Compare commits


No commits in common. "4acd439e8aaf84f5a103bdc55e9a93fb3c8da422" and "71990d39885309935ee62f48630e6a7a3e54e574" have entirely different histories.

8 changed files with 48 additions and 412 deletions


@ -50,286 +50,6 @@ services:
<<: *kasvc <<: *kasvc
ports: ports:
- 8089:8080 - 8089:8080
kasvc-10:
<<: *kasvc
ports:
- 8090:8080
kasvc-11:
<<: *kasvc
ports:
- 8091:8080
kasvc-12:
<<: *kasvc
ports:
- 8092:8080
kasvc-13:
<<: *kasvc
ports:
- 8093:8080
kasvc-14:
<<: *kasvc
ports:
- 8094:8080
kasvc-15:
<<: *kasvc
ports:
- 8095:8080
kasvc-16:
<<: *kasvc
ports:
- 8096:8080
kasvc-17:
<<: *kasvc
ports:
- 8097:8080
kasvc-18:
<<: *kasvc
ports:
- 8098:8080
kasvc-19:
<<: *kasvc
ports:
- 8099:8080
kasvc-20:
<<: *kasvc
ports:
- 8100:8080
kasvc-21:
<<: *kasvc
ports:
- 8101:8080
kasvc-22:
<<: *kasvc
ports:
- 8102:8080
kasvc-23:
<<: *kasvc
ports:
- 8103:8080
kasvc-24:
<<: *kasvc
ports:
- 8104:8080
kasvc-25:
<<: *kasvc
ports:
- 8105:8080
kasvc-26:
<<: *kasvc
ports:
- 8106:8080
kasvc-27:
<<: *kasvc
ports:
- 8107:8080
kasvc-28:
<<: *kasvc
ports:
- 8108:8080
kasvc-29:
<<: *kasvc
ports:
- 8109:8080
kasvc-30:
<<: *kasvc
ports:
- 8110:8080
kasvc-31:
<<: *kasvc
ports:
- 8111:8080
kasvc-32:
<<: *kasvc
ports:
- 8112:8080
kasvc-33:
<<: *kasvc
ports:
- 8113:8080
kasvc-34:
<<: *kasvc
ports:
- 8114:8080
kasvc-35:
<<: *kasvc
ports:
- 8115:8080
kasvc-36:
<<: *kasvc
ports:
- 8116:8080
kasvc-37:
<<: *kasvc
ports:
- 8117:8080
kasvc-38:
<<: *kasvc
ports:
- 8118:8080
kasvc-39:
<<: *kasvc
ports:
- 8119:8080
kasvc-40:
<<: *kasvc
ports:
- 8120:8080
kasvc-41:
<<: *kasvc
ports:
- 8121:8080
kasvc-42:
<<: *kasvc
ports:
- 8122:8080
kasvc-43:
<<: *kasvc
ports:
- 8123:8080
kasvc-44:
<<: *kasvc
ports:
- 8124:8080
kasvc-45:
<<: *kasvc
ports:
- 8125:8080
kasvc-46:
<<: *kasvc
ports:
- 8126:8080
kasvc-47:
<<: *kasvc
ports:
- 8127:8080
kasvc-48:
<<: *kasvc
ports:
- 8128:8080
kasvc-49:
<<: *kasvc
ports:
- 8129:8080
kasvc-50:
<<: *kasvc
ports:
- 8130:8080
kasvc-51:
<<: *kasvc
ports:
- 8131:8080
kasvc-52:
<<: *kasvc
ports:
- 8132:8080
kasvc-53:
<<: *kasvc
ports:
- 8133:8080
kasvc-54:
<<: *kasvc
ports:
- 8134:8080
kasvc-55:
<<: *kasvc
ports:
- 8135:8080
kasvc-56:
<<: *kasvc
ports:
- 8136:8080
kasvc-57:
<<: *kasvc
ports:
- 8137:8080
kasvc-58:
<<: *kasvc
ports:
- 8138:8080
kasvc-59:
<<: *kasvc
ports:
- 8139:8080
kasvc-60:
<<: *kasvc
ports:
- 8140:8080
kasvc-61:
<<: *kasvc
ports:
- 8141:8080
kasvc-62:
<<: *kasvc
ports:
- 8142:8080
kasvc-63:
<<: *kasvc
ports:
- 8143:8080
kasvc-64:
<<: *kasvc
ports:
- 8144:8080
kasvc-65:
<<: *kasvc
ports:
- 8145:8080
kasvc-66:
<<: *kasvc
ports:
- 8146:8080
kasvc-67:
<<: *kasvc
ports:
- 8147:8080
kasvc-68:
<<: *kasvc
ports:
- 8148:8080
kasvc-69:
<<: *kasvc
ports:
- 8149:8080
kasvc-70:
<<: *kasvc
ports:
- 8150:8080
kasvc-71:
<<: *kasvc
ports:
- 8151:8080
kasvc-72:
<<: *kasvc
ports:
- 8152:8080
kasvc-73:
<<: *kasvc
ports:
- 8153:8080
kasvc-74:
<<: *kasvc
ports:
- 8154:8080
kasvc-75:
<<: *kasvc
ports:
- 8155:8080
kasvc-76:
<<: *kasvc
ports:
- 8156:8080
kasvc-77:
<<: *kasvc
ports:
- 8157:8080
kasvc-78:
<<: *kasvc
ports:
- 8158:8080
kasvc-79:
<<: *kasvc
ports:
- 8159:8080
kaproxy: kaproxy:
build: build:
@ -339,8 +59,6 @@ services:
- linux/x86_64 - linux/x86_64
platform: linux/x86_64 platform: linux/x86_64
privileged: true privileged: true
cap_add:
- SYS_PTRACE
ports: ports:
- 8079:8080 - 8079:8080
networks: networks:
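Review bot: Removing `cap_add: SYS_PTRACE` from kaproxy changes nothing while `privileged: true` stays on the same service, because privileged mode already grants every capability and disables the default seccomp and AppArmor profiles. If ptrace is all the profiler needs (the old side's `ptrace_scope` write suggests `callgrind_control` relies on it), the tighter form is the reverse: drop `privileged: true` and keep `cap_add: [SYS_PTRACE]`, adding `security_opt: [seccomp:unconfined]` only if valgrind demonstrably fails without it. The `8089:8080` mappings on the kasvc replicas and `8079:8080` on the proxy bind on every host interface, so the test services are reachable from the LAN; for a local harness write them as `127.0.0.1:8089:8080`.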


@ -1,7 +1,5 @@
#!/bin/bash #!/bin/bash
N=$(nproc --all)
function log_request_to () { function log_request_to () {
return_code=$(curl -Sikl -o /dev/null -w "%{http_code}" $1 2>/dev/null) return_code=$(curl -Sikl -o /dev/null -w "%{http_code}" $1 2>/dev/null)
case ${return_code:0:1} in case ${return_code:0:1} in
@ -15,6 +13,10 @@ function log_request_to () {
esac esac
} }
function do_wrk_on () {
/wrk/wrk -t1 -c10 $1 &
}
function sigint_handler() { function sigint_handler() {
jobs -p | xargs kill -9 jobs -p | xargs kill -9
exit exit
@ -24,13 +26,10 @@ trap 'sigint_handler' INT
# TODO: make this a more elegant item # TODO: make this a more elegant item
# maybe a while loop with curl # maybe a while loop with curl
sleep 2 sleep 0.5
echo "[+] client making request loop" for iter in {0.999}; do
for iter in {0..80}; do do_wrk_on "https://kaproxy:8080/$iter"
((i=i%N)); ((i++==0)) && wait
echo "request to $iter"
log_request_to "https://kaproxy:8080/$iter" &
done done
wait $(jobs -p) wait $(jobs -p)
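Review bot: `for iter in {0.999}; do` is not a range — bash brace expansion needs `..` — so the body runs once with the literal path `/{0.999}`, which matches none of the generated `location /N` blocks; it should read `for iter in {0..999}; do`. Once that is fixed the loop backgrounds 1000 `wrk` processes at once (the nproc batching is gone), each opening 10 connections, which is far more than a proxy configured with `worker_connections 10` will accept, so the run will mostly measure refused connections rather than keepalive behaviour; lower `-c`, or keep the wait-every-N throttle. `do_wrk_on` should also quote its argument: `/wrk/wrk -t1 -c10 "$1" &`.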


@ -6,8 +6,8 @@ RUN echo "deb http://deb.debian.org/debian-debug/ bookworm-proposed-updates-debu
RUN apt update -y RUN apt update -y
RUN apt install libssl3 libssl3-dbgsym openssl openssl-dbgsym libssl-dev zlib1g-dev \ RUN apt install libssl3 libssl3-dbgsym openssl openssl-dbgsym libssl-dev zlib1g-dev \
libc6-dbg gcc make mk-configure valgrind libpcre2-dev libgcrypt20-dbgsym strace \ libc6-dbg gcc make mk-configure valgrind libpcre2-dev libgcrypt20-dbgsym \
procps --allow-downgrades -y --allow-downgrades -y
COPY nginx.conf / COPY nginx.conf /
WORKDIR / WORKDIR /
@ -24,9 +24,8 @@ WORKDIR /nginx
RUN auto/configure \ RUN auto/configure \
--with-debug \ --with-debug \
--with-http_ssl_module \ --with-http_ssl_module \
--with-file-aio \
--with-cc-opt="-gdwarf-4 -fno-omit-frame-pointer" --with-cc-opt="-gdwarf-4 -fno-omit-frame-pointer"
RUN make -j $(nproc --all) RUN make
RUN make install RUN make install
COPY run.sh / COPY run.sh /
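Review bot: `apt update` and `apt install` sit in separate `RUN` layers, so a rebuild that edits the package line reuses a cached, stale index and can fail or pull mismatched `libssl3`/`openssl` debug builds; combine them in one layer, use `apt-get` (apt warns that its CLI is not stable for scripts), add `--no-install-recommends`, and clear the lists: `RUN apt-get update && apt-get install -y --allow-downgrades --no-install-recommends <pkgs> && rm -rf /var/lib/apt/lists/*`. `--allow-downgrades` on unpinned names is a sign the proposed-updates-debug repo serves versions that do not match the base image; pinning `libssl3=<version>` and `openssl=<version>` explicitly would make the profile reproducible and make it obvious which OpenSSL build was measured.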


@ -1,8 +1,6 @@
#!/bin/bash #!/bin/bash
N=$(nproc --all) for iter in {0..999}; do
for iter in {0..79}; do
((i=i%N)); ((i++==0)) && wait
echo "minting cert $iter" echo "minting cert $iter"
openssl req -x509 \ openssl req -x509 \
-newkey rsa:4096 \ -newkey rsa:4096 \
@ -10,21 +8,18 @@ for iter in {0..79}; do
-out cert$iter.pem \ -out cert$iter.pem \
-sha256 -nodes \ -sha256 -nodes \
-days 3650 \ -days 3650 \
-subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=kaproxy-$iter" & -quiet \
done -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=kaproxy-$iter"
for iter in {0..79}; do upstr=$(($iter%10))
echo " echo '
location /$iter { location /$iter {
proxy_ssl_certificate /cert$iter.pem; proxy_ssl_certificate /cert$iter.pem;
proxy_ssl_certificate_key /key$iter.pem; proxy_ssl_certificate_key /key$iter.pem;
proxy_pass https://kasvc-$iter:8080; proxy_pass http://kasvc-$upstr:8080;
}" >> /nginx.conf }' >> /nginx.conf
done done
echo ' echo '
} }
} }
' >> /nginx.conf ' >> /nginx.conf
wait
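Review bot: The new `echo '` … `}' >> /nginx.conf` block is single-quoted, so `$iter` and `$upstr` are written literally and all 1000 iterations append the identical `location /$iter { … proxy_pass http://kasvc-$upstr:8080; }`, which nginx should reject as a duplicate location; use double quotes as the `-subj` line already does, i.e. `echo "` and `}" >> /nginx.conf`. `proxy_ssl_certificate` and `proxy_ssl_certificate_key` only apply to `https://` upstreams, so with `proxy_pass http://…` those two lines are inert and the 1000 serial 4096-bit `openssl req` runs above them produce key pairs nothing uses; either drop them or keep the upstream on https. The `-nodes` private keys land unencrypted in `/` of the image, which is acceptable for a throwaway harness but deserves a one-line comment saying so.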


@ -1,26 +1,19 @@
worker_processes 1; worker_processes 10;
error_log /dev/stdout debug; error_log /dev/stdout notice;
pid /tmp/pid; pid /tmp/pid;
# callgrind in worker processes must be able to do things
user root;
events { events {
worker_connections 10; worker_connections 10;
} }
http { http {
keepalive_timeout 300; keepalive_timeout 300;
aio on; # blocking io blocks tracing
directio 4m;
server { server {
listen 8080 ssl; listen 8080 ssl;
server_name www.example.com; server_name www.example.com;
ssl_certificate /www.example.com.crt; ssl_certificate /www.example.com.crt;
ssl_certificate_key /www.example.com.key; ssl_certificate_key /www.example.com.key;
ssl_certificate_cache max=1000;
ssl_session_cache shared:SSL:10m;
access_log /tmp/access.log; access_log /tmp/access.log;
proxy_socket_keepalive on; proxy_socket_keepalive on;
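Review bot: With `user root;` removed the master still runs as root (no `USER` is visible in the Dockerfile) while the workers presumably drop to nginx's compile-time default user, so `/tmp/access.log`, `/tmp/pid` and the callgrind output must be writable by that user; a comment such as `# workers run as the build's default user; /tmp paths must be writable by it` would save the next reader a debugging round. `worker_connections 10` is shared between client-facing and upstream sockets, so each of the 10 workers can hold only about five proxied keepalive requests in flight, which is a tiny ceiling for a 1000-path load run. `listen 8080 ssl` still sets no `ssl_protocols` or `ssl_ciphers`, so the server accepts whatever the OpenSSL build defaults to — fine for a harness, but state it next to the `listen` line.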


@ -3,10 +3,10 @@
function p_invoke() { function p_invoke() {
valgrind --tool=callgrind \ valgrind --tool=callgrind \
--trace-children=yes \ --trace-children=yes \
--callgrind-out-file=/tmp/callgrind.out.%p \ --callgrind-out-file=/tmp/callgrind.output \
--cache-sim=yes \ --cache-sim=yes \
--instr-atstart=no \
/nginx/objs/nginx \ /nginx/objs/nginx \
-p /tmp \
-e /tmp/error.log \ -e /tmp/error.log \
-c /nginx.conf \ -c /nginx.conf \
-g "daemon off;" -g "daemon off;"
@ -14,6 +14,7 @@ function p_invoke() {
function invoke() { function invoke() {
/nginx/objs/nginx \ /nginx/objs/nginx \
-p /tmp \
-e /tmp/error.log \ -e /tmp/error.log \
-c /nginx.conf \ -c /nginx.conf \
-g "daemon off;" \ -g "daemon off;" \
@ -34,14 +35,7 @@ function sigcont_handler() {
trap 'sigint_handler' INT trap 'sigint_handler' INT
trap 'sigcont_handler' CONT trap 'sigcont_handler' CONT
# enable tracing
echo 1 > /proc/sys/kernel/yama/ptrace_scope
p_invoke & p_invoke &
wait wait
echo "NGINX down. waiting to find it again" echo "NGINX down. waiting until signalled..."
sleep 0.5
wait $(cat /tmp/pid)
echo "NGINX is GONE. waiting until signalled"
sleep infinity sleep infinity
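Review bot: `--callgrind-out-file=/tmp/callgrind.output` drops the `%p` placeholder while `--trace-children=yes` stays and nginx.conf now asks for 10 workers, so the master and every worker appear to write the same output path and clobber each other's profile; keep the per-pid form `--callgrind-out-file=/tmp/callgrind.out.%p` (the host script's `find /tmp -iname "callgrind.out*"` matches it). The `ptrace_scope` write is gone too; if `callgrind_control` needs to ptrace-attach to wake a worker blocked in a syscall (the old side's comment suggests it did), the `-i on/off` and `-d` commands may now silently do nothing inside the container, so either restore it or verify the controls take effect. `invoke`'s body continues outside the hunk.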


@ -1,95 +1,32 @@
package main package main
import ( import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"math/big"
"net"
"net/http"
"os"
"time"
"fmt" "fmt"
"net"
"net/http"
"time"
) )
func generateSelfSignedCert(host string) (tls.Certificate, error) {
cert := &x509.Certificate{
SerialNumber: big.NewInt(0),
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
}
cert.DNSNames = []string{host}
certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return tls.Certificate{}, err
}
certBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, &certPrivKey.PublicKey, certPrivKey)
if err != nil {
return tls.Certificate{}, err
}
certPEM := new(bytes.Buffer)
pem.Encode(certPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})
certPrivKeyPEM := new(bytes.Buffer)
pem.Encode(certPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
})
serverCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
if err != nil {
return tls.Certificate{}, err
}
return serverCert, err
}
type myHandler struct{ type myHandler struct{
nreq int nreq int
} }
func (h myHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (h myHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
fmt.Printf("accepted request number %d", h.nreq) fmt.Printf("accepted request number %d", h.nreq)
fmt.Fprintf(w, "request number: %d", h.nreq) fmt.Fprintf(w, "request number: %d", h.nreq)
} }
func main() { func main() {
hostname, err := os.Hostname()
if err != nil {
fmt.Println(err)
os.Exit(1)
}
cert, err := generateSelfSignedCert(hostname)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.RequireAnyClientCert,
}
srv := &http.Server{ srv := &http.Server{
Addr: ":8080", Addr: ":8080",
Handler: myHandler{nreq: 0}, Handler: myHandler{nreq: 0},
ReadTimeout: 5 * time.Minute, ReadTimeout: 5 * time.Second,
WriteTimeout: 5 * time.Minute, WriteTimeout: 10 * time.Second,
IdleTimeout: 5 * time.Minute, IdleTimeout: 300 * time.Second,
ConnState: func(conn net.Conn, event http.ConnState) { ConnState: func(conn net.Conn, event http.ConnState) {
fmt.Printf("addr: %s, changed state to: %s", conn.RemoteAddr(), event.String()) fmt.Printf("addr: %s, changed state to: %s", conn.RemoteAddr(), event.String())
}, },
TLSConfig: tlsConfig,
} }
srv.ListenAndServeTLS("", "") srv.ListenAndServe()
} }
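Review bot: The return value of `srv.ListenAndServe()` is discarded, so a bind failure on `:8080` ends the process with exit 0 and no message; write `if err := srv.ListenAndServe(); err != nil { panic(err) }` (or `log.Fatal` with `log` imported). Dropping TLS here also makes every `proxy_ssl_certificate` line the proxy's config generator emits inert, so the two files should agree on the scheme — either this side stays plain HTTP and those directives go, or the upstream keeps TLS. `h.nreq` is never incremented (value receiver, no write), so both log lines always print 0; a pointer receiver with an atomic counter would make the output meaningful.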

run.sh

@ -35,35 +35,36 @@ echo "[+] building and deploying containers"
go build keepalive-svc.go go build keepalive-svc.go
mv keepalive-svc kasvc/ mv keepalive-svc kasvc/
rsync -avz $1 kaproxy/ rsync -avz $1 kaproxy/
docker-compose up --build -d sudo docker-compose up --build -d
sudo docker exec -it $KAPROXY callgrind_control -i off
docker wait $KACLIENT sudo docker wait $KACLIENT
echo "[+] client finished, triggering reload" echo "[+] client finished, triggering reload"
docker exec $KAPROXY callgrind_control -i on sudo docker exec -it $KAPROXY callgrind_control -i on
docker kill -s CONT $KAPROXY sudo docker kill -s CONT $KAPROXY
echo "[+] wait five seconds for reload complete" echo "[+] wait five seconds for reload complete"
sleep 5 sleep 5
sudo docker exec -it $KAPROXY callgrind_control -i off
echo " > restarting client" echo " > restarting client"
docker-compose restart kaclient sudo docker-compose restart kaclient
docker wait $KACLIENT sudo docker wait $KACLIENT
echo "[+] client finished again. reloading NGINX and fetching profile data" echo "[+] client finished again. Killing NGINX and fetching profile data"
docker kill -s CONT $KAPROXY sudo docker kill -s INT $KAPROXY
#docker exec $KAPROXY callgrind_control -i off sudo docker exec -it $KAPROXY callgrind_control -d
docker kill -s INT $KAPROXY
sleep 10
echo "[+] building profiling report" echo "[+] building profiling report"
docker exec $KAPROXY bash -c "find /tmp -iname \"callgrind.out*\"" | while read file sudo docker exec $KAPROXY bash -c "find /tmp -iname \"callgrind.out*\"" | while read file
do do
echo " > processing: " $file echo " > processing: " $file
F=$(basename $file) F=$(basename $file)
docker cp $KAPROXY:$file $F; sudo docker cp $KAPROXY:$file $F;
sudo chmod 777 $F sudo chmod 777 $F
echo "Output file: $F" >> $PROFILE_OUTPUT echo "Output file: $F" >> $PROFILE_OUTPUT
callgrind_annotate \ callgrind_annotate \
--include=kaproxy \
--auto=yes \ --auto=yes \
$F >> $PROFILE_OUTPUT $F >> $PROFILE_OUTPUT
echo "End of profile: $F\n\n\n" >> $PROFILE_OUTPUT echo "End of profile: $F\n\n\n" >> $PROFILE_OUTPUT