
List:       ipfilter
Subject:    Re: ipfilter and backup software?
From:       "Jeff A. Earickson" <jaearick () colby ! edu>
Date:       2006-10-07 11:58:27
Message-ID: Pine.GSO.4.64.0610070756400.7669 () feldspar

Thank you, that is a relief to know.  I'm going to yank out the public
domain version of ipfilter and pfil (i.e., pkgrm) from my netbackup
servers and see what happens in throughput for backups.

Jeff Earickson
Colby College

On Fri, 6 Oct 2006, Andrew Wenlang Zhu wrote:

> Date: Fri, 06 Oct 2006 17:13:08 -0700
> From: Andrew Wenlang Zhu <azhu@adaranet.com>
> To: Jeff A. Earickson <jaearick@colby.edu>
> Cc: ipfilter@coombs.anu.edu.au
> Subject: Re: ipfilter and backup software?
> 
> Jeff,
>
> I checked the pfil shipped with Solaris 10, and I did not see
> pfil_printmchain( ) symbol in pfil driver. It seems Sun indeed turned
> off the PFILDEBUG flag for the release.
>
> Andrew
>
>
> On Fri, 2006-10-06 at 14:31 -0400, Jeff A. Earickson wrote:
>> Andrew,
>>
>> Thanks, I'll experiment with this.  I wonder if this is also true for
>> the Solaris 10 release version of pfil as well.  Despite the fact that
>> I'm the guy who wrote the "how-to upgrade ipfilter for Solaris 10",
>>
>> http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade
>>
>> I am starting to move away from doing this.  Any machine that I have
>> cold-installed with Solaris 10 6/06 I left alone, and I use the Sun-shipped
>> version of ipfilter/pfil on those machines.
>>
>> Unfortunately, both of my backup servers have pfil 2.1.10 and ipfilter
>> 4.1.13 installed.  Even if I have done "svcadm -v disable" on pfil and
>> ipfilter, I still see the modules loaded via modload.  I'll guess that
>> if the kernel module is loaded, is it still slowing me down?
>>
>> Jeff Earickson
>> Colby College
>>
>> On Fri, 6 Oct 2006, Andrew Wenlang Zhu wrote:
>>
>>> Date: Fri, 06 Oct 2006 11:09:48 -0700
>>> From: Andrew Wenlang Zhu <azhu@adaranet.com>
>>> To: Jeff A. Earickson <jaearick@colby.edu>
>>> Cc: ipfilter@coombs.anu.edu.au
>>> Subject: Re: ipfilter and backup software?
>>>
>>> Jeff,
>>>
>>> Whenever PFILDEBUG is set in the Makefile, pfil will include
>>> pfil_printmchain( ) in the data path, and the damage is done. This is a
>>> time consuming function. You did not see log messages because the value
>>> of "external int pfildebug"
>>>
>>> Read the code in pfilstream.c and you will get a better idea.
>>>
>>> I do not know what OS you are running, but you may find some tools to
>>> identify what function the system spends most time on.
>>>
>>> Andrew
>>>
>>>
>>> On Fri, 2006-10-06 at 08:47 -0400, Jeff A. Earickson wrote:
>>>> Andrew,
>>>>
>>>> Thanks for the tip.  In my case, I've got pfil 2.1.10, and I too found
>>>> the PFILDEBUG flag in the Makefiles.  However, I see zilch in my syslogs
>>>> from pfil, and I'm logging at "*.info" facility in /etc/syslog.conf.
>>>>
>>>> Darren,
>>>>
>>>> Any comments here?  Is the PFILDEBUG thing in the Makefile a "bug"?
>>>>
>>>> Jeff Earickson
>>>> Colby College
>>>>
>>>> On Thu, 5 Oct 2006, Andrew Wenlang Zhu wrote:
>>>>
>>>>> Date: Thu, 05 Oct 2006 11:17:42 -0700
>>>>> From: Andrew Wenlang Zhu <azhu@adaranet.com>
>>>>> To: Jeff A. Earickson <jaearick@colby.edu>
>>>>> Cc: ipfilter@coombs.anu.edu.au
>>>>> Subject: Re: ipfilter and backup software?
>>>>>
>>>>> Jeff,
>>>>>
>>>>> Did you look at the syslog? If you find a lot of ipfilter-related logs,
>>>>> pfil could be the culprit.
>>>>>
>>>>> I downloaded pfil 2.1.11 to use with ipf 4.1.13, and encountered a
>>>>> performance problem similar to yours. Later I found the Makefile that came
>>>>> with pfil set the DEBUG flag by default, which caused overwhelming log
>>>>> messages under heavy traffic.
>>>>>
>>>>> PFILDEBUG=-DPFILDEBUG
>>>>>
>>>>> You can try to remove -DPFILDEBUG and recompile and reload the pfil driver.
>>>>>
>>>>> Andrew
>>>>>
>>>>>
>>>>> On Thu, 2006-10-05 at 09:12 -0400, Jeff A. Earickson wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Does anybody else run ipfilter on a system that does network
>>>>>> based backups, like Netbackup or Legato?  Have you ever tested
>>>>>> your backup performance with and without ipfilter?
>>>>>>
>>>>>> We run Netbackup 6.0 MP3 on two systems (with two robots), a
>>>>>> V490 (4 cpus) with an ADIC i2000, and a V210 (2 cpus) with an
>>>>>> ADIC i500.  Both robots are hooked to their hosts via fibre.
>>>>>> Both hosts run Solaris 10 with ipf 4.1.13.
>>>>>>
>>>>>> I've noticed that shutting off ipfilter on the host makes a big
>>>>>> difference (30% or more) in terms of robot throughput, as measured
>>>>>> by iostat and Netbackup statistics.   As a result, I have to
>>>>>> keep ipfilter disabled on these two hosts.
>>>>>>
>>>>>> Anybody else seen this?
>>>>>>
>>>>>> Jeff Earickson
>>>>>> Colby College
>>>>>
>>>
>