OS
protothread and its usage in contiki OSSalah Amean
 
Linux fundamental - Chap 08 proc
Linux fundamental - Chap 08 procLinux fundamental - Chap 08 proc
Linux fundamental - Chap 08 procKenny (netman)
 
Multicore
MulticoreMulticore
MulticoreMark Veltzer
 
Linux logging
Linux loggingLinux logging
Linux loggingMark Veltzer
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
 
Barcamp presentation
Barcamp presentationBarcamp presentation
Barcamp presentationVachagan Balayan
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganetikawamuray
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroupsKernel TLV
 
Cuda 2
Cuda 2Cuda 2
Cuda 2Anshul Sharma
 
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...Anne Nicolas
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneAnne Nicolas
 
Driver_linux
Driver_linuxDriver_linux
Driver_linuxSayanton Vhaduri
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgKenny (netman)
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaXKernel TLV
 
Modern net bsd kernel module
Modern net bsd kernel moduleModern net bsd kernel module
Modern net bsd kernel moduleMasaru Oki
 
Contiki introduction I.
Contiki introduction I.Contiki introduction I.
Contiki introduction I.Dingxin Xu
 
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...Red Hat Developers
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
SDE TP 4 - Processus
SDE TP 4 - ProcessusSDE TP 4 - Processus
SDE TP 4 - ProcessusAlexandru Radovici
 
DOXLON November 2016: Facebook Engineering on cgroupv2
DOXLON November 2016: Facebook Engineering on cgroupv2DOXLON November 2016: Facebook Engineering on cgroupv2
DOXLON November 2016: Facebook Engineering on cgroupv2Outlyer
 
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...Anne Nicolas
 
Scalable Drupal Infrastructure
Scalable Drupal InfrastructureScalable Drupal Infrastructure
Scalable Drupal InfrastructureDavid Timothy Strauss
 
Integrating Drupal into your Enterprise Architecture
Integrating Drupal into your Enterprise ArchitectureIntegrating Drupal into your Enterprise Architecture
Integrating Drupal into your Enterprise ArchitectureAcquia
 

Weitere ähnliche Inhalte

Was ist angesagt?

Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganetikawamuray
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroupsKernel TLV
 
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...Anne Nicolas
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneAnne Nicolas
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgKenny (netman)
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaXKernel TLV
 
Modern net bsd kernel module
Modern net bsd kernel moduleModern net bsd kernel module
Modern net bsd kernel moduleMasaru Oki
 
Contiki introduction I.
Contiki introduction I.Contiki introduction I.
Contiki introduction I.Dingxin Xu
 
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...Red Hat Developers
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
DOXLON November 2016: Facebook Engineering on cgroupv2
DOXLON November 2016: Facebook Engineering on cgroupv2DOXLON November 2016: Facebook Engineering on cgroupv2
DOXLON November 2016: Facebook Engineering on cgroupv2Outlyer
 
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...Anne Nicolas
 

Was ist angesagt? (20)

Multicore
MulticoreMulticore
Multicore
 
Linux logging
Linux loggingLinux logging
Linux logging
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
 
Barcamp presentation
Barcamp presentationBarcamp presentation
Barcamp presentation
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganeti
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroups
 
Cuda 2
Cuda 2Cuda 2
Cuda 2
 
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
 
Driver_linux
Driver_linuxDriver_linux
Driver_linux
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkg
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaX
 
Modern net bsd kernel module
Modern net bsd kernel moduleModern net bsd kernel module
Modern net bsd kernel module
 
Contiki introduction I.
Contiki introduction I.Contiki introduction I.
Contiki introduction I.
 
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...
How To Get The Most Out Of Your Hibernate, JBoss EAP 7 Application (Ståle Ped...
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
 
SDE TP 4 - Processus
SDE TP 4 - ProcessusSDE TP 4 - Processus
SDE TP 4 - Processus
 
DOXLON November 2016: Facebook Engineering on cgroupv2
DOXLON November 2016: Facebook Engineering on cgroupv2DOXLON November 2016: Facebook Engineering on cgroupv2
DOXLON November 2016: Facebook Engineering on cgroupv2
 
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...
Kernel Recipes 2018 - New GPIO interface for linux user space - Bartosz Golas...
 

Andere mochten auch

Integrating Drupal into your Enterprise Architecture
Integrating Drupal into your Enterprise ArchitectureIntegrating Drupal into your Enterprise Architecture
Integrating Drupal into your Enterprise ArchitectureAcquia
 
Mobile-izing Your Organization with Drupal: Acquia webinar
Mobile-izing Your Organization with Drupal: Acquia webinarMobile-izing Your Organization with Drupal: Acquia webinar
Mobile-izing Your Organization with Drupal: Acquia webinarTom Deryckere
 
Iksula Drupal Solutions
Iksula Drupal SolutionsIksula Drupal Solutions
Iksula Drupal SolutionsIksula
 
Scalable PHP Applications With Cassandra
Scalable PHP Applications With CassandraScalable PHP Applications With Cassandra
Scalable PHP Applications With CassandraAndrea De Pirro
 
Amazon Web Services Building Blocks for Drupal Applications and Hosting
Amazon Web Services Building Blocks for Drupal Applications and HostingAmazon Web Services Building Blocks for Drupal Applications and Hosting
Amazon Web Services Building Blocks for Drupal Applications and HostingAcquia
 
Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...
Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...
Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...Miguel Gallardo
 
¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...
¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...
¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...Raona
 
WCM-5 WCM Solutions with Drupal and Alfresco
WCM-5 WCM Solutions with Drupal and AlfrescoWCM-5 WCM Solutions with Drupal and Alfresco
WCM-5 WCM Solutions with Drupal and AlfrescoAlfresco Software
 
e-Commerce web app Architecture and Scalability
e-Commerce web app Architecture and Scalabilitye-Commerce web app Architecture and Scalability
e-Commerce web app Architecture and ScalabilityAryashree Pritikrishna
 

Andere mochten auch (11)

Scalable Drupal Infrastructure
Scalable Drupal InfrastructureScalable Drupal Infrastructure
Scalable Drupal Infrastructure
 
Integrating Drupal into your Enterprise Architecture
Integrating Drupal into your Enterprise ArchitectureIntegrating Drupal into your Enterprise Architecture
Integrating Drupal into your Enterprise Architecture
 
Mobile-izing Your Organization with Drupal: Acquia webinar
Mobile-izing Your Organization with Drupal: Acquia webinarMobile-izing Your Organization with Drupal: Acquia webinar
Mobile-izing Your Organization with Drupal: Acquia webinar
 
Iksula Drupal Solutions
Iksula Drupal SolutionsIksula Drupal Solutions
Iksula Drupal Solutions
 
Scalable PHP Applications With Cassandra
Scalable PHP Applications With CassandraScalable PHP Applications With Cassandra
Scalable PHP Applications With Cassandra
 
Amazon Web Services Building Blocks for Drupal Applications and Hosting
Amazon Web Services Building Blocks for Drupal Applications and HostingAmazon Web Services Building Blocks for Drupal Applications and Hosting
Amazon Web Services Building Blocks for Drupal Applications and Hosting
 
Liferay with xebia
Liferay with xebiaLiferay with xebia
Liferay with xebia
 
Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...
Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...
Arquitectura de las nuevas aplicaciones web: Como lograr escalabilidad, alta ...
 
¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...
¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...
¿Es tu aplicación robusta? Cómo definir la mejor arquitectura para tu aplicac...
 
WCM-5 WCM Solutions with Drupal and Alfresco
WCM-5 WCM Solutions with Drupal and AlfrescoWCM-5 WCM Solutions with Drupal and Alfresco
WCM-5 WCM Solutions with Drupal and Alfresco
 
e-Commerce web app Architecture and Scalability
e-Commerce web app Architecture and Scalabilitye-Commerce web app Architecture and Scalability
e-Commerce web app Architecture and Scalability
 

Ähnlich wie PHP at Density and Scale (Lone Star PHP 2014)

Server fleet management using Camunda by Akhil Ahuja
Server fleet management using Camunda by Akhil AhujaServer fleet management using Camunda by Akhil Ahuja
Server fleet management using Camunda by Akhil Ahujacamunda services GmbH
 
WebCamp Ukraine 2016: Instant messenger with Python. Back-end development
WebCamp Ukraine 2016: Instant messenger with Python. Back-end developmentWebCamp Ukraine 2016: Instant messenger with Python. Back-end development
WebCamp Ukraine 2016: Instant messenger with Python. Back-end developmentViach Kakovskyi
 
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...WebCamp
 
Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018Orit Wasserman
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at DecisivTeleport
 
SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0Mike Belshe
 
SANDcamp 2014 - A Perfect Launch, Every Time
SANDcamp 2014 - A Perfect Launch, Every TimeSANDcamp 2014 - A Perfect Launch, Every Time
SANDcamp 2014 - A Perfect Launch, Every TimeJon Peck
 
Load testing in Zonky with Gatling
Load testing in Zonky with GatlingLoad testing in Zonky with Gatling
Load testing in Zonky with GatlingPetr Vlček
 
2021.02 new in Ceph Pacific Dashboard
2021.02 new in Ceph Pacific Dashboard2021.02 new in Ceph Pacific Dashboard
2021.02 new in Ceph Pacific DashboardCeph Community
 
NODE JS OC Meetup 1
NODE JS OC Meetup 1NODE JS OC Meetup 1
NODE JS OC Meetup 1eddify
 
Web performance optimization - MercadoLibre
Web performance optimization - MercadoLibreWeb performance optimization - MercadoLibre
Web performance optimization - MercadoLibrePablo Moretti
 
NetflixOSS Meetup S6E1 - Titus & Containers
NetflixOSS Meetup S6E1 - Titus & ContainersNetflixOSS Meetup S6E1 - Titus & Containers
NetflixOSS Meetup S6E1 - Titus & Containersaspyker
 
Kernel Recipes 2014 - Performance Does Matter
Kernel Recipes 2014 - Performance Does MatterKernel Recipes 2014 - Performance Does Matter
Kernel Recipes 2014 - Performance Does MatterAnne Nicolas
 

Ähnlich wie PHP at Density and Scale (Lone Star PHP 2014) (20)

PHP at Density and Scale
PHP at Density and ScalePHP at Density and Scale
PHP at Density and Scale
 
PHP at Density and Scale
PHP at Density and ScalePHP at Density and Scale
PHP at Density and Scale
 
Server fleet management using Camunda by Akhil Ahuja
Server fleet management using Camunda by Akhil AhujaServer fleet management using Camunda by Akhil Ahuja
Server fleet management using Camunda by Akhil Ahuja
 
WebCamp Ukraine 2016: Instant messenger with Python. Back-end development
WebCamp Ukraine 2016: Instant messenger with Python. Back-end developmentWebCamp Ukraine 2016: Instant messenger with Python. Back-end development
WebCamp Ukraine 2016: Instant messenger with Python. Back-end development
 
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
 
Netty training
Netty trainingNetty training
Netty training
 
Netty training
Netty trainingNetty training
Netty training
 
Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018
 
Working with Asynchronous Events
Working with Asynchronous EventsWorking with Asynchronous Events
Working with Asynchronous Events
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at Decisiv
 
SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0
 
SANDcamp 2014 - A Perfect Launch, Every Time
SANDcamp 2014 - A Perfect Launch, Every TimeSANDcamp 2014 - A Perfect Launch, Every Time
SANDcamp 2014 - A Perfect Launch, Every Time
 
Load testing in Zonky with Gatling
Load testing in Zonky with GatlingLoad testing in Zonky with Gatling
Load testing in Zonky with Gatling
 
SNIA SDC 2016 final
SNIA SDC 2016 finalSNIA SDC 2016 final
SNIA SDC 2016 final
 
2021.02 new in Ceph Pacific Dashboard
2021.02 new in Ceph Pacific Dashboard2021.02 new in Ceph Pacific Dashboard
2021.02 new in Ceph Pacific Dashboard
 
NODE JS OC Meetup 1
NODE JS OC Meetup 1NODE JS OC Meetup 1
NODE JS OC Meetup 1
 
Web performance optimization - MercadoLibre
Web performance optimization - MercadoLibreWeb performance optimization - MercadoLibre
Web performance optimization - MercadoLibre
 
nebulaconf
nebulaconfnebulaconf
nebulaconf
 
NetflixOSS Meetup S6E1 - Titus & Containers
NetflixOSS Meetup S6E1 - Titus & ContainersNetflixOSS Meetup S6E1 - Titus & Containers
NetflixOSS Meetup S6E1 - Titus & Containers
 
Kernel Recipes 2014 - Performance Does Matter
Kernel Recipes 2014 - Performance Does MatterKernel Recipes 2014 - Performance Does Matter
Kernel Recipes 2014 - Performance Does Matter
 

Mehr von David Timothy Strauss

Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitDavid Timothy Strauss
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...David Timothy Strauss
 

Mehr von David Timothy Strauss (10)

Advanced Drupal 8 Caching
Advanced Drupal 8 CachingAdvanced Drupal 8 Caching
Advanced Drupal 8 Caching
 
LCache DrupalCon Dublin 2016
LCache DrupalCon Dublin 2016LCache DrupalCon Dublin 2016
LCache DrupalCon Dublin 2016
 
Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security Summit
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Valhalla at Pantheon
Valhalla at PantheonValhalla at Pantheon
Valhalla at Pantheon
 
Cassandra-Powered Distributed DNS
Cassandra-Powered Distributed DNSCassandra-Powered Distributed DNS
Cassandra-Powered Distributed DNS
 
Planning LAMP infrastructure
Planning LAMP infrastructurePlanning LAMP infrastructure
Planning LAMP infrastructure
 
Is Drupal Secure?
Is Drupal Secure?Is Drupal Secure?
Is Drupal Secure?
 
Cassandra queuing
Cassandra queuingCassandra queuing
Cassandra queuing
 

Kürzlich hochgeladen

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Kürzlich hochgeladen (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

PHP at Density and Scale (Lone Star PHP 2014)

  • 1. PHP at Density and Scale ...with security and consistent performance
  • 2. About Me ● Four Kitchens ● Drupal.org ● Pressflow ● Pantheon ● systemd
  • 3. Broadly Defining Security Your data... 1. Is accessible to the right people (access) 2. Isn’t to anyone else (access) 3. Is usable (quality of service)
  • 4. Topics ● Performance ○ Socket activation ○ Automount/autofs ○ cgroups ○ “Customer Experience Monitor” ○ Migration ● Security ○ Users ○ Namespaces ○ Defense-in-depth ○ Non-disruptive fixes
  • 5. Challenge: PHP-FPM Overhead ● Using a full PHP-FPM instance per stack ○ Isolated opcode cache space ○ Defense-in-depth against PHP issues ○ Low-impact reconfiguration ● Idle PHP-FPMs take ~0.5% of a core each ○ At 10k dense, that’s over six cores ● Initial solution used error capture in nginx ○ Masked real failures to connect to PHP-FPM ○ Slower than necessary ○ Production use of HTTP 418 (arguably a bonus)
  • 6. Traditional server sockets: overview ... nginx TCP 80 Client nginx TCP 81 If you want a service available, the daemon has to be running.
  • 7. Socket activation: overview systemd TCP 80 Client TCP 81 nginxfd=3 Only a socket in systemd has to run for service availability.
  • 8. Socket activation: details ● systemd squats on all listeners ○ Looks for incoming traffic with EPOLL ○ Starts the services/containers on-demand ○ Passes socket to daemon as fd=3+ ● Not a proxy (same performance) ● No client awareness ● No CPU or memory overhead when idle
  • 9. Socket activation: Pantheon’s use ● nginx and PHP-FPM ● MariaDB soon ○ Using an alternative now ● Allows 90%+ containers to be idle ● Makes bootup sensible ● Reconfiguration pattern is stop, not restart
  • 10. Socket Activation Demo Demoed this at NYC Camp a few weeks ago
  • 11. Automount/autofs ● Like socket activation for file system mounts ○ Kernel squats on mount path and looks for traffic ○ Brings up file mount lazily ● Used for FuseDAV (Valhalla client)
  • 13. Challenge: Resource Availability ● Per-site load isn’t predictable ● Different sites compete for resources ○ Between customers ○ Among customers’ own sites ● Traditional prioritization isn’t adequate ○ VMs are too heavyweight ○ Tools like “nice” can cause starvation ○ Generally want burstability
  • 14. cgroups ● Many options ○ Pantheon uses CPUShares and BlockIOWeight ● Keeps things fair under contention ○ Kind of like adding purple ropes when people are queueing
  • 16. Customer Experience Monitor ● Runs a representative Drupal site on every container host ● Reports scores to the API and monitoring ● Influences migration and container placement
  • 17. Migration ● At density, rebalancing is important ● Keep state lightweight ○ No OS ○ No runtime ● Mutiny: migration as replication + promotion
  • 18. Challenge: Security Isolation ● Many users ● One kernel ● VMs too heavyweight ● Users run their own code ● Can’t betray expectations ○ Many users develop locally and push code ○ Some customers import existing, working sites
  • 19. Isolation for security ● Users ● Namespaces ● Seccomp filters
  • 20. Defense in depth ● Application ○ Drupal ● Runtime ○ nginx, PHP-FPM, FuseDAV ● Container: “binding” certificate ○ Linux user, namespaces, etc. ● Container host: “endpoint” certificate ○ Only trusted for the containers assigned ● Platform: root certificate
  • 21. Challenge: Security Responses ● Traditional approach too big a hammer ○ Rebooting hundreds of hosts with 10k+ containers each would be a fail-over storm ○ Basic customers don’t have fail-over ○ Not going to pack it less dense ● Customers can run own code ○ May load executables and libraries themselves
  • 22. Non-disruptive fixes ● Kernel upgrades via migration ● Rolling daemon and library upgrades ○ Heartbleed