So I'm still working on a 'perfect' setup so I can document it on the wiki, and will submit some puppet patches against 0.23.2 next week, but here's what I've done that has made a big difference to stability here.

In puppetmasterd at line 261, I've modified the Mongrel instantiation from:

    server = Mongrel::HttpServer.new(addr, Puppet[:masterport])

to

    webserver = Mongrel::HttpServer.new(addr, Puppet[:masterport], timeout=4)

timeout is a throttling parameter for Mongrel in hundredths of a second between socket.accept() calls.

I'm planning to submit some patches that let you configure more mongrel parameters as puppetmasterd config settings.

My apache virtual host config looks like this. Note some odd differences here with the RequestHeaders, as I've got a setup here that can either have Pound or Apache in front of it at the moment, but haven't got anything to report regarding Pound under heavy load as yet. I'm also still running Webrick as the CA on another port.

    <Proxy balancer://puppetmaster>
        BalancerMember http://127.0.0.1:8160 keepalive=on max=10 retry=30
        BalancerMember http://127.0.0.1:8161 keepalive=on max=10 retry=30
        BalancerMember http://127.0.0.1:8162 keepalive=on max=10 retry=30
        BalancerMember http://127.0.0.1:8163 keepalive=on max=10 retry=30
        BalancerMember http://127.0.0.1:8164 keepalive=on max=10 retry=30
        BalancerMember http://127.0.0.1:8165 keepalive=on max=10 retry=30
        BalancerMember http://127.0.0.1:8166 keepalive=on max=10 retry=30
        BalancerMember http://127.0.0.1:8167 keepalive=on max=10 retry=30
    </Proxy>

    <VirtualHost xxx.xxx.xxx:8140>
        SSLEngine on
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
        SSLCertificateFile /path/to/certfile.pem
        SSLCertificateKeyFile /path/to/certkeyfile.pem
        SSLCertificateChainFile /path/to/certchainfile.pem
        SSLCACertificateFile /path/to/cacertfile.pem
        SSLCARevocationFile /path/to/carevocfile.pem
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        <Location />
            SetHandler balancer-manager
            Order allow,deny
            Allow from all
        </Location>

        DocumentRoot /path/to/www
        <Directory "/path/to/www/">
            Options FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>

        ServerAdmin xxx@xxx.com

        ProxyPass / balancer://puppetmaster:8140/ timeout=120
        ProxyPassReverse / balancer://puppetmaster:8140/
        ProxyPreserveHost on
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1

        ErrorLog /blah
        CustomLog /blah
    </VirtualHost>

This is coping with clients checking in at about the rate of one a second. The piling up of CLOSE_WAITs has stopped. I get the odd proxy error with an individual puppet operation, usually fileserver.describe, but clients almost always complete their checkin successfully. The proxy errors occur about once every half an hour.

-- 
Nigel Kersten
MacOps @ Google
"Two kinds of Kool-Aid"

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
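The config above moves client-certificate validation out of puppetmasterd and into Apache, which then tells the Mongrel backends who the client is via the X-Client-Verify and X-Client-DN request headers. That only stays safe if the backend accepts those headers from the proxy alone: anything that can open a TCP connection to ports 8160-8167 directly could otherwise send the same headers itself. The following is an added example, not code from the thread or from Puppet, showing the check a backend behind this kind of proxy has to make; the trusted proxy addresses and the sample requests are assumptions constructed for the example.

```ruby
# Added example (not from the thread): how a backend behind a TLS-terminating
# proxy should treat the X-Client-Verify / X-Client-DN headers before trusting
# them as the agent's identity.

# Assumption: only these addresses are allowed to speak to the Mongrel
# backends. Anyone else who can reach ports 8160-8167 could otherwise
# forge the headers themselves.
TRUSTED_PROXIES = ['127.0.0.1', '::1'].freeze

# Pull one attribute (e.g. "CN") out of a DN string. Apache 2.0/2.2 render
# SSL_CLIENT_S_DN as "/C=US/O=Example/CN=host", later releases as RFC 2253
# "CN=host,O=Example,C=US"; both forms are handled here.
def dn_attribute(dn, attr)
  return nil if dn.nil? || dn.empty?
  rdns = dn.start_with?('/') ? dn[1..-1].split('/') : dn.split(/(?<!\\),/)
  rdns.each do |rdn|
    k, v = rdn.strip.split('=', 2)
    return v if k == attr && v && !v.empty?
  end
  nil
end

# Returns the verified client CN, or nil when the request must be treated
# as unauthenticated. `headers` is a Hash keyed by canonical header name,
# `peer_ip` is the TCP peer that delivered the request to the backend.
def client_identity(headers, peer_ip, trusted = TRUSTED_PROXIES)
  # 1. Only the proxy that actually did the TLS handshake may assert identity.
  return nil unless trusted.include?(peer_ip)
  # 2. mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the chain
  #    validated against SSLCACertificateFile (and the CRL, if configured).
  return nil unless headers['X-Client-Verify'] == 'SUCCESS'
  # 3. The CN is the name the backend will act on.
  dn_attribute(headers['X-Client-DN'], 'CN')
end

# Constructed sample requests, as the proxy or a hostile client might send them.
SAMPLES = {
  via_proxy:  [{ 'X-Client-Verify' => 'SUCCESS',
                 'X-Client-DN' => '/C=US/O=Example/CN=node1.example.com' }, '127.0.0.1'],
  rfc2253:    [{ 'X-Client-Verify' => 'SUCCESS',
                 'X-Client-DN' => 'CN=node2.example.com,O=Example,C=US' }, '127.0.0.1'],
  unverified: [{ 'X-Client-Verify' => 'NONE',
                 'X-Client-DN' => '/CN=node3.example.com' }, '127.0.0.1'],
  # Same headers, but sent straight to port 8160 from another host.
  spoofed:    [{ 'X-Client-Verify' => 'SUCCESS',
                 'X-Client-DN' => '/CN=puppetmaster.example.com' }, '10.0.0.23'],
}.freeze

def run_samples
  SAMPLES.transform_values { |(h, ip)| client_identity(h, ip) }
end

if __FILE__ == $PROGRAM_NAME
  run_samples.each { |name, cn| puts "#{name}: #{cn.inspect}" }
end
```

In practice the peer check is usually enforced at the network layer as well (backends bound to 127.0.0.1, as in the BalancerMember lines above), and `RequestHeader set` rather than `append` matters for the same reason: it overwrites any X-Client-* header the client itself sent to Apache instead of passing it through.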
On Nov 21, 2007, at 10:49 AM, Nigel Kersten wrote:

> So I'm still working on a 'perfect' setup so I can document it on
> the wiki, and will submit some puppet patches against 0.23.2 next
> week, but here's what I've done that has made a big difference to
> stability here.
>
> in puppetmasterd at line 261, I've modified the Mongrel
> instantiation from:
>
> server = Mongrel::HttpServer.new(addr, Puppet[:masterport])
>
> to
>
> webserver = Mongrel::HttpServer.new(addr, Puppet[:masterport],
> timeout=4)
>
> timeout is a throttling parameter for Mongrel in hundredths of a
> second between socket.accept() calls.
>
> I'm planning to submit some patches that let you configure more
> mongrel parameters as puppetmasterd config settings.

Assuming I can get the current list of tickets closed on time, I'm roughly on track for the release of 0.24.0 at the end of the month and it'd be great to have your patches by then.

-- 
Life is like playing a violin in public and learning the instrument as one goes on. -- Samuel Butler
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
And for a further data point in this thread... I spent today running Pound instead of Apache thanks to Jeff's work, and while load averages were much much higher, every single client request was happily dealt with, and a not particularly beefy server was coping with around 30 puppet request operations a second.
On Mon, 2007-11-26 at 16:50 -0800, Nigel Kersten wrote:

> And for a further data point in this thread... I spent today running
> Pound instead of Apache thanks to Jeff's work, and while load averages
> were much much higher, every single client request was happily dealt
> with, and a not particularly beefy server was coping with around 30
> puppet request operations a second.

On a side note you should consider nginx[1] as a reverse-proxy instead of pound, it is light, fast, and really stable. Although we're not using it for puppet, we're using it as a reverse proxy for classic apache webservers for more than a year without any issue.

[1]: http://nginx.net/

-- 
Brice Figureau <brice+puppet@daysofwonder.com>
Days of wonder, http://www.daysofwonder.com/
On Nov 27, 2007 1:37 AM, Brice Figureau <brice+puppet@daysofwonder.com> wrote:

> On Mon, 2007-11-26 at 16:50 -0800, Nigel Kersten wrote:
> > And for a further data point in this thread... I spent today running
> > Pound instead of Apache thanks to Jeff's work, and while load averages
> > were much much higher, every single client request was happily dealt
> > with, and a not particularly beefy server was coping with around 30
> > puppet request operations a second.
>
> On a side note you should consider nginx[1] as a reverse-proxy instead
> of pound, it is light, fast, and really stable. Although we're not using
> it for puppet, we're using it as a reverse proxy for classic apache
> webservers for more than a year without any issue.
>
> [1]: http://nginx.net/

Thanks Brice. I'll check it out today and see how the performance compares.

-- 
Nigel Kersten
MacOps @ Google
"Two kinds of Kool-Aid"
On Nov 27, 2007, at 11:19 AM, Nigel Kersten wrote:

> On a side note you should consider nginx[1] as a reverse-proxy instead
> of pound, it is light, fast, and really stable. Although we're not
> using
> it for puppet, we're using it as a reverse proxy for classic apache
> webservers for more than a year without any issue.
>
> [1]: http://nginx.net/
>
> Thanks Brice. I'll check it out today and see how the performance
> compares.

I love playing with SSLish things, so I couldn't resist trying this out.

http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx documents my working configuration. What pleased me was that it "just worked" the first attempt. No patches to the proxy or to puppet, no fussing around...

I've got it running in production (couple hundred clients), and I must say, I think nginx is a far "cleaner" piece of software than pound.

I have no performance data. I'm pretty sure that I'm not running in the "margin" now that we've migrated our puppetmaster to a beefier server.

The only glaring downside to nginx that I see is a lack of CRL checking.

Cheers,
-- 
Jeff McCune
Systems Manager
The Ohio State University
Department of Mathematics
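The CRL point is the one security difference between the two front-ends in this thread: Apache's SSLCARevocationFile rejects a revoked agent cert at the handshake, whereas a proxy without CRL support will happily report the cert as verified, so a stolen or decommissioned agent key keeps working until its cert expires. The following is an added example, not code from the thread, Puppet or nginx, using Ruby's OpenSSL bindings (the language the puppetmaster itself is written in) to show the difference: it builds a throwaway CA, two client certs and a CRL in memory (all constructed for the example), then verifies a revoked cert with and without revocation checking.

```ruby
require 'openssl'

# Added example (not from the thread): revocation checking done with Ruby's
# OpenSSL bindings, the piece a proxy without CRL support cannot do for you.
# Everything below (CA, client certs, CRL) is constructed in memory.

DIGEST_NAME = 'SHA256'

def build_cert(subject, issuer_cert, issuer_key, key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    # cRLSign is required, or OpenSSL will refuse to use this CA's CRL.
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST_NAME))
  cert
end

def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  [build_cert('/CN=Example Puppet CA', nil, nil, key, 1, ca: true), key]
end

def issue_client(ca_cert, ca_key, cn, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  build_cert("/CN=#{cn}", ca_cert, ca_key, key, serial, ca: false)
end

def make_crl(ca_cert, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                       # CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600     # an expired CRL also fails verification
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST_NAME))
  crl
end

# Verify a client cert against the CA, optionally enforcing the CRL.
# Returns [ok, openssl_error_string].
def verify_client(ca_cert, client_cert, crl = nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if crl
    store.add_crl(crl)
    # CRL_CHECK covers the leaf only; CRL_CHECK_ALL would cover the whole chain.
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  ctx = OpenSSL::X509::StoreContext.new(store, client_cert)
  ok = ctx.verify
  [ok, ctx.error_string]
end

def revocation_demo
  ca_cert, ca_key = make_ca
  good   = issue_client(ca_cert, ca_key, 'node1.example.com', 2)
  stolen = issue_client(ca_cert, ca_key, 'node2.example.com', 3)
  crl    = make_crl(ca_cert, ca_key, [3])
  {
    good_with_crl:       verify_client(ca_cert, good, crl),
    revoked_with_crl:    verify_client(ca_cert, stolen, crl),
    # What a front-end with no CRL support sees: the revoked cert still "verifies".
    revoked_without_crl: verify_client(ca_cert, stolen),
  }
end

if __FILE__ == $PROGRAM_NAME
  revocation_demo.each { |name, (ok, msg)| puts "#{name}: #{ok} (#{msg})" }
end
```

The same Store setup is what you would put in the backend if the front-end cannot check revocation itself: have the proxy forward the client certificate (rather than only the DN) and re-run the verification with the CRL on the puppetmaster side.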
On Nov 27, 2007, at 1:25 PM, Jeff McCune wrote:

> I love playing with SSLish things, so I couldn't resist trying this
> out.
>
> http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx
> documents my working configuration. What pleased me was that it
> "just worked" the first attempt. No patches to the proxy or to
> puppet, no fussing around...

Great to hear.

> I've got it running in production (couple hundred clients), and I
> must say, I think nginx is a far "cleaner" piece of software than
> pound.
>
> I have no performance data. I'm pretty sure that I'm not running
> in the "margin" now that we've migrated our puppetmaster to a
> beefier server.
>
> The only glaring downside to nginx that I see is a lack of CRL
> checking.

I could swear I looked at both of these tools when I first added mongrel support and neither of them had support for client certificates. Apparently things have changed, or I just missed it.

-- 
It is said that power corrupts, but actually it's more true that power attracts the corruptible. The sane are usually attracted by other things than power. -- David Brin
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com