[squid-users] Polygraph Kerberos patch

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 13 Feb 2011 12:57:08 -0000

Hi

  Here is a patch for the latest polygraph version to perform Kerberos based
performance testing.

 Apply attached patch and rebuild configure and other files with:

aclocal
autoheader
automake -a
autoreconf -f -i

Now run ./configure ...

Four new options are introduced:

1) kerberos_auth = true;
     Selects Kerberos over NTLM in Negotiate requests
2) kerberos_config_path = "krb5_WINDOWS.conf";
     Defines the Kerberos configuration file to use
3) kerberos_clear_cache = true;
     Do not cache credentials but re-authenticate the user for every HTTP
     request. Creates a high amount of Kerberos traffic to the
     KDC or Active Directory and is not recommended
4) kerberos_proxy_spn = "HTTP/<fqdn>" ( and kerberos_server_spn =
     "HTTP/<fqdn>" for testing web server performance)
     Setting the spn avoids DNS resolution of the proxy or web server
     hostname to IP address and vice versa.

Simple Polygraph configuration

/*
 * A very simple "Hello, World!" workload
 */

// this is just one of the simplest workloads that can produce hits
// never use this workload for benchmarking

// SimpleContent defines properties of content that the server generates;
// if you get no hits, set SimpleContent.obj_life_cycle to cntStatic, which
// is defined in workloads/include/contents.pg
Content SimpleContent = {
        size = exp(13KB); // response sizes distributed exponentially
        cachable = 80%; // 20% of content is uncachable
};

// a primitive server cleverly labeled "S101"
// normally, you would specify more properties,
// but we will mostly rely on defaults for now
Server S = {
        kind = "S101";
        contents = [ SimpleContent ];
        direct_access = contents;

        // where to create these server agents
        addresses = [ '192.168.1.12:9090' ];
};

DnsResolver dr = {
    servers = [ '127.0.0.1:53' ];
    timeout = 5sec;
};

AddrMap M = {
    addresses = [ '192.168.1.10' ,'192.168.1.11', '192.168.1.12' ];
    names = [ 'client.suse.home' , 'proxy.suse.home', 'server.suse.home' ];
};

// a primitive robot
Robot R1 = {
        kind = "R101";
        pop_model = { pop_distr = popUnif(); };
        // adjusted to get 55% DHR
        recurrence = 55% / SimpleContent.cachable;

        origins = S.addresses; // where the origin servers are
        // where these robot agents will be created
        addresses = [ '192.168.1.10' ];
        // kerberos_clear_cache = true;
        kerberos_auth = true;
        kerberos_config_path = "krb5_SUSE.conf";
        kerberos_proxy_spn = "HTTP/proxy.suse.home";
        credentials = [ "user1:user1" ];
        dns_resolver = dr;
};

// a primitive robot
Robot R2 = {
        kind = "R101";
        pop_model = { pop_distr = popUnif(); };
        // adjusted to get 55% DHR
        recurrence = 55% / SimpleContent.cachable;

        origins = S.addresses; // where the origin servers are
        // where these robot agents will be created
        addresses = [ '192.168.1.10' ];
        // kerberos_clear_cache = true;
        kerberos_auth = true;
        kerberos_config_path = "krb5_WINDOWS.conf";
        // user can be the same as in Robot R1 as the default domain in krb5 will
        // differentiate them as user1@<WINDOWS-DOMAIN> and user1@<SUSE-DOMAIN>
        kerberos_proxy_spn = "HTTP/proxy.suse.home";
        credentials = [ "user1:user1" ];
        dns_resolver = dr;
};

// commit to using these servers and robots
use(M);
use(S, R1, R2);

Run the client with:

/opt/polygraph-4.0.11/bin/polygraph-client --proxy 192.168.1.11:3128 \
    --config /home/markus/mysources/polygraph/simple_proxy.pg \
    --verb_lvl 10 --log client.log

Simple Kerberos configuration file

[libdefaults]
       default_realm = WIN2003R2.HOME
       default_keytab_name = /etc/krb5.keytab
       default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
       default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
       permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

#Heimdal settings
       default_etypes = arcfour-hmac-md5 des3-cbc-sha1 des-cbc-crc des-cbc-md5
       default_etypes_des = des-cbc-crc des-cbc-md5

# DNS settings to reduce DNS traffic and rely on below settings
       dns_lookup_kdc = no
       dns_lookup_realm = no

[realms]
       WIN2003R2.HOME = {
               kdc = 192.168.1.10
               admin_server = 192.168.1.10
       }
[domain_realm]
       .win2003r2.home = WIN2003R2.HOME
       win2003r2.home = WIN2003R2.HOME

[logging]

Using IP-addresses reduces the load on DNS !!

In the case of a high number of connections you may see errors 1765328228
from krb5_get_init_creds_password. This can happen when more than
FD_SETSIZE file descriptors are open. The only way to avoid this is to
recompile the Kerberos library after setting a maximum file descriptor
number with sysctl (on Linux) and changing the header file define for
FD_SETSIZE in typesizes.h (depending on the OS it is defined in other header
files).

Any feedback is appreciated.

Regards
Markus

http://www.mail-archive.com/squid-dev@squid-cache.org/msg14948/polygraph-4.0.11-kerberos-v7.patch
Received on Sun Feb 13 2011 - 12:57:49 MST
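
Added example, not part of the original message or of the Polygraph patch: a small C program that illustrates the FD_SETSIZE limit described above using plain select(), without calling the Kerberos library. The function names are hypothetical; it checks whether the process limit allows descriptors that an fd_set cannot hold and refuses such descriptors instead of passing them to FD_SET().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set holds FD_SETSIZE bits; FD_SET() on a larger fd writes out of bounds. */
int fd_fits_select(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* 1 if the soft RLIMIT_NOFILE allows descriptors that select() cannot track. */
int nofile_limit_exceeds_fd_setsize(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    return rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > (rlim_t)FD_SETSIZE;
}

/* Wait until fd is readable; refuse descriptors that do not fit in an fd_set. */
int wait_readable(int fd, int timeout_sec) {
    fd_set rfds;
    struct timeval tv = { timeout_sec, 0 };
    if (!fd_fits_select(fd)) { errno = EBADF; return -1; }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, &tv);
}

/* Duplicate fd to a number >= FD_SETSIZE, which is what a client sees once
 * enough connections are open; -1 if the current limit does not allow it. */
int dup_above_fd_setsize(int fd) { return fcntl(fd, F_DUPFD, FD_SETSIZE); }

int main(void) {
    int p[2];
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1) return 1;
    printf("FD_SETSIZE=%d, limit allows larger fds: %d\n",
           FD_SETSIZE, nofile_limit_exceeds_fd_setsize());
    printf("fd %d: wait_readable=%d\n", p[0], wait_readable(p[0], 1));
    int high = dup_above_fd_setsize(p[0]);
    if (high >= 0)
        printf("fd %d: wait_readable=%d (refused, errno=EBADF)\n",
               high, wait_readable(high, 1));
    else
        printf("current limit keeps all descriptors below FD_SETSIZE\n");
    return 0;
}
```

If the second line of output reports that the limit allows larger descriptors, a load test with enough open connections can hand select()-based code a descriptor it cannot represent.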
