Skip to main content


Lessons from Memory

Started debugging an issue where Linux started calling OOM reaper despite tons of memory is used as Linux cached pages. My assumption was if there is a memory pressure, cache should shrink and leave way for the application to use. This is the documented and expected behavior. OOM reaper is called when few number of times page allocation has failed consequently. If for example mysql wants to grow its buffer and it asks for a page allocation and if the page allocation fails repeatedly, kernel invokes oom reaper. OOM reaper won't move out pages, it sleeps for some time and sees if kswapd or a program has freed up caches/application pages. If not it will start doing the dirty job of killing applications and freeing up memory. In our mysql setup, mysql is the application using most of the Used Memory, so no other application can free up memory for mysql to use. Cached pages are stored as 2 lists in Linux kernel viz active and inactive.
More details here…
Recent posts

How we have systematically improved the roads our packets travel to help data imports and exports flourish

This blog post is an account of how we have toiled over the years to improve the throughput of our interDC tunnels. I joined this company around 2012. We were scaling aggressively then. We quickly expanded to 4 DCs with a mixture of AWS and colocation. Our primary DC is connected to all these new DCs via IPSEC tunnels established from SRX. The SRX model we had, had an IPSEC throughput of 350Mbps. Around December 2015 we saturated the SRX. Buying SRX was an option on the table. Buying one with 2Gbps throughput would have cut the story short. The tech team didn't see it happening.

I don't have an answer to the question, "Is it worth spending time in solving a problem if a solution is already available out of box?" This project helped us in improving our critical thinking and in experiencing the theoretical network fundamentals on live traffic, but also caused us quite a bit of fatigue due to management overhead. Cutting short the philosophy, lets jump to the story.


The server, me and the conversation

We were moving a project from AWS to our co-located DC. We have setup KVMs scheduled by Cloudstack for each of the component in the architecture. The KVMs used local storage. The VMs are provisioned with more than required resources because we have the opinion that in our DC scaling during peak load and then downscaling doesn't offer much benefits financially as we are anyways paying for the hardware in advance and its also powered on. Its going to be idle if not used. Now we found something interesting our latency in co-located DC was 2 times more than in AWS. The time for first byte at our load balancer in aws was 60ms average and at our DC was 112ms. We started our debugging mission, Mission Conquer-AWS. All the servers are newer Dell hardwares. So the initially intuition was virtualisation is causing the issue.

Conversation with the Hypervisor We started with CPU optimisation, we started using the host-passthrough mode of CPU in libvirt so VMs dont see QEMU emulated CPUs, the…

IPTables Magic

Blog Post after a long long time. Will be trying to write most of the crazy stuffs done in the past 1.5 years at the sad server

This post is going to cover a bunch of hacks done with iptables to improve / make the most out of linux systems' network performance

IPTables Tee
We are building a packet analysis team which does deep inspection of packets and determine anomalies in the system and determine the slowest performing component in the pipeline. Now sending the raw packets to centralized packet analysis system without affecting the performance of the production system is one of our requirements. We decided to use the iptables tee feature which takes a copy of the packet matching the rule and pass it on to the requested gateway in the same network by just changing the mac address on the cloned packet. The original packet follows the normal process

So lets create a similar setup, my laptop is going to forward a copy of http traffic to raspberry pi in the same network. Make sure i…

Custom AdBlock

This is not something new I am writing today. AdBlocker Plus plugin for chrome, and other browsers blocks ad requests based on the request's domain name or url pattern or some css pattern. The problem with this method is Chrome has no idea of including plugin support for android and therefore ABP as it is wont work. They support a proxy method where all HTTP Requests from browser will alone be routed via the proxy. All ads will be scrubbed by the proxy before sending response to the browser. But ads that are HTTPS and ads on other apps will not be blocked.
So I made a domainlist from The domainlist is available at
Note: This might have duplicates and false positives.
Now my thought was to return a servfail while the browser/app tries to resolve these domains. As I said a bunch of people has wrote blogs about it, But they were using named as their dns server. In named …

OAUTH and Javascript

I am surprised to see the careless implementation of OAUTH by almost all providers like Google, Facebook. I am pretty much sure that I might not be the only person who would have noticed it. By this time there could be atleast thousands of botnets which impersonate as a regular site and spam users' walls or create a social network graph as good as facebook. Probably there will be a separate Real Time Bidding auction by the impersonators. In short OAUTH+Javascript is like locking your door and leaving the key under your doormat.
Lets discuss about the differences between the client based OAUTH flow and server based OAUTH flow As per Google's documentation, the server loads the page on client(browser) with the app id(public name). On initiating OAUTH with Google servers, the appid and redirection_uri is passed. The Google server calls the redirection_uri with a code.The app's server has to cross check the code with client_secret to get the access_token which has the required…

Java Garbage Collection

This week we got a plenty of out of heap memory exceptions in Java. So I started looking on Java Garbage Collection, a revision of System Software Internals theory again.  Java has its heap divided into new gen and old generation. Java's garbage collection tries to take advantage of the fact that new object will be deleted sooner(objects will have smaller life time). So Java's heap is divided into 1)Young Generation(smaller in size) 2)Old Generation (larger chunk)
Young Generation: Young Generation is smaller in size. Traditional Recursive Garbage collection will be faster if the size to be collected is smaller. New Objects are created in Eden part of the Heap. Garbage Collector runs frequently in this space and marks objects that are referenced.  Objects that are not not referenced are removed in the second pass and the live objects are moved to Survivor Space. Survivor Space has two regions Survivor 0 and Survivor 1 which uses an algorithm similar to Copying Garbage Collecto…