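On production systems, GBase 8a operations such as installation and upgrade finish in roughly under 10 minutes, but in a virtual machine on a laptop they take noticeably longer, generally 15-20 minutes or more. After investigation, and setting aside the difference in hardware performance, the cause turned out to be the sshd configuration, which makes remote ssh connections slow to establish.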
Reference
http://www.cnitblog.com/201/archive/2020/09/02/92336.html
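Investigation
The install and upgrade log, gcinstall.log, showed that the check phase, the file-transfer phase and similar steps complete almost instantly on the production servers, but take several seconds or even more than ten seconds on the virtual machines.
A manual test of ssh performance showed an obvious wait when connecting to the other nodes, so I ran ssh with the -v option to see where it was stalling: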
[gbase@gbase_rh7_003 gcinstall]$ ssh -v 2001::103
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/gbase/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 2001::103 [2001::103] port 22.
debug1: Connection established.
debug1: identity file /home/gbase/.ssh/id_rsa type 1
debug1: identity file /home/gbase/.ssh/id_rsa-cert type -1
debug1: identity file /home/gbase/.ssh/id_dsa type -1
debug1: identity file /home/gbase/.ssh/id_dsa-cert type -1
debug1: identity file /home/gbase/.ssh/id_ecdsa type -1
debug1: identity file /home/gbase/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/gbase/.ssh/id_ed25519 type -1
debug1: identity file /home/gbase/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 18:cd:92:ce:4c:19:2c:55:7b:35:aa:e8:60:4a:f3:84
debug1: Host '2001::103' is known and matches the ECDSA host key.
debug1: Found key in /home/gbase/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/gbase/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/gbase/.ssh/id_dsa
debug1: Trying private key: /home/gbase/.ssh/id_ecdsa
debug1: Trying private key: /home/gbase/.ssh/id_ed25519
debug1: Next authentication method: password
gbase@2001::103's password:
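Cause
The delay was traced to the "Unspecified GSS failure" lines. After consulting references, the cause was confirmed to be the sshd configuration:
- UseDNS is enabled
- GSSAPIAuthentication is enabled
Solution
If you can modify the sshd configuration, disable the two parameters above.
If you cannot or do not want to modify it, add the following option to ssh, scp and similar commands: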
-o GSSAPIAuthentication=no
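To check which value sshd takes for the two parameters named above, the following added example (not from the original post) reads an sshd_config-style file using sshd's first-value-wins rule. The function names and the sample configuration are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Added example (not from the original post): read the global value sshd
# would use for a keyword in an sshd_config-style file.

effective_sshd_opt() {
    # $1 = config file, $2 = keyword; prints the value, or "unset" if absent
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ { next }                  # comment line
        { sub(/=/, " ") }                    # accept "Keyword=value" too
        tolower($1) == "match" { exit }      # global section ends at Match
        tolower($1) == key { val = tolower($2); exit }   # first value wins
        END { print val }
    ' "$1"
}

audit_sshd_login_delay() {
    # $1 = config file; prints both settings, returns 1 if either is "yes"
    rc=0
    for k in UseDNS GSSAPIAuthentication; do
        v=$(effective_sshd_opt "$1" "$k")
        echo "$k=$v"
        if [ "$v" = "yes" ]; then rc=1; fi
    done
    return "$rc"
}

write_sample_config() {
    # Constructed sample input; $1 = output path
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
#UseDNS no
usedns yes
GSSAPIAuthentication=yes
UseDNS no
Match User backup
    GSSAPIAuthentication no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_login_delay "$sample" || echo "at least one of the two settings is enabled"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; a keyword reported as "unset" here falls back to the default of the installed OpenSSH build.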
Result
In testing, after this parameter was disabled, the upgrade time dropped from the previous 27 minutes to 6 minutes.