[OpenSIPS-Users] Long reload time for mi tls_reload for 200 tls/ssl certs

[Liviu Chircu]

Hi Denys,

The report shows OpenSSL library doing small SHM allocations (4, 10, 
608, 24... bytes), which seem to frequently take place inside the 
PEM_read_bio_X509() loop (as part of the load_certificate_db() 
function).  Such a sequence of allocations could be stress-testing the 
allocator in a way that could justify 250 ms per certificate in total, 
as it is fragmenting the memory.  The effect can be more pronounced the 
*less* stuff is going on in your OpenSIPS instance, as the process of 
breaking up the big memory chunk into smaller units may use up to 
hundreds of cycles on each allocation.  For example:  testing box with 
no SIP traffic, or 'tls_reload' after a fresh restart, etc.

Please try the following:

- still using F_MALLOC, try doing more 'tls_reload' operations in a 
row.  Does performance improve?

- try using the "-a HP_MALLOC" allocator when booting your OpenSIPS - 
that one favors memory fragmentation a bit more, so subsequent reloads 
should be faster

Best regards,

Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com

On 14.05.2024 16:47, Denys Pozniak wrote:
> I disabled logging and added some resources to the virtual machine.
> On a working OpenSIPS, I reloaded the tls several times and in 
> parallel ran a trap.
> #opensips-cli -x mi tls_reload
> #opensips-cli -x trap
>
> If possible, please analyze it again, maybe you could find something 
> interesting:
> https://github.com/denyspozniak/opensips_tls_debug/tree/main
>
> Thanks in advance!