[RADIATOR] Radiator restart time & memory consumption
Jan Tomasek
jan at tomasek.cz
Fri Jul 20 14:19:26 UTC 2018
Hello,

I'm running Radiator as the Czech eduroam proxy. At this point I have 173
RadSec peers and the restart time is starting to worry me. We are running on
Debian GNU/Linux Stretch, Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz.
Radiator version is 4.20 with patchset 1.2232. A restart takes about
30 seconds. Log:

http://tomasek.cz/stuff/radiator.restart.txt

You can see that the TERM signal was received at 15:39:27 and the server
started to respond at 15:39:53 - 26 seconds.

I think that this is caused by opening all RadSec connections on
startup. I do not want to use ConnectOnDemand, I want to have the connections
open and ready. Is there any way to make the start of all RadSec
connections asynchronous? I see in AuthRADSEC::activate that
stream_connect is called:

    sub activate
    {
        ...
        $self->stream_connect() unless $self->{ConnectOnDemand};

and it seems to be a blocking call. Is there any chance to postpone it?

And a note about memory consumption. When you look at my log file, it
contains sections like:

> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/244b5494.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/2c543cd1.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/2e5ac55d.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/3513523f.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/4d12be1d.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/53f3e569.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/578d5c04.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/5a5c01b6.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/7a491995.r0'
> Fri Jul 20 15:39:28 2018: DEBUG: (Re)loading CRL file '/etc/ssl/crl/7f8496de.r0'

repeated about 173 times. This causes quite solid memory consumption:

    root@radius1mng4:/etc/radiator# ps aux |grep radius
    root 20274 36.2 14.8 5006348 4888736 ? S 15:39 6:51 /usr/bin/perl /usr/bin/radiusd -daemon -config_file /etc/radiator/radius.cfg

especially when compared to the process which is serving just our own users:

    ldap21:RADIUS:~# ps aux |grep radius
    root 30026 0.6 0.9 150704 48080 ? S 14:18 0:42 /usr/bin/perl /usr/bin/radiusd

I think it should be possible to implement a sort of shared SSL context,
but I must admit I didn't try to look at the SSL functions. Memory
consumption isn't that big an issue. I recently stopped adding new CAs, so
after the certs at my peers expire and renew I will be able to remove most
of the CRLs.

Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
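
The shared SSL context idea from the message above, sketched with Net::SSLeay as an added example (not Radiator code and not part of the original post). The CA directory, the CA_PATH/CRL_PATH environment variables and the build_shared_ctx helper are assumptions made for illustration:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::initialize();

# Assumptions: /etc/ssl/crl is the CRL directory from the log above; the CA
# directory and the CA_PATH/CRL_PATH variables are made up for this sketch.
my $capath = $ENV{CA_PATH}  // '/etc/ssl/certs';
my $crldir = $ENV{CRL_PATH} // '/etc/ssl/crl';
my $peers  = 173;    # number of RadSec peers mentioned in the post

# Build one SSL_CTX: trust anchors from $capath, each hashed PEM CRL file
# (*.r0 .. *.r9) parsed a single time into the context's X509_STORE.
sub build_shared_ctx {
    my ($capath, $crldir) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
    Net::SSLeay::CTX_load_verify_locations($ctx, '', $capath)
        or die "cannot use CA directory $capath\n";
    my $store  = Net::SSLeay::CTX_get_cert_store($ctx);
    my $loaded = 0;
    for my $file (sort glob("$crldir/*.r[0-9]")) {
        my $bio = Net::SSLeay::BIO_new_file($file, 'r') or next;
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        Net::SSLeay::BIO_free($bio);
        next unless $crl;    # not PEM or unreadable: skip it
        $loaded++ if Net::SSLeay::X509_STORE_add_crl($store, $crl);
        Net::SSLeay::X509_CRL_free($crl);    # the store keeps its own reference
    }
    # Check the peer (leaf) certificate against the loaded CRLs.
    Net::SSLeay::X509_STORE_set_flags($store,
        Net::SSLeay::X509_V_FLAG_CRL_CHECK());
    Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), undef);
    return ($ctx, $loaded);
}

my ($ctx, $loaded) = build_shared_ctx($capath, $crldir);

# One SSL object per peer; all of them reference the same context and store,
# so the CRLs are held in memory once instead of once per peer.
my @ssl;
for (1 .. $peers) {
    my $ssl = Net::SSLeay::new($ctx) or die "SSL_new failed\n";
    push @ssl, $ssl;
}
printf "%d CRL files parsed once, shared by %d SSL objects\n", $loaded, scalar @ssl;

Net::SSLeay::free($_) for @ssl;
Net::SSLeay::CTX_free($ctx);
```

Sharing one context only fits peers whose CA, CRL and certificate settings are identical; a peer configured with different TLS parameters still needs a context of its own.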