The holy grail of computing is security and performance: it's all well and good having the most secure system in the world, but if it's rubbish at doing the job it's supposed to do then you've kinda missed the point. Tools like psad and denyhosts provide excellent security, but to do so they actively use resources. Take the example of a mail server: if some unsociable person starts heavily scanning your machine and the above two applications slow down the delivery of mail, your users won't be happy. That's where "nice" comes into effect; nice lets you give a higher scheduling priority to the applications that matter to you, so they win the CPU whenever there's a fight for it. Now I hear what you're saying: psad and denyhosts are so light, how could they possibly consume resources? So let's look at a real world example....

I, like many, run open source applications on, how to put it politely, not exactly top end kit ;) I run Nagios, Cacti and Splunk all on a Pentium III with 256MB RAM, so here's the deal: the main purpose of this box is to monitor kit (with nagios), cacti and splunk are useful extras, and the box also has to support my basic security stuff (monit, psad, tripwire, denyhosts, etc). As you can see my box is quite heavily loaded, and the real world impact was that splunk's indexing and the nightly tripwire checks starved nagios of resources, which in turn caused checks to time out and fail, sending me false alerts ... *cry* ... Enter "nice" to save the day! By adding a nice priority to nagios, I was able to give nagios what it needed to function correctly; the impact on the other applications wasn't that they couldn't run, they just had to run a little slower.

If you've read the nice(1) man page you'll see that nice values range from -20 to 19 (-20 being the highest priority, 19 the lowest); if you watch top for a little while you'll see the NI column is 0 for nearly everything, so simply setting nagios to -1 is enough to put it ahead of the pack whenever it has to compete for CPU. Two things to bear in mind: only root can give a process a negative nice value (unprivileged users can only make their own processes nicer, never less nice), which is why this has to happen in the init script or as root; and nice only decides who wins when the CPU is contended, it doesn't make a single process any faster on an idle box.

So how to set the nagios nice? In fact this applies to any service started from /etc/init.d. To get started, vi /etc/init.d/nagios and add the following line near the top (below the #!/bin/bash line, obviously):

NICE="/bin/nice -n -1"

Now look for the start() function. For nagios there's a line using $NagiosBin which starts nagios; other services have daemon $prog or similar. Simply insert $NICE in front of $NagiosBin (or daemon $NICE $prog) and restart the service. Now open top and do something that makes the application work (I opened the nagios web page): the NI column for your service's processes shows -1, and they stay ahead of the nice-0 crowd whenever everyone is fighting for the CPU.

Now perhaps that was not very clear, so let's look at doing the same for httpd. Again, edit /etc/init.d/httpd (near the top) and make yours look like...

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/sbin/apachectl
NICE="/bin/nice -n -3"
httpd=${HTTPD-/usr/sbin/httpd}

Now fix "start"...

start() {
        echo -n $"Starting $prog: "
        check13 || exit 1
        LANG=$HTTPD_LANG daemon $NICE $httpd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch ${lockfile}
        return $RETVAL
}

Making sense now?
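One thing the init script won't tell you is whether the nice level actually stuck. GNU nice prints "cannot set niceness: Permission denied" and then runs the command anyway when it isn't allowed to lower the value, so a service can report "[ OK ]" and still be sitting at nice 0. The script below is an added example of mine, not from the original post: it reads a process's real nice value out of /proc/<pid>/stat (falling back to ps -o ni=), checks a list of PIDs against the value you asked for, and wraps the launch so a silently ignored nice level comes back as a failure. It assumes Linux (or a ps that understands -o ni=); nice_of, expected_nice, check_nice and start_niced are my own names.

```bash
#!/bin/bash
# Added example (not from the original post): check that "nice" really applied
# to a service instead of trusting the init script's "[ OK ]".
# Assumes Linux (/proc/<pid>/stat) or a ps that understands "-o ni=".
# nice_of, expected_nice, check_nice and start_niced are my own names.

# Print the nice value of a PID. In /proc/<pid>/stat the nice value is field
# 19, but the comm field (2) may contain spaces, so strip through the closing
# ')' first; the next word is then field 3 and nice is the 17th word.
nice_of() {
    local pid=$1 line
    if [ -r "/proc/$pid/stat" ]; then
        line=$(cat "/proc/$pid/stat") || return 1
        line=${line##*\) }
        set -- $line
        echo "${17}"
    else
        line=$(ps -o ni= -p "$pid") || return 1
        echo $line    # unquoted on purpose, strips ps's padding
    fi
}

# What "nice -n <adj>" should yield when run from this shell: the current
# value plus the adjustment, clamped by the kernel to the -20..19 range.
expected_nice() {
    local n=$(( $(nice_of $$) + $1 ))
    [ "$n" -gt 19 ] && n=19
    [ "$n" -lt -20 ] && n=-20
    echo "$n"
}

# Check that every PID given runs at the expected nice value.
# Usage: check_nice <expected> <pid>...   -> 0 if all match, 1 otherwise.
check_nice() {
    local want=$1 pid got rc=0
    shift
    for pid in "$@"; do
        if ! got=$(nice_of "$pid"); then
            echo "pid $pid: no such process" >&2; rc=1; continue
        fi
        if [ "$got" != "$want" ]; then
            echo "pid $pid: nice is $got, wanted $want" >&2; rc=1
        fi
    done
    return $rc
}

# Start a command at a nice level and verify the level was honoured.
# GNU nice warns "cannot set niceness: Permission denied" and still execs
# the command when a non-root user asks for a negative value, so the daemon
# comes up happily at nice 0 and nothing in the init script's output says so.
# Usage: pid=$(start_niced <nice> <cmd...>)   -> returns 1 if not honoured.
start_niced() {
    local level=$1 want pid i
    shift
    want=$(expected_nice "$level")
    nice -n "$level" "$@" >/dev/null 2>&1 &
    pid=$!
    # nice(1) calls setpriority() before exec'ing the command, so poll briefly
    # rather than reading the child's value before it has been adjusted.
    for i in 1 2 3 4 5 6 7 8 9 10; do
        [ "$(nice_of "$pid")" = "$want" ] && break
        sleep 0.2 2>/dev/null || sleep 1
    done
    echo "$pid"
    check_nice "$want" "$pid"
}

# Constructed demo, sleep standing in for a daemon:
#   pid=$(start_niced 5 sleep 30) && echo "running at nice $(nice_of "$pid")"; kill "$pid"
# After "service httpd restart" on the real box:
#   check_nice -3 $(pgrep -x httpd) && echo "httpd is at nice -3"
```

Run check_nice as an ordinary user straight after the restart; if it reports "nice is 0, wanted -3" the script ran nice without the privilege to lower the value (or a later line in the init script re-exec'd the daemon without it), and top's NI column will agree.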

One problem to point out: on Red Hat based systems the files in /etc/init.d get overwritten when the package is updated, so you may have to re-apply this after every update :( Two things soften that. The daemon function in /etc/init.d/functions on those systems accepts a nice level itself (daemon -3 $httpd $OPTIONS) and honours a NICELEVEL variable, so where the init script sources /etc/sysconfig/httpd you can put NICELEVEL=-3 in there and leave the script alone (check your copy of functions for the NICELEVEL line before relying on it). And some services, mysql for example, support "nice" settings in their own config files, so my /etc/my.cnf looks like...

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
nice = -1

On "top end" equipment, to be honest, you probably won't even notice the difference, but on older kit the impact is dramatic ! :D

Nick Bettison ©