[Users] pre-built i686 kernel flavors
Solar Designer
solar at openwall.com
Sat Jul 10 16:26:26 EDT 2010
Kir,
Here's a suggestion for you to consider: discontinue -ent and non-PAE
kernels. Non-PAE on i686 makes little sense. The performance impact
of PAE is hardly even measurable on real-world usage, but PAE buys us NX
bit support. So recommending PAE only for 4 GB RAM or more is "wrong".
Now, I've heard that some older Pentium M and Celeron M CPUs (found in
some laptops) don't do PAE, but do we care about those all that much (in
pre-built kernels)? Sure, experimenting with OpenVZ on a laptop makes
sense, but modern laptops support PAE fine. Other than that, PAE dates
back to Pentium Pro (mid-1990s).
As to -ent, it has a huge performance impact. The
http://wiki.openvz.org/Kernel_flavors page somehow says that it's better
with a larger number of containers, but I think that's wrong. It was a
hack to allow for large multi-threaded, mmap'ing and caching enterprisey
apps (mostly Oracle?) to run on 4 GB RAM 32-bit x86 servers from some
years ago (when x86-64 was not around). When you have many small apps
(or many containers with such apps), you do not need this hack - the
system will likely be faster without it. Ironically, this hack also
improved kernel security (mitigating the impact of the kernel
inadvertently dereferencing a user pointer or NULL), but very few users
would be willing to pay a 30% performance penalty for that.
Even if/when you stop providing -ent and non-PAE builds, perhaps you
should still be making test builds with such configs - to make sure the
kernel builds with a variety of settings.
Thanks,
Alexander
More information about the Users
mailing list