Re: [chrony-users] Pros and Cons of acquisitionport directive

[Bryan Christianson <bryan@xxxxxxxxxxxxx>]

> On 10/08/2016, at 10:27 PM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
> 
> On Wed, Aug 10, 2016 at 08:04:20PM +1200, Bryan Christianson wrote:
>> I have been observing chronyd with a profiler (Apple Instruments - gui to dtrace) and noticed that open/close operations on the client sockets was responsible for 80% of the time used. It seems to take the kernel a while to cleanup a socket on close.
>> 
>> I have specified acquisitionport in the config and resource use is significantly better.
> 
> How much is that as a percentage of CPU time

With acquisitionport:		0.42s in 1800s => 0.02% CPU
Without acquisitionport:	0.51s in 600s => 0.08% CPU

i.e. about factor of 4 difference in cpu usage.

My usage is probably extreme and not optimal - 5 servers (all on the lan) each being polled every 16 seconds. This is a useful configuration for testing chrony and ChronyControl.

> 
>> What are the disadvantages of using a non-random port? Security is my first guess (i.e. I have opened up a listening port for use as an attack surface) but are there any other disadvantages?
> 
> I think it's just security.
> 

Thanks for the detailed explanation.
Since the Mac on my lan is not internet facing, security is not an issue.
For the majority of users the poll rates won’t be as high as what I have and the open/close overhead will be lower.
I guess mostly I was surprised to see how expensive it is to close then reopen a socket on the darwin kernel. 

Bryan Christianson
bryan@xxxxxxxxxxxxx




--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.