Merge pull request steemit#204 from steemit/add-net-tuning

Add sysctl tuning to nginx runnit run file

.pre-commit-config.yaml

@@ -1,5 +1,6 @@
+repos:
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  sha: v0.9.5
+  rev: v0.9.5
   hooks:
     - id: check-ast
     - id: trailing-whitespace
@@ -24,15 +25,15 @@
 #  hooks:
 #    - id: dockerfile_lint
 - repo: git://github.com/Lucas-C/pre-commit-hooks
-  sha: v1.1.4
+  rev: v1.1.5
   hooks:
     - id: remove-tabs
       exclude: Makefile
-- repo: git://github.com/detailyang/pre-commit-shell
-  sha: 1b26bf757e6d5b9bfed2566339c6464f44779678
-  hooks:
-    - id: shell-lint
-      files: run$
+#- repo: git://github.com/detailyang/pre-commit-shell
+#  rev: 1.0.2
+#  hooks:
+#    - id: shell-lint
+#      files: run$
 - repo: local
   hooks:
     - id: check-bash-syntax

Dockerfile

@@ -20,7 +20,7 @@ ENV APP_ROOT /app
 ENV APP_CMD jussi.serve
 ENV JUSSI_SERVER_HOST 0.0.0.0
 ENV JUSSI_SERVER_PORT 9000
-ENV JUSSI_DEBUG_PORT 7777
+ENV JUSSI_MONITOR_PORT 7777
 
 # all nginx env vars must also be changed in service/nginx/nginx.conf
 ENV NGINX_SERVER_PORT 8080
@@ -116,4 +116,4 @@ RUN chown -R www-data . && \
 RUN pipenv run pytest
 
 EXPOSE ${NGINX_SERVER_PORT}
-EXPOSE ${JUSSI_DEBUG_PORT}
+EXPOSE ${JUSSI_MONITOR_PORT}

jussi/handlers.py

@@ -51,7 +51,7 @@ async def healthcheck(http_request: HTTPRequest) -> HTTPResponse:
 # pylint: disable=protected-access, too-many-locals, no-member, unused-variable
 
 
-async def debug(http_request: HTTPRequest) -> HTTPResponse:
+async def monitor(http_request: HTTPRequest) -> HTTPResponse:
     app = http_request.app
     import inspect
 

jussi/listeners.py

@@ -19,11 +19,11 @@ def setup_listeners(app: WebApp) -> WebApp:
     def setup_debug(app: WebApp, loop) -> None:
         logger = app.config.logger
         logger.info('setup_debug', debug=app.config.args.debug,
-                    debug_route=app.config.args.debug_route,
+                    debug_route=app.config.args.monitor_route,
                     when='before_server_start')
-        if app.config.args.debug_route is True or app.config.args.debug is True:
-            from jussi.handlers import debug
-            app.add_route(debug, '/debug', methods=['GET'])
+        if app.config.args.monitor_route is True or app.config.args.debug is True:
+            from jussi.handlers import monitor
+            app.add_route(monitor, '/monitor', methods=['GET'])
 
     @app.listener('before_server_start')
     def setup_upstreams(app: WebApp, loop) -> None:

jussi/middlewares/jussi.py

@@ -35,7 +35,6 @@ async def finalize_jussi_response(request: HTTPRequest,
             response.headers['x-jussi-api'] = request.jsonrpc.urn.api
             response.headers['x-jussi-method'] = request.jsonrpc.urn.method
             response.headers['x-jussi-params'] = _repr(request.jsonrpc.urn.params)
-            if b'error' not in response.body:
-                response.headers['x-jussi-success'] = '1'
+
     except BaseException as e:
         logger.warning('finalize_jussi error', e=e)

jussi/serve.py

@@ -59,9 +59,9 @@ def parse_args(args: list = None):
                         type=lambda x: bool(strtobool(x)),
                         env_var='JUSSI_DEBUG',
                         default=False)
-    parser.add_argument('--debug_route',
+    parser.add_argument('--monitor_route',
                         type=lambda x: bool(strtobool(x)),
-                        env_var='JUSSI_DEBUG_ROUTE',
+                        env_var='JUSSI_MONITOR_ROUTE',
                         default=True)
     parser.add_argument('--server_host', type=str, env_var='JUSSI_SERVER_HOST',
                         default='0.0.0.0')

service/nginx/nginx.conf

@@ -91,8 +91,8 @@ http {
             stub_status on;
         }
 
-        # jussi debug only from localhost
-        location = /debug {
+        # jussi monitor only from localhost
+        location = /monitor {
             limit_except GET HEAD OPTIONS {
                 deny all;
             }

service/nginx/run

@@ -1,5 +1,55 @@
 #!/bin/bash
 
+
+# Only make these changes if container is running in privileged mode
+ip link add dummy0 type dummy >/dev/null
+if [[ $? -eq 0 ]]; then
+    # PRIVILEGED
+    # clean the dummy0 link
+    ip link delete dummy0 >/dev/null
+
+    sysctl -p - <<EOF
+    # Max receive buffer size (8 Mb)
+    net.core.rmem_max=8388608
+    # Max send buffer size (8 Mb)
+    net.core.wmem_max=8388608
+    # Default receive buffer size
+    net.core.rmem_default=65536
+    # Default send buffer size
+    net.core.wmem_default=65536
+
+    net.ipv4.tcp_rmem=8192 873800 8388608
+    net.ipv4.tcp_wmem=4096 655360 8388608
+
+    #  Set all these values high to prevent any mem pressure  on TCP sockets
+    net.ipv4.tcp_mem=8388608 8388608 8388608
+
+    # Increase max number of sockets allowed in TIME_WAIT
+    net.ipv4.tcp_max_tw_buckets=6000000
+
+    # Increase max half-open connections.
+    net.ipv4.tcp_max_syn_backlog=65536
+
+    # Increase max TCP orphans
+    # These are sockets which have been closed and no longer have a file handle attached to them
+    net.ipv4.tcp_max_orphans=262144
+
+    # Max listen queue backlog
+    # make sure to increase nginx backlog as well if changed
+    net.core.somaxconn=16384
+
+    # Max number of packets that can be queued on interface input
+    # If kernel is receiving packets faster than can be processed
+    # this queue increases
+    net.core.netdev_max_backlog=16384
+
+    net.ipv4.tcp_slow_start_after_idle=0
+    net.ipv4.ip_local_port_range=10240 65535
+    net.ipv4.tcp_abort_on_overflow=1
+EOF
+fi
+
+
 sv -w3 check jussi
 chown www-data /dev/stdout
 exec setuidgid www-data /usr/sbin/nginx -c /etc/service/nginx/nginx.conf

tests/test_restricted_routes.py

@@ -20,7 +20,7 @@ def make_params(path, allowed, not_allowed_status_code=403):
 params2 = make_params('/health', ['GET', 'HEAD', 'OPTIONS'])
 params3 = make_params('/.well-known/healthcheck.json', [])
 params4 = make_params('/index.html', [])
-params5 = make_params('/debug', [])
+params5 = make_params('/monitor', [])
 params6 = make_params('/nginx_status', [])