PHP at Density and Scale

PHP at Density and Scale: How Pantheon sees the future of computing.


Mixing performance, configurability, density, and security at scale has historically been hard with PHP. Early approaches involved CGIs, suhosin, or multiple Apache instances. Then came PHP-FPM. At Pantheon, we've taken PHP-FPM and integrated it with cgroups, namespaces, and systemd socket activation. We use it to deliver all of our goals at unheard-of densities: thousands and thousands of isolated pools per box. Watch how it's configured and see PHP-FPM pools start in real time to serve different Drupal sites as requests come into a server. All of our tools for this are open source and usable on your own virtual machines and hardware.

Transcript of PHP at Density and Scale

Page 1: PHP at Density and Scale

PHP at Density and Scale
How Pantheon sees the future of computing.

About Me

● Four Kitchens
● Drupal.org
● Pressflow
● Pantheon
● systemd

Topics

● Performance
  ○ Socket activation
  ○ Automount/autofs
  ○ cgroups
  ○ “Customer Experience Monitor”
  ○ Migration
● Security
  ○ Users
  ○ Namespaces
  ○ Defense-in-depth
  ○ Non-disruptive fixes

Traditional server sockets: overview

[Diagram labels: Client; nginx on TCP 80; nginx on TCP 81; ...]

If you want a service available, the daemon has to be running.

Socket activation: overview

[Diagram labels: Client; systemd; TCP 80; TCP 81; nginx (fd=3)]

Only a socket in systemd has to run for service availability.

Socket activation: details

● systemd squats on all listeners
  ○ Looks for incoming traffic with EPOLL
  ○ Starts the services/containers on-demand
  ○ Passes socket to daemon as fd=3
● Not a proxy (same performance)
● No client awareness
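
The daemon's side of the fd=3 handoff described on the slide above, as an added example in Python (not from the talk or from Pantheon's tooling): it follows systemd's sd_listen_fds(3) environment convention (LISTEN_PID, LISTEN_FDS) and checks that each inherited descriptor really is a listening socket before using it. The function name and the start_fd parameter are assumptions made for illustration.

```python
import os
import socket
import stat

SD_LISTEN_FDS_START = 3  # systemd hands over inherited sockets starting at fd 3


def inherited_listeners(environ=None, pid=None, start_fd=SD_LISTEN_FDS_START):
    """Return the listening sockets passed in by systemd, or [] if there are none.

    Uses the sd_listen_fds(3) convention: LISTEN_PID names the process the
    descriptors are meant for, LISTEN_FDS counts them from start_fd upwards.
    start_fd is a parameter only so the check can be exercised outside systemd.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid

    # Variables leaked from a parent process are not addressed to us: ignore them.
    if environ.get("LISTEN_PID") != str(pid):
        return []
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []

    listeners = []
    for fd in range(start_fd, start_fd + max(count, 0)):
        # Only accept() on what really is a listening socket, not a stray file or pipe.
        if not stat.S_ISSOCK(os.fstat(fd).st_mode):
            raise ValueError(f"fd {fd} is not a socket")
        sock = socket.socket(fileno=fd)  # family and type are detected from the fd
        if sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN) != 1:
            sock.detach()  # leave the descriptor open for the caller to inspect
            raise ValueError(f"fd {fd} is not listening")
        os.set_inheritable(fd, False)  # do not leak the listener into child processes
        listeners.append(sock)
    return listeners


if __name__ == "__main__":
    # Under a socket-activated unit this prints the address systemd was holding.
    for s in inherited_listeners():
        print("activated on", s.getsockname())
```

Run outside systemd, the script prints nothing because LISTEN_PID is unset and the function returns an empty list.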

Socket activation: Pantheon’s use

● nginx and PHP-FPM
● MariaDB soon
  ○ Using an alternative now
● Allows 90%+ containers to be idle
● Makes bootup sensible
● Reconfiguration pattern is stop, not restart

Socket Activation Demo

Automount/autofs

● Like socket activation for file system mounts
  ○ Kernel squats on mount path and looks for traffic
  ○ Brings up file mount lazily
● Used for FuseDAV (Valhalla client)

Automount Demo

cgroups

● Many options
  ○ Pantheon uses CPUShares and BlockIOWeight
● Keeps things fair under contention
  ○ Kind of like adding purple ropes when people are queueing

Contention with cgroups Demo

Customer Experience Monitor

● Runs a representative Drupal site on every container host
● Reports scores to the API and monitoring
● Influences migration and container placement

Migration

● At density, rebalancing is important
● Keep state lightweight
  ○ No OS
  ○ No runtime
● Mutiny: migration as replication + promotion

Isolation for security

● Users
● Namespaces

Defense in depth

● Application
  ○ Drupal
● Runtime
  ○ nginx, PHP-FPM, FuseDAV
● Container: “binding” certificate
  ○ Linux user, namespaces, etc.
● Container host: “endpoint” certificate
  ○ Only trusted for the containers assigned
● Platform: root certificate

Non-disruptive fixes

● Kernel upgrades via migration
● Rolling daemon and library upgrades
  ○ Heartbleed

Heartbleed Fix Demo