
PF на FreeBSD под Xen тормоз системы

Приветствую всех Наговцев!

Поднят VPS. На одной из виртуалок есть проблема:

При включении pf очень жестко тормозит система, даже консоль по ssh подвисает.

Пробовал включать с правилом:

pass all no state

Сбрасывал все правила и делал отключение и включение pf:

pfctl -F all
pfctl -d
pfctl -e

Ситуация не изменилась.

Т.е. неважно, есть ли какие-то правила или нет, включение PF вводит систему в коматозное состояние.

 

Родительская ОС - CentOS 5.5. Поднят Xen 3.4.3.

Виртуальная машина (HVM) поднята на FreeBSD 8.1-RELEASE-p2 #1 amd64

Ядро

# FreeBSD 8.1 amd64 kernel configuration for a Xen HVM guest (ident XENHVM).
# GENERIC-style option/device list with PF, NETGRAPH and Xen HVM additions;
# group comments below note what each block enables and what it exposes.
cpu             HAMMER
ident           XENHVM

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

# Use the following to compile in values accessible to the kernel
# through getenv() (or kenv(1) in userland). The format of the file
# is 'variable=value', see kenv(1)
#
# env           "GENERIC.env"

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols
#makeoptions    MODULES_OVERRIDE=""

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
# NFS client, server and lock manager are all compiled in. On a VPS that
# exports nothing, the server side is unused kernel code; it is harmless while
# nfsd is not started but can be dropped to shrink the kernel.
options         NFSCLIENT               # Network Filesystem Client
options         NFSSERVER               # Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCLIENT
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
# Legacy ABI/compat layers: each keeps old syscall entry points reachable for
# binaries built against that release. Keep only the ones actually needed.
options         COMPAT_43TTY            # BSD 4.3 TTY compat (sgtty)
options         COMPAT_FREEBSD32        # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
#options        KDTRACE_FRAME           # Ensure frames are compiled in
#options        KDTRACE_HOOKS           # Kernel DTrace hooks
# Non-adaptive locks: contended mutexes/rwlocks sleep instead of spinning.
# NOTE(review): the stock XENHVM config carries these two lines because a lock
# holder's VCPU may not really be running under a hypervisor — confirm against
# sys/amd64/conf/XENHVM before treating them as a local change.
options         NO_ADAPTIVE_MUTEXES
options         NO_ADAPTIVE_RWLOCKS
# ipfw is fully commented out; PF below is the only packet filter built in.
#options         IPFIREWALL             # IPFW on
#options         IPFIREWALL_VERBOSE     # Record receive log
#options         IPFIREWALL_VERBOSE_LIMIT=10    # Limit line log
#options         IPFIREWALL_FORWARD     # Forward packets
#options         IPFIREWALL_DEFAULT_TO_ACCEPT # allow all on crash ipfw

### PF -- pf(4) packet filter and pflog(4) logging interface, built into the
### kernel rather than loaded as modules.
device pf
device pflog
### FOR MPD -- netgraph nodes used by the mpd PPP daemon
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE

# Debugging for use in -current
#options        KDB                     # Enable kernel debugger support.
#options        DDB                     # Support DDB.
#options        GDB                     # Support remote GDB.
#options        INVARIANTS              # Enable calls of extra sanity checking
#options        INVARIANT_SUPPORT       # Extra sanity checks of internal structures, required by INVARIANTS
#options        WITNESS                 # Enable checks to detect deadlocks and cycles
#options        WITNESS_SKIPSPIN        # Don't run witness on spinlocks for speed

# Make an SMP-capable kernel by default
# NOTE(review): the guest in this thread reports two CPUs; whether SMP matters
# for the pf slowdown is the open question of the thread, not established here.
options         SMP                     # Symmetric MultiProcessor Kernel

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
device          pci

# Floppy drives
device          fdc

# Xen HVM support: enables the paravirtualised Xen bus for an HVM guest.
# The xn0 interface mentioned later in the thread is presumably the Xen
# network front-end provided through this support.
options         XENHVM
device          xenpci

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          ataraid         # ATA RAID drives
device          atapicd         # ATAPI CDROM drives
device          atapifd         # ATAPI floppy drives
device          atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering

# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
device          ch              # SCSI media changers
device          da              # Direct Access (disks)
device          sa              # Sequential Access (tape etc)
device          cd              # CD
device          pass            # Passthrough device (direct SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)


# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          kbdmux          # keyboard multiplexer

device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

device          agp             # support several AGP chipsets

# Serial (COM) ports
device          uart            # Generic UART driver

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
# re(4) only matters if a RealTek NIC is passed into the guest; the guest
# appears to use the Xen interface xn0 instead, so this driver is likely idle.
device          miibus          # MII bus support
device          re              # RealTek 8139C+/8169/8169S/8110S

# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          tun             # Packet tunnel.
device          pty             # BSD-style compatibility pseudo ttys
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)
device          firmware        # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
# pflog(4) above also delivers its log records through bpf, so this stays.
device          bpf             # Berkeley packet filter

 

loader.conf

# /boot/loader.conf of the FreeBSD 8.1 HVM guest, as posted in the thread.
# Root filesystem comes from the ZFS pool/dataset "tank0".
vfs.root.mountfrom="zfs:tank0"
# Load zfs.ko at boot; required for the ZFS root above.
zfs_load="YES"
# Tunable for the CLFLUSH instruction, used as a hypervisor workaround.
# NOTE(review): the commonly documented workaround value is 1 — confirm what
# the value 2 does on 8.1 before relying on it.
hw.clflush_disable="2"

 

Других изменений вроде бы не делалось.

Если что-то еще нужно выложить - говорите...

 

P.S. Заранее спасибо за помощь!!


Сколько процов видно в виртуалке? Надо один, т.к. pf и altq не рассчитаны на SMP.


Процессора видно два:

last pid: 49410;  load averages:  0.23,  0.33,  0.32                                                                                                up 5+18:02:45  11:47:02
161 processes: 3 running, 143 sleeping, 15 waiting
CPU 0:  0.0% user,  0.0% nice,  1.9% system,  1.5% interrupt, 96.6% idle
CPU 1:  0.0% user,  0.0% nice,  1.1% system,  4.9% interrupt, 94.0% idle
Mem: 350M Active, 44M Inact, 383M Wired, 16K Cache, 206M Free
Swap: 1024M Total, 1024M Free

  PID USERNAME PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
   11 root     171 ki31     0K    32K CPU0    0  92.4H 98.00% {idle: cpu0}
   11 root     171 ki31     0K    32K RUN     1  92.4H 90.28% {idle: cpu1}
   12 root     -32    -     0K   240K WAIT    1  11:05  1.27% {swi4: clock}
   12 root     -52    -     0K   240K WAIT    0  45:55  0.59% {irq28: xenpci0}
   12 root     -32    -     0K   240K WAIT    1  11:30  0.20% {swi4: clock}

 

Но не думаю, что проблема в этом.

По крайней мере, на другом серваке (не виртуальном)

стоит двухъядерный проц на FreeBSD 8.1 с SMP, и все работает нормально...


Запустился на одном CPU, перекомпилил ядро.

Ситуация не изменилась :(


Какая сетевая карта установлена в физический сервер?

Кроме FreeBSD, ею точно никто не пользуется?

 

Какая сетевая карта установлена в физический сервер?

Кроме FreeBSD, ею точно никто не пользуется?

Сетевая в физическом сервере под виртуальные серваки — Intel Desktop Pro/1000 MT (сетевая нагрузка небольшая, ее вполне хватает).

Для управления — другая...

А на виртуальной машине под FreeBSD видна виртуальная сетевая xn0.

