On 9/28/23 02:29, Remi Tricot-Le Breton wrote:
That's really strange, the OCSP update mechanism does not have anything to do with proxies. Are you sure you did not have a crash and autorestart of your haproxy?

I did not think that I had autorestart for haproxy, but it turns out that the service file created by the systemd stuff in the source repo DOES have "Restart=always".

After I changed that to never and did systemctl daemon-reload, I discovered that at the top of the hour, something caused systemd to reload the service. From systemctl status haproxy:

Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_gitlab_8881 stopped (cumulated conns: FE: 0, BE: 0).
Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_gitlab2_8881 stopped (cumulated conns: FE: 0, BE: 0).
Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_artifactory_8082 stopped (cumulated conns: FE: 0, BE: 0).
Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_zabbix_81 stopped (cumulated conns: FE: 0, BE: 0).
Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : New worker (236124) forked
Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : Loading success.
Sep 30 01:00:02 smeagol systemd[1]: Reloaded HAProxy Load Balancer.
Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : haproxy version is 2.8.3-0499db-3
Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : path to executable is /usr/local/sbin/haproxy
Sep 30 01:00:02 smeagol haproxy[234279]: [WARNING] (234279) : Former worker (234282) exited with code 0 (Exit)

There are no relevant systemd timers, nothing in user crontabs, nothing in the various cron.* directories that could cause this. I did compile haproxy with systemd support ... can haproxy itself ask systemd for a reload?

A way to check for a possible crash in the OCSP update code would be to use the "update ssl ocsp-response <certfile>" from the CLI as well. It would use most of the OCSP update code so if a crash were to happen you might see it this way.

Can you explain to me how to do this and see any output? I tried piping the command to socat talking to the stats proxy socket, and got no response. I think I do not know how to use socat correctly for this.

Thanks,
Shawn
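
Added example, not part of the original message or of the haproxy project: a small classifier that separates a clean reload from a worker crash in journal lines like the ones quoted above. The crash line in the sample is constructed, and its wording and exit code are assumptions.

```python
import re
from collections import defaultdict

# First three lines are copied from the message above; the last one is
# CONSTRUCTED to show a crash (assumed master-process wording and exit code).
SAMPLE = """\
Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : New worker (236124) forked
Sep 30 01:00:02 smeagol systemd[1]: Reloaded HAProxy Load Balancer.
Sep 30 01:00:02 smeagol haproxy[234279]: [WARNING] (234279) : Former worker (234282) exited with code 0 (Exit)
Sep 30 02:00:03 smeagol haproxy[234279]: [ALERT] (234279) : Current worker (236124) exited with code 139 (Segmentation fault)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w.-]+)\[\d+\]: (.*)$")
EXIT = re.compile(r"(Former|Current) worker \((\d+)\) exited with code (\d+)")
FORK = re.compile(r"New worker \((\d+)\) forked")


def classify(journal_text):
    """Group journal lines by timestamp; label each group reload/crash/other."""
    groups = defaultdict(lambda: {"reloaded": False, "forked": [], "exits": []})
    for raw in journal_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a syslog-style line
        ts, unit, msg = m.groups()
        g = groups[ts]
        if unit == "systemd" and msg.startswith("Reloaded "):
            g["reloaded"] = True
        elif unit == "haproxy":
            if e := EXIT.search(msg):
                g["exits"].append((e.group(1), int(e.group(2)), int(e.group(3))))
            elif f := FORK.search(msg):
                g["forked"].append(int(f.group(1)))
    verdicts = {}
    for ts, g in groups.items():
        # A worker leaving with a non-zero code is the signal of a crash;
        # a clean exit next to a fork or systemd "Reloaded" is a reload.
        if any(code != 0 for _, _, code in g["exits"]):
            verdicts[ts] = "crash"
        elif g["reloaded"] or g["forked"]:
            verdicts[ts] = "reload"
        else:
            verdicts[ts] = "other"
    return verdicts


if __name__ == "__main__":
    for ts, verdict in classify(SAMPLE).items():
        print(ts, verdict)
```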

