Earlier this year, Red Hat engineering took a close look at how to accelerate compression within applications by using 4th Gen Intel Xeon Scalable Processors that include Intel® QuickAssist Technology (Intel® QAT), which can accelerate both compression and encryption. Today we will examine the encryption capabilities and show how to achieve major performance improvements with leading load balancing applications. HAProxy and F5’s NGINX were tested running on Red Hat Enterprise Linux 9.2.
Setting up
We started with a RHEL 9.2 installation on a system with an Intel Xeon Platinum 8480+ processor. It’s important to ensure that intel_iommu=on
is set on the kernel command line, so that a physical QAT device can be exposed as Virtual Functions.
Test System for both applications
- Intel Xeon Platinum 8480+ processor
- 512 GB DDR4 Memory
- RHEL 9.2
Intel® QAT Engine for OpenSSL*
QAT_Engine is open source software that enables any application that uses OpenSSL to take advantage of cryptography acceleration technologies available on Intel processors, including Intel QAT, a hardware accelerator integrated in 4th Gen Intel Xeon Scalable processors. The only requirements for using hardware acceleration are:
- 4th Gen Intel Xeon Scalable Processors with Built-In Accelerators
- QAT_Engine is installed and configured.
- OpenSSL is configured to use QAT_Engine; either the user can configure it globally, or an application such as HAProxy can configure its use at runtime.
HAProxy
HAProxy is a popular reverse proxy application for TCP and HTTP traffic. One benefit of Intel QAT is that we can substantially improve HAProxy’s performance with TLS handshakes, which benefits systems that handle a large volume of new TLS connections. Example use cases where TLS handshake performance could make a difference include high-volume services on the public Internet, and services that handle requests from many edge and/or IoT devices that do not maintain persistent TCP connections.
To run the test, we started by installing a number of packages that come with RHEL:
dnf -y install haproxy qatengine httpd httpd-tools
Httpd, commonly known as the Apache web server, was used for the test as the HTTP service being proxied. It was configured to return a basic HTTP 200 response.
Turning on the use of Intel QAT only requires adding the following two lines to HAProxy’s configuration file, which makes this feature especially easy to use or experiment with on your own:
ssl-engine qatengine algo ALL ssl-mode-async
For some tests we introduced simulated network latency using Linux Traffic Control’s netem qdisc, which requires the kernel-modules-extra package.
Complete details of how the software was installed, configured and run can be viewed in the benchmark script found on GitHub: https://github.com/erig0/haproxy_benchmark
Performance
As you can see in the bar graph, introducing Intel QAT provides a major boost in performance when handling new TLS connections. TLS 1.2 showed a 69% improvement, while the newer TLS 1.3 showed a 51% improvement.
These tests were performed with HAProxy 2.4 pinned to 4 CPUs, simulated network latency of 50ms, jitter of 4ms, and packet loss of 0.1%. All tests used the TLS cipher ECDHE-RSA-AES256-GCM-SHA384.
F5 NGINX
NGINX is F5’s very popular open source web server that is used to deploy and run a wide variety of web services and sites. Today’s upstream NGINX project is not able to use Intel QAT, so engineers from Intel created a set of patches that enable NGINX to incorporate asynchronous elements into the request processing workflow. As a result, a number of optimizations including Intel QAT can now be introduced as part of handling each http request.
Cyrus Rafii Sr. Business Development Manager at F5 stated “Combining F5 NGINX using Intel’s QuickAssist Technology on Red Hat Enterprise Linux, gives you the accelerated security of your data regardless of where the data resides. This is the optimum solution to enhance the security of not only data in flight, but also deliver scalability and portability between hybrid cloud workloads.”
The patch authors are working upstream with the NGINX project. F5 has expressed the intent to incorporate the design changes into a future NGINX release. Until then, Intel’s changes can be viewed and utilized from a dedicated repository on GitHub: https://github.com/intel/asynch_mode_nginx
Introducing Intel QAT provides a major boost in performance when handling new TLS connections. TLS 1.2 showed a 78% improvement, while the newer TLS 1.3 showed a 67% improvement.
Compression can also be offloaded using Intel QAT with NGINX, which can further increase throughput or reduce the load on processor cores. HTTP traffic is commonly compressed using gzip in order to substantially reduce the amount of data being transmitted. NGINX compresses responses with MIME type “text/html” by default, but it can also be configured to compress other response types.
F5 will be showcasing NGINX using Intel QAT on RHEL in their demo booth # 327 at Intel Innovation this week in San Jose, CA on September 19th and 20th. Stop by and check out this leap forward in performance if you happen to be at the event.
Summary
These results demonstrate Red Hat’s commitment in collaboration with Intel to helping our OEMs and ISVs deliver high-performing solutions to our mutual customers and showcase customer value we jointly deliver into the market.
Intel QuickAssist Technology delivers a significant step forward in performance for OpenSSL use cases. Any application that uses OpenSSL on Red Hat Enterprise Linux could potentially benefit from hardware acceleration of cryptography using Intel QAT and achieve similarly impressive performance gains as we saw with HAProxy and NGINX.
Additional articles
Sugli autori
Eric has been at Red Hat since 2016. In his tenure he has contributed to many open source projects: Linux, Open vSwitch, nftables and firewalld. He has been the upstream maintainer of firewalld since 2017.
Altri risultati simili a questo
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Supporto clienti
- Risorse per sviluppatori
- Trova un partner
- Red Hat Ecosystem Catalog
- Calcola il valore delle soluzioni Red Hat
- Documentazione
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit