Hi Pawel,

On Tue, May 19, 2015 at 02:47:41PM -0700, Pawel Veselov wrote:
> > These settings should theoretically make
> > haproxy behave exactly the same.
> >
> 
> So think that somehow, 1.5 was creating or keeping a lot more open
> connections at a time, and depriving the kernel, or its own limits of
> available connections?

There's no reason, you should definitely have the same number of
connections with both versions. Also, even on small machines the number
of connections a single process will sustain when reaching servers will
be much lower than the kernel's default FD limits due to the limited
number of source ports. For example, here on a 2GB-equipped Atom, the
limit is already at 204k fd, which is much larger than the 2*64k you'd
have from a single source address, and I'm expecting that your production
LB is larger than this box:

$ cat /proc/sys/fs/file-max 
204282

> > In its absence, the behavior would indeed have changed, from the old
> > default:
> > option http-tunnel [1]
> >
> > to:
> > option http-keep-alive [2]
> >
> >
> > One thing I can suggest is to replace "option httpclose" in the default
> > section with the following configuration:
> > option http-keep-alive
> > option prefer-last-server
> > timeout http-keep-alive 5s (or whatever keep alive timeout works for you)
> >
> 
> I personally don't see any reason for having any connections left kept
> alive. We want to minimize the amount of open files, we've had problems
> with keep-alive choking us quite quickly.

OK, that's fair enough. Then you should use http-server-close. "httpclose"
is a hack from version 1.1 which consists in simply adding
"connection: close" to the headers and letting each side decide to close.
In practice it used to result in a number of servers keeping the connection
alive despite this, forcing us to implement extra hacks like "forceclose".

Since 1.4 this connection management is much cleaner as haproxy can actively
close a connection, while it was only watching it previously.

> I see the doc says that httpclose is "...is deprecated since what it does
> is very cheap but not reliable", which I guess means that it won't work
> with all the servers, but our servers honor the Connection:close header
> quite fine, so I don't see a reason to change that.

Perfect, then just use http-server-close, even on 1.4 since you have it.

> I guess what I should do - is try 1.5 during "quiet time", and compare the
> environment (open fds, etc) with 1.4, and see what is different...

Or maybe first test http-server-close on 1.4 to see if there's anything
related to this. It could very well be that something on the network
doesn't always see the closed connections.

Regards,
Willy
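
Added example, not part of the original message: a small shell helper for the comparison discussed above, counting a process's open fds and checking whether the source-port range or fs.file-max is the tighter bound, following the "2*64k" reasoning in the reply. The function names and the path-as-argument layout are assumptions made for illustration; on a Linux host the real /proc paths are passed in as shown at the bottom.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters so the functions
# can also be run against constructed files instead of the live /proc.

# Number of usable local source ports, read from a file in the format of
# /proc/sys/net/ipv4/ip_local_port_range ("low<TAB>high").
port_count() {
    read -r lo hi < "$1" || return 1
    echo $((hi - lo + 1))
}

# Upper bound on fds a proxy process can hold from a single source address,
# assuming (as in the reply's 2*64k figure) two fds per proxied connection:
# one facing the client and one facing the server.
fd_ceiling() {
    echo $((2 * $(port_count "$1")))
}

# Count the entries of a /proc/<pid>/fd style directory.
open_fds() {
    ls -1A "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Print "<open fds> <port-derived ceiling> <file-max> <which limit binds first>".
# Arguments: fd directory, port range file, file-max file.
report() {
    open=$(open_fds "$1")
    ceil=$(fd_ceiling "$2")
    read -r fmax < "$3"
    if [ "$ceil" -lt "$fmax" ]; then
        verdict=ports-bind-first
    else
        verdict=file-max-binds-first
    fi
    echo "$open $ceil $fmax $verdict"
}

# Live use: pass the haproxy PID as the first argument.
if [ -n "${1:-}" ]; then
    report "/proc/$1/fd" /proc/sys/net/ipv4/ip_local_port_range \
           /proc/sys/fs/file-max
fi
```

Running it against the 1.4 and the 1.5 process under the same load gives two directly comparable lines.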

