On Wed, Aug 11, 2021 at 01:13:25PM +0200, Aleksandar Lazic wrote:
> > > But from my point of view and for server-template and dynamic-cookie-key
> > > this message makes no sense, or am I wrong?
> > 
> > The problem is that when using dynamic cookies, the dynamic-cookie-key,
> > the server's IP, and its port are hashed together to generate a fixed
> > cookie value that will be stable across a cluster of haproxy LBs, but
> > hashes are never without collisions despite being 64-bit, and here you
> > apparently faced one. Given how unlikely it is, I suspect that the issue
> > in fact is that you might have multiple servers on the same address.
> > Maybe just during some DNS transitions. If that's the case, maybe we
> > should improve the collision check to only report it if it happens for
> > servers with different addresses.
> 
> Well not the same IP but quite similar.

"quite similar" isn't a valid reason for having a collision, the algo
uses XXH64() which features a pretty good distribution. I'm pretty sure
that during the life of your farm, maybe due to some DNS settings or
something like that, you end up with two servers having the same IP/port.
Well, at least they result in the right requests being routed to the right
place.

I've written a small tool to calculate the cookie values based on the
key, ip and port and committed it into admin/dyncookie/dyncookie. I'm
attaching the patch if you want to build it separately.

> Your explanation can be the reason for the warning.
> 
> ```
> dig cloud-service.namespace.svc.cluster.local
(...)

As you can see from your list, there's no collision with
this secret nor port:

  $ for i in 10.128.2.111 10.128.2.112 10.128.2.113 10.128.2.114 10.128.2.115 \
      10.129.9.83 10.129.9.84 10.129.9.85 10.129.9.86 10.129.9.87 10.131.4.233 \
      10.131.4.234 10.131.4.235 10.131.4.236 10.131.4.237; do \
      ./admin/dyncookie/dyncookie testphrase $i 29099; done | sort
  17419e9eba92b5af
  4945c2f00f65ba86
  5624d35859a00988
  6eec16ef4c233b5b
  843cc9b2cda23da5
  86aefdb6fe1b2e1a
  8b7cb2f615544695
  96282b2f2068ccc2
  b6de32af03e19900
  bd5a03458300e5df
  bf952365b0d16bf3
  c4daf5a0248612a6
  ca435943549734ef
  cbca5601c400f7e1
  e44d35f412164db8

I also think the warning message should be improved to report the two
offending IP/ports when found!

Willy
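
The improved check suggested in this message (stay quiet when two servers share an IP/port, name both endpoints on a real collision), as an added example that is not HAProxy's code or the dyncookie tool. It assumes BLAKE2b and its own byte layout as a stand-in for the XXH64 input, so the values will not match real cookies; the server names and the duplicated `srv16` entry are constructed.

```python
import hashlib
import ipaddress
from collections import defaultdict

# The 15 addresses from the message; server names are hypothetical.
IPS = ("10.128.2.111 10.128.2.112 10.128.2.113 10.128.2.114 10.128.2.115 "
       "10.129.9.83 10.129.9.84 10.129.9.85 10.129.9.86 10.129.9.87 "
       "10.131.4.233 10.131.4.234 10.131.4.235 10.131.4.236 10.131.4.237").split()
FARM = [(f"srv{n}", ip, 29099) for n, ip in enumerate(IPS, 1)]

def cookie_value(key, ip, port, bits=64):
    """Hash key + packed address + port into a `bits`-wide value.
    ASSUMPTION: BLAKE2b and this byte layout stand in for HAProxy's XXH64
    input, so the results differ from real cookies and dyncookie output."""
    data = key.encode() + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    digest = hashlib.blake2b(data, digest_size=8).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)

def check_farm(key, servers, bits=64):
    """Return (duplicates, collisions) for a list of (name, ip, port).
    duplicates: same cookie because both servers share ip:port (benign).
    collisions: same cookie for different endpoints (worth a warning)."""
    by_cookie = defaultdict(list)
    for srv in servers:
        by_cookie[cookie_value(key, srv[1], srv[2], bits)].append(srv)
    duplicates, collisions = [], []
    for cookie, group in by_cookie.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                same = (ipaddress.ip_address(a[1]) == ipaddress.ip_address(b[1])
                        and a[2] == b[2])
                (duplicates if same else collisions).append((f"{cookie:016x}", a, b))
    return duplicates, collisions

if __name__ == "__main__":
    # Constructed case: srv16 reuses srv1's address, as during a DNS transition.
    farm = FARM + [("srv16", "10.128.2.111", 29099)]
    dups, cols = check_farm("testphrase", farm)
    for cookie, a, b in dups:
        print(f"note: {a[0]} and {b[0]} share {a[1]}:{a[2]} (cookie {cookie})")
    for cookie, a, b in cols:
        print(f"warning: cookie {cookie} collides for {a[0]} {a[1]}:{a[2]} "
              f"and {b[0]} {b[1]}:{b[2]}")
```

Passing a small `bits` value (for example 3) forces real collisions among the 15 distinct addresses, which exercises the warning path.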
