
Re: [Phoronix] Ubuntu 9.04 vs. Fedora 11 Performance



On Fri, Jun 12, 2009 at 9:31 AM, Rahul Sundaram <sundaram fedoraproject org> wrote:
> On 06/12/2009 06:42 PM, Kyle McMartin wrote:
>
>> It's almost certainly attributable to the default install using audit.
>> Roland and various others have done a lot of work improving things, but
>> there is always going to be a per-syscall overhead to this kind of
>> thing. A few extra usec a syscall adds up after a few hundred thousand
>> calls...
>
> Is there a benefit to running audit by default? Is it worth the cost?

What percentage of users do you think need even a small fraction of
the raw HTTP transaction rate Fedora can provide?

Obviously people do run a lot of CPU heavy CGIs, but since those
generally spend time processing rather than just making syscalls they
won't be as impacted as this.

Anyone needing to handle thousands of small HTTP transactions
per second is doing something fairly specialized.  They should be
quite capable of performing whatever performance tweaks are required.

For everyone else, and even many of the high performance shops, even a
modest security gain is 'worth the cost' of a pretty substantial loss
in peak HTTP request rate. Even for small users the 'cost' of dealing
with even one security breach in, say, 10 years would easily pay for a
second CPU in the few cases where serving thousands of requests per
second is material.

Obviously you want to extract as much performance as possible, and
don't want to take a loss for no gain.  But if after fixing any bugs
Fedora is slower because of a security feature then that needs to be
touted as a *benefit* of Fedora. From a marketing perspective people
are more likely to believe advantages when you couple them with a
negative in any case:

"Furthermore, Fedora is more secure than other alternatives. Features
like X, Y, and Z make Fedora robust against even unforeseen attacks.
These features do result in a performance hit, for example 5,000 HTTP
requests per second vs 10,000, the impact is negligible on normal
workloads. Since some of the world's largest websites only do 60,000
req/sec[1] (and have hundreds of servers), we think your time and
security should take precedence. Of course, these security features
can be disabled if your requirements dictate."

[1] http://www.nedworks.org/~mark/reqstats/reqstats-daily.png

