[squid-users] security_file_certgen I/O
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 2 02:06:30 UTC 2021
On 2/12/21 07:55, Jason Spashett wrote:
> On Wed, 1 Dec 2021 at 18:29, Alex Rousskov
> <rousskov at measurement-factory.com> wrote:
>>
>> On 12/1/21 12:06 PM, David Touzeau wrote:
>>>
>>> Hi
>>>
>>> We used Squid 5.2 and we see that security_file_certgen consumes I/O.
>>> Is there any way to put the ssldb in memory without the need to mount a tmpfs?
>>
>> Yes, there are at least two other ways to reduce disk I/O related to
>> certificate generation:
>>
>> 1) Tell the official certificate generator helper not to cache the
>> generated certificates. See sslcrtd_program documentation for details.
>>
>> 2) Write your own certificate generator helper.
>>
>> Alex.
>
> We have found that the certificate helpers perform strictly worse with
> the disk cache turned on, over approximately 3 processes. It is
> something that perhaps one day, with luck, we may be able to
> contribute something. The problems are the way in which the disk cache
> is stored and accessed.

The "file" in the helper name means one file per object, which is quite
a crude type of storage but very easy to implement as a proof of concept
helper.

As Alex mentioned, there are a lot of optimizations that can still be
made (and bugs to fix) with the current helper code - and still not be
the best possible performance due to the "file" nature of storage and
the relatively slow nature of disk I/O.

Improvements here and/or new helper implementations with better forms of
storage are welcome.

Cheers
Amos