Maria Arrea
2011-Apr-12 09:15 UTC
[Dovecot] Intermitent ldap auth problems benchmarking dovecot
Hello
We are using SLAMD (Distributed Load Generation Engine, www.slamd.com) to
benchmark our dovecot server (ldap auth). We are simulating 2.000 simultaneous
logins and 20% of them fail. We saw the following errors in the log:
Apr 12 09:40:07 buzon dovecot: auth: Error: ldap(correo,192.168.4.153): Request queue is full (oldest added 1 secs ago)
Apr 12 09:40:07 buzon dovecot: auth: Error: ldap(correo,192.168.4.153): Request queue is full (oldest added 1 secs ago)
Apr 12 09:40:07 buzon dovecot: auth: Error: ldap(correo,192.168.4.153): Request queue is full (oldest added 1 secs ago)
We increased auth_worker_max_count from 350 to 3500 (10x increase). Now we see
the following errors (still 20% of logins fail):
Apr 12 10:14:45 buzon dovecot: imap-login: Internal login failure (pid=29016 id=24783) (auth failed, 1 attempts): user=<correo>, method=PLAIN, rip=192.168.4.153, lip=192.168.4.80, mpid=21284
Apr 12 10:14:45 buzon dovecot: imap-login: Internal login failure (pid=29016 id=24784) (auth failed, 1 attempts): user=<correo>, method=PLAIN, rip=192.168.4.153, lip=192.168.4.80, mpid=21286
What are we doing wrong? We expect 1000 simultaneous imap sessions, we have
65.000 mailboxes.
This is our doveconf -n output
# 2.0.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-238.5.1.el5 x86_64 Red Hat Enterprise Linux Server release 5.6 (Tikanga) ext4
auth_debug = yes
auth_master_user_separator = *
auth_mechanisms = plain login
auth_worker_max_count = 3500
base_dir = /var/run/dovecot/
default_client_limit = 5000
default_process_limit = 6500
disable_plaintext_auth = no
imap_client_workarounds = tb-extra-mailbox-sep delay-newmail
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_fsync = never
mail_gid = entrega
mail_home = /buzones/%2.26Hn/%2.200Hn/%n/
mail_location = mdbox:/buzones/%2.26Hn/%2.200Hn/%n:INDEX=/indices_dovecot/indices/%2.26Hn/%2.200Hn/%n
mail_max_userip_connections = 15000
mail_plugins = " zlib acl"
mail_uid = entrega
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 60 M
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = /etc/usuario_maestro.txt
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin/acl = vfile
plugin/quota = dict:Cuota de usuario::file:/buzones/cuotas/%n
plugin/quota_rule2 = Trash:storage=+10%%
plugin/quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
plugin/quota_warning2 = storage=80%% /usr/local/bin/quota-warning.sh 80
plugin/sieve = /buzones/%2.26Hn/%2.200Hn/%n/dovecot.sieve
plugin/sieve_dir = /buzones//%2.26Hn/%2.200Hn/%n/sieve/
plugin/zlib_save = gz
plugin/zlib_save_level = 9
protocols = pop3 imap sieve
service anvil {
  client_limit = 25000
}
service auth {
  client_limit = 28000
  unix_listener auth-master {
    user = entrega
  }
  unix_listener auth-userdb {
    user = entrega
  }
  user = root
}
service imap-login {
  executable = /usr/libexec/dovecot/imap-login
  group = dovenull
  service_count = 0
}
service imap {
  executable = /usr/libexec/dovecot/imap
  process_limit = 6000
}
service managesieve-login {
  executable = /usr/libexec/dovecot/managesieve-login
  inet_listener sieve {
    port = 2000
  }
  process_limit = 2000
}
service managesieve {
  executable = /usr/libexec/dovecot/managesieve
  process_limit = 5000
}
service pop3-login {
  executable = /usr/libexec/dovecot/pop3-login
  process_limit = 4000
  service_count = 0
}
service pop3 {
  executable = /usr/libexec/dovecot/pop3
  process_limit = 4000
}
ssl_ca = </etc/pki/generico/cacert.crt.pem
ssl_cert = </etc/pki/generico/wildcard.crt
ssl_key = </etc/pki/generico/wildcard-key.pem
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf
  driver = ldap
}
verbose_proctitle = yes
protocol sieve {
  managesieve_implementation_string = dovecot
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_line_length = 65536
}
protocol lda {
  hostname = us.es
  info_log_path
  log_path
  mail_fsync = optimized
  mail_plugins = sieve zlib
  postmaster_address = evcorreo at domain.es
  syslog_facility = mail
}
protocol imap {
  mail_plugins = zlib
}
protocol pop3 {
  mail_plugins = zlib
  pop3_enable_last = yes
  pop3_uidl_format = %g
}
Antonio Perez-Aranda
2011-Apr-12 12:11 UTC
[Dovecot] Intermitent ldap auth problems benchmarking dovecot
Have you tested with auth cache? I get very good results with these options:

auth_cache_size = 10M
auth_cache_ttl = 60
auth_cache_negative_ttl = 180

--
Antonio Pérez-Aranda Alcaide
aperezaranda at yaco.es
Yaco Sistemas S.L.
http://www.yaco.es/
C/ Rioja 5, 41001 Sevilla
Phone +34 954 50 00 57
Fax +34 954 50 09 29
Timo Sirainen
2011-Apr-12 13:55 UTC
[Dovecot] Intermitent ldap auth problems benchmarking dovecot
On Tue, 2011-04-12 at 09:15 +0000, Maria Arrea wrote:
> Hello
>
> We are using SLAMD (Distributed Load Generation Engine, www.slamd.com) to benchmark our dovecot server (ldap auth). We are simulating 2.000 simultaneous logins and 20% of them fail. We saw the following errors in the log:
>
> Apr 12 09:40:07 buzon dovecot: auth: Error: ldap(correo,192.168.4.153): Request queue is full (oldest added 1 secs ago)
> Apr 12 09:40:07 buzon dovecot: auth: Error: ldap(correo,192.168.4.153): Request queue is full (oldest added 1 secs ago)
> Apr 12 09:40:07 buzon dovecot: auth: Error: ldap(correo,192.168.4.153): Request queue is full (oldest added 1 secs ago)

Hmm. This is a hard coded limit. I didn't really think people wanted >1k logins per second.. In src/auth/db-ldap.h:

/* Maximum number of requests in queue. After this new requests are dropped. */
#define DB_LDAP_MAX_QUEUE_SIZE 1024

Maybe that limit should be dynamic. Like only >30sec old requests actually get dropped when the limit gets over 1k.

> We increased auth_worker_max_count from 350 to 3500 (10x increase). Now we see the following errors (still 20% of logins fail):

LDAP doesn't use auth workers, so that change shouldn't have affected anything.
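The two queue policies discussed in the reply above, modelled side by side. This is an added example, not part of the thread and not Dovecot's source: the function names, the CAPACITY backing store, the constructed load, and the reading of the "only >30sec old requests get dropped" suggestion are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_QUEUE_SIZE 1024 /* DB_LDAP_MAX_QUEUE_SIZE as quoted in the thread */
#define MAX_AGE_SECS   30   /* age threshold suggested in the thread */
#define CAPACITY       4096 /* backing store of this model (assumption) */

struct queue {
    long added[CAPACITY];   /* enqueue time per pending request, oldest at head */
    size_t head, count, dropped;
};

/* Hard cap: refuse the new request once the queue holds MAX_QUEUE_SIZE. */
static int enqueue_hard_cap(struct queue *q, long now)
{
    if (q->count >= MAX_QUEUE_SIZE) { q->dropped++; return 0; }
    q->added[(q->head + q->count++) % CAPACITY] = now;
    return 1;
}

/* Age based: over the limit, expire the oldest request only if it is older
   than MAX_AGE_SECS; refuse a new one only when the backing store is full. */
static int enqueue_age_based(struct queue *q, long now)
{
    if (q->count >= MAX_QUEUE_SIZE && now - q->added[q->head] > MAX_AGE_SECS) {
        q->head = (q->head + 1) % CAPACITY;
        q->count--; q->dropped++;
    }
    if (q->count >= CAPACITY) { q->dropped++; return 0; }
    q->added[(q->head + q->count++) % CAPACITY] = now;
    return 1;
}

/* Constructed load: n logins (half at t=0, half at t=1), then `late` more at
   t=31, with no replies from the directory. Returns the number dropped. */
static size_t dropped_after(int (*enqueue)(struct queue *, long), size_t n, size_t late)
{
    static struct queue q;
    memset(&q, 0, sizeof(q));
    for (size_t i = 0; i < n; i++) enqueue(&q, i >= n / 2);
    for (size_t i = 0; i < late; i++) enqueue(&q, 31);
    return q.dropped;
}

int main(void)
{
    printf("hard cap:  %zu dropped\n", dropped_after(enqueue_hard_cap, 2000, 0));
    printf("age based: %zu dropped\n", dropped_after(enqueue_age_based, 2000, 0));
    return 0;
}
```

With the oldest request only one second old, as in the logged error, the hard cap sheds every login past the 1024th while the age-based policy sheds none until requests actually go stale.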