Traditionally, BSD has been a high-end server platform prized for its stability, interoperability, and scalability. These points have all come into question recently as commercial Unix vendors such as HP and Sun tout their products as an "enterprise solution" offering scalability superior to free systems such as Linux and BSD.
OpenBSD specifically has suffered from this label, accented by its lack of SMP support and other high-end hardware compatibility issues. However, my investigations into OpenBSD's use in high traffic environments uncovered the wiretapped.net server, run by Grant Bayley, which serves security, cryptographic, and steganographic data to the Australian community (including the fastest full mirror of OpenBSD in Australia). I took this machine as a case study into OpenBSD in a datacenter scale environment, and after speaking to Grant, I was surprised by the performance of OpenBSD.
The wiretapped.net archives transmit a daily average of roughly 10GB of FTP traffic on top of Apache traffic for several domains and a large EZ-MLM-based mailing list. This makes it one of the largest FTP servers in Australia, yet by far the most poorly funded. All other servers performing that kind of throughput are large Sun servers operated by universities or corporations. The wiretapped.net machine is a mere K-6 450MHz/128 MB RAM machine operating off an IDE disk archive.
Grant and the team had previously used Red Hat Linux on a smaller machine before load forced the hardware upgrade. When questioned on his choice of operating systems, Grant replied, "Prior to deployment of this new system, I'd always been a proponent of Linux-based systems for network performance reasons, but over time the number of security concerns that were raised with the software packaged by vendors such as Red Hat left a lot to be desired. As I did more and more testing with OpenBSD on my development machines, I was satisfied it could handle both the inherent security challenges a machine such as the one also hosting www.2600.org.au would face and the network load generated by the software archive."
This said, performance concerns were still high when implementing OpenBSD 2.6 on the new machine. "It matched up well enough in testing -- I just wasn't immediately sure about deploying the system with the sort of load the machine would be expected to handle. The concerns evaporated soon enough after installation, though". Grant claims that a few simple configuration tweaks were all that was needed to prepare OpenBSD for the high disk I/O load. To allow for the frequent disk I/O on low-speed IDE, the kernel parameter
/usr/src/sys/arch/i386/conf/GENERIC was changed to read:
Unused SCSI drivers were also commented out to enhance performance:
    #sea0 at isa? iomem 0xc8000 irq 5 # Seagate ST0 SCSI controllers
    #scsibus* at sea?
    #uha0 at isa? port 0x330 irq ? drq ? # UltraStor 4f SCSI controllers
    #uha1 at isa? port 0x334 irq ? drq ? # UltraStor 4f SCSI controllers
    #uha* at eisa? slot ? # UltraStor 24f SCSI controllers
And so forth for all unused SCSI options. Once the kernel was recompiled (a kernel compiled on the host system offers performance enhancements in its own right), all patches were applied to the system from the OpenBSD 2.6 release errata and patch list.
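The hand edit described above can be scripted. The following is an added example, not code from the article or from wiretapped.net: it comments out the named drivers in a kernel config and also the bus lines that attach to them (such as `scsibus* at sea?`), which are easy to miss. The function name and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): comment out named drivers, and any
# device that attaches to them, in a kernel config read from stdin.
# Usage: disable_drivers sea uha < GENERIC > NEWCONFIG   (NEWCONFIG is hypothetical)
disable_drivers() {
    awk -v drivers="$*" '
    BEGIN { n = split(drivers, d, " "); for (i = 1; i <= n; i++) off[d[i]] = 1 }
    # Strip the unit suffix: "sea0" -> "sea", "uha*" -> "uha", "isa?" -> "isa"
    function base(s) { sub(/[0-9*?]+$/, "", s); return s }
    # Device lines look like: <dev> at <parent> [locators] [# comment].
    # Lines that are already commented out are left untouched.
    $1 !~ /^#/ && $2 == "at" && (base($1) in off || base($3) in off) {
        print "#" $0; next
    }
    { print }
    '
}

# Constructed sample input in GENERIC syntax (not the real 2.6 file).
sample_config() {
cat <<'EOF'
aha0 at isa? port 0x330 irq ? drq ?
scsibus* at aha?
sea0 at isa? iomem 0xc8000 irq 5
scsibus* at sea?
uha0 at isa? port 0x330 irq ? drq ?
uha* at eisa? slot ?
scsibus* at uha?
sd* at scsibus? target ? lun ?
wdc0 at isa? port 0x1f0 irq 14
EOF
}

# Disable the Seagate and UltraStor drivers; aha, sd and wdc stay enabled.
sample_config | disable_drivers sea uha
```

Only the `scsibus*` lines whose parent is a disabled driver are commented out, so disks behind the remaining controllers stay attached.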
The new wiretapped.net system now complete, testing was done from cable modem users only a few hops away from the backbone. "We were able to get a number of cable modem users to hit the site with both http and ftp downloads, and it performed admirably," Grant commented. When asked about the future of wiretapped.net and where his hardware and software choices would sway in future, Grant replied, "I'll likely stick with x86, but if and when funds are available, may move to some type of RAID instead of the ATA-66 drives the essentially zero budget we've had till now has dictated. That's the only real concern -- being able to maintain network speeds with essentially cheap drives. OpenBSD has matched everything we've been able to throw at the machine so far -- I see no reason to change my choice of software beyond a possible version upgrade".
The wiretapped.net setup serves as a fine example of OpenBSD's (and BSD's in general) scalability and high-end performance. In this situation, OpenBSD was able to provide the correct balance between robust Unix performance and the tight security that a high-profile archive demands, a prime necessity in the e-commerce world emerging these days. Could we see OpenBSD as the Internet super server of the future? I'd like to say so.
Thanks to Grant Bayley for his assistance with this article. The wiretapped.net archives can be found via the web or by ftp.
David Jorm has been involved with open source and security projects for several years, originally with OpenBSD and Debian GNU/Linux, now with the development team at wiretapped.net.
Copyright © 2009 O'Reilly Media, Inc.