taint mode: insecure dependency in connect

taint mode: insecure dependency in connect

by Jeff McCarrell

Hi folks

I want to increase the number of memcache servers in our Cache::Memcached app as my timing suggests we are seeing contention for the memcache in high load situations.
So I changed the code to start several servers using unix sockets.
The previous code started one memcache instance using a single unix socket.

And in fact, the memcache instances are up and running.  Netstat shows the listening sockets.

But when I try to connect to them with Cache::Memcached, I see this error:

[Wed Jun 11 20:05:57 2008] [error] Insecure dependency in connect while running setgid at /usr/lib/perl5/site_perl/5.8.5/Cache/Memcached.pm line 203.\n

I dumped out the hash ref I’m passing to the Memcached constructor.  It is:

$VAR1 = {
          'debug' => 1,
          'servers' => [
                         '/tmp/memd_sock_Q2mgpEt3PG',
                         '/tmp/memd_sock_uU9zYPViTl',
                         '/tmp/memd_sock_uBAK41gg1K',
                         '/tmp/memd_sock_RT4iK1FHTs',
                         '/tmp/memd_sock_YnOzI5Co8b',
                         '/tmp/memd_sock_VU4h3ThToE',
                         '/tmp/memd_sock_L4FPMPkr8r',
                         '/tmp/memd_sock_kcL6bXBam6'
                       ]
        };

which looks good to me.

The sockets were created by memcached, and are owned by apache, which is the uid of the client.
E.g.:
srwxr-xr-x  1 apache apache 0 Jun 11 17:22 /tmp/memd_sock_Q2mgpEt3PG
which looks good to me.

Any pointers on what taint mode wants here?  I’m puzzled.

-- jeff

Re: taint mode: insecure dependency in connect

by Jeff McCarrell

Ok, I needed to keep reading perlsec.
They are tainted because I read them from a file.

-- jeff
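
Added example, not part of the original thread: a Perl sketch of the fix implied above, where socket paths read from a file are tainted and must pass through a regex capture before `connect` will accept them under `-T` or setgid. The path pattern is an assumption inferred from the dump shown earlier, the sample lines after `__DATA__` are constructed, and `untaint_socket_paths` and `owned_socket` are hypothetical helper names.

```perl
# Run with: perl -T untaint_sockets.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed naming scheme, inferred from the dump in the thread:
# /tmp/memd_sock_ followed by 10 alphanumeric characters.
my $SOCK_RE = qr{\A(/tmp/memd_sock_[A-Za-z0-9]{10})\z};

# Returns (\@clean, \@rejected). Only a regex capture clears the taint flag,
# so the pattern must describe exactly what is acceptable (never /(.*)/).
sub untaint_socket_paths {
    my ($fh) = @_;
    my (@clean, @rejected);
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /\A\s*(?:#.*)?\z/;    # skip blanks and comments
        if ($line =~ $SOCK_RE) {
            push @clean, $1;                   # $1 is untainted
        } else {
            push @rejected, $line;             # still tainted; do not use
        }
    }
    return (\@clean, \@rejected);
}

# The regex validates the name, not the file. /tmp is world-writable, so
# confirm the path is a socket owned by the expected uid before connecting.
sub owned_socket {
    my ($path, $uid) = @_;
    my @st = lstat $path or return 0;
    return -S _ && $st[4] == $uid;
}

my ($clean, $rejected) = untaint_socket_paths(\*DATA);
printf "%-8s %s\n", (tainted($_) ? 'TAINTED' : 'clean'), $_
    for (@$clean, @$rejected);
my @live = grep { owned_socket($_, $>) } @$clean;
printf "%d of %d validated paths are sockets owned by uid %d\n",
    scalar @live, scalar @$clean, $>;
# \@live is the list that would be passed as 'servers' to Cache::Memcached->new.

__DATA__
# constructed sample input
/tmp/memd_sock_Q2mgpEt3PG
/tmp/memd_sock_uU9zYPViTl
/tmp/../etc/memd_sock_x
/tmp/memd_sock_short
```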


Re: taint mode: insecure dependency in connect

by Dormando

contention on memcached, over localhost? That's a little bizarre.
Ignoring that you've corrected yourself already... :)

Can you test over localhost:11211 instead of a unix domain socket, and
see if there's any performance difference? Multithreaded memcached
maybe? It's pretty hard to actually contend on memcached.

-Dormando

Jeff McCarrell wrote:

> Hi folks
>
> I want to increase the number of memcache servers in our
> Cache::Memcached app as my timing suggests we are seeing contention for
> the memcache in high load situations.
> So I changed the code to start several servers using unix sockets.
> The previous code started one memcache instance using a single unix socket.
>
> And in fact, the memcache instances are up and running.  Netstat shows
> the listening sockets.
>
> But when I try to connect to them with Cache::Memcached, I see this error:
>
> [Wed Jun 11 20:05:57 2008] [error] Insecure dependency in connect while
> running setgid at /usr/lib/perl5/site_perl/5.8.5/Cache/Memcached.pm line
> 203.\n
>
> I dumped out the hash ref I’m passing to the Memcached constructor.  It is:
>
> $VAR1 = {
>           'debug' => 1,
>           'servers' => [
>                          '/tmp/memd_sock_Q2mgpEt3PG',
>                          '/tmp/memd_sock_uU9zYPViTl',
>                          '/tmp/memd_sock_uBAK41gg1K',
>                          '/tmp/memd_sock_RT4iK1FHTs',
>                          '/tmp/memd_sock_YnOzI5Co8b',
>                          '/tmp/memd_sock_VU4h3ThToE',
>                          '/tmp/memd_sock_L4FPMPkr8r',
>                          '/tmp/memd_sock_kcL6bXBam6'
>                        ]
>         };
>
> which looks good to me.
>
> The sockets were created by memcached, and are owned by apache, which is
> the uid of the client.
> E.g.:
> srwxr-xr-x  1 apache apache 0 Jun 11 17:22 /tmp/memd_sock_Q2mgpEt3PG
> which looks good to me.
>
> Any pointers on what taint mode wants here?  I’m puzzled.
>
> -- jeff


Re: mc performance tuning; was: taint mode: insecure dependency in connect

by Jeff McCarrell

re: contention for memcache
Well, we don't have a very standard kind of web app.
The data show that running 8 memcaches is better for us than 1:

http://www.emptech.com/mc/image003.png

The graph shows the avg time to process the complete request.
The X axis shows concurrent streams of requests being sent to apache.
Each request makes several to small tens of memcache gets, and 1 multi-get.
My next set of tests will compare 8 vs 16 memcaches and scale up the number
of concurrent requests.

re: localhost:12211 vs unix domain sockets
Um, yes, I can test tcp sockets vs. unix domain sockets if there is a good
reason to.  My belief is that unix domain sockets are the fastest in
general; is there something specific to memcache that suggests otherwise?

re: multi-threaded memcache
I read about multi-threaded mc with interest.
In general, I'm leery of threading, but I would be willing to look further
into it with a little encouragement. :-)
We are running LAMP on linux 2.6 64-bit where the p is perl 5.8.5.
Is there a consensus view that memcache threading works well on that
platform?

TIA,

-- jeff

On 6/12/08 12:31 AM, "dormando" <dormando@...> wrote:

> contention on memcached, over localhost? That's a little bizarre.
>
> Can you test over localhost:11211 instead of a unix domain socket, and
> see if there's any performance difference? Multithreaded memcached
> maybe? It's pretty hard to actually contend on memcached.


Re: mc performance tuning; was: taint mode: insecure dependency in connect

by Dormando

Jeff McCarrell wrote:
> re: contention for memcache
> Well, we don't have a very standard kind of web app.
> The data show that running 8 memcaches is better for us than 1:
>
> http://www.emptech.com/mc/image003.png

No no, I believe you see benefit when doing so :) I'm just not positive
something else isn't going on here :) I've yet to see a single instance
host actually overpower a memcached instance and not have it be some
weirdo bug.

It might be those multiget's, I guess.

> The graph shows the avg time to process the complete request.
> The X axis shows concurrent streams of requests being sent to apache.
> Each request makes several to small tens of memcache gets, and 1 multi-get.
> My next set of tests will compare 8 vs 16 memcaches and scale up the number
> of concurrent requests.
>
> re: localhost:12211 vs unix domain sockets
> Um, yes, I can test tcp sockets vs. unix domain sockets if there is a good
> reason to.  My belief is that unix domain sockets are the fastest in
> general; is there something specific to memcache that suggests otherwise?

They're actually the same speed on linux these days, or thereabouts. Was
curious to rule it out, is all.

> re: multi-threaded memcache
> I read about multi-threaded mc with interest.
> In general, I'm leery of threading, but I would be willing to look further
> into it with a little encouragement. :-)
> We are running LAMP on linux 2.6 64-bit where the p is perl 5.8.5.
> Is there a consensus view that memcache threading works well on that
> platform?

Threaded mode is the new default. It works well enough for most of us.
Should be more (memory) efficient for you than multiple independent caches.

-Dormando