PHP at Density and Scale

1,395 views

Published on

Mixing performance, configurability, density, and security at scale has, historically, been hard with PHP. Early approaches have involved CGIs, suhosin, or multiple Apache instances. Then came PHP-FPM. At Pantheon, we've taken PHP-FPM, integrated it with cgroups, namespaces, and systemd socket activation. We use it to deliver all of our goals at unheard-of densities: thousands and thousands of isolated pools per box.

Watch how it's configured and see PHP-FPM pools start real-time to serve different Drupal sites as requests come into a server.

All of our tools for this are open-source and usable on your own virtual machines and hardware.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,395
On SlideShare
0
From Embeds
0
Number of Embeds
34
Actions
Shares
0
Downloads
6
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

PHP at Density and Scale

  1. 1. PHP at Density and Scale How Pantheon sees the future of computing.
  2. 2. About Me ● Four Kitchens ● Drupal.org ● Pressflow ● Pantheon ● systemd
  3. 3. Topics ● Performance ○ Socket activation ○ Automount/autofs ○ cgroups ○ “Customer Experience Monitor” ○ Migration ● Security ○ Users ○ Namespaces ○ Defense-in-depth ○ Non-disruptive fixes
  4. 4. Traditional server sockets: overview ... nginx TCP 80 Client nginx TCP 81 If you want a service available, the daemon has to be running.
  5. 5. Socket activation: overview systemd TCP 80 Client TCP 81 nginxfd=3 Only a socket in systemd has to run for service availability.
  6. 6. Socket activation: details ● systemd squats on all listeners ○ Looks for incoming traffic with EPOLL ○ Starts the services/containers on-demand ○ Passes socket to daemon as fd=3 ● Not a proxy (same performance) ● No client awareness
  7. 7. Socket activation: Pantheon’s use ● nginx and PHP-FPM ● MariaDB soon ○ Using an alternative now ● Allows 90%+ containers to be idle ● Makes bootup sensible ● Reconfiguration pattern is stop, not restart
  8. 8. Socket Activation Demo
  9. 9. Automount/autofs ● Like socket activation for file system mounts ○ Kernel squats on mount path and looks for traffic ○ Brings up file mount lazily ● Used for FuseDAV (Valhalla client)
  10. 10. Automount Demo
  11. 11. cgroups ● Many options ○ Pantheon uses CPUShares and BlockIOWeight ● Keeps things fair under contention ○ Kind of like adding purple ropes when people are queueing
  12. 12. Contention with cgroups Demo
  13. 13. Customer Experience Monitor ● Runs a representative Drupal site on every container host ● Reports scores to the API and monitoring ● Influences migration and container placement
  14. 14. Migration ● At density, rebalancing is important ● Keep state lightweight ○ No OS ○ No runtime ● Mutiny: migration as replication + promotion
  15. 15. Isolation for security ● Users ● Namespaces
  16. 16. Defense in depth ● Application ○ Drupal ● Runtime ○ nginx, PHP-FPM, FuseDAV ● Container: “binding” certificate ○ Linux user, namespaces, etc. ● Container host: “endpoint” certificate ○ Only trusted for the containers assigned ● Platform: root certificate
  17. 17. Non-disruptive fixes ● Kernel upgrades via migration ● Rolling daemon and library upgrades ○ Heartbleed
  18. 18. Heartbleed Fix Demo

×