Last Modified: Nov 22, 2021
Affected Product(s):
iApps TMOS
Opened: Mar 21, 2018 Severity: 4-Minor
External monitor scripts often use the versatile "curl" program to automatically make connections to various network resources (e.g., pool members) as a health check. This use of curl can unexpectedly impair the overall performance of the BIG-IP instance.
If curl is frequently invoked, as by a monitor script, a significant performance impact in the control plane may be observed, involving consumption of disk-I/O bandwidth, processor cycles, and memory.
When beginning execution, the curl program by default reads a file containing a "bundle" of Certificate Authority (CA) certificates, found at this location: "/etc/pki/tls/certs/ca-bundle.crt". Beginning with BIG-IP 12.1.2-HF1, this file became much larger, so the cost of reading and parsing it on every invocation is much more noticeable. The curl program may sometimes be invoked via an alias, such as "curl-apd".
Specifying curl's '-k' (or '--insecure') option does not prevent the CA-bundle file from being read. However, if certificates are not actually necessary to complete the health-check connection, curl can be prevented from reading the CA-bundle file by changing the script where it is invoked: add the '--cacert' option, pointing at an empty file, along with the other necessary parameters. For example: curl -k --cacert /shared/tmp/empty-ca.crt http://example.com > /dev/null 2>&1 In this case the specified file can be read instantaneously by curl, because it was created as an empty file, for example with this command: touch /shared/tmp/empty-ca.crt Note the order of the redirections: writing '2>&1 > /dev/null' instead sends curl's error messages to the script's own stdout, and an external monitor treats any output on stdout as a successful check.
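The following is an added example of an external-monitor-style wrapper that applies the workaround above; it is not code from the F5 page. It assumes the usual external monitor calling convention (node address in $1, possibly prefixed with "::ffff:", port in $2, print "UP" on success), a plain-HTTP health-check URI, and the path /shared/tmp/empty-ca.crt, which can be overridden with the EMPTY_CA variable. It also checks that the file it points curl at is actually empty, since a non-empty file would bring back the parsing cost the workaround avoids.

```shell
#!/bin/bash
# Added example (not from the F5 bug page): external-monitor wrapper that
# stops curl from parsing the full CA bundle on every probe.

EMPTY_CA=${EMPTY_CA:-/shared/tmp/empty-ca.crt}   # assumed location

# Create the empty CA file once, then verify it is still empty.
# Returns non-zero if the file exists but has content, because that would
# reintroduce the certificate-parsing cost on every invocation.
ensure_empty_ca() {
    f=$1
    if [ ! -e "$f" ]; then
        mkdir -p "$(dirname "$f")" && : > "$f"
    fi
    [ -f "$f" ] && [ ! -s "$f" ]
}

# BIG-IP passes IPv4 nodes as IPv4-mapped IPv6 ("::ffff:10.1.1.5"); strip it.
normalize_node() {
    printf '%s\n' "${1#::ffff:}"
}

# Build the probe URL. Assumption: the health check is plain HTTP, so no
# server certificate needs to be validated.
build_probe_url() {
    host=$1 port=$2 uri=${3:-/}
    printf 'http://%s:%s%s\n' "$host" "$port" "$uri"
}

# The curl options the workaround requires: -k plus an empty --cacert file.
# Both stdout and stderr of curl are discarded explicitly; only the HTTP
# status code is captured via -w.
probe() {
    node=$(normalize_node "$1")
    port=$2
    ensure_empty_ca "$EMPTY_CA" || return 2
    url=$(build_probe_url "$node" "$port" "$3")
    code=$(curl -k --cacert "$EMPTY_CA" -s -o /dev/null -w '%{http_code}' \
                --max-time 5 "$url" 2>/dev/null)
    [ "$code" = "200" ]
}

# Only run the probe when invoked as a monitor with at least node and port.
# Any text on stdout means "up" to the external monitor, so print nothing
# on failure.
if [ "$#" -ge 2 ]; then
    probe "$1" "$2" "$3" && echo "UP"
fi
```

The empty file is created on first use rather than on every probe, and ensure_empty_ca fails closed if someone later drops real certificates into it. If the pool members actually require a validated TLS connection, this workaround does not apply; the CA file then has to contain the relevant certificates and the parsing cost comes back.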
None