[SR-Users] Kamailio best performance
Daniel-Constantin Mierla
miconda at gmail.com
Wed Nov 23 08:57:59 CET 2011
Hello,
On 11/22/11 8:56 PM, Ricardo Martinez wrote:
>
> Hello list.
>
> I'm having some issues with the Kamailio versión 3.2.0.
>
> I want to ask if someone could give some hints how to optimize the
> performance of my kamailio server. For some reason and from time to
> time the kamailio process start to answer slower than usual, making
> calls fail and register expires. I'm still unable to detect the
> problem, but I want to know of maybe i´m running my kamailio not under
> the best conditions.
>
> This is part of my configuration :
>
> #!KAMAILIO
>
> #!define FLT_NATS 5
>
> #!define FLB_NATB 6
>
> #!define FLB_NATSIPPING 7
>
> # ----------- global configuration parameters ------------------------
>
> debug=2 # debug level (cmd line: -dddddddddd)
>
> fork=yes
>
> log_stderror=no # (cmd line: -E)
>
> log_facility=LOG_LOCAL0
>
> children=16
>
> port=5060
>
> memdbg=9
>
> memlog=9
>
> listen=udp:10.0.10:5060
>
> disable_tcp=yes
>
> server_signature=0
>
> port=5060
>
> # ----------------- setting module-specific parameters ---------------
>
> ## modparam("registrar", "received_avp", "$avp(s:rcv)")
>
> modparam("usrloc", "db_mode", 1)
>
> modparam("auth_db", "calculate_ha1", 1)
>
> modparam("auth_db", "password_column", "password")
>
> modparam("rr", "enable_full_lr", 1)
>
> modparam("auth_db|permissions|uri_db|usrloc","db_url","mysql://openser:openserrw@localhost/openser")
>
> modparam("permissions", "db_mode", 1)
>
> modparam("permissions", "trusted_table", "trusted")
>
> modparam("avpops", "db_url",
> "mysql://openser:openserrw@localhost/openser")
>
> modparam("avpops", "avp_table", "usr_preferences")
>
> modparam("domain", "db_mode", 1)
>
> # ----- nathelper params -----
>
> modparam("nathelper", "natping_interval", 20)
>
> modparam("nathelper", "ping_nated_only", 1)
>
> modparam("nathelper", "sipping_bflag", FLB_NATSIPPING)
>
> modparam("nathelper", "sipping_from", "sip:pinger at kamailio.org
> <mailto:sip%3Apinger at kamailio.org>")
>
> # params needed for NAT traversal in other modules
>
> modparam("nathelper|registrar", "received_avp", "$avp(RECEIVED)")
>
> modparam("usrloc", "nat_bflag", FLB_NATB)
>
> modparam("nathelper","natping_interval", 20)
>
> ## modparam("nathelper","received_avp", "$avp(i:42)")
>
> modparam("mediaproxy","mediaproxy_socket",
> "/var/run/mediaproxy/dispatcher.sock")
>
> modparam("mediaproxy", "signaling_ip_avp", "$avp(s:signaling_ip)")
>
> modparam("registrar|nathelper", "received_avp", "$avp(i:80)")
>
> modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
>
> #modparam("tm", "fr_timer", 3)
>
> # ------ dialog params -------
>
> modparam("dialog", "dlg_flag", 4)
>
> modparam("dialog", "profiles_with_value", "caller")
>
> # ------ pike params --------
>
> modparam("pike", "sampling_time_unit", 2)
>
> modparam("pike", "reqs_density_per_unit", 25)
>
> modparam("pike", "remove_latency", 4)
>
> # ------ rr params --------
>
> modparam("rr", "enable_full_lr", 1)
>
> # ----- misc_radius params -----
>
> modparam("misc_radius", "radius_config",
> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
>
> modparam("misc_radius", "caller_service_type", 18)
>
> modparam("misc_radius", "callee_service_type", 19)
>
> modparam("misc_radius", "caller_extra", "Called-Station-Id=$ru")
>
> modparam("misc_radius", "callee_extra", "Called-Station-Id=$fu")
>
> # ---- htable param ---------
>
> modparam("htable", "htable", "a=>size=8;")
>
> modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
>
> modparam("rtimer", "timer", "name=tst;interval=300;mode=1;")
>
> modparam("rtimer", "exec", "timer=tst;route=STATS")
>
> modparam("sqlops","sqlcon",
>
> "ca=>mysql://openser:openserrw@localhost/openser")
>
> #------ uac ---------------
>
> modparam("uac","rr_store_param","my_param")
>
> modparam("uac","from_restore_mode","auto")
>
> modparam("uac","auth_realm_avp","$avp(i:10)")
>
> modparam("uac","auth_username_avp","$avp(i:11)")
>
> modparam("uac","auth_password_avp","$avp(i:12)")
>
> Beside of this I have syslogd in asyn mode...
>
> This is the info of the kamailio --V
>
> version: kamailio 3.2.0 (x86_64/linux) 639f0a
>
> flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS,
> USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM,
> SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX,
> FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR,
> USE_DST_BLACKLIST, HAVE_RESOLV_RES
>
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
> MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
>
> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
>
> id: 639f0a
>
> compiled on 11:35:43 Oct 28 2011 with gcc 4.5.1
>
> I'm using pike to check flood alerts, but I have a white list stored
> in the "user_preference" table :
>
> I'm using it like this :
>
> route[REQINIT] {
>
> # flood dection from same IP and traffic ban for a while
>
> # be sure you exclude checking trusted peers, such as pstn
> gateways
>
> # - local host excluded (e.g., loop to self)
>
> if( !(avp_db_load("pike", "$avp(ip_origen)") &&
> avp_check("$avp(ip_origen)", "eq/$src_ip/gi")) )
>
> #+---------+----------+--------+-----------+----------------+------+---------------------+
>
> #| uuid | username | domain | attribute | value | type |
> modified |
>
> #+---------+----------+--------+-----------+----------------+------+---------------------+
>
> #| pike | | | ip_origen | 10.0.0.44 | 0 |
> 2008-01-04 13:24:14 |
>
> #| pike | | | ip_origen | 10.0.0.66 | 0 |
> 2008-01-04 17:28:59 |
>
> {
>
> if($sht(ipban=>$si)!=$null)
>
> {
>
> # ip is already blocked
>
> xdbg("request from blocked IP - $rm from $fu
> (IP:$si:$sp)\n");
>
> exit;
>
> }
>
> if (!pike_check_req())
>
> {
>
> xlog("L_ALERT","ALERT: pike blocking $rm from
> $fu (IP:$si:$sp)\n");
>
> xlog("L_INFO","ALERT: pike blocking from $si\n");
>
> $sht(ipban=>$si) = 1;
>
> exit;
>
> }
>
> }
>
> Is this check method too slow? Or intensive in mysql access request??
>
database access can be a reason for becoming slower. The above operation
does a select of the ip addresses in memory and then an iteration to
match them with source ip.
You can use benchmark module to try to detect what is slower there --
you can wrap the cfg snipped above in benchmark execution time counting.
IMO, this is not a good solution for preventing DoS, since you hit
database even for each malicious request. I would recommend to use
permissions module with address table to match trusted IP addresses --
this is doing caching in memory for the list of addresses, thus being
very fast and safe in case of attacks. You can reload the list of ip
addresses at runtime via MI/RPC without a need to restart the sip server.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20111123/6cdf4638/attachment-0001.htm>
More information about the sr-users
mailing list