From c4be87753fa3a467179fabfb72e2302232fe0b34 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Wed, 7 Apr 2021 15:34:44 +0000 Subject: [PATCH] Set MaxConnectionsPerChild 8192 for Gitea backends When we added Apache as a filtering proxy on our Gitea backends in order to more easily mitigate resource starvation, we did not set any tuning to tell it when to recycle worker processes. As a result, backends may continue serving requests with workers which pre-date certificate rotation. This problem has also become more broadly prevalent throughout our services with the introduction of Let's Encrypt's 3-month certificate expirations as compared to our previous 2-year certificates. Add the same MaxConnectionsPerChild tuning to our Gitea backend proxies as we use for our static sites and mirror servers. Change-Id: I77d89385178a30f7dc5d04bedd0ab3772865c09f
---
 .../roles/gitea/files/apache-connection-tuning | 14 ++++++++++++++
 playbooks/roles/gitea/handlers/main.yaml | 5 +++++
 playbooks/roles/gitea/tasks/proxy.yaml | 9 +++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 playbooks/roles/gitea/files/apache-connection-tuning
diff --git a/playbooks/roles/gitea/files/apache-connection-tuning b/playbooks/roles/gitea/files/apache-connection-tuning
new file mode 100644
index 0000000000..8cc4e55431
--- /dev/null
+++ b/playbooks/roles/gitea/files/apache-connection-tuning
@@ -0,0 +1,14 @@
+# worker MPM
+# MaxConnectionsPerChild: maximum number of requests a server process serves
+#
+# We've noticed that our mirrors occasionally have stale workers. This leads
+# to ssl certs not being refreshed properly after reload and we've also seen
+# ssl connections to round robin backend services have trouble. Restarting
+# the workers so that they load up new info seems to fix this. Try and force
+# that to happen regularly with a connections limit per worker.
+
+ MaxConnectionsPerChild 8192
+
+
+ MaxConnectionsPerChild 8192
+
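Review bot: The header comment in apache-connection-tuning calls MaxConnectionsPerChild the "maximum number of requests a server process serves", but the directive counts connections, and with keep-alive one connection can carry many requests; it also still says "worker MPM" and "our mirrors" although the file holds two stanzas and is installed on the Gitea backends. I would reword the top lines along the lines of `# MaxConnectionsPerChild: maximum number of connections a child process handles before it is replaced` and change "our mirrors" to "our Gitea backend proxies". A connection-count limit only bounds how long a worker can keep an old certificate loaded on a busy host; on a quiet backend a child may take a long time to reach 8192 connections, so the comment should say that this complements a reload after certificate renewal and does not replace it. The container lines around each directive are blank in this rendering, so which MPMs the two stanzas cover cannot be checked here.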
diff --git a/playbooks/roles/gitea/handlers/main.yaml b/playbooks/roles/gitea/handlers/main.yaml
index a06fe5144d..f20b3d0896 100644
--- a/playbooks/roles/gitea/handlers/main.yaml
+++ b/playbooks/roles/gitea/handlers/main.yaml
@@ -2,3 +2,8 @@
 service:
 name: apache2
 state: reloaded
+
+- name: gitea Restart apache2
+ service:
+ name: apache2
+ state: restarted
diff --git a/playbooks/roles/gitea/tasks/proxy.yaml b/playbooks/roles/gitea/tasks/proxy.yaml
index f05168fcdb..a1268929ce 100644
--- a/playbooks/roles/gitea/tasks/proxy.yaml
+++ b/playbooks/roles/gitea/tasks/proxy.yaml
@@ -24,3 +24,12 @@
 group: root
 mode: 0644
 notify: gitea Reload apache2
+
+- name: Copy apache tuning
+ copy:
+ src: apache-connection-tuning
+ dest: /etc/apache2/conf-enabled/connection-tuning.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: gitea Restart apache2
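Review bot: In handlers/main.yaml the new `gitea Restart apache2` handler does a full restart with no configuration check in front of it, so a syntax error in any enabled Apache file could leave the filtering proxy stopped, where the existing reload handler would normally keep the old configuration serving. Consider gating it on a check that must succeed first, for example a task running `command: apache2ctl configtest` before the restart is notified. A restart also cuts in-flight connections such as long clones, so a comment like `# Restart, not reload: MPM tuning should replace every worker process` would record why this handler differs, if that is the intent. The reload handler's first line is outside the hunk.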
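Review bot: In tasks/proxy.yaml the new task's `mode: 0644` is an unquoted octal literal, which gives the intended permissions only while the YAML loader reads it as octal; quoting it as `mode: '0644'` removes that dependency (the context line above it uses the same unquoted form, so the older task has the same issue). The file is also written directly into `/etc/apache2/conf-enabled/`, which bypasses the conf-available plus `a2enconf` layout of Debian-style installs, so `a2disconf` will not manage it. That may be deliberate and match the other roles, but a short comment on the task would say so. The task that ends at the top of this hunk begins outside it.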