Samba4 high cpu load
linux at kukkukk.com
Tue May 8 20:02:14 MDT 2012
On Monday 07 May 2012 19:23:05 steve wrote:
> On Friday 04 May 2012 08:53:25 steve wrote:
> > On 04/05/12 03:23, Günter Kukkukk wrote:
> > > On Monday 30 April 2012 16:04:37 steve wrote:
> > >> On 05/04/12 00:55, Günter Kukkukk wrote:
> > >>> On Wednesday 04 April 2012 15:33:46 steve wrote:
> > >>>> OpenSUSE 12.1
> > >>>> Version 4.0.0alpha19-GIT-7290a62
> > >
> > > I have started again to track that down.
> > > Will write a test applet to catch that as simple as possible, to
> > > it with the gnutls devs.
> > >
> > > As a workaround you can use
> > >
> > > tls enabled = no
> > >
> > > in the [global] section of smb.conf
> > >
> > > I'll keep you informed about my findings.
> > >
> > > Cheers, Günter
> > Thanks Günter
> > The workaround works fine. Please let me know if there is anything I can
> > test. I've switched to Ubuntu for the moment but have left this S4
> > install on openSUSE in case I can test anything.
> > Cheers,
> > Steve
> did some further investigations - intermediate results:
> The "samba4 hang with high cpu usage" happens during
> which calculates the Diffie-Hellman key.
> One can check/simulate the same behaviour with:
> certtool --generate-dh-params --bits 1024
> or to get a file
> certtool --generate-dh-params --bits 1024 --outfile dh1024.pem
> The time it takes to calculate this key depends at least on the used
> gnutls version! Using certtool -v
> opensuse 11.4 (GnuTLS) 2.8.6 fast
> opensuse 12.1 (GnuTLS) 3.0.3 slow
> ubuntu 12.04 (GnuTLS) 2.12.14 fast
> I'll do further investigations the next days.
> To use TLS with samba4 with those slow versions, one can generate
> this DH key with certool, as noted above.
> One must then add that param file to smb.conf in the [global] section:
> tls dh params file = /path/to/dh1024.pem
> I'm atm not quite sure whether this dh param file creation should
> be directed to cron to generate a new one - say every week ... (?)
> Cheers, Günter
> Some further readings:
> Also this bug is fixed in the 3.0.3 version:
> The opensuse 12.1 version only reads 32 bytes (256 bit) from /dev/urandom
> One can check this with:
> strace -e trace=open,read -s12 certtool --generate-dh-params --bits 1024
> Hi Günter,
> Thanks for this. Just thinking out loud. Would a bugzilla to openSUSE,
> quoting this thread, help us at all?
> As far as I can see, the TLS certs are generated only once, the first
> time you start S4 after a new build and provision. I don't know when
> they expire.
> With Kerberos, do we even need TLS?
i've contacted one of the gnutls developers (Nikos Mavrogiannopoulos).
He told me that when generating the Diffie-Hellman key, some (3.x.x)
versions used a very slow algorithm.
He recommends to use gnutls >= 3.0.9
Opensuse 12.1 uses gnutls 3.0.3 atm.
So i did a recent gnutls-3.0.19 build.
With gnutls 3.0.19
time certtool --generate-dh-params --bits 1024
is now down to 1 - 2 seconds, compared to 3 - 5 minutes (!!!)
with former version 3.0.3 (from opensuse 12.1)
Will contact the opensuse maintainers.
More information about the samba-technical