PHP at Density and Scale
david-strauss
How Pantheon sees the future of computing.

About Me
● Four Kitchens
● Drupal.org
● Pressflow
● Pantheon
● systemd

Topics
● Performance
  ○ Socket activation
  ○ Automount/autofs
  ○ cgroups
  ○ “Customer Experience Monitor”
  ○ Migration
● Security
  ○ Users
  ○ Namespaces
  ○ Defense-in-depth
  ○ Non-disruptive fixes

Traditional server sockets: overview
[Diagram: Client; TCP 80 with nginx; TCP 81 with nginx; ...]
If you want a service available, the daemon has to be running.

Socket activation: overview
[Diagram: Client; systemd with TCP 80 and TCP 81; nginx with fd=3]
Only a socket in systemd has to run for service availability.

Socket activation: details
● systemd squats on all listeners
  ○ Looks for incoming traffic with EPOLL
  ○ Starts the services/containers on-demand
  ○ Passes socket to daemon as fd=3
● Not a proxy (same performance)
● No client awareness
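
The fd=3 handoff above, seen from the daemon's side, as an added example that is not from the slides or from Pantheon's code: systemd sets LISTEN_PID and LISTEN_FDS in the service's environment, and the daemon adopts the inherited descriptors instead of binding its own. The names inherited_listeners and serve_once and the first_fd parameter are hypothetical.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd hands over descriptors starting at fd 3


def inherited_listeners(environ=None, pid=None, first_fd=SD_LISTEN_FDS_START):
    """Adopt listening sockets passed by a socket-activating parent.

    first_fd is a hypothetical test hook; under systemd it is always 3.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    # LISTEN_PID names the intended recipient; a child that merely
    # inherited the variables must not treat fd 3 as a listener.
    if environ.get("LISTEN_PID") != str(pid):
        return []
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    listeners = []
    for fd in range(first_fd, first_fd + max(count, 0)):
        sock = socket.socket(fileno=fd)  # family and type detected from the fd
        listening = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN)
        if sock.type != socket.SOCK_STREAM or not listening:
            sock.close()
            raise ValueError(f"fd {fd} is not a listening stream socket")
        os.set_inheritable(fd, False)  # do not leak the listener to children
        listeners.append(sock)
    return listeners


def serve_once(listener, reply=b"HTTP/1.0 204 No Content\r\n\r\n"):
    """Accept one connection on an adopted listener and answer it."""
    conn, peer = listener.accept()
    with conn:
        conn.sendall(reply)
    return peer


if __name__ == "__main__":
    # Started by a .socket unit: adopt each listener and answer one client.
    for lst in inherited_listeners():
        print("adopted", lst.getsockname())
        serve_once(lst)
```

Run outside socket activation, the script adopts nothing and exits, because LISTEN_PID does not match its own PID.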

Socket activation: Pantheon’s use
● nginx and PHP-FPM
● MariaDB soon
  ○ Using an alternative now
● Allows 90%+ containers to be idle
● Makes bootup sensible
● Reconfiguration pattern is stop, not restart

Socket Activation Demo

Automount/autofs
● Like socket activation for file system mounts
  ○ Kernel squats on mount path and looks for traffic
  ○ Brings up file mount lazily
● Used for FuseDAV (Valhalla client)

Automount Demo

cgroups
● Many options
  ○ Pantheon uses CPUShares and BlockIOWeight
● Keeps things fair under contention
  ○ Kind of like adding purple ropes when people are queueing

Contention with cgroups Demo

Customer Experience Monitor
● Runs a representative Drupal site on every container host
● Reports scores to the API and monitoring
● Influences migration and container placement

Migration
● At density, rebalancing is important
● Keep state lightweight
  ○ No OS
  ○ No runtime
● Mutiny: migration as replication + promotion

Isolation for security
● Users
● Namespaces

Defense in depth
● Application
  ○ Drupal
● Runtime
  ○ nginx, PHP-FPM, FuseDAV
● Container: “binding” certificate
  ○ Linux user, namespaces, etc.
● Container host: “endpoint” certificate
  ○ Only trusted for the containers assigned
● Platform: root certificate

Non-disruptive fixes
● Kernel upgrades via migration
● Rolling daemon and library upgrades
  ○ Heartbleed

Heartbleed Fix Demo