Cloudflare has prepared patches that speed up disk encryption in Linux

Developers from Cloudflare have described their work on optimizing the performance of disk encryption in the Linux kernel. As a result, they prepared patches for the dm-crypt subsystem and the Crypto API that more than doubled read and write throughput in a synthetic test and also halved latency. In testing on real hardware, the encryption overhead was reduced almost to the level observed when working with a disk without data encryption.

Cloudflare uses dm-crypt to encrypt data on the storage devices used to cache content on its CDN. dm-crypt operates at the block device level: it encrypts write I/O requests and decrypts read requests, acting as a layer between the block device and the file system driver.

To evaluate dm-crypt performance with the Flexible I/O tester package, the speed of working with encrypted and unencrypted partitions was measured on a RAM disk held in memory, to eliminate fluctuations in disk performance and focus on the performance of the code. For unencrypted partitions, read and write performance held at 1126 MB/s, but with encryption enabled the speed dropped 7 times, to 147 MB/s.

At first, suspicion fell on the use of inefficient algorithms in the kernel crypto subsystem. But the tests used a fast algorithm, aes-xts, with a 256-bit encryption key, whose performance when running "cryptsetup benchmark" is more than twice as high as the result obtained when testing the RAM disk. Experiments with the dm-crypt performance tuning flags produced no result: with the "--perf-same_cpu_crypt" flag, performance dropped to 136 MB/s, and with the "--perf-submit_from_crypt_cpus" flag it rose only to 166 MB/s.

A deeper analysis of the operating logic showed that dm-crypt is not as simple as it seems. When a write request arrives from the FS driver, dm-crypt does not process it immediately but places it in the "kcryptd" queue, which is not drained immediately but when a convenient moment comes. From the queue, the request is sent to the Linux Crypto API to perform the encryption. But since the Crypto API uses an asynchronous execution model, the encryption is also not performed immediately but passes through yet another queue. After encryption is complete, dm-crypt may try to sort the pending write requests using a red-black search tree. Finally, a separate kernel thread, again with some delay, picks up the accumulated I/O requests and sends them to the block device stack.

On reads, dm-crypt first adds the request to the "kcryptd_io" queue to fetch the data from the drive. After some time, the data becomes available and is placed in the "kcryptd" queue for decryption.
Kcryptd sends the request to the Linux Crypto API, which decrypts the information asynchronously. Requests do not always pass through all the queues, but in the worst case a write request lands in queues up to 4 times, and a read request up to 3 times. Each hit on a queue causes delays, which are the key reason for the significant drop in dm-crypt performance.

The use of queues stems from the need to work in conditions where interrupts occur. In 2005, when dm-crypt's current queue-based operating model was implemented, the Crypto API was not yet complete. After the Crypto API was moved to an asynchronous execution model, what was essentially double protection came into use. Queues were also introduced to save kernel stack usage, but after the stack was enlarged in 2014 these optimizations lost their relevance. An additional "kcryptd_io" queue was introduced to overcome the bottleneck that led to waiting for memory allocation when a large number of requests arrived. In 2015, an additional sorting step was introduced, because encryption requests on multiprocessor systems could complete out of order (instead of sequential disk access, access was performed in random order, and the CFQ scheduler did not work efficiently). Today, with SSD drives, sorting has lost its meaning, and the CFQ scheduler is no longer used in the kernel.

Given that modern drives have become faster and smarter, that the resource allocation system in the Linux kernel has been revised, and that some subsystems have been redesigned, Cloudflare engineers added to dm-crypt a new operating mode that eliminates the use of unnecessary queues and asynchronous calls. The mode is enabled by a separate "force_inline" flag and turns dm-crypt into a simple proxy that encrypts and decrypts incoming requests. Interaction with the Crypto API was optimized by explicitly selecting encryption algorithms that operate in synchronous mode and do not use request queues. To work with the Crypto API synchronously, a module was proposed that allows FPU/AES-NI to be used for acceleration and forwards encryption and decryption requests directly.
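The following is an added example, not code from the article or from Cloudflare's patches: a small audit that reads crypt target lines in the layout printed by `dmsetup table` and reports which of the flags named in the article are active on each mapping. The sample table is constructed, and the assumption that "force_inline" appears among the optional table parameters (the way the cryptsetup "--perf-*" flags appear as same_cpu_crypt and submit_from_crypt_cpus) is this example's own.

```python
# Added example: audit dm-crypt mappings for the tuning flags discussed in the article.
# SAMPLE_TABLE is constructed input shaped like `dmsetup table` output (keys are zeroed).
SAMPLE_TABLE = """\
cache0: 0 8388608 crypt aes-xts-plain64 0000000000000000 0 7:0 0
cache1: 0 8388608 crypt aes-xts-plain64 0000000000000000 0 7:1 0 1 same_cpu_crypt
cache2: 0 8388608 crypt aes-xts-plain64 0000000000000000 0 7:2 0 2 submit_from_crypt_cpus force_inline
vg-root: 0 4194304 linear 8:2 2048
"""

# Flags named in the article. "force_inline" comes from Cloudflare's patch set;
# that it shows up as an optional table parameter is an assumption of this example.
TUNING_FLAGS = ("same_cpu_crypt", "submit_from_crypt_cpus", "force_inline")


def parse_crypt_line(line):
    """Parse one `name: start len crypt cipher key iv_off dev off [n opts...]` line.

    Returns None for non-crypt targets; raises ValueError on malformed crypt lines.
    """
    name, _, rest = line.partition(":")
    fields = rest.split()
    if len(fields) < 3 or fields[2] != "crypt":
        return None
    if len(fields) < 8:
        raise ValueError(f"truncated crypt table for {name.strip()!r}")
    opts = []
    if len(fields) > 8:
        count = int(fields[8])  # number of optional parameters that follow
        opts = fields[9:9 + count]
        if len(opts) != count:
            raise ValueError(f"{name.strip()!r}: expected {count} optional params")
    return {"name": name.strip(), "cipher": fields[3], "device": fields[6], "opts": opts}


def audit(table_text):
    """Map each crypt mapping to the article's tuning flags that are active on it."""
    report = {}
    for line in table_text.splitlines():
        if not line.strip():
            continue
        entry = parse_crypt_line(line)
        if entry is not None:
            report[entry["name"]] = [f for f in TUNING_FLAGS if f in entry["opts"]]
    return report


if __name__ == "__main__":
    for name, flags in audit(SAMPLE_TABLE).items():
        print(f"{name}: {', '.join(flags) or 'default queued path'}")
```

A mapping with an empty flag list goes through the default queued path described above.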

As a result, when testing on the RAM disk, dm-crypt performance more than doubled: it rose from 294 MB/s (2 x 147 MB/s) to 640 MB/s, which is close to the performance of bare encryption (696 MB/s).

When tested under load on real servers, the new implementation showed performance very close to a configuration running without encryption, and enabling encryption on servers with the Cloudflare cache had no effect on response speed. In the future, Cloudflare plans to submit the prepared patches to the Linux kernel, but before that they will need to be reworked, since they are optimized for a specific workload and do not cover all areas of use, for example encryption on low-power embedded devices.

Source: opennet.ru
