[medusa] More performance ?'s

[Sam Rushing]

Mike writes:
> I read in the archives a few posts about perfomance. One of the
> posts mentions that medusa isn't as fast as thttpd or zeus and that
> medusa can't handle 1000 connections per second. My question is
> what -can- medusa handle?

I haven't done any real testing recently, so it's hard to give real
performance numbers. And of course, numbers will mean different
things to different people; depending on the application, etc...

> Basically, I need to compare it to apache with mod_fastcgi for
> using Zope. I'm having some trouble with mod_fastcgi and Zope that
> I don't have while using medusa in place of apache, so I'm
> pondering just giving up and using medusa.

The reason I hem-haw is that folks are often comparing apples and
oranges. For many things, apache will be more than fast enough. It's
when you try to bend it into something that it is not that you'll run
into trouble. It's a question of design. For building a complex web
server with lots of state, using apache to fire up cgi programs that
make separate connections to a database for every hit is just
fundamentally the wrong way to solve the problem.

I would suggest taking your existing system, writing a simple handler
for it and then benchmarking with your own code.

> Since apache isn't the world's fastest web server, I assume that
> medusa is at least comparable.

For the delivery of static pages, it's quite likely that apache will
be able to handle a higher load than Medusa 'out of the box'.

However, by incrementally replacing bits of medusa with C modules, it
should be possible to make it incrementally as fast as thttpd (since
they share the same design). Why hasn't this been done yet? Because
no one has needed it.

> While I'm at it, how stable is medusa in the long run? I read on
> the web page that medusa is currently used in mission-critical
> applications, but can examples be provided (in terms of using it as
> a web server, which is my goal)?

I can think of two applications at eGroups that exposed the Medusa
HTTP server to the outside world (the main site still uses PyApache):

1) the chat server
2) the ad servers

The ad servers have recently been replaced with a coroutine
implementation, but the chat server still uses medusa. [though it may
get rewritten soon]

Other folks may have more interesting examples. For my own purposes I
usually use Medusa's HTTP server only for status/control of a system
that does some other job.

> One last question: this will eventually be a commercial
> application, so I'll be purchasing a license for single server use.
> Other than the right to use medusa, are there any other benefits?
> Any support? Is it possible to purchase support? Who do I sue if
> it breaks? (kidding)

I'm more likely to Jump when folks ask; I do my best to help with
problems and give advice.

> Okay, one more question: since I'm a python and medusa newbie, this
> may seem like a dumb question, but how secure is medusa? Does it
> deal decently with buffers (ie, low likelihood of buffer overflow
> attacks) and can it stand up to a denial of service attack (many
> more connections than it can handle) without falling over (this may
> be more of a function of the OS, though)?

Python itself is immune from all the classic buffer overflows. DoS is 
another matter. There are not defenses against DoS in the stock
Medusa; but I guarantee you that whatever approach you take to
handling DoS will be easier to implement in Python than in C.

In several projects I have used explicit queues to limit the number of
descriptors; this approach works well.

-Sam