Bug 1366180
| Summary: | [networking_public_107]reencrypt route will always wake up the idled service | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | zhaozhanqi <zzhao> |
| Component: | Networking | Assignee: | Solly Ross <sross> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Meng Bo <bmeng> |
| Severity: | medium | Priority: | medium |
| Version: | 3.3.0 | CC: | agoldste, aos-bugs, bbennett, eparis, sross, tdawson |
| Hardware: | All | OS: | All |
| Doc Type: | If docs needed, set a value | Type: | Bug |
| Last Closed: | 2016-09-19 15:17:21 UTC | Bug Blocks: | 1379552 |
Description
zhaozhanqi
2016-08-11 09:01:17 UTC
We've determined that this is due to the way HAProxy does health checks. With a backend which communicates over HTTP, it partially opens a TCP connection, but does not finish, or send a payload. With a backend which communicates over TLS, it tries to open a TLS connection. Opening a TLS connection requires a full TCP connection with a payload, so we interpret that as a wake-up event (seeing the full connection). We are currently evaluating options to solve this.

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/814255a16372be23ec07a42ca7343fa1eb6965f9

HAProxy Router: Don't health-check idled services

Previously, all "endpoints" were health-checked by HAProxy. For backends which connected via non-secured connections, this entailed partial establishment of a TCP connection by HAProxy, which did not trigger the unidler proxy. However, for secured backends, the health check involved attempting to start a TLS connection, which used a full TCP connection, which caused a wakeup to occur.

This commit adds an extra field to the template data's endpoint structure which indicates that a particular endpoint is to be considered an "idled" endpoint, meaning that no health check is necessary. The default template then uses this to disable health checking on the given backend endpoints, which actually point to service IPs backed by the unidling proxy.

Fixes bug 1366180

Tested this issue on:

    # openshift version
    openshift v3.3.0.24-dirty
    kubernetes v1.3.0+507d3a7
    etcd 2.3.0+git

with haproxy image: openshift3/ose-haproxy-router v3.3.0.24 c1a1a20e6301

and this issue can still be reproduced. When creating a reencrypt route, the idled service will be woken up in 2 mins in my env.
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/b08af4a7b7a9d9e216a46f4bbed4cf8f24e79bcb

HAProxy Router: Invert health-check idled check

The check for no endpoints got inverted at some point during the PR, causing health checks to be enabled *only* when a service was idled, instead of the other way around. This fixes that.

Fixes bug 1366180

Tested on OSE build v3.3.0.25 with router image openshift3/ose-haproxy-router v3.3.0.25 d95ecbdbc039

Issue has been fixed. The reencrypt route will not bring the idle service up.
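The health-check gating described in the two commit messages above, together with a check that catches the inverted condition, as an added Go example that is not code from openshift/origin. The `Endpoint` type, the `Idled` field name, both templates, the CA path and the sample addresses are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Endpoint is a hypothetical stand-in for the router's template data; Idled marks a service IP behind the unidling proxy.
type Endpoint struct {
	ID, IP, Port string
	Idled        bool
}

// Constructed reencrypt "server" line (placeholder CA path). fixedTmpl adds "check" only when the
// endpoint is not idled; invertedTmpl reproduces the inverted condition the second commit corrected.
const serverLine = "{{range .}}server {{.ID}} {{.IP}}:{{.Port}} ssl verify required ca-file /path/to/ca.pem"
var fixedTmpl = template.Must(template.New("fixed").Parse(serverLine + "{{if not .Idled}} check inter 5000ms{{end}}\n{{end}}"))
var invertedTmpl = template.Must(template.New("inverted").Parse(serverLine + "{{if .Idled}} check inter 5000ms{{end}}\n{{end}}"))

// Render returns one rendered server line per endpoint.
func Render(t *template.Template, eps []Endpoint) ([]string, error) {
	var sb strings.Builder
	if err := t.Execute(&sb, eps); err != nil {
		return nil, err
	}
	return strings.Split(strings.TrimRight(sb.String(), "\n"), "\n"), nil
}

// WouldWake lists idled endpoints whose line still carries "check": each TLS check is a full connection to the unidler.
func WouldWake(lines []string, eps []Endpoint) []string {
	var ids []string
	for i, ep := range eps {
		if ep.Idled && i < len(lines) && strings.Contains(lines[i], " check ") {
			ids = append(ids, ep.ID)
		}
	}
	return ids
}

func main() {
	eps := []Endpoint{{"pod-a", "10.1.0.5", "8443", false}, {"svc-idle", "172.30.0.9", "8443", true}} // constructed sample
	for _, t := range []*template.Template{fixedTmpl, invertedTmpl} {
		lines, err := Render(t, eps)
		fmt.Println(t.Name(), "would wake:", WouldWake(lines, eps), "err:", err)
	}
}
```

Running `WouldWake` over the rendered output of a router template in a unit test catches the kind of inversion the second commit describes before an image is built.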