Re: speeding up zfs send | recv (update)

On Feb 23, 2023 at 11:15 AM, Chris Watson <bsdunix44@gmail.com> wrote:
[Sorry miroslav, I hit send without checking the To: this was meant to be public] 

I’m a bit late, but I mentioned this to someone on this thread privately, I’m curious why ‘spiped’ hasn’t been mentioned in this thread. I’ve seen everything from VPN’s to nc. VPNs would be, imo, grossly unwarranted/massively overly complex/hard to secure just to simply have a secure pipe for doing ZFS send|recv. 

Simply configuring an spiped PtP pipe between A and B seems the simplest, most secure, performant option here. At least considering all the other options tossed out in this thread. 

No one’s using spiped? O.o

Thoughts? 

Has anyone compared ssh to spiped regarding overhead and throughput in this scenario?

Chris

On Wed, Feb 22, 2023 at 9:29 PM Sysadmin Lists <sysadmin.lists@mailfence.com> wrote:

On Feb 22, 2023 at 1:43 PM, Freddie Cash <fjwcash@gmail.com> wrote:
[Sorry for top part, GMail sucks for replies.]

If this is a LAN or private WAN where you trust the network, piping the send stream through netcat will remove ssh from the equation.

That's what we switched to using once it became almost impossible to get the "none" cipher working with ssh on FreeBSD.

We use ssh to connect to the remote server and enable a netcat listener on port X, then pipe the send through netcat to the remote system on port X. That way it's logged and uses ssh for authentication.

We easily saturate gigabit links between our ZFS systems using netcat.

Cheers,
Freddie

Typos due to smartphone keyboard.

On Wed., Feb. 22, 2023, 1:31 p.m. Miroslav Lachman, <000.fbsd@quip.cz> wrote:

On 22/02/2023 22:08, mike tancsa wrote:
> On 2/22/2023 4:03 PM, Miroslav Lachman wrote:
>> Interresting numbers. I think I am the only one who get best speed 
>> with chacha20-poly1305@openssh.com
>>
>>
>> It seems the speed of SSH is limited by single core performance which 
>> is very poor on this machine (Intel(R) Pentium(R) Dual  CPU E2160). 
>> Even if CPU has 50% idle, ssh runs on 99.8% of single core.
> 
> The CPU I have has
> aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
> 
> which probably helps.

That explains it
aesni0: No AES or SHA support.

>> I know there were some HPN patches to ssh, beside that is there any 
>> option I can try to use less CPU?
>>
>> I will play with cpuset to pin ssh on one core and everything else on 
>> the other core.
> 
> It looks like you are running into a CPU bottleneck TBH

Yes. Pinning on cores with cpuset helps a bit (about +3MiB/s) but 
without some tweaks on ssh I will not gain more speed :(

Thank you for your help!

Miroslav Lachman

You could pipe the stream through an encrypting program before piping to
netcat, then decrypt on the recieving end.

$ zfs send | crypt | netcat ipaddr 2222
$ netcat -vl 2222 | crypt | zfs recv

I don't know if zfs can handle that, but worth a try.

$ man crypt
    The enigma utility, also known as crypt is a very simple encryption
     program, working on a “secret-key” basis.  It operates as a filter, i.e.,
     it encrypts or decrypts a stream of data from standard input, and writes
     the result to standard output.  Since its operation is fully symmetrical,
     feeding the encrypted data stream again through the engine (using the
     same secret key) will decrypt it.

-- Sent with https://mailfence.com  Secure and private email

I've used it before, but forgot about it. But it's not part of base, and there
are tools in base which together perform a similar task, so that probably
explains why many people haven't heard about it or forgot they had.

Most everyone has at some point needed to transfer a couple files to a local
machine with a LAN connection but borked authentication services. In steps
nc and optionally crypt or openssl to encrypt the data. Simple.

-- Sent with https://mailfence.com  Secure and private email