On Mon, Apr 16, 2018 at 5:41 PM, Russ Allbery <[email protected]> wrote:
> Sergei Gerasenko <[email protected]> writes:
>
> > Will keeping an access log slow me down much, do you know?
>
> Yes, you may want to tune syslog or whatever you're using for your KDC
> logging, although MIT is a lot better than Heimdal in that regard (Heimdal
> is very verbose). I generally disabled sync to disk on the syslog log
> file that the KDC logging was routed to.

Agree with disabling sync logging to local disk. The problem I've run into is TCP syslog where the remote system can't keep up. Ask me how I know... Always better to write to local log file asynchronously, then have an agent (filebeat, splunk) follow that file and forward on, as it will still be more reliable than any flavor of remote syslog.

> > For that matter, is there a benchmarking tool for KDCs?
>
> Not that I'm aware of. I usually just rolled my own by calling kinit with
> a keytab and then kvno to get service tickets.

I wrote this a while back to help track down a TCP syslog bottleneck, which later turned out to be very useful for isolating other performance issues and general capacity planning. Also currently using it to demonstrate how much faster MIT Kerberos is compared to AD, even when not using workers (on modern-ish CPUs, without workers enabled krb5kdc can do ~4000 rps. I can share more details if folks are interested).

https://github.com/acobaugh/krb5perf

It is worth noting that when load testing a single KDC, you pretty much have to take DNS out of the equation somehow. Initially I was testing the performance of my local unbound caching nameserver...

--
andy
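The roll-your-own approach from the quoted reply (kinit with a keytab, then kvno for a service ticket), sketched as an added example; it is not part of the original message and is not krb5perf's code. The script name, principal, service and keytab names are constructed placeholders, and the `KINIT`/`KVNO` override variables are an assumption added so the loop can be dry-run without a KDC.

```shell
#!/bin/sh
# Added example: minimal KDC load loop (AS-REQ via kinit, TGS-REQ via kvno).
# KINIT/KVNO are hypothetical overrides so the loop can be dry-run offline.
KINIT=${KINIT:-kinit}
KVNO=${KVNO:-kvno}

# kdc_bench ITERATIONS KEYTAB PRINCIPAL SERVICE
# Prints one line: "ok=<n> fail=<n> seconds=<n> rps=<n>"
kdc_bench() {
    iters=$1 keytab=$2 princ=$3 svc=$4
    ok=0 fail=0 i=0
    tmpdir=$(mktemp -d) || return 1
    start=$(date +%s)
    while [ "$i" -lt "$iters" ]; do
        i=$((i + 1))
        # Fresh credential cache per iteration, so kvno cannot reuse a cached
        # service ticket and every pass sends both requests to the KDC.
        cc="FILE:$tmpdir/cc.$i"
        if KRB5CCNAME=$cc "$KINIT" -k -t "$keytab" "$princ" >/dev/null 2>&1 &&
           KRB5CCNAME=$cc "$KVNO" -q "$svc" >/dev/null 2>&1; then
            ok=$((ok + 1))
        else
            fail=$((fail + 1))
        fi
        rm -f "$tmpdir/cc.$i"
    done
    end=$(date +%s)
    rm -rf "$tmpdir"
    secs=$((end - start))
    [ "$secs" -gt 0 ] || secs=1   # avoid divide-by-zero on very short runs
    # Each successful iteration is two KDC requests (AS + TGS).
    echo "ok=$ok fail=$fail seconds=$secs rps=$(( (ok * 2) / secs ))"
}

# Runs only when called with four arguments, e.g. (constructed names):
#   KRB5_CONFIG=./bench-krb5.conf sh kdcbench.sh 1000 bench.keytab \
#       bench@EXAMPLE.TEST host/svc.example.test
if [ "$#" -eq 4 ]; then
    kdc_bench "$@"
fi
```

To keep DNS out of the measurement, point `KRB5_CONFIG` at a krb5.conf that lists the KDC by IP address under `[realms]` and sets `dns_lookup_kdc = false`. A single serial loop mostly measures per-request latency, so run several copies in parallel to approach the KDC's throughput limit.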
