[SR-Users] Kamailio best performance

Daniel-Constantin Mierla miconda at gmail.com
Wed Nov 23 08:57:59 CET 2011


Hello,

On 11/22/11 8:56 PM, Ricardo Martinez wrote:
>
> Hello list.
>
> I'm having some issues with Kamailio version 3.2.0.
>
> I want to ask if someone could give some hints on how to optimize the 
> performance of my kamailio server.  For some reason and from time to 
> time the kamailio process starts to answer slower than usual, making 
> calls fail and register expires.  I'm still unable to detect the 
> problem, but I want to know if maybe I'm running my kamailio not under 
> the best conditions.
>
> This is part of my configuration :
>
> #!KAMAILIO
>
> #!define FLT_NATS 5
>
> #!define FLB_NATB 6
>
> #!define FLB_NATSIPPING 7
>
> # ----------- global configuration parameters ------------------------
>
> debug=2  # debug level (cmd line: -dddddddddd)
>
> fork=yes
>
> log_stderror=no    # (cmd line: -E)
>
> log_facility=LOG_LOCAL0
>
> children=16
>
> port=5060
>
> memdbg=9
>
> memlog=9
>
> listen=udp:10.0.10:5060
>
> disable_tcp=yes
>
> server_signature=0
>
> port=5060
>
> # ----------------- setting module-specific parameters ---------------
>
> ## modparam("registrar", "received_avp", "$avp(s:rcv)")
>
> modparam("usrloc", "db_mode", 1)
>
> modparam("auth_db", "calculate_ha1", 1)
>
> modparam("auth_db", "password_column", "password")
>
> modparam("rr", "enable_full_lr", 1)
>
> modparam("auth_db|permissions|uri_db|usrloc","db_url","mysql://openser:openserrw@localhost/openser")
>
> modparam("permissions", "db_mode", 1)
>
> modparam("permissions", "trusted_table", "trusted")
>
> modparam("avpops", "db_url", "mysql://openser:openserrw@localhost/openser")
>
> modparam("avpops", "avp_table", "usr_preferences")
>
> modparam("domain", "db_mode", 1)
>
> # ----- nathelper params -----
>
> modparam("nathelper", "natping_interval", 20)
>
> modparam("nathelper", "ping_nated_only", 1)
>
> modparam("nathelper", "sipping_bflag", FLB_NATSIPPING)
>
> modparam("nathelper", "sipping_from", "sip:pinger@kamailio.org")
>
> # params needed for NAT traversal in other modules
>
> modparam("nathelper|registrar", "received_avp", "$avp(RECEIVED)")
>
> modparam("usrloc", "nat_bflag", FLB_NATB)
>
> modparam("nathelper","natping_interval", 20)
>
> ## modparam("nathelper","received_avp", "$avp(i:42)")
>
> modparam("mediaproxy","mediaproxy_socket", "/var/run/mediaproxy/dispatcher.sock")
>
> modparam("mediaproxy", "signaling_ip_avp", "$avp(s:signaling_ip)")
>
> modparam("registrar|nathelper", "received_avp", "$avp(i:80)")
>
> modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
>
> #modparam("tm", "fr_timer", 3)
>
> # ------ dialog params -------
>
> modparam("dialog", "dlg_flag", 4)
>
> modparam("dialog", "profiles_with_value", "caller")
>
> # ------ pike params --------
>
> modparam("pike", "sampling_time_unit", 2)
>
> modparam("pike", "reqs_density_per_unit", 25)
>
> modparam("pike", "remove_latency", 4)
>
> # ------ rr params --------
>
> modparam("rr", "enable_full_lr", 1)
>
> # ----- misc_radius params -----
>
> modparam("misc_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf")
>
> modparam("misc_radius", "caller_service_type", 18)
>
> modparam("misc_radius", "callee_service_type", 19)
>
> modparam("misc_radius", "caller_extra", "Called-Station-Id=$ru")
>
> modparam("misc_radius", "callee_extra", "Called-Station-Id=$fu")
>
> # ---- htable param ---------
>
> modparam("htable", "htable", "a=>size=8;")
>
> modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
>
> modparam("rtimer", "timer", "name=tst;interval=300;mode=1;")
>
> modparam("rtimer", "exec", "timer=tst;route=STATS")
>
> modparam("sqlops","sqlcon", "ca=>mysql://openser:openserrw@localhost/openser")
>
> #------ uac ---------------
>
> modparam("uac","rr_store_param","my_param")
>
> modparam("uac","from_restore_mode","auto")
>
> modparam("uac","auth_realm_avp","$avp(i:10)")
>
> modparam("uac","auth_username_avp","$avp(i:11)")
>
> modparam("uac","auth_password_avp","$avp(i:12)")
>
> Besides this, I have syslogd in async mode...
>
> This is the info of the kamailio --V
>
> version: kamailio 3.2.0 (x86_64/linux) 639f0a
>
> flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, 
> USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, 
> SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX, 
> FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, 
> USE_DST_BLACKLIST, HAVE_RESOLV_RES
>
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, 
> MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
>
> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
>
> id: 639f0a
>
> compiled on 11:35:43 Oct 28 2011 with gcc 4.5.1
>
> I'm using pike to check flood alerts, but I have a white list stored 
> in the "user_preference" table :
>
> I'm using it like this :
>
> route[REQINIT]  {
>         # flood detection from same IP and traffic ban for a while
>         # be sure you exclude checking trusted peers, such as pstn gateways
>         # - local host excluded (e.g., loop to self)
>         if( !(avp_db_load("pike", "$avp(ip_origen)") && avp_check("$avp(ip_origen)", "eq/$src_ip/gi")) )
> #+---------+----------+--------+-----------+----------------+------+---------------------+
> #| uuid    | username | domain | attribute | value          | type | modified            |
> #+---------+----------+--------+-----------+----------------+------+---------------------+
> #| pike    |          |        | ip_origen | 10.0.0.44      |    0 | 2008-01-04 13:24:14 |
> #| pike    |          |        | ip_origen | 10.0.0.66      |    0 | 2008-01-04 17:28:59 |
>         {
>                 if($sht(ipban=>$si)!=$null)
>                 {
>                         # ip is already blocked
>                         xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
>                         exit;
>                 }
>                 if (!pike_check_req())
>                 {
>                         xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
>                         xlog("L_INFO","ALERT: pike blocking from $si\n");
>                         $sht(ipban=>$si) = 1;
>                         exit;
>                 }
>         }
>
> Is this check method too slow? Or intensive in mysql access request??
>
Database access can be a reason for becoming slower. The above operation 
does a select of the IP addresses in memory and then an iteration to 
match them with the source IP.

You can use the benchmark module to try to detect what is slower there -- 
you can wrap the cfg snippet above in benchmark execution time counting.

IMO, this is not a good solution for preventing DoS, since you hit the 
database even for each malicious request. I would recommend using the 
permissions module with the address table to match trusted IP addresses -- 
this does caching in memory for the list of addresses, thus being 
very fast and safe in case of attacks. You can reload the list of IP 
addresses at runtime via MI/RPC without a need to restart the SIP server.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda
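
Added example, not part of the original message and not the poster's or the project's own configuration: the REQINIT check from the question rewritten along the lines of the reply, with the trusted-peer test done against the permissions module's in-memory address cache and the whole block wrapped in benchmark timers. The group id 1, the timer name reqinit_flood, the granularity value and the USER:PASSWORD placeholder are assumptions.

```cfg
# Added example. Assumes trusted peers (e.g. PSTN gateways) are rows of the
# permissions "address" table in group 1 (the group id is an assumption).
loadmodule "permissions.so"
loadmodule "pike.so"
loadmodule "htable.so"
loadmodule "benchmark.so"

# placeholder credentials, replace with the real database account
modparam("permissions", "db_url", "mysql://USER:PASSWORD@localhost/openser")
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
modparam("benchmark", "enable", 1)
modparam("benchmark", "granularity", 500)   # log timing stats every 500 samples

route[REQINIT] {
    bm_start_timer("reqinit_flood");

    # The address table is loaded into memory at startup, so this test
    # issues no SQL query, even when a flood of requests arrives.
    if (!allow_source_address("1")) {
        if ($sht(ipban=>$si) != $null) {
            # source IP is already banned: drop without further work
            xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
            bm_log_timer("reqinit_flood");
            exit;
        }
        if (!pike_check_req()) {
            xlog("L_ALERT", "ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;   # entry expires after autoexpire seconds
            bm_log_timer("reqinit_flood");
            exit;
        }
    }

    bm_log_timer("reqinit_flood");
}
```

After changing rows in the address table, refresh the cache with the MI command address_reload (for example `kamctl fifo address_reload`); timing the original avp_db_load() variant with the same timers gives a direct comparison.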
