From: Stanislav Sedov <stas@FreeBSD.org>
To: Arkadi Shishlov <arkadi@mebius.lv>
Cc: freebsd-performance@freebsd.org
Date: Wed, 27 Feb 2008 11:26:05 +0300
Subject: Re: PHP with open_basedir performance problem
Message-ID: <20080227082605.GL51827@dracon.ht-systems.ru>
In-Reply-To: <47B478E6.8080902@mebius.lv>

On Thu, Feb 14, 2008 at 07:22:46PM +0200 Arkadi Shishlov mentioned:
> Stanislav Sedov wrote:
>> I'd suggest you to disable open_basedir at all or roll out specialized
>> implementation. I had a lot of similar problems with open_basedir in
>> the past, so I just rewrote it to match our specific security policy.
>
> Can you share a hint how exactly this specialized implementation may look like?
> The requirement is simple: php script working under apache mod_php can't
> open files outside of virtual host document root whenever php safe mode is
> enabled or disabled. Website owners can create symlinks.
> I understand the open_basedir is kinda flawed security measure, and
> safe_mode is a primary safeguard with mod_php, but it would be nice to get
> it working under FreeBSD too.

Well, my security mechanisms are pretty simple and use some combination
of MAC and bare uids/gids to enforce required permissions. The code is
about 100 lines of code, much less than the original open_basedir
implementation. In any case, the code won't be useful to you as is; it
works combined with an ad-hoc apache module that sets required flags,
variables, etc.

>
>> Most basedir problems are linked with the fact it produces a lot of lstat/
>> readlinks on every require, include or open command. On Linux it performs
>> even worse, as they implemented readlink there by hand, and, of course,
>> their implementation isn't particularly good.
>
> But there is no high sys cpu usage on Linux in contrary to FreeBSD, as
> reported by original author of the thread..?
> Do you have numbers or benchmark ready? I see the number of syscalls
> required is astonishing (on Linux) but doesn't cause any problem at first
> look.
>

I don't have specific benchmark numbers, and it's true that top on Linux
doesn't show such sys time usage as on FreeBSD boxes. However, the
overall performance of boxes on FreeBSD is 30-40% higher than Linux
ones. These numbers are empirical, but I'm pretty sure of them: in the
past I migrated Linux hosting to FreeBSD-based, and after that I was
able to add a bunch of new users to those boxes without performance
impact. In fact, the load average on these boxes is MUCH lower than it
was on Linux. Also, I noticed that stat() costs much more on Linux than
on FreeBSD. I don't know for certain why Linux shows low sys time usage;
probably it's just bugs in accounting.

My basedir patches were implemented later on FreeBSD boxes, and I never
returned to Linux. Thus I can't say whether it impacts Linux performance
or not...

--
Stanislav Sedov
ST4096-RIPE
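
Added example, not part of the original message and not PHP's or the poster's code: a component-by-component path walk of the kind that generates the lstat/readlink traffic discussed in this thread, with the document-root decision made on the canonical result so that an owner-created symlink cannot lead outside it. The names resolve, allowed, demo and seen, and the temp-dir tree (a directory lib/ and a symlink out -> ..) are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static struct cost { int lstats, readlinks; } seen[2]; /* per-check syscalls; set by demo() */
/* Canonicalise absolute `path` into out[PATH_MAX], one component at a time. */
static int resolve(const char *path, char *out, struct cost *c, int depth)
{
    char work[PATH_MAX], link[PATH_MAX], next[PATH_MAX], *save = NULL, *s;
    struct stat st;
    if (depth > 16 || path[0] != '/' || strlen(path) >= sizeof work) return -1;
    strcpy(work, path); out[0] = '\0';
    for (char *t = strtok_r(work, "/", &save); t; t = strtok_r(NULL, "/", &save)) {
        ssize_t n, len = strlen(out);
        if (!strcmp(t, ".")) continue;
        if (!strcmp(t, "..")) { if ((s = strrchr(out, '/'))) *s = '\0'; continue; }
        if (snprintf(out + len, PATH_MAX - len, "/%s", t) >= PATH_MAX - len) return -1;
        c->lstats++;                             /* one lstat() per component */
        if (lstat(out, &st)) return -1;
        if (!S_ISLNK(st.st_mode)) continue;
        c->readlinks++;                          /* one readlink() per symlink */
        if ((n = readlink(out, link, sizeof link - 1)) < 0) return -1;
        link[n] = out[len] = '\0';               /* keep only the link's parent */
        if (snprintf(next, sizeof next, "%s/%s/%s", link[0] == '/' ? "" : out, link,
                     save ? save : "") >= (int)sizeof next) return -1;
        return resolve(next, out, c, depth + 1); /* re-walk the rewritten path */
    }
    if (!out[0]) strcpy(out, "/");
    return 0;
}
/* Document-root decision for base/rel; base is canonical with no trailing '/'. */
static int allowed(const char *base, const char *rel, struct cost *c)
{
    char p[2 * PATH_MAX], r[PATH_MAX];
    size_t n = strlen(base);      /* match on a component boundary only */
    snprintf(p, sizeof p, "%s/%s", base, rel);
    return !resolve(p, r, c, 0) && !strncmp(r, base, n) && (r[n] == '/' || !r[n]);
}
static int demo(void)             /* returns 1: lib accepted, out refused */
{
    char tmpl[] = "/tmp/obd.XXXXXX", root[PATH_MAX];   /* constructed tree */
    if (!mkdtemp(tmpl) || !realpath(tmpl, root) || chdir(root)) return -1;
    if (mkdir("lib", 0700) || symlink("..", "out")) return -1;
    int ok = allowed(root, "lib", &seen[0]) && !allowed(root, "out", &seen[1]);
    return (unlink("out") || rmdir("lib") || chdir("/") || rmdir(root)) ? -1 : ok;
}
```

In the constructed tree the symlinked path costs almost twice the lstat() calls of the plain one, plus a readlink(), before it is refused; that is the per-open overhead multiplied across every require and include.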