From: "Mark Schouten" <mark@tuxis.nl>
To: "Shannon Sterz" <s.sterz@proxmox.com>
Cc: Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] Authentication performance
Date: Mon, 16 Dec 2024 11:23:06 +0000
Message-ID: <embeb48874-d400-4e69-ae0f-2cc56a39d592@93f95f61.com>
In-Reply-To: <D6D024F1JMI5.QDFXDKCQMUCJ@proxmox.com>
Hi,
>
>would you mind sharing either `authkey.pub` or the output of the
>following commands:
>
>head --lines=1 /etc/proxmox-backup/authkey.key
>cat /etc/proxmox-backup/authkey.key | wc -l
-----BEGIN RSA PRIVATE KEY-----
51
So that is indeed the legacy method. We are going to upgrade our PBSes
on Wednesday.
>
>The first should give the PEM header of the authkey whereas the second
>provides the amount of lines that the key takes up in the file. Both
>give an indication whether you are using the legacy RSA keys or newer
>Ed25519 keys. The latter should provide more performance; security should
>not be affected much by this change. If the output of the commands looks
>like this:
>
>-----BEGIN PRIVATE KEY-----
>3
>
>Then you are using the newer keys. There currently isn't a recommended
>way to upgrade the keys. However, in theory you should be able to remove
>the old keys, re-start PBS and it should just generate keys in the new
>format. Note that this will log out anyone that is currently
>authenticated and they'll have to re-authenticate.
Seems like a good moment to update those keys as well.
>In general, tokens should still be faster to authenticate so we'd
>recommend that you try to get your users to switch to token-based
>authentication where possible. Improving performance there is a bit
>trickier though, as it often comes with a security trade-off (in the
>background we use yescrypt for the authentication there, that
>deliberately adds a work factor). However, we may be able to improve
>performance a bit via caching methods or similar.
Yes, that might help. I’m also not sure if it actually is
authentication, or if it is the datastore-call that the PVE-environments
call. As you can see in your support issue 3153557, it looks like some
requests loop through all datastores, before responding with a limited
set of datastores.
For instance (and I’m a complete noob wrt Rust), if I understand
https://git.proxmox.com/?p=proxmox-backup.git;a=blob;f=src/api2/admin/datastore.rs;h=11d2641b9ca2d2c92da1a85e4cb16d780368abd3;hb=HEAD#l1315
correctly, PBS loops through all the datastores, checks mount-status and
config, and only starts filtering at line 1347. If I understand that
correctly, in our case with over 1100 datastores, that might cause quite
some load?
Thanks,
—
Mark Schouten
CTO, Tuxis B.V.
+31 318 200208 / mark@tuxis.nl
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
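The authkey check that Shannon describes in the quoted reply (PEM header plus line count), turned into a small script so it can be run across a fleet before the key rotation Mark mentions. This is an added example, not code from the thread or from Proxmox; the key path is the one quoted above, the `classify_authkey` function name and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): classify a PBS
# authkey file from its PEM header and line count, as the quoted reply
# suggests. Default path is the one given in the thread.

# Prints "legacy-rsa", "new-pkcs8", "pkcs8-long" or "unknown";
# returns 1 when the file cannot be read.
classify_authkey() {
    keyfile="${1:-/etc/proxmox-backup/authkey.key}"
    if [ ! -r "$keyfile" ]; then
        echo "unreadable"
        return 1
    fi
    header=$(head -n 1 "$keyfile")
    nlines=$(wc -l < "$keyfile" | tr -d ' ')
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----")
            # PKCS#1 RSA key: the legacy format, dozens of lines long
            echo "legacy-rsa" ;;
        "-----BEGIN PRIVATE KEY-----")
            # PKCS#8 wrapper: a 3-line file is what the new Ed25519 key
            # looks like; a much longer one would still be an RSA key
            if [ "$nlines" -le 3 ]; then echo "new-pkcs8"; else echo "pkcs8-long"; fi ;;
        *)
            echo "unknown" ;;
    esac
}

# Constructed sample files (placeholder base64, not real key material) so
# the check can be exercised offline without touching a live PBS.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
{
    echo "-----BEGIN RSA PRIVATE KEY-----"
    i=0
    while [ "$i" -lt 49 ]; do
        echo "MIIEowIBAAKCAQEAPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACE"
        i=$((i + 1))
    done
    echo "-----END RSA PRIVATE KEY-----"
} > "$demo_dir/legacy.key"
printf '%s\n' "-----BEGIN PRIVATE KEY-----" \
    "MC4CAQAwBQYDK2VwBCIEIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER" \
    "-----END PRIVATE KEY-----" > "$demo_dir/new.key"

classify_authkey "$demo_dir/legacy.key"   # legacy-rsa
classify_authkey "$demo_dir/new.key"      # new-pkcs8
```

Run it with no argument on a PBS host to check the real `/etc/proxmox-backup/authkey.key`; "legacy-rsa" means the key still has to be rotated.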
Thread overview: 9+ messages
2024-12-13 16:21 Mark Schouten
2024-12-16 8:59 ` Shannon Sterz
2024-12-16 11:23 ` Mark Schouten [this message]
2024-12-16 11:51 ` Shannon Sterz
2024-12-16 13:01 ` Mark Schouten
2024-12-19 9:56 ` Mark Schouten
2024-12-20 13:22 ` Shannon Sterz
2025-01-06 19:07 ` Mark Schouten
2025-03-06 13:32 ` Mark Schouten