Cloudflare has prepared patches that dramatically speed up disk encryption in Linux

Developers from Cloudflare have described the work they did to optimize disk encryption performance in the Linux kernel. As a result, they prepared patches for the dm-crypt subsystem and the Crypto API that more than doubled read and write throughput in a synthetic test and halved latency. When tested on real hardware, the encryption overhead was reduced almost to the level observed when working with a disk without data encryption.

Cloudflare uses dm-crypt to encrypt data on the storage devices used to cache content on its CDN. Dm-crypt operates at the block device level: it encrypts write I/O requests and decrypts read requests, acting as a layer between the block device and the file system driver.

To evaluate dm-crypt performance, the Flexible I/O tester package was used to measure the speed of working with encrypted and unencrypted partitions on a RAM disk, which removes fluctuations in disk performance and keeps the focus on the performance of the code. On unencrypted partitions, read and write performance stayed at 1126 MB/s, but with encryption enabled the speed dropped by 7 times, to 147 MB/s.

Initially, suspicion fell on the use of inefficient algorithms in the kernel cryptosystem. But the tests used the fastest algorithm, aes-xts, with 256-bit encryption keys, whose performance in "cryptsetup benchmark" is twice as high as the result obtained when testing the RAM disk. Experiments with the dm-crypt performance tuning flags gave no results: with the "--perf-same_cpu_crypt" flag, performance dropped to 136 MB/s, and with the "--perf-submit_from_crypt_cpus" flag it rose only to 166 MB/s.

A deeper analysis of the operating logic showed that dm-crypt is not as simple as it seems: when a write request arrives from the FS driver, dm-crypt does not process it immediately but places it in the "kcryptd" queue, which is serviced not at once but at a convenient time. From the queue, the request is sent to the Linux Crypto API to be encrypted. But since the Crypto API uses an asynchronous execution model, the encryption is also not performed immediately and instead passes through another queue. After encryption is complete, dm-crypt may try to sort the pending write requests using a red-black search tree. Finally, a separate kernel thread, again with some delay, picks up the accumulated I/O requests and sends them to the block device stack.

When reading, dm-crypt first adds the request to the "kcryptd_io" queue to fetch the data from the drive. After some time, the data becomes available and is placed in the "kcryptd" queue for decryption. Kcryptd sends a request to the Linux Crypto API, which decrypts the information asynchronously. Requests do not always pass through every queue, but in the worst case a write request ends up in queues up to 4 times and a read request up to 3 times. Each pass through a queue introduces a delay, and these delays are the main reason for the significant drop in dm-crypt performance.

The use of queues stems from the need to work in conditions where interrupts occur. In 2005, when the current queue-based operating model of dm-crypt was implemented, the Crypto API was not yet asynchronous. After the Crypto API was moved to an asynchronous execution model, double protection effectively came into use. Queues were also introduced to save kernel stack usage, but after the stack was enlarged in 2014 this optimization lost its relevance. The additional "kcryptd_io" queue was introduced to overcome a bottleneck caused by waiting for memory allocation when a large number of requests arrive. In 2015, an additional sorting phase was introduced, because encryption requests on multiprocessor systems could complete out of order (instead of sequential access to the disk, access happened in random order, and the CFQ scheduler did not work efficiently). Today, with SSD drives, sorting has lost its meaning, and the CFQ scheduler is no longer used in the kernel.

Considering that modern drives have become faster and smarter, that the resource distribution system in the Linux kernel has been revised, and that some subsystems have been redesigned, Cloudflare engineers added to dm-crypt a new operating mode that eliminates the use of unnecessary queues and asynchronous calls. The mode is enabled by a separate "force_inline" flag and turns dm-crypt into a simple proxy that encrypts and decrypts incoming requests. Interaction with the Crypto API has been optimized by explicitly selecting encryption algorithms that operate in synchronous mode and do not use request queues. For synchronous work with the Crypto API, a module was proposed that allows FPU/AES-NI to be used for acceleration and forwards encryption and decryption requests directly.
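To see which dm-crypt mappings on a host still go through the queues described above, the optional parameters in the device-mapper table can be audited. The script below is an added example, not code from the article or from Cloudflare: it parses `dmsetup table` style output (constructed sample lines), and it assumes that the article's "force_inline" flag appears as an optional table parameter; `no_read_workqueue` and `no_write_workqueue` are mainline dm-crypt parameter names that the article does not mention.

```python
# Constructed sample of `dmsetup table` output (not captured from a real host).
# Without --showkeys, dmsetup prints the key as zeros or as a keyring reference.
SAMPLE = """\
cache0: 0 8388608 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 7:0 4096
cache1: 0 8388608 crypt aes-xts-plain64 :32:logon:cryptsetup:example-d0 0 7:1 4096 1 same_cpu_crypt
cache2: 0 8388608 crypt aes-xts-plain64 :32:logon:cryptsetup:example-d0 0 7:2 4096 2 no_read_workqueue no_write_workqueue
vg-root: 0 4194304 linear 8:2 2048
"""

# Optional parameters that take a direction out of the kcryptd queues.
# "force_inline" is the flag named in the article (assumed to be a table option).
INLINE_FLAGS = {
    "force_inline": {"read", "write"},
    "no_read_workqueue": {"read"},
    "no_write_workqueue": {"write"},
}


def parse_crypt_targets(table_text):
    """Return one dict per crypt mapping: name, cipher, options, inline directions."""
    mappings = []
    for line in table_text.splitlines():
        name, sep, rest = line.partition(": ")
        fields = rest.split()
        # Layout: start length crypt cipher key iv_offset device offset [count opts...]
        if not sep or len(fields) < 8 or fields[2] != "crypt":
            continue
        options = []
        if len(fields) > 8:
            count = int(fields[8])
            options = fields[9:9 + count]
            if len(options) != count:
                raise ValueError(f"{name}: truncated optional parameters")
        inline = set()
        for opt in options:
            inline |= INLINE_FLAGS.get(opt, set())
        mappings.append({"name": name, "cipher": fields[3],
                         "options": options, "inline": inline})
    return mappings


if __name__ == "__main__":
    for m in parse_crypt_targets(SAMPLE):
        queued = sorted({"read", "write"} - m["inline"]) or ["none"]
        print(f'{m["name"]}: {m["cipher"]} options={m["options"]} '
              f'queued directions: {", ".join(queued)}')
```

On a real host the input would come from `dmsetup table` run as root; the `same_cpu_crypt` and `submit_from_crypt_cpus` options correspond to the cryptsetup tuning flags tested in the article and leave both directions queued.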

As a result, when testing on a RAM disk, dm-crypt performance more than doubled: throughput rose from 294 MB/s (2 x 147 MB/s) to 640 MB/s, which is very close to bare encryption performance (696 MB/s).

In load tests on real servers, the new implementation showed performance very close to that of a configuration running without encryption, and enabling encryption on servers holding the Cloudflare cache had no effect on response speed. In the future, Cloudflare plans to submit the prepared patches to the mainline Linux kernel, but before that they will need to be reworked, since they are optimized for a specific load and do not cover all areas of application, for example encryption on low-power embedded devices.

Source: opennet.ru
