computer's diary

Posts about Cisco, SHELL, C, Qt, C++, Linux, networking, Windows Script, and more.

UnixBench results before and after the Spectre & Meltdown patch, and with nopti

OS: CentOS 6.9

Old kernel
2.6.32-696.el6

BYTE UNIX Benchmarks (Version 5.1.3)

System: localhost.localdomain: GNU/Linux
OS: GNU/Linux -- 2.6.32-696.el6.x86_64 -- #1 SMP Tue Mar 21 19:29:05 UTC
2017
Machine: x86_64 (x86_64)
Language: en_US.utf8 (charmap="UTF-8", collate="UTF-8")
CPU 0: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (5184.1 bogomips)
x86-64, MMX, Physical Address Ext, SYSENTER/SYSEXIT, SYSCALL/SYSRET
21:58:20 up 29 min, 2 users, load average: 0.21, 0.08, 0.02; runlevel
2018-02-20

------------------------------------------------------------------------
Benchmark Run: 火 2月 20 2018 21:58:20 - 22:26:29
1 CPU in system; running 1 parallel copy of tests

Dhrystone 2 using register variables 40858230.7 lps (10.0 s, 7 samples)
Double-Precision Whetstone 4610.9 MWIPS (9.8 s, 7 samples)
Execl Throughput 5350.3 lps (29.9 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks 1172325.8 KBps (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks 311188.0 KBps (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks 2578243.0 KBps (30.0 s, 2 samples)
Pipe Throughput 1954746.6 lps (10.0 s, 7 samples)
Pipe-based Context Switching 418002.3 lps (10.0 s, 7 samples)
Process Creation 14349.6 lps (30.0 s, 2 samples)
Shell Scripts (1 concurrent) 6546.5 lpm (60.0 s, 2 samples)
Shell Scripts (8 concurrent) 884.9 lpm (60.0 s, 2 samples)
System Call Overhead 3074144.1 lps (10.0 s, 7 samples)

System Benchmarks Index Values BASELINE RESULT INDEX
Dhrystone 2 using register variables 116700.0 40858230.7 3501.1
Double-Precision Whetstone 55.0 4610.9 838.3
Execl Throughput 43.0 5350.3 1244.2
File Copy 1024 bufsize 2000 maxblocks 3960.0 1172325.8 2960.4
File Copy 256 bufsize 500 maxblocks 1655.0 311188.0 1880.3
File Copy 4096 bufsize 8000 maxblocks 5800.0 2578243.0 4445.2
Pipe Throughput 12440.0 1954746.6 1571.3
Pipe-based Context Switching 4000.0 418002.3 1045.0
Process Creation 126.0 14349.6 1138.9
Shell Scripts (1 concurrent) 42.4 6546.5 1544.0
Shell Scripts (8 concurrent) 6.0 884.9 1474.8
System Call Overhead 15000.0 3074144.1 2049.4
========
System Benchmarks Index Score 1743.4

 

Spectre & Meltdown patched kernel
2.6.32-696.18.7

BYTE UNIX Benchmarks (Version 5.1.3)

System: localhost.localdomain: GNU/Linux
OS: GNU/Linux -- 2.6.32-696.18.7.el6.x86_64 -- #1 SMP Thu Jan 4 17:31:22 UTC
2018
Machine: x86_64 (x86_64)
Language: en_US.utf8 (charmap="UTF-8", collate="UTF-8")
CPU 0: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (5184.1 bogomips)
x86-64, MMX, Physical Address Ext, SYSENTER/SYSEXIT, SYSCALL/SYSRET
23:57:53 up 1 min, 2 users, load average: 1.24, 0.53, 0.20; runlevel
2018-02-20

------------------------------------------------------------------------
Benchmark Run: 火 2月 20 2018 23:57:53 - 00:26:02
1 CPU in system; running 1 parallel copy of tests

Dhrystone 2 using register variables 37888385.8 lps (10.0 s, 7 samples)
Double-Precision Whetstone 4506.9 MWIPS (10.0 s, 7 samples)
Execl Throughput 3336.3 lps (29.9 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks 341121.1 KBps (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks 90343.2 KBps (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks 1180761.0 KBps (30.0 s, 2 samples)
Pipe Throughput 492884.3 lps (10.0 s, 7 samples)
Pipe-based Context Switching 150710.6 lps (10.0 s, 7 samples)
Process Creation 11108.0 lps (30.0 s, 2 samples)
Shell Scripts (1 concurrent) 4923.0 lpm (60.0 s, 2 samples)
Shell Scripts (8 concurrent) 682.2 lpm (60.0 s, 2 samples)
System Call Overhead 431462.7 lps (10.0 s, 7 samples)

System Benchmarks Index Values BASELINE RESULT INDEX
Dhrystone 2 using register variables 116700.0 37888385.8 3246.6
Double-Precision Whetstone 55.0 4506.9 819.4
Execl Throughput 43.0 3336.3 775.9
File Copy 1024 bufsize 2000 maxblocks 3960.0 341121.1 861.4
File Copy 256 bufsize 500 maxblocks 1655.0 90343.2 545.9
File Copy 4096 bufsize 8000 maxblocks 5800.0 1180761.0 2035.8
Pipe Throughput 12440.0 492884.3 396.2
Pipe-based Context Switching 4000.0 150710.6 376.8
Process Creation 126.0 11108.0 881.6
Shell Scripts (1 concurrent) 42.4 4923.0 1161.1
Shell Scripts (8 concurrent) 6.0 682.2 1136.9
System Call Overhead 15000.0 431462.7 287.6
========
System Benchmarks Index Score 824.5

 

Results on the same kernel with nopti added to the kernel options

BYTE UNIX Benchmarks (Version 5.1.3)

System: localhost.localdomain: GNU/Linux
OS: GNU/Linux -- 2.6.32-696.18.7.el6.x86_64 -- #1 SMP Thu Jan 4 17:31:22 UTC
2018
Machine: x86_64 (x86_64)
Language: en_US.utf8 (charmap="UTF-8", collate="UTF-8")
CPU 0: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (5184.1 bogomips)
x86-64, MMX, Physical Address Ext, SYSENTER/SYSEXIT, SYSCALL/SYSRET
03:50:07 up 1 min, 2 users, load average: 1.08, 0.44, 0.16; runlevel
2018-02-21

------------------------------------------------------------------------
Benchmark Run: 水 2月 21 2018 03:50:07 - 04:18:15
1 CPU in system; running 1 parallel copy of tests

Dhrystone 2 using register variables 38510363.9 lps (10.0 s, 7 samples)
Double-Precision Whetstone 4467.9 MWIPS (9.8 s, 7 samples)
Execl Throughput 4413.4 lps (29.9 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks 870529.3 KBps (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks 255228.5 KBps (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks 2259120.5 KBps (30.0 s, 2 samples)
Pipe Throughput 1494173.8 lps (10.0 s, 7 samples)
Pipe-based Context Switching 216663.0 lps (10.0 s, 7 samples)
Process Creation 12555.5 lps (30.0 s, 2 samples)
Shell Scripts (1 concurrent) 6162.9 lpm (60.0 s, 2 samples)
Shell Scripts (8 concurrent) 802.3 lpm (60.0 s, 2 samples)
System Call Overhead 1684728.3 lps (10.0 s, 7 samples)

System Benchmarks Index Values BASELINE RESULT INDEX
Dhrystone 2 using register variables 116700.0 38510363.9 3299.9
Double-Precision Whetstone 55.0 4467.9 812.4
Execl Throughput 43.0 4413.4 1026.4
File Copy 1024 bufsize 2000 maxblocks 3960.0 870529.3 2198.3
File Copy 256 bufsize 500 maxblocks 1655.0 255228.5 1542.2
File Copy 4096 bufsize 8000 maxblocks 5800.0 2259120.5 3895.0
Pipe Throughput 12440.0 1494173.8 1201.1
Pipe-based Context Switching 4000.0 216663.0 541.7
Process Creation 126.0 12555.5 996.5
Shell Scripts (1 concurrent) 42.4 6162.9 1453.5
Shell Scripts (8 concurrent) 6.0 802.3 1337.2
System Call Overhead 15000.0 1684728.3 1123.2
========
System Benchmarks Index Score 1388.7

 

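With Page Table Isolation in effect, a drop in performance was observed.
With nopti, performance may have recovered considerably.
Whether that is a good idea is a separate question, though.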
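To see which workloads carry the cost, the following added example (not part of the original post) parses the INDEX column of the three index tables above and prints each test's patched and nopti index as a percentage of the unpatched kernel. The function names are assumptions; the table rows are copied from the runs above.

```shell
#!/bin/sh
# INDEX table rows copied from the three UnixBench runs in this post.
old_kernel() { cat <<'EOF'
Dhrystone 2 using register variables 116700.0 40858230.7 3501.1
Double-Precision Whetstone 55.0 4610.9 838.3
Execl Throughput 43.0 5350.3 1244.2
File Copy 1024 bufsize 2000 maxblocks 3960.0 1172325.8 2960.4
File Copy 256 bufsize 500 maxblocks 1655.0 311188.0 1880.3
File Copy 4096 bufsize 8000 maxblocks 5800.0 2578243.0 4445.2
Pipe Throughput 12440.0 1954746.6 1571.3
Pipe-based Context Switching 4000.0 418002.3 1045.0
Process Creation 126.0 14349.6 1138.9
Shell Scripts (1 concurrent) 42.4 6546.5 1544.0
Shell Scripts (8 concurrent) 6.0 884.9 1474.8
System Call Overhead 15000.0 3074144.1 2049.4
System Benchmarks Index Score 1743.4
EOF
}

patched_kernel() { cat <<'EOF'
Dhrystone 2 using register variables 116700.0 37888385.8 3246.6
Double-Precision Whetstone 55.0 4506.9 819.4
Execl Throughput 43.0 3336.3 775.9
File Copy 1024 bufsize 2000 maxblocks 3960.0 341121.1 861.4
File Copy 256 bufsize 500 maxblocks 1655.0 90343.2 545.9
File Copy 4096 bufsize 8000 maxblocks 5800.0 1180761.0 2035.8
Pipe Throughput 12440.0 492884.3 396.2
Pipe-based Context Switching 4000.0 150710.6 376.8
Process Creation 126.0 11108.0 881.6
Shell Scripts (1 concurrent) 42.4 4923.0 1161.1
Shell Scripts (8 concurrent) 6.0 682.2 1136.9
System Call Overhead 15000.0 431462.7 287.6
System Benchmarks Index Score 824.5
EOF
}

patched_nopti() { cat <<'EOF'
Dhrystone 2 using register variables 116700.0 38510363.9 3299.9
Double-Precision Whetstone 55.0 4467.9 812.4
Execl Throughput 43.0 4413.4 1026.4
File Copy 1024 bufsize 2000 maxblocks 3960.0 870529.3 2198.3
File Copy 256 bufsize 500 maxblocks 1655.0 255228.5 1542.2
File Copy 4096 bufsize 8000 maxblocks 5800.0 2259120.5 3895.0
Pipe Throughput 12440.0 1494173.8 1201.1
Pipe-based Context Switching 4000.0 216663.0 541.7
Process Creation 126.0 12555.5 996.5
Shell Scripts (1 concurrent) 42.4 6162.9 1453.5
Shell Scripts (8 concurrent) 6.0 802.3 1337.2
System Call Overhead 15000.0 1684728.3 1123.2
System Benchmarks Index Score 1388.7
EOF
}

# unixbench_index TAG: read UnixBench output on stdin and print
# "TAG<TAB>test name<TAB>index" for every index row; other lines are skipped.
unixbench_index() {
    awk -v tag="$1" '
        /^System Benchmarks Index Score/ { print tag "\tTOTAL\t" $NF; next }
        NF >= 4 && $NF ~ /^[0-9.]+$/ && $(NF-1) ~ /^[0-9.]+$/ && $(NF-2) ~ /^[0-9.]+$/ {
            name = $1
            for (i = 2; i <= NF - 3; i++) name = name " " $i
            print tag "\t" name "\t" $NF
        }'
}

# pti_cost: print "test<TAB>patched % of old<TAB>nopti % of old" per test,
# in the order the tests appear in the unpatched run.
pti_cost() {
    { old_kernel | unixbench_index old
      patched_kernel | unixbench_index pti
      patched_nopti | unixbench_index nopti
    } | awk -F'\t' '
        $1 == "old" { order[++n] = $2 }
        { idx[$1, $2] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                t = order[i]
                printf "%s\t%.1f\t%.1f\n", t,
                    100 * idx["pti", t] / idx["old", t],
                    100 * idx["nopti", t] / idx["old", t]
            }
        }'
}

pti_cost
```

On these numbers System Call Overhead falls to 14.0% of its unpatched index and comes back to 54.8% with nopti, while Dhrystone stays above 92% in both patched runs.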

 

Ran spectre_meltdown_checker (latest version as of 2/15)

Variants 1 through 3 all came out Not Vulnerable, but the microcode is still a worry...


Ran spectre_meltdown_checker (32-bit version)

Even with the latest kernel, everything came out Vulnerable.

The message seems to be: if you don't like it, move to 64-bit.

Using iptables instead of firewalld on CentOS 7

On CentOS 7, firewalld is the default, but you can also use iptables.

The procedure is as follows.

 

1. Install the iptables-services package

# yum install iptables-services

ls -la /etc/sysconfig/iptables

The configuration file already existed as a file.

 

2. Convert the policy generated by firewalld into an iptables policy

# iptables -S | tee ~/firewalld_iptables_rules
# ip6tables -S | tee ~/firewalld_ip6tables_rules

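With a command like the following, you should be able to get the firewalld policy into a form you can copy and paste into /etc/sysconfig/iptables. Don't forget to also copy any rules you created that this filter does not catch.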

grep 'ACCEPT\|DROP\|QUEUE\|RETURN\|REJECT\|LOG' ~/firewalld_iptables_rules > firewalld_iptables_rules_x

Copy the firewalld policy rules into /etc/sysconfig/iptables as appropriate.

 

3. Configure service startup

Prevent firewalld from starting, and have iptables start instead.

# systemctl disable firewalld.service

# systemctl mask firewalld.service

# systemctl enable iptables.service

Reboot the system

 

4. Adjustments

# systemctl status iptables.service

If it did not start properly, look at the logs and adjust.

You have probably copied some firewalld-specific settings, so fix them as needed.

 

(Reference)
https://www.digitalocean.com/community/tutorials/how-to-migrate-from-firewalld-to-iptables-on-centos-7
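Steps 2 and 4 both warn that the grep misses some rules and that firewalld-specific pieces may stop iptables.service from starting. The following added example (not part of the original post) applies the step 2 filter to a constructed `iptables -S` sample, lists what the filter drops, and reports chains that surviving rules still use but that nothing creates; the function names and the sample rules are assumptions.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output on a host running firewalld
# (chain names follow firewalld's naming; the rules are not from the post).
sample_rules() { cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N IN_public
-N IN_public_allow
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# The filter from step 2 of the post, unchanged.
page_filter() { grep 'ACCEPT\|DROP\|QUEUE\|RETURN\|REJECT\|LOG'; }

# The lines that filter throws away: chain definitions and jumps into
# firewalld's own chains, which step 2 says to carry over by hand.
dropped_by_filter() { grep -v 'ACCEPT\|DROP\|QUEUE\|RETURN\|REJECT\|LOG'; }

# dangling_chains: read rules on stdin and print every chain that a rule is
# appended to (-A) or jumps to (-j / -g) although no -N line creates it.
# Assumption: any -j/-g operand other than the six targets named in the
# post's grep is a user-defined chain, so extension targets such as
# MASQUERADE are reported too; add them to the list if you use them.
dangling_chains() {
    awk '
        function use(c) { if (!(c in seen)) { seen[c] = 1; order[++n] = c } }
        BEGIN {
            m = split("INPUT FORWARD OUTPUT PREROUTING POSTROUTING ACCEPT DROP QUEUE RETURN REJECT LOG", k, " ")
            for (i = 1; i <= m; i++) known[k[i]] = 1
        }
        $1 == "-N" { known[$2] = 1; next }
        $1 == "-A" { use($2) }
        { for (i = 2; i < NF; i++) if ($i == "-j" || $i == "-g") use($(i + 1)) }
        END { for (i = 1; i <= n; i++) if (!(order[i] in known)) print order[i] }'
}

echo "Dropped by the step 2 filter:"
sample_rules | dropped_by_filter
echo "Chains used after filtering but never created:"
sample_rules | page_filter | dangling_chains
```

Running `dangling_chains < firewalld_iptables_rules_x` on the file produced in step 2 shows which rules still depend on firewalld's chains before the copy is made into /etc/sysconfig/iptables.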

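Ran spectre_meltdown_checker (latest version)

The output is more detailed, and you can see that the mitigations are making progress.

The CPU is vulnerable, but the kernel mitigations seem to be just about holding the line...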

# ./spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.34+

Checking for vulnerabilities on current system
Kernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: YES (model 94 stepping 3 ucode 0xc2)

The microcode your CPU is running on is known to cause instability problems,
such as intempestive reboots or random crashes.
You are advised to either revert to a previous microcode version (that might not have
the mitigations for Spectre), or upgrade to a newer one if available.

* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec: NO
* Checking count of LFENCE instructions following a jump in kernel: NO (only 5 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: VULNERABLE (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: YES
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
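The "/sys interface" lines in the checker output above refer to the kernel's own status files under /sys/devices/system/cpu/vulnerabilities. The following added example (not part of the original post or of spectre_meltdown_checker) reads those files directly and also flags boot options such as nopti that switch a mitigation off; the function name and output format are assumptions, and the demo runs on constructed files.

```shell
#!/bin/sh
# audit_mitigations [SYSFS_DIR] [CMDLINE_FILE]
# Prints "<check> <OK|FAIL> <detail>" for each check and returns 1 if any
# check failed. With no arguments it inspects the running system.
audit_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cmdline=${2:-/proc/cmdline}
    rc=0
    for f in spectre_v1 spectre_v2 meltdown; do
        if [ ! -r "$dir/$f" ]; then
            # Kernels without the interface give no answer; treat as a gap.
            echo "$f FAIL kernel does not report a status"
            rc=1
            continue
        fi
        status=$(cat "$dir/$f")
        case $status in
            "Not affected" | Mitigation:*) echo "$f OK $status" ;;
            # "Vulnerable" and "Vulnerable: ..." (for example the
            # "Minimal generic ASM retpoline" case) both land here.
            *) echo "$f FAIL $status"; rc=1 ;;
        esac
    done
    # Boot options that disable a mitigation the kernel would otherwise apply.
    off=$(tr ' ' '\n' < "$cmdline" | grep -x -e nopti -e pti=off -e nospectre_v2 || true)
    for flag in $off; do
        echo "cmdline FAIL booted with $flag"
        rc=1
    done
    return $rc
}

# Demo on constructed status files: a host booted with nopti.
demo() {
    d=$(mktemp -d)
    echo 'Vulnerable' > "$d/spectre_v1"
    echo 'Mitigation: Full generic retpoline' > "$d/spectre_v2"
    echo 'Vulnerable' > "$d/meltdown"
    echo 'ro rhgb quiet nopti' > "$d/cmdline"
    audit_mitigations "$d" "$d/cmdline"
    demo_rc=$?
    rm -rf "$d"
    return $demo_rc
}

demo || echo "mitigation gaps found"
```

Called with no arguments, `audit_mitigations` checks the live host, and its exit status makes it usable from cron or a configuration-management run.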

On the progress of Spectre mitigations

Haste makes waste, as they say. fedoramagazine.org

Ran spectre_meltdown_checker

Laptop

# ./spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
------------------------

A low-spec AWS server

# ./spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.14.11-300.fc27.x86_64 #1 SMP Wed Jan 3 13:52:28 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: YES
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

--------

Tried it with an old kernel.

 

$ ./spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Note that you should launch this script with root privileges to get accurate information.
We'll proceed but you might see permission denied errors.
To run it as root, you can try the following command: sudo ./spectre_meltdown_checker.sh

Checking for vulnerabilities against running kernel Linux 4.14.8-300.fc27.x86_64 #1 SMP Wed Dec 20 19:00:18 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

Checking for Spectre

https://gist.github.com/intrajp/ae240cc69b37537957eadb29103bd9be

[ae240cc69b37537957eadb29103bd9be-a7ac31bcd12657a3d8dfa868b4c23e39ee68b137]$ ./spectre
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdffac0... Unclear: 0x54=’T’ score=976 (second best: 0x01 score=806)
Reading at malicious_x = 0xffffffffffdffac1... Unclear: 0x68=’h’ score=999 (second best: 0x01 score=778)
Reading at malicious_x = 0xffffffffffdffac2... Unclear: 0x65=’e’ score=998 (second best: 0x01 score=803)
Reading at malicious_x = 0xffffffffffdffac3... Unclear: 0x20=’ ’ score=999 (second best: 0x01 score=811)
Reading at malicious_x = 0xffffffffffdffac4... Unclear: 0x4D=’M’ score=999 (second best: 0x01 score=818)
Reading at malicious_x = 0xffffffffffdffac5... Unclear: 0x61=’a’ score=999 (second best: 0x01 score=823)
Reading at malicious_x = 0xffffffffffdffac6... Unclear: 0x67=’g’ score=999 (second best: 0x01 score=802)
Reading at malicious_x = 0xffffffffffdffac7... Unclear: 0x69=’i’ score=999 (second best: 0x01 score=825)
Reading at malicious_x = 0xffffffffffdffac8... Unclear: 0x63=’c’ score=999 (second best: 0x01 score=808)
Reading at malicious_x = 0xffffffffffdffac9... Unclear: 0x20=’ ’ score=999 (second best: 0x01 score=833)
Reading at malicious_x = 0xffffffffffdffaca... Unclear: 0x57=’W’ score=998 (second best: 0x01 score=792)
Reading at malicious_x = 0xffffffffffdffacb... Unclear: 0x6F=’o’ score=999 (second best: 0x01 score=793)
Reading at malicious_x = 0xffffffffffdffacc... Unclear: 0x72=’r’ score=999 (second best: 0x01 score=789)
Reading at malicious_x = 0xffffffffffdffacd... Unclear: 0x64=’d’ score=999 (second best: 0x01 score=824)
Reading at malicious_x = 0xffffffffffdfface... Unclear: 0x73=’s’ score=999 (second best: 0x01 score=769)
Reading at malicious_x = 0xffffffffffdffacf... Unclear: 0x20=’ ’ score=999 (second best: 0x01 score=812)
Reading at malicious_x = 0xffffffffffdffad0... Unclear: 0x61=’a’ score=999 (second best: 0x01 score=810)
Reading at malicious_x = 0xffffffffffdffad1... Unclear: 0x72=’r’ score=999 (second best: 0x01 score=792)
Reading at malicious_x = 0xffffffffffdffad2... Unclear: 0x65=’e’ score=998 (second best: 0x01 score=799)
Reading at malicious_x = 0xffffffffffdffad3... Unclear: 0x20=’ ’ score=999 (second best: 0x01 score=802)
Reading at malicious_x = 0xffffffffffdffad4... Unclear: 0x53=’S’ score=999 (second best: 0x01 score=793)
Reading at malicious_x = 0xffffffffffdffad5... Unclear: 0x71=’q’ score=998 (second best: 0x01 score=809)
Reading at malicious_x = 0xffffffffffdffad6... Unclear: 0x75=’u’ score=999 (second best: 0x01 score=824)
Reading at malicious_x = 0xffffffffffdffad7... Unclear: 0x65=’e’ score=999 (second best: 0x01 score=819)
Reading at malicious_x = 0xffffffffffdffad8... Unclear: 0x61=’a’ score=999 (second best: 0x01 score=801)
Reading at malicious_x = 0xffffffffffdffad9... Unclear: 0x6D=’m’ score=999 (second best: 0x01 score=783)
Reading at malicious_x = 0xffffffffffdffada... Unclear: 0x69=’i’ score=999 (second best: 0x01 score=821)
Reading at malicious_x = 0xffffffffffdffadb... Unclear: 0x73=’s’ score=999 (second best: 0x01 score=803)
Reading at malicious_x = 0xffffffffffdffadc... Unclear: 0x68=’h’ score=999 (second best: 0x01 score=801)
Reading at malicious_x = 0xffffffffffdffadd... Unclear: 0x20=’ ’ score=997 (second best: 0x01 score=832)
Reading at malicious_x = 0xffffffffffdffade... Unclear: 0x4F=’O’ score=999 (second best: 0x01 score=771)
Reading at malicious_x = 0xffffffffffdffadf... Unclear: 0x73=’s’ score=999 (second best: 0x01 score=818)
Reading at malicious_x = 0xffffffffffdffae0... Unclear: 0x73=’s’ score=999 (second best: 0x01 score=821)
Reading at malicious_x = 0xffffffffffdffae1... Unclear: 0x69=’i’ score=999 (second best: 0x01 score=837)
Reading at malicious_x = 0xffffffffffdffae2... Unclear: 0x66=’f’ score=998 (second best: 0x01 score=770)
Reading at malicious_x = 0xffffffffffdffae3... Unclear: 0x72=’r’ score=998 (second best: 0x01 score=820)
Reading at malicious_x = 0xffffffffffdffae4... Unclear: 0x61=’a’ score=996 (second best: 0x01 score=795)
Reading at malicious_x = 0xffffffffffdffae5... Unclear: 0x67=’g’ score=986 (second best: 0x01 score=755)
Reading at malicious_x = 0xffffffffffdffae6... Unclear: 0x65=’e’ score=951 (second best: 0x01 score=760)
Reading at malicious_x = 0xffffffffffdffae7... Unclear: 0x2E=’.’ score=995 (second best: 0x01 score=802)

Evaluating my own server with sar-analyzer, a tool I wrote

So, I gave it a try.

This is a low-spec AWS machine.

#### Report by sar-analyzer ####

-- Report of CPU utilization --

Highest Average value of '%usr(%user)' for CPU all is 21.07 (01/10/18)
Lowest Average value of '%usr(%user)' for CPU all is 0.02 (01/02/18)
Highest Average value of '%sys(%system)' for CPU all is 33.84 (01/10/18)
Lowest Average value of '%sys(%system)' for CPU all is 0.05 (01/02/18)
Highest Average value of '%iowait' for CPU all is 0.20 (01/10/18)
Lowest Average value of '%iowait' for CPU all is 0.05 (01/02/18)
Highest Average value of '%idle' for CPU all is 99.82 (01/02/18)
Lowest Average value of '%idle' for CPU all is 43.98 (01/10/18)

Highest Average value of '%usr(%user)' for CPU 0 is 21.07 (01/10/18)
Lowest Average value of '%usr(%user)' for CPU 0 is 0.02 (01/02/18)
Highest Average value of '%sys(%system)' for CPU 0 is 33.84 (01/10/18)
Lowest Average value of '%sys(%system)' for CPU 0 is 0.05 (01/02/18)
Highest Average value of '%iowait' for CPU 0 is 0.20 (01/10/18)
Lowest Average value of '%iowait' for CPU 0 is 0.05 (01/02/18)
Highest Average value of '%idle' for CPU 0 is 99.82 (01/02/18)
Lowest Average value of '%idle' for CPU 0 is 43.98 (01/10/18)
--------
Each CPU can be in one of four states: user, sys, idle, iowait.
If '%usr' is over 60%, applications are in a busy state. Check with ps command which application is busy.
If '%sys' is over '%usr', kernel is in a busy state. Check cswch is high or not.
If '%iowait' is high, cpu is working for other task more. Note that iowait sometimes meaningless, at all.
Check swap statistics or high disk I/O would be the cause. Also check process or memory statistics.
If %idle is lower than 30%, you would need new CPU or cores.
Check not only 'CPU all', but each CPU values. And if some of their values are high, check the sar file of that date.

-- Report of queue length and load averages --

Highest Average value of 'runq-sz' is 1 (12/30/17)
Lowest Average value of 'runq-sz' is 0 (01/01/18)
Highest Average value of 'plist-sz' is 357 (01/03/18)
Lowest Average value of 'plist-sz' is 293 (01/10/18)
Highest Average value of 'ldavg-1' is 0.56 (01/10/18)
Lowest Average value of 'ldavg-1' is 0.00 (01/01/18)
Highest Average value of 'ldavg-5' is 1.40 (01/10/18)
Lowest Average value of 'ldavg-5' is 0.00 (01/01/18)
Highest Average value of 'ldavg-15' is 0.77 (01/10/18)
Lowest Average value of 'ldavg-15' is 0.00 (01/01/18)
--------
If 'runq-sz' is over 2, the box is cpu bound.
If that is the case, you might need more cpu power to do the task.
If 'plist-sz' is higher than 10,000 for example, there are waits.
If 'ldavg-<minites>' exceeds number of cores, cpu load is high.
Check number of cores with, $cat /proc/cpuinfo | grep 'cpu cores'.
Check number of physical cpu with, $cat /proc/cpuinfo | grep 'pysical id'.
Check if hyperthreading is enabled with, $cat /proc/cpuinfo | grep 'siblings'.
Devide the result of above command and if it is not same as core, hyperthreading is enabled.
So, if you have 8 cores, highest value is 800.00 and above 70% of this value would be a trouble.

-- Report task creation and system switching activity --

Highest Average value of '%proc/s' is 758.82 (01/10/18)
Lowest Average value of '%proc/s' is 0.20 (01/02/18)
Highest Average value of '%cswch/s' is 10015.51 (01/10/18)
Lowest Average value of '%cswch/s' is 80.21 (01/06/18)
--------
proc/s shows number of tasks which was created per second.
Check the order. Depends on cores, but under 100 would be fine.
cswch/s shows number of context switching activity of CPU per second.
Check the order. Depends on cores, but under 10000 would be fine.

-- Report paging statistics --

Highest Average value of '%fault/s' is 48092.51 (01/10/18)
Lowest Average value of '%fault/s' is 86.95 (01/11/18)
Highest Average value of '%majflt/s' is 0.35 (01/10/18)
Lowest Average value of '%majflt/s' is 0.00 (01/01/18)
Highest Average value of '%vmeff/s' is 100.00 (01/12/18)
Lowest Average value of '%vmeff/s' is 0.00 (01/06/18)
--------
If fault/s is high, programs may requiring memory. Check with, say '# ps -o min_flt,maj_flt <PID>'.
If majflt/s is high, some big program had been started somehow on that day.
If vmeff/s is 0, no worry on memory, if vmeff/s is not 0 and over 90.00, it is good.
If vmeff/s is under 30.00, somethig is wrong.

-- Report memory utilization statistics --

Highest Average value of '%memused/s' is 85.49 (01/01/18)
Lowest Average value of '%memused/s' is 33.22 (01/10/18)
Highest Average value of 'kbcommit' is 2620525 (01/03/18)
Lowest Average value of 'kbcommit' is 2048996 (01/10/18)
Highest Average value of '%commit/s' is 258.92 (01/03/18)
Lowest Average value of '%commit/s' is 203.63 (01/10/18)
--------
Even if %memused is around 99.0%, it's OK with Linux.
Check the highest value of kbcommit. This amount of memory is needed for the system. If lacking, consider adding more memory.
If %commit is over 100%, memory shortage is occurring. Gain swap or add more memory.

-- Report I/O and transfer rate statistics --

Highest Average value of 'tps' is 5.70 (01/10/18)
Lowest Average value of 'tps' is 1.79 (01/11/18)
Highest Average value of 'bread/s' is 106.29 (01/10/18)
Lowest Average value of 'bread/s' is 0.04 (01/08/18)
Highest Average value of 'bwrtn/s' is 104.01 (01/10/18)
Lowest Average value of 'bwrtn/s' is 42.03 (01/06/18)
--------
tps is total number of transfers per second that were issued to physical devices.
A transfer is an I/O request to a physical device.
Multiple logical requests can be combined into a single I/O request to the device.
A transfer is of indeterminate size.
bread/s is Total amount of data read from the devices in blocks per second.
Blocks are equivalent to sectors and therefore have a size of 512 bytes.
bwrtn/s is Total amount of data written to devices in blocks per second.
If these values are, say over 10000 or some, I/O was heavy on that day. Chech the sar file related.
Check iowait on CPU, also.

-- Report activity for each block device --

Highest Average value of 'areq-sz' of dev202-0 is 18.44 (01/10/18)
Lowest Average value of 'areq-sz' of dev202-0 is 8.49 (01/01/18)
Highest Average value of '%util' of dev202-0 is 0.13 (01/10/18)
Lowest Average value of '%util' of dev202-0 is 0.05 (01/06/18)
--------
'areq-sz' is the average size (in kilobytes) of the I/O requests that were issued to the device.
Note: In previous versions, this field was known as avgrq-sz and was expressed in sectors.
'%util'is percentage of elapsed time during which I/O requests were issued to the device
(bandwidth utilization for the device). Device saturation occurs when this value
is close to 100% for devices serving requests serially. But for devices serving requests in
parallel, such as RAID arrays and modern SSDs, this number does not reflect their performance limits.

-- Report swap space utilization statistics --

Highest Average value of '%swpused' is 0.00 (01/01/18)
Lowest Average value of '%swpused' is 0.00 (01/01/18)
--------
%swpused percentage of used swap space.
If it's high, the system is memory bound.
--------

I guess it really is short on memory.

 

github.com

 

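sar-analyzer development status

How are you doing?

Development of sar-analyzer has come along quite a bit. The mechanism for the DEVICE section is done, so with that as a starting point it looks like network devices can be analyzed as well.

I think it is already quite useful as it is. Try putting it to use in your daily work.

github.com

I'll keep at it a little longer. See you...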

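Benchmark results after applying the Meltdown-related patches

I have already updated the kernel, and I want to know how much of a performance drop (?) it now shows.
So I decided to run UnixBench.
First, I ran it on the latest kernel as is.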

# grubby --default-kernel
/boot/vmlinuz-4.14.11-300.fc27.x86_64

# grubby --default-index
0

# grubby --info=ALL
index=0
kernel=/boot/vmlinuz-4.14.11-300.fc27.x86_64
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap nomodeset rhgb quiet LANG=ja_JP.UTF-8"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.14.11-300.fc27.x86_64.img
title=Fedora (4.14.11-300.fc27.x86_64) 27 (Twenty Seven)
index=1
kernel=/boot/vmlinuz-4.14.8-300.fc27.x86_64
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap nomodeset rhgb quiet LANG=ja_JP.UTF-8"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.14.8-300.fc27.x86_64.img
title=Fedora (4.14.8-300.fc27.x86_64) 27 (Twenty Seven)
index=2
kernel=/boot/vmlinuz-4.14.7-300.fc27.x86_64
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap nomodeset rhgb quiet LANG=ja_JP.UTF-8"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.14.7-300.fc27.x86_64.img
title=Fedora (4.14.7-300.fc27.x86_64) 27 (Twenty Seven)
index=3
kernel=/boot/vmlinuz-0-rescue-341f3defedb547699a016a1a9e6e6da8
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap nomodeset rhgb quiet"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-0-rescue-341f3defedb547699a016a1a9e6e6da8.img
title=Fedora (0-rescue-341f3defedb547699a016a1a9e6e6da8) 25 (Twenty Five)
index=4
non linux entry

Now I set the default to the previous kernel.
# grubby --set-default /boot/vmlinuz-4.14.8-300.fc27.x86_64
# grubby --default-index
1

# shutdown -r now

$ ./Run -i 1

The results follow.

Linux gns3-iouvm 4.14.11-300.fc27.x86_64 #1 SMP Wed Jan 3 13:52:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Benchmark Run: 月 1月 08 2018 16:19:46 - 16:26:35
8 CPUs in system; running 1 parallel copy of tests

Dhrystone 2 using register variables 40574757.7 lps (10.0 s, 1 samples)
Double-Precision Whetstone 4203.7 MWIPS (11.9 s, 1 samples)
Execl Throughput 4855.8 lps (29.8 s, 1 samples)
File Copy 1024 bufsize 2000 maxblocks 975107.0 KBps (30.0 s, 1 samples)
File Copy 256 bufsize 500 maxblocks 260045.0 KBps (30.0 s, 1 samples)
File Copy 4096 bufsize 8000 maxblocks 2497555.0 KBps (30.0 s, 1 samples)
Pipe Throughput 1395146.1 lps (10.0 s, 1 samples)
Pipe-based Context Switching 222524.1 lps (10.0 s, 1 samples)
Process Creation 11913.3 lps (30.0 s, 1 samples)
Shell Scripts (1 concurrent) 7391.3 lpm (60.0 s, 1 samples)
Shell Scripts (8 concurrent) 3107.5 lpm (60.0 s, 1 samples)
System Call Overhead 1022589.9 lps (10.0 s, 1 samples)

System Benchmarks Index Values BASELINE RESULT INDEX
Dhrystone 2 using register variables 116700.0 40574757.7 3476.8
Double-Precision Whetstone 55.0 4203.7 764.3
Execl Throughput 43.0 4855.8 1129.3
File Copy 1024 bufsize 2000 maxblocks 3960.0 975107.0 2462.4
File Copy 256 bufsize 500 maxblocks 1655.0 260045.0 1571.3
File Copy 4096 bufsize 8000 maxblocks 5800.0 2497555.0 4306.1
Pipe Throughput 12440.0 1395146.1 1121.5
Pipe-based Context Switching 4000.0 222524.1 556.3
Process Creation 126.0 11913.3 945.5
Shell Scripts (1 concurrent) 42.4 7391.3 1743.2
Shell Scripts (8 concurrent) 6.0 3107.5 5179.1
System Call Overhead 15000.0 1022589.9 681.7
========
System Benchmarks Index Score 1542.6

------------------------------------------------------------------------
Benchmark Run: 月 1月 08 2018 16:26:35 - 16:33:24
8 CPUs in system; running 8 parallel copies of tests

Dhrystone 2 using register variables 185141692.8 lps (10.0 s, 1 samples)
Double-Precision Whetstone 32704.8 MWIPS (10.0 s, 1 samples)
Execl Throughput 21620.1 lps (29.3 s, 1 samples)
File Copy 1024 bufsize 2000 maxblocks 1232533.0 KBps (30.0 s, 1 samples)
File Copy 256 bufsize 500 maxblocks 324473.0 KBps (30.0 s, 1 samples)
File Copy 4096 bufsize 8000 maxblocks 3280739.0 KBps (30.0 s, 1 samples)
Pipe Throughput 7777059.3 lps (10.0 s, 1 samples)
Pipe-based Context Switching 1677078.9 lps (10.0 s, 1 samples)
Process Creation 61386.3 lps (30.0 s, 1 samples)
Shell Scripts (1 concurrent) 25670.6 lpm (60.0 s, 1 samples)
Shell Scripts (8 concurrent) 4065.0 lpm (60.0 s, 1 samples)
System Call Overhead 6014480.6 lps (10.0 s, 1 samples)

System Benchmarks Index Values BASELINE RESULT INDEX
Dhrystone 2 using register variables 116700.0 185141692.8 15864.8
Double-Precision Whetstone 55.0 32704.8 5946.3
Execl Throughput 43.0 21620.1 5027.9
File Copy 1024 bufsize 2000 maxblocks 3960.0 1232533.0 3112.5
File Copy 256 bufsize 500 maxblocks 1655.0 324473.0 1960.6
File Copy 4096 bufsize 8000 maxblocks 5800.0 3280739.0 5656.4
Pipe Throughput 12440.0 7777059.3 6251.7
Pipe-based Context Switching 4000.0 1677078.9 4192.7
Process Creation 126.0 61386.3 4871.9
Shell Scripts (1 concurrent) 42.4 25670.6 6054.4
Shell Scripts (8 concurrent) 6.0 4065.0 6774.9
System Call Overhead 15000.0 6014480.6 4009.7
========
System Benchmarks Index Score 5144.8

---------------------------------------------------------
Linux gns3-iouvm 4.14.8-300.fc27.x86_64 #1 SMP Wed Dec 20 19:00:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Benchmark Run: 月 1月 08 2018 17:03:43 - 17:10:32
8 CPUs in system; running 1 parallel copy of tests

Dhrystone 2 using register variables 38787410.5 lps (10.0 s, 1 samples)
Double-Precision Whetstone 4715.0 MWIPS (9.4 s, 1 samples)
Execl Throughput 5127.7 lps (29.4 s, 1 samples)
File Copy 1024 bufsize 2000 maxblocks 1234002.0 KBps (30.0 s, 1 samples)
File Copy 256 bufsize 500 maxblocks 367602.0 KBps (30.0 s, 1 samples)
File Copy 4096 bufsize 8000 maxblocks 2770317.0 KBps (30.0 s, 1 samples)
Pipe Throughput 2403210.0 lps (10.0 s, 1 samples)
Pipe-based Context Switching 246422.0 lps (10.1 s, 1 samples)
Process Creation 13904.1 lps (30.0 s, 1 samples)
Shell Scripts (1 concurrent) 8324.7 lpm (60.0 s, 1 samples)
Shell Scripts (8 concurrent) 3414.6 lpm (60.0 s, 1 samples)
System Call Overhead 3717750.5 lps (10.1 s, 1 samples)

System Benchmarks Index Values BASELINE RESULT INDEX
Dhrystone 2 using register variables 116700.0 38787410.5 3323.7
Double-Precision Whetstone 55.0 4715.0 857.3
Execl Throughput 43.0 5127.7 1192.5
File Copy 1024 bufsize 2000 maxblocks 3960.0 1234002.0 3116.2
File Copy 256 bufsize 500 maxblocks 1655.0 367602.0 2221.2
File Copy 4096 bufsize 8000 maxblocks 5800.0 2770317.0 4776.4
Pipe Throughput 12440.0 2403210.0 1931.8
Pipe-based Context Switching 4000.0 246422.0 616.1
Process Creation 126.0 13904.1 1103.5
Shell Scripts (1 concurrent) 42.4 8324.7 1963.4
Shell Scripts (8 concurrent) 6.0 3414.6 5691.1
System Call Overhead 15000.0 3717750.5 2478.5
========
System Benchmarks Index Score 1999.6

------------------------------------------------------------------------
Benchmark Run: 月 1月 08 2018 17:10:32 - 17:17:22
8 CPUs in system; running 8 parallel copies of tests

Dhrystone 2 using register variables 194870992.0 lps (10.0 s, 1 samples)
Double-Precision Whetstone 32731.0 MWIPS (10.0 s, 1 samples)
Execl Throughput 24319.6 lps (29.4 s, 1 samples)
File Copy 1024 bufsize 2000 maxblocks 1240097.0 KBps (30.0 s, 1 samples)
File Copy 256 bufsize 500 maxblocks 327270.0 KBps (30.0 s, 1 samples)
File Copy 4096 bufsize 8000 maxblocks 3724579.0 KBps (30.0 s, 1 samples)
Pipe Throughput 10678393.5 lps (10.0 s, 1 samples)
Pipe-based Context Switching 1837741.4 lps (10.0 s, 1 samples)
Process Creation 67289.8 lps (30.0 s, 1 samples)
Shell Scripts (1 concurrent) 29604.7 lpm (60.0 s, 1 samples)
Shell Scripts (8 concurrent) 4406.6 lpm (60.1 s, 1 samples)
System Call Overhead 8087883.0 lps (10.0 s, 1 samples)

System Benchmarks Index Values BASELINE RESULT INDEX
Dhrystone 2 using register variables 116700.0 194870992.0 16698.5
Double-Precision Whetstone 55.0 32731.0 5951.1
Execl Throughput 43.0 24319.6 5655.7
File Copy 1024 bufsize 2000 maxblocks 3960.0 1240097.0 3131.6
File Copy 256 bufsize 500 maxblocks 1655.0 327270.0 1977.5
File Copy 4096 bufsize 8000 maxblocks 5800.0 3724579.0 6421.7
Pipe Throughput 12440.0 10678393.5 8583.9
Pipe-based Context Switching 4000.0 1837741.4 4594.4
Process Creation 126.0 67289.8 5340.5
Shell Scripts (1 concurrent) 42.4 29604.7 6982.2
Shell Scripts (8 concurrent) 6.0 4406.6 7344.4
System Call Overhead 15000.0 8087883.0 5391.9
========
System Benchmarks Index Score 5748.3


Pipe-based Context Switching dropped by about 10%, and overall the results look to be down by roughly 10 to 20%.
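The two 8-copy index tables above can be compared directly. The following Python is an added example, not part of the original post: it parses both tables, recomputes each index as result / baseline × 10 and the overall score as the geometric mean of the indexes, and reports the change of the 16:26 run relative to the 17:10 run on 4.14.8-300.fc27. The function and variable names are made up for this example.

```python
import math
import re

# Index tables copied from the two 8-copy runs above (name BASELINE RESULT INDEX).
RUN_1626 = """\
Dhrystone 2 using register variables 116700.0 185141692.8 15864.8
Double-Precision Whetstone 55.0 32704.8 5946.3
Execl Throughput 43.0 21620.1 5027.9
File Copy 1024 bufsize 2000 maxblocks 3960.0 1232533.0 3112.5
File Copy 256 bufsize 500 maxblocks 1655.0 324473.0 1960.6
File Copy 4096 bufsize 8000 maxblocks 5800.0 3280739.0 5656.4
Pipe Throughput 12440.0 7777059.3 6251.7
Pipe-based Context Switching 4000.0 1677078.9 4192.7
Process Creation 126.0 61386.3 4871.9
Shell Scripts (1 concurrent) 42.4 25670.6 6054.4
Shell Scripts (8 concurrent) 6.0 4065.0 6774.9
System Call Overhead 15000.0 6014480.6 4009.7
"""
RUN_1710 = """\
Dhrystone 2 using register variables 116700.0 194870992.0 16698.5
Double-Precision Whetstone 55.0 32731.0 5951.1
Execl Throughput 43.0 24319.6 5655.7
File Copy 1024 bufsize 2000 maxblocks 3960.0 1240097.0 3131.6
File Copy 256 bufsize 500 maxblocks 1655.0 327270.0 1977.5
File Copy 4096 bufsize 8000 maxblocks 5800.0 3724579.0 6421.7
Pipe Throughput 12440.0 10678393.5 8583.9
Pipe-based Context Switching 4000.0 1837741.4 4594.4
Process Creation 126.0 67289.8 5340.5
Shell Scripts (1 concurrent) 42.4 29604.7 6982.2
Shell Scripts (8 concurrent) 6.0 4406.6 7344.4
System Call Overhead 15000.0 8087883.0 5391.9
"""
ROW = re.compile(r"^(.+?)[ \t]+(\d+\.\d+)[ \t]+(\d+\.\d+)[ \t]+(\d+\.\d+)$", re.M)

def parse_index(text):
    """Map test name -> (result, index), index recomputed as result / baseline * 10."""
    return {m[1]: (float(m[3]), float(m[3]) / float(m[2]) * 10) for m in ROW.finditer(text)}

def index_score(text):
    """Overall score: geometric mean of the per-test indexes."""
    idx = [i for _, i in parse_index(text).values()]
    return math.exp(sum(map(math.log, idx)) / len(idx))

def percent_change(base_text, other_text):
    """Per-test change of the raw result in other relative to base, in percent."""
    base, other = parse_index(base_text), parse_index(other_text)
    return {n: (other[n][0] - base[n][0]) / base[n][0] * 100 for n in base}
```

`percent_change(RUN_1710, RUN_1626)` gives one signed percentage per test, so the syscall-heavy rows can be read separately from the CPU-bound ones instead of relying on the single index score.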

(Reference)
https://docs.fedoraproject.org/f27/system-administrators-guide/kernel-module-driver-configuration/Working_with_the_GRUB_2_Boot_Loader.html
https://qiita.com/tenn25/items/6fb0d846b28a06bec204

VirtualBox startup error after installing the latest kernel (kernel-core-4.14.7-300.fc27.x86_64)

# /sbin/vboxconfig

Makefile:946: *** "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel". 中止.
make: *** [/tmp/vbox.0/Makefile.include.footer:101: vboxdrv] エラー 2

Fix

# dnf install elfutils-libelf-devel
# /sbin/vboxconfig

sar analysis tool

I have started writing an analysis tool for sar.

 

github.com

Resolving a down/down SVI interface on a switch

When configuring a switch, it is common to find that an SVI interface will not come up.

Let's work out why and fix it.

Consider the following topology.

[Figure: topology diagram]

SW1(config)#vlan 111
SW1(config-vlan)#
SW1#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
Et1/0, Et1/1, Et1/2, Et1/3
Et2/0, Et2/1, Et2/2, Et2/3
Et3/0, Et3/1, Et3/2, Et3/3
111 VLAN0111 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
111 enet 100111 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

 

 

SW1(config)#int vlan 111
SW1(config-if)#ip address 1.1.1.111 255.255.255.0
SW1(config-if)#no shut
SW1#show ip int brief


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset up up
...(snip)...
Vlan1 unassigned YES unset administratively down down
Vlan111 1.1.1.111 YES NVRAM down down

 

Even though no shut was issued on the Vlan 111 interface, Status is still down and Protocol is still down.

This is because no interface is attached to Vlan 111.

SW1(config)#int range e0/0 -3
SW1(config-if-range)#switchport access vlan
SW1(config-if-range)#switchport access vlan 111


*Dec 16 09:53:01.364: %LINK-3-UPDOWN: Interface Vlan111, changed state to up
*Dec 16 09:53:02.364: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan111, changed state to up

 

It looks like it came up.

SW1#show ip int bri


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset up up
...(snip)...
Vlan1 unassigned YES unset up up
Vlan111 1.1.1.111 YES NVRAM up up

 

It is up.
In short, it appears that an SVI interface does not come up unless at least one port is accessing that VLAN.

portfast, uplinkfast, backbonefast, part 2

In this section we look at the 802.1d spanning-tree topology change process and its effect on the STP timers.
Disable the portfast feature on fa1/0 of SW3.
--------



First, check the current configuration.

SW3#show spanning-tree active | begin FastEthernet1/0
Port 41 (FastEthernet1/0) of VLAN3 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.41.
Designated root has priority 8192, address c207.153c.0000
Designated bridge has priority 32768, address c201.1621.0000
Designated port id is 128.41, designated path cost 18
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 4694, received 0
The port is in the portfast mode <-------- portfast is enabled.

Now disable portfast on fa1/0.

SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#interface fa1/0
SW3(config-if)#no spanning-tree portfast

Verify.
SW3#show spanning-tree interface fa1/0 portfast
VLAN3 disabled

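portfast is now disabled on SW3. With portfast disabled, the port should go through learning, forwarding and blocking, and should send a spanning-tree topology change notification to the root bridge.
Let's confirm that.
Turn on debugging on SW3. Then shut down fa1/0 and watch the topology change. After that, re-enable fa1/0 (no shut).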

SW3#debug spanning-tree events
Spanning Tree event debugging is on
SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#interface fa1/0
SW3(config-if)#shutdown
SW3(config-if)#
*Mar 1 03:24:37.159: STP: VLAN3 sent Topology Change Notice on Fa1/15
*Mar 1 03:24:37.159: STP: VLAN3 Fa1/0 -> blocking
SW3(config-if)#
*Mar 1 03:24:39.171: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar 1 03:24:40.171: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
SW3(config-if)#no shutdown
SW3(config-if)#
*Mar 1 03:24:46.759: STP: VLAN3 Fa1/0 -> listening
SW3(config-if)#
*Mar 1 03:24:49.735: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
SW3(config-if)#
*Mar 1 03:25:01.767: STP: VLAN3 Fa1/0 -> learning
SW3(config-if)#
*Mar 1 03:25:16.779: STP: VLAN3 sent Topology Change Notice on Fa1/15
*Mar 1 03:25:16.779: STP: VLAN3 Fa1/0 -> forwarding

Now enable portfast and try the same thing again.

SW3(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host.
Connecting hubs, concentrators, switches, bridges, etc.to this interface
when portfast is enabled, can cause temporary spanning tree loops.
Use with CAUTION

%Portfast has been configured on FastEthernet1/0 but will only
have effect when the interface is in a non-trunking mode.

SW3#show spanning-tree active | begin FastEthernet1/0
from FastEthernet1/0
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300

Port 41 (FastEthernet1/0) of VLAN3 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.41.
Designated root has priority 8192, address c207.153c.0000
Designated bridge has priority 32768, address c201.1621.0000
Designated port id is 128.41, designated path cost 18
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 129, received 0
The port is in the portfast mode

SW3(config)#interface fa1/0
SW3(config-if)#
SW3(config-if)#
SW3(config-if)#
SW3(config-if)#shutdown
SW3(config-if)#
*Mar 1 03:30:18.591: STP: VLAN3 Fa1/0 -> blocking
SW3(config-if)#
*Mar 1 03:30:20.535: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar 1 03:30:21.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
SW3(config-if)#no shutdown
SW3(config-if)#
*Mar 1 03:30:33.683: STP: VLAN3 Fa1/0 ->jump to forwarding from blocking
SW3(config-if)#
*Mar 1 03:30:36.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
SW3(config-if)#end
SW3#show s
*Mar 1 03:32:04.683: %SYS-5-CONFIG_I: Configured from console by console
SW3#show spanning-tree vlan 3 brief

VLAN3
Spanning tree enabled protocol ieee
Root ID Priority 8192
Address c207.153c.0000
Cost 18
Port 56 (FastEthernet1/15)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768
Address c201.1621.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Designated
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/0 128.41 128 19 FWD 18 32768 c201.1621.0000 128.41
...

Turn debugging back off.
SW3#undebug all
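The two debug captures above can be compared mechanically. The following Python is an added example, not part of the original post: it parses the `STP:` debug lines from both sessions, counts the Topology Change Notices sent, and times the port's path from leaving blocking to forwarding, which can be checked against the Forward Delay of 15 sec shown in the switch output. The `summarize` function and its result keys are made up for this example.

```python
import re

# Debug lines copied from the two sessions above (CLI prompts removed).
WITHOUT_PORTFAST = """\
*Mar 1 03:24:37.159: STP: VLAN3 sent Topology Change Notice on Fa1/15
*Mar 1 03:24:37.159: STP: VLAN3 Fa1/0 -> blocking
*Mar 1 03:24:46.759: STP: VLAN3 Fa1/0 -> listening
*Mar 1 03:25:01.767: STP: VLAN3 Fa1/0 -> learning
*Mar 1 03:25:16.779: STP: VLAN3 sent Topology Change Notice on Fa1/15
*Mar 1 03:25:16.779: STP: VLAN3 Fa1/0 -> forwarding
"""
WITH_PORTFAST = """\
*Mar 1 03:30:18.591: STP: VLAN3 Fa1/0 -> blocking
*Mar 1 03:30:33.683: STP: VLAN3 Fa1/0 ->jump to forwarding from blocking
"""

LINE = re.compile(r"\*\w+\s+\d+\s+(\d+):(\d+):(\d+\.\d+): STP: \S+ (.*)")
STATE = re.compile(r"(\S+) ->\s*(?:jump to )?(\w+)")


def summarize(log, port="Fa1/0"):
    """Count TCNs and time the port's path from leaving blocking to forwarding."""
    tcns, states = 0, []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip %LINK / %LINEPROTO messages and anything else
        hh, mm, ss, event = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        s = STATE.match(event)
        if event.startswith("sent Topology Change Notice"):
            tcns += 1
        elif s and s.group(1) == port:
            states.append((t, s.group(2)))
    # Keep only the transitions after the port last entered blocking.
    names = [n for _, n in states]
    start = len(names) - 1 - names[::-1].index("blocking")
    walk = states[start + 1:]
    return {
        "tcn_sent": tcns,
        "path": [n for _, n in walk],
        "seconds_to_forwarding": round(walk[-1][0] - walk[0][0], 3),
        "stage_seconds": [round(b[0] - a[0], 3) for a, b in zip(walk, walk[1:])],
    }
```

On these captures the non-portfast port spends one forward-delay interval in listening and one in learning and the switch sends two TCNs, while the portfast port goes straight to forwarding with no TCN.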

Thanks for following along. See you next time.