PHP at Density and Scale (Lone Star PHP 2014)

Published on April 26, 2014

Author: warpforge

Mixing performance, configurability, density, and security at scale has historically been hard with PHP. Early approaches involved CGIs, suhosin, or multiple Apache instances. Then came PHP-FPM. At Pantheon, we've taken PHP-FPM and integrated it with cgroups, namespaces, and systemd socket activation. We use it to deliver all of our goals at unheard-of densities: thousands and thousands of isolated pools per box.

PHP at Density and Scale
...with security and consistent performance

About Me
● Four Kitchens
● Pressflow
● Pantheon
● systemd

Broadly Defining Security
Your data...
1. Is accessible to the right people (access)
2. Isn’t to anyone else (access)
3. Is usable (quality of service)

Topics
● Performance
  ○ Socket activation
  ○ Automount/autofs
  ○ cgroups
  ○ “Customer Experience Monitor”
  ○ Migration
● Security
  ○ Users
  ○ Namespaces
  ○ Defense-in-depth
  ○ Non-disruptive fixes

Challenge: PHP-FPM Overhead
● Using a full PHP-FPM instance per stack
  ○ Isolated opcode cache space
  ○ Defense-in-depth against PHP issues
  ○ Low-impact reconfiguration
● Idle PHP-FPMs take ~0.5% of a core each
  ○ At 10k dense, that’s over six cores
● Initial solution used error capture in nginx
  ○ Masked real failures to connect to PHP-FPM
  ○ Slower than necessary
  ○ Production use of HTTP 418 (arguably a bonus)

Traditional server sockets: overview
(Diagram: Client; nginx listening on TCP 80; a second nginx listening on TCP 81)
If you want a service available, the daemon has to be running.

Socket activation: overview
(Diagram: Client; systemd holding TCP 80 and TCP 81; nginx receiving the socket as fd=3)
Only a socket in systemd has to run for service availability.

Socket activation: details
● systemd squats on all listeners
  ○ Looks for incoming traffic with EPOLL
  ○ Starts the services/containers on-demand
  ○ Passes socket to daemon as fd=3+
● Not a proxy (same performance)
● No client awareness
● No CPU or memory overhead when idle
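The fd=3 handoff described above, seen from the daemon's side, as an added example that is not code from the talk or from Pantheon: a Python re-implementation of the sd_listen_fds(3) check (LISTEN_PID must be our own pid before any descriptor is trusted), with a constructed stand-in for systemd so it runs as a plain script. The first_fd parameter exists only for that simulation; under systemd the descriptors always start at 3.

```python
import os
import socket
import threading


def listen_fds(environ=None, pid=None, first_fd=3):  # systemd starts at fd 3
    """Sockets systemd passed to this process, as in sd_listen_fds(3); [] if none.
    LISTEN_PID must equal our own pid, so an environment inherited from a
    parent is ignored rather than trusted; LISTEN_FDS counts consecutive
    descriptors from fd 3 (first_fd exists only for the simulation below).
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    socks = []
    for fd in range(first_fd, first_fd + count):
        os.set_inheritable(fd, False)           # CLOEXEC: don't leak to children
        socks.append(socket.socket(fileno=fd))  # family/type are read from the fd
    return socks


def echo_once(listener):
    """Serve one request on a socket the daemon never had to bind itself."""
    conn, _ = listener.accept()
    with conn:
        payload = conn.recv(1024)
        conn.sendall(b"activated:" + payload)
    return payload


def simulate_activation(payload=b"hello"):
    """Stand in for systemd (constructed): bind, then hand the fd over via env."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]
    fd = lsock.detach()                         # ownership moves to the "daemon"
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}
    socks = listen_fds(env, first_fd=fd)
    worker = threading.Thread(target=echo_once, args=(socks[0],))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
        reply = client.recv(1024)
    worker.join()
    socks[0].close()
    return reply
```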

Socket activation: Pantheon’s use
● nginx and PHP-FPM
● MariaDB soon
  ○ Using an alternative now
● Allows 90%+ of containers to be idle
● Makes bootup sensible
● Reconfiguration pattern is stop, not restart

Socket Activation Demo
Demoed this at NYC Camp a few weeks ago

Automount/autofs
● Like socket activation for file system mounts
  ○ Kernel squats on mount path and looks for traffic
  ○ Brings up file mount lazily
● Used for FuseDAV (Valhalla client)

Automount Demo

Challenge: Resource Availability
● Per-site load isn’t predictable
● Different sites compete for resources
  ○ Between customers
  ○ Among customers’ own sites
● Traditional prioritization isn’t adequate
  ○ VMs are too heavyweight
  ○ Tools like “nice” can cause starvation
  ○ Generally want burstability

cgroups
● Many options
  ○ Pantheon uses CPUShares and BlockIOWeight
● Keeps things fair under contention
  ○ Kind of like adding purple ropes when people are queueing

Contention with cgroups Demo

Customer Experience Monitor
● Runs a representative Drupal site on every container host
● Reports scores to the API and monitoring
● Influences migration and container placement

Migration
● At density, rebalancing is important
● Keep state lightweight
  ○ No OS
  ○ No runtime
● Mutiny: migration as replication + promotion

Challenge: Security Isolation
● Many users
● One kernel
● VMs too heavyweight
● Users run their own code
● Can’t betray expectations
  ○ Many users develop locally and push code
  ○ Some customers import existing, working sites

Isolation for security
● Users
● Namespaces
● Seccomp filters

Defense in depth
● Application
  ○ Drupal
● Runtime
  ○ nginx, PHP-FPM, FuseDAV
● Container: “binding” certificate
  ○ Linux user, namespaces, etc.
● Container host: “endpoint” certificate
  ○ Only trusted for the containers assigned
● Platform: root certificate

Challenge: Security Responses
● Traditional approach too big a hammer
  ○ Rebooting hundreds of hosts with 10k+ containers each would be a fail-over storm
  ○ Basic customers don’t have fail-over
  ○ Not going to pack it less dense
● Customers can run own code
  ○ May load executables and libraries themselves

Non-disruptive fixes
● Kernel upgrades via migration
● Rolling daemon and library upgrades
  ○ Heartbleed
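A verification step that belongs with a rolling library upgrade such as the Heartbleed one above, added here and not from the talk or Pantheon's tooling: once the package replaces libssl on disk, any daemon that was never restarted still maps the old file, which the kernel marks with " (deleted)" in /proc/<pid>/maps. The sample maps text, its paths and inode numbers are constructed.

```python
import os
import re

# /proc/<pid>/maps columns: range perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+[rwxsp-]{4}\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$")


def stale_libraries(maps_text, names=("libssl", "libcrypto")):
    """Shared objects in a maps dump whose file was replaced on disk after load.
    A package upgrade unlinks the old library, but the kernel keeps the old
    pages mapped and tags the path " (deleted)": a daemon never restarted still
    runs the pre-fix code. names filters by prefix; None reports every deleted .so.
    """
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m or not m.group("path").endswith(" (deleted)"):
            continue
        path = m.group("path")[: -len(" (deleted)")]
        base = os.path.basename(path)
        if ".so" not in base:            # skip deleted shm segments, temp files
            continue
        if names is None or any(base.startswith(n) for n in names):
            stale.add(path)
    return stale


def scan_running_processes(proc_root="/proc", names=("libssl", "libcrypto")):
    """pid -> stale libraries for each readable process (all of them as root)."""
    report = {}
    if not os.path.isdir(proc_root):
        return report
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                found = stale_libraries(f.read(), names)
        except OSError:                  # raced with exit, or not ours to read
            continue
        if found:
            report[int(entry)] = found
    return report


# Constructed sample: a PHP-FPM worker still mapping the pre-upgrade libssl.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1b0000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 1320 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1c700000-7f3a1c702000 rw-s 00000000 00:05 4711 /dev/shm/sem.php_fpm (deleted)
7f3a1c800000-7f3a1c8ff000 r-xp 00000000 08:01 9001 /usr/lib/php5/20121212/curl.so (deleted)
"""
```

Run scan_running_processes() as root on a host after the upgrade; an empty report is the signal that the rolling restart actually reached every daemon.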

Heartbleed Fix Demo
