DaemonForums  

  #1   (View Single Post)  
Old 19th December 2013
hanzer hanzer is offline
Real Name: Adam Jensen
cybernetic organism
 
Join Date: Oct 2013
Location: Oak Ridge, TN
Posts: 31
Thanked 0 Times in 0 Posts
Default softraid crypto compared to geom_eli (geli)

Encrypted file-system characterizations were performed with bonnie++ on the same machine with the same disk configuration (of course).

OpenBSD-5.4-amd64 softraid crypto (dmesg)

Code:
Version  1.97       ------Sequential Output------ --Sequential Input- --Random-
Concurrency   1     -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
colossus.bohemi 16G   283  99 34870  98  7577  25   359  99  9910   3 158.1  29
Latency             55202us   24219us   40287us   39418us   36989us     492ms
Version  1.97       ------Sequential Create------ --------Random Create--------
colossus.bohemia.ne -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16   795  60 +++++ +++  1631  66   799  59 +++++ +++  1599  68
Latency             79681us     168us     885us   27069us     161us    1008us

FreeBSD-9.2-amd64 geom_eli (dmesg)

Code:
Version  1.97       ------Sequential Output------ --Sequential Input- --Random-
Concurrency   1     -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
colossus        16G   339  99 100724  25 12540   7   628  99 57999   8 449.2  15
Latency             25403us     413ms    2993ms   18898us     391ms     333ms
Version  1.97       ------Sequential Create------ --------Random Create--------
colossus            -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16   630   3 +++++ +++  1086   3   629   3 +++++ +++  1066   4
Latency              9551us     207us    1142us   28115us     178us    1170us
Reply With Quote
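
The two bonnie++ summary rows from post #1, parsed so the softraid and geli runs can be compared field by field, including throughput per percent of CPU. This is an added example, not part of the original post; the field labels and function names are this example's own.

```python
# Column order of the bonnie++ 1.97 summary row; labels are this example's own.
FIELDS = ("putc", "write", "rewrite", "getc", "read", "seeks")

# The two "Machine Size ..." data rows exactly as posted above.
SOFTRAID = "colossus.bohemi 16G   283  99 34870  98  7577  25   359  99  9910   3 158.1  29"
GELI = "colossus        16G   339  99 100724  25 12540   7   628  99 57999   8 449.2  15"


def parse_row(line):
    """Return {field: (rate, cpu_pct)}; rate is K/sec, or seeks/sec for 'seeks'."""
    tokens = line.split()
    if len(tokens) != 2 + 2 * len(FIELDS):
        raise ValueError(f"expected {2 + 2 * len(FIELDS)} columns, got {len(tokens)}")
    values = tokens[2:]  # skip machine name and file size
    row = {}
    for i, name in enumerate(FIELDS):
        rate, cpu = values[2 * i], values[2 * i + 1]
        # bonnie++ prints '+++++' / '+++' when a test ran too briefly to measure.
        row[name] = None if "+" in rate + cpu else (float(rate), float(cpu))
    return row


def compare(base, other):
    """Per field: other/base throughput ratio and throughput per percent of CPU."""
    report = {}
    for name in FIELDS:
        if base[name] is None or other[name] is None:
            continue  # unmeasured on one side, nothing to compare
        (r0, c0), (r1, c1) = base[name], other[name]
        report[name] = {
            "ratio": round(r1 / r0, 2),
            "base_per_cpu": round(r0 / c0, 1) if c0 else None,
            "other_per_cpu": round(r1 / c1, 1) if c1 else None,
        }
    return report


if __name__ == "__main__":
    for field, stats in compare(parse_row(SOFTRAID), parse_row(GELI)).items():
        print(f"{field:8} geli/softraid={stats['ratio']:<6} "
              f"rate per %CPU: softraid={stats['base_per_cpu']} geli={stats['other_per_cpu']}")
```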
  #2   (View Single Post)  
Old 20th December 2013
s0xxx s0xxx is offline
Package Pilot
 
Join Date: May 2008
Posts: 194
Thanked 47 Times in 22 Posts
Default

@hanzer

Could you try converting the results through bon_csv2html (comes with bonnie++) and post it here? It would be more readable than the output you posted.
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
Reply With Quote
  #3   (View Single Post)  
Old 20th December 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Post the output of mount(8) specifying no options.

Soft updates (see Section 14.6 of the FAQ...) may help with your performance concerns.
Reply With Quote
  #4   (View Single Post)  
Old 21st December 2013
hanzer hanzer is offline
Real Name: Adam Jensen
cybernetic organism
 
Join Date: Oct 2013
Location: Oak Ridge, TN
Posts: 31
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by s0xxx View Post
@hanzer

Could you try converting the results through bon_csv2html (comes with bonnie++) and post it here? It would be more readable than the output you posted.

Forum HTML code is Off it seems, though I might have missed something. Next week I will install a four-disk RAID5 array (on the test machine) in addition to the existing two-disk RAID0 array. I would like to evaluate PostgreSQL performance - on both arrays, on encrypted and unencrypted partitions - for both FreeBSD and OpenBSD. I've been rebuilding often while exploring the various characteristics of different configurations. If I don't explicitly save data then it's lost. If anyone has any recommendations for specific tests, configurations, and/or data that should be collected, let me know and I'll do what I can to collect it and present it in a reasonable fashion.
Reply With Quote
  #5   (View Single Post)  
Old 21st December 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

I understand encrypted hard disks can be useful on a laptop that because of its use is difficult to secure physically.

But why would you want to put a database on an encrypted RAID5? Please enlighten me
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #6   (View Single Post)  
Old 21st December 2013
hanzer hanzer is offline
Real Name: Adam Jensen
cybernetic organism
 
Join Date: Oct 2013
Location: Oak Ridge, TN
Posts: 31
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by J65nko View Post
...why would you want to put a database on an encrypted RAID5

A question I find more interesting is - why wouldn't you want to put a database on an encrypted RAID5?
Reply With Quote
  #7   (View Single Post)  
Old 21st December 2013
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,711
Thanked 214 Times in 189 Posts
Default

  • Each layer between a block to be read or written and the read or write adds both complexity and a possibility for an error.
  • RAID and/or encryption/decryption both add to this complexity. It does not matter if you are using software or hardware implementations of these.
  • An error will most commonly occur through human error. The more complexity, the greater the risk of human error.
  • Less commonly, an error/failure will occur through software error. The same relative level of risk is involved if this is "software RAID / software encryption" or if these are "hardware" implementations. The only difference is where the software is executed.
  • There will always be hardware failures with storage devices; which is why manufacturers publish MTBF and related specifications.

Depending on the types of errors that occur, and errors will occur -- human, software, or hardware -- the risk of data loss is of critical concern. Every layer of complexity increases the risk of data loss. The prudent storage infrastructure architect will endeavor to mitigate these risks.

---

I spent several decades in IT infrastructure consulting, sales, marketing and management, specializing in data storage infrastructures. For whatever that may be worth.
Reply With Quote
  #8   (View Single Post)  
Old 21st December 2013
Martillo Martillo is offline
Semper deinceps corda
 
Join Date: Apr 2013
Location: Madrid, Spain
Posts: 65
Thanked 0 Times in 0 Posts
Default

I am quite happy with the RAID1 performance, even if my disks are not the best to be paired. I wrote a post weeks ago about it. I even encrypted a partition on this RAID1. I can say that what I like about softraid is its consistent performance.

A note about encryption on laptops or variable-frequency processors: The CPU frequency largely affects encryption performance.
Reply With Quote
  #9   (View Single Post)  
Old 22nd December 2013
hanzer hanzer is offline
Real Name: Adam Jensen
cybernetic organism
 
Join Date: Oct 2013
Location: Oak Ridge, TN
Posts: 31
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by Martillo View Post
...The CPU frequency largely affects encryption performance.

softraid crypto does seem to be CPU intensive (unnecessarily?). I've been surprised recently to see (on one particular machine) that geom_eli has a significantly lower CPU load with [overall] significantly better performance.
Reply With Quote
Old 22nd December 2013
hanzer hanzer is offline
Real Name: Adam Jensen
cybernetic organism
 
Join Date: Oct 2013
Location: Oak Ridge, TN
Posts: 31
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jggimi View Post
Each layer between a block to be read or written and the read or write adds both complexity and a possibility for an error.

The goals of mission-critical, safety-critical and security-critical systems are not necessarily achieved through Luddism

Joking aside, I hear what you're saying. Software is fundamentally fragile; competence is fickle and fleeting. Strategies for probable contingencies can mitigate risk but there is a point at which we all just have to roll the dice and deal with what comes to us.

Whoa, shove me into the shallow water.
Reply With Quote
Old 26th December 2013
hanzer hanzer is offline
Real Name: Adam Jensen
cybernetic organism
 
Join Date: Oct 2013
Location: Oak Ridge, TN
Posts: 31
Thanked 0 Times in 0 Posts
Default

The test results with six 146GB 10kRPM U320 SCSI disks in a RAID5 array (with HP Smart Array 6404 RAID controller):

Code:
| initialize DB     | set scaling factor: 70  |
|-------------------+-------------------------|
| pgbench -i bench1 | pgbench -i -s 70 bench1 |


| Test         | command                            |
|--------------+------------------------------------|
| Read-Write   | pgbench -c 4 -j 2 -T 600 bench1    |
| Read-Only    | pgbench -c 4 -j 2 -T 600 -S bench1 |
| Simple Write | pgbench -c 4 -j 2 -T 600 -N bench1 |

Number of transactions processed:

| OS / Partition    | Read-Write | Read-Only | Simple Write |
|-------------------+------------+-----------+--------------|
| FreeBSD uncrypted |     207699 |   3037812 |       233599 |
| FreeBSD encrypted |     138485 |   2816533 |       201539 |
| OpenBSD uncrypted |      91896 |    135979 |        94823 |
| OpenBSD encrypted |      72809 |    137021 |        76443 |

bonnie++ file-system characterizations.

64GB partitions were used for all tests. Default configurations for PostgreSQL, softraid-crypto, and geli were used (basic recipes from the handbook or FAQ).

Conclusion: I think there might be something wrong with OpenBSD's ciss(4) driver.
Reply With Quote
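
The pgbench counts from the last post, reduced to two figures: the throughput lost to encryption on each OS, and the FreeBSD/OpenBSD ratio on the unencrypted partitions. This is an added example, not part of the original post; the function names and test labels are this example's own, and the 600-second duration comes from the `-T 600` option in the posted commands.

```python
DURATION_S = 600  # every posted pgbench command ran with -T 600

# Rows copied from the results table in the post above.
TABLE = """\
| FreeBSD uncrypted |     207699 |   3037812 |       233599 |
| FreeBSD encrypted |     138485 |   2816533 |       201539 |
| OpenBSD uncrypted |      91896 |    135979 |        94823 |
| OpenBSD encrypted |      72809 |    137021 |        76443 |
"""
TESTS = ("read_write", "read_only", "simple_write")


def parse(table):
    """Map (os, partition) -> {test: transactions} from the pipe-delimited rows."""
    results = {}
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip("|").split("|")]
        os_name, partition = cells[0].split()
        results[(os_name, partition)] = dict(zip(TESTS, map(int, cells[1:])))
    return results


def tps(results, os_name, partition, test):
    """Transactions per second over the fixed run duration."""
    return round(results[(os_name, partition)][test] / DURATION_S, 1)


def encryption_cost_pct(results, os_name):
    """Percent of throughput lost going from the plain to the encrypted partition."""
    plain, enc = results[(os_name, "uncrypted")], results[(os_name, "encrypted")]
    return {t: round(100 * (1 - enc[t] / plain[t]), 1) for t in TESTS}


def platform_ratio(results, partition="uncrypted"):
    """FreeBSD transactions divided by OpenBSD transactions, same partition type."""
    f, o = results[("FreeBSD", partition)], results[("OpenBSD", partition)]
    return {t: round(f[t] / o[t], 2) for t in TESTS}


if __name__ == "__main__":
    r = parse(TABLE)
    for name in ("FreeBSD", "OpenBSD"):
        print(name, "encryption cost %:", encryption_cost_pct(r, name))
    print("FreeBSD/OpenBSD, unencrypted:", platform_ratio(r))
```

A negative cost means the encrypted run completed slightly more transactions than the plain one, which is within run-to-run variation for a single measurement.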