Re: [PATCHES] SRV record support

2017-08-04 Thread Willy Tarreau
Hi Jerry,

On Fri, Aug 04, 2017 at 12:47:51PM -0700, Jerry Scharf wrote:
> Willy,
> 
> I can't answer for the code but I can talk about SRV records. I helped bury
> some of the bodies in DNS. :)
> 
> A SRV record in DNS is a different type of record, like MX, PTR, TXT,...
> 
> You can think of SRV as MX generalized for any listener. The naming form is
> _http._tcp to keep it from colliding with names, but that was mostly for
> clarity as requested by the RFC editor. In the DNS protocol you will never
> get SRV records when doing normal host lookup (A/ records.) When you ask
> for SRV records, you may also get back the A/ records for the hosts it
> points to as "additional data."

OK but what I meant is that I suspected the type of request was altered
by the naming, though I can be wrong. I don't know well the DNS code
here. I'm aware however of the naming to avoid collisions :-)

Thanks,
Willy



Re: [PATCHES] SRV record support

2017-08-04 Thread Jerry Scharf

Willy,

I can't answer for the code but I can talk about SRV records. I helped 
bury some of the bodies in DNS. :)


A SRV record in DNS is a different type of record, like MX, PTR, TXT,...

You can think of SRV as MX generalized for any listener. The naming form 
is _http._tcp to keep it from colliding with names, but that was mostly 
for clarity as requested by the RFC editor. In the DNS protocol you will 
never get SRV records when doing normal host lookup (A/ records.) 
When you ask for SRV records, you may also get back the A/ records 
for the hosts it points to as "additional data."


jerry


On 8/4/17 12:18 PM, Willy Tarreau wrote:

Just a few questions and minor comments below :

On Fri, Aug 04, 2017 at 06:49:43PM +0200, Olivier Houchard wrote:

This also adds support for SRV records. To use them, simply use a SRV label
instead of a hostname on the server line, ie :
server s1 _http._tcp.example.com  resolvers dns check
server s2 _http._tcp.example.com  resolvers dns check

When this is done, haproxy will first resolve _http._tcp.example.com, and then
give the hostname (as well as port and weight) to each available server, that
will then do a regular DNS resolution to get the IP.

What makes the distinction between an SRV record and a real hostname here ?
Just the leading underscore, or the plain "_http." maybe ? I'm not expecting
any problem with this given that the underscore is not allowed as a regular
hostname character (except under windows). But at least this will deserve
a mention in the doc where the server's address is described, so that anyone
experiencing trouble could spot this easily.


 From 1b408464590fea38d8a45b2b7fed5c615465a858 Mon Sep 17 00:00:00 2001
From: Olivier Houchard 
Date: Thu, 6 Jul 2017 18:46:47 +0200
Subject: [PATCH 1/4] MINOR: dns: Cache previous DNS answers.

As DNS servers may not return all IPs in one answer, we want to cache the
previous entries. Those entries are removed when considered obsolete, which
happens when the IP hasn't been returned by the DNS server for a time
defined in the "hold obsolete" parameter of the resolver section. The default
is 30s.
---
  doc/configuration.txt  |   7 +-
  include/proto/server.h |   2 +-
  include/types/dns.h|   9 +-
  src/cfgparse.c |   5 +-
  src/dns.c  | 247 -
  src/server.c   |  28 --
  6 files changed, 175 insertions(+), 123 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index bfeb3ce0..f4674387 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11693,6 +11693,10 @@ For example, with 2 name servers configured in a 
resolvers section:
   - first response is truncated and second one is a NX Domain, then HAProxy
 stops resolution.
  
+As a DNS server may not answer all the IPs in one DNS request, haproxy keeps

+a cache of previous answers, an answer will be considered obsolete after
+"hold obsolete" seconds without the IP returned.
+
  
  resolvers 

Creates a new name server list labelled 
@@ -11709,7 +11713,7 @@ hold  
Defines  during which the last name resolution should be kept based
on last resolution 
   : last name resolution status. Acceptable values are "nx",
-   "other", "refused", "timeout", "valid".
+   "other", "refused", "timeout", "valid", "obsolete".
   : interval between two successive name resolution when the last
 answer was in . It follows the HAProxy time format.
  is in milliseconds by default.
@@ -11756,6 +11760,7 @@ timeout  
   hold nx  30s
   hold timeout 30s
   hold valid   10s
+ hold obsolete30s
  
  
  6. HTTP header manipulation

diff --git a/include/proto/server.h b/include/proto/server.h
index 43e4e425..c4f8e1d5 100644
--- a/include/proto/server.h
+++ b/include/proto/server.h
@@ -52,7 +52,7 @@ int srv_init_addr(void);
  struct server *cli_find_server(struct appctx *appctx, char *arg);
  
  /* functions related to server name resolution */

-int snr_update_srv_status(struct server *s);
+int snr_update_srv_status(struct server *s, int has_no_ip);
  int snr_resolution_cb(struct dns_requester *requester, struct dns_nameserver 
*nameserver);
  int snr_resolution_error_cb(struct dns_requester *requester, int error_code);
  struct server *snr_check_ip_callback(struct server *srv, void *ip, unsigned 
char *ip_family);
diff --git a/include/types/dns.h b/include/types/dns.h
index 7a19aa37..12c11552 100644
--- a/include/types/dns.h
+++ b/include/types/dns.h
@@ -113,7 +113,7 @@ struct dns_query_item {
  /* NOTE: big endian structure */
  struct dns_answer_item {
struct list list;
-   char *name; /* answer name
+   char name[DNS_MAX_NAME_SIZE];   /* answer name

Do you have an estimate of the worst case increase of memory usage incurred
by using the max name size for every name component ? I

Re: Check just one backend, node down in all

2017-08-04 Thread Willy Tarreau
Hello Andrea,

On Fri, Aug 04, 2017 at 09:33:00PM +0200, Andrea wrote:
> Hello,
> I have an haproxy configuration with 2 frontends (http and https) pointing
> to two different backends (http and https), but having exactly the same
> nodes.
> 
> As it seems I can't configure a healthy check on https, I'd like to
> consider down even on https the node that fails the check on http.
> 
> Is it possible to do it in some way?

Yes, take a look at the "track" server keyword. It's made exactly for this.

Regards,
Willy



Check just one backend, node down in all

2017-08-04 Thread Andrea
Hello,
I have an haproxy configuration with 2 frontends (http and https) pointing
to two different backends (http and https), but having exactly the same
nodes.

As it seems I can’t configure a healthy check on https, I’d like to
consider down even on https the node that fails the check on http.

Is it possible to do it in some way?

Thanks!
Andrea


Re: [PATCHES] SRV record support

2017-08-04 Thread Willy Tarreau
Just a few questions and minor comments below :

On Fri, Aug 04, 2017 at 06:49:43PM +0200, Olivier Houchard wrote:
> This also adds support for SRV records. To use them, simply use a SRV label
> instead of a hostname on the server line, ie :
> server s1 _http._tcp.example.com  resolvers dns check
> server s2 _http._tcp.example.com  resolvers dns check
> 
> When this is done, haproxy will first resolve _http._tcp.example.com, and then
> give the hostname (as well as port and weight) to each available server, that
> will then do a regular DNS resolution to get the IP.

What makes the distinction between an SRV record and a real hostname here ?
Just the leading underscore, or the plain "_http." maybe ? I'm not expecting
any problem with this given that the underscore is not allowed as a regular
hostname character (except under windows). But at least this will deserve
a mention in the doc where the server's address is described, so that anyone
experiencing trouble could spot this easily.

> From 1b408464590fea38d8a45b2b7fed5c615465a858 Mon Sep 17 00:00:00 2001
> From: Olivier Houchard 
> Date: Thu, 6 Jul 2017 18:46:47 +0200
> Subject: [PATCH 1/4] MINOR: dns: Cache previous DNS answers.
> 
> As DNS servers may not return all IPs in one answer, we want to cache the
> previous entries. Those entries are removed when considered obsolete, which
> happens when the IP hasn't been returned by the DNS server for a time
> defined in the "hold obsolete" parameter of the resolver section. The default
> is 30s.
> ---
>  doc/configuration.txt  |   7 +-
>  include/proto/server.h |   2 +-
>  include/types/dns.h|   9 +-
>  src/cfgparse.c |   5 +-
>  src/dns.c  | 247 
> -
>  src/server.c   |  28 --
>  6 files changed, 175 insertions(+), 123 deletions(-)
> 
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index bfeb3ce0..f4674387 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -11693,6 +11693,10 @@ For example, with 2 name servers configured in a 
> resolvers section:
>   - first response is truncated and second one is a NX Domain, then HAProxy
> stops resolution.
>  
> +As a DNS server may not answer all the IPs in one DNS request, haproxy keeps
> +a cache of previous answers, an answer will be considered obsolete after
> +"hold obsolete" seconds without the IP returned.
> +
>  
>  resolvers 
>Creates a new name server list labelled 
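Review bot: the added paragraph says an answer "will be considered obsolete" after "hold obsolete" seconds, but it does not say what happens to an obsolete answer or what the default is. The commit message states both (obsolete entries are removed, default 30s), so the documentation should carry the same two facts. The comma before "an answer will be considered" joins two sentences and reads better as a full stop.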
> @@ -11709,7 +11713,7 @@ hold  
>Defines  during which the last name resolution should be kept based
>on last resolution 
>   : last name resolution status. Acceptable values are "nx",
> -   "other", "refused", "timeout", "valid".
> +   "other", "refused", "timeout", "valid", "obsolete".
>   : interval between two successive name resolution when the last
> answer was in . It follows the HAProxy time format.
>  is in milliseconds by default.
> @@ -11756,6 +11760,7 @@ timeout  
>   hold nx  30s
>   hold timeout 30s
>   hold valid   10s
> + hold obsolete30s
>  
>  
>  6. HTTP header manipulation
> diff --git a/include/proto/server.h b/include/proto/server.h
> index 43e4e425..c4f8e1d5 100644
> --- a/include/proto/server.h
> +++ b/include/proto/server.h
> @@ -52,7 +52,7 @@ int srv_init_addr(void);
>  struct server *cli_find_server(struct appctx *appctx, char *arg);
>  
>  /* functions related to server name resolution */
> -int snr_update_srv_status(struct server *s);
> +int snr_update_srv_status(struct server *s, int has_no_ip);
>  int snr_resolution_cb(struct dns_requester *requester, struct dns_nameserver 
> *nameserver);
>  int snr_resolution_error_cb(struct dns_requester *requester, int error_code);
>  struct server *snr_check_ip_callback(struct server *srv, void *ip, unsigned 
> char *ip_family);
> diff --git a/include/types/dns.h b/include/types/dns.h
> index 7a19aa37..12c11552 100644
> --- a/include/types/dns.h
> +++ b/include/types/dns.h
> @@ -113,7 +113,7 @@ struct dns_query_item {
>  /* NOTE: big endian structure */
>  struct dns_answer_item {
>   struct list list;
> - char *name; /* answer name
> + char name[DNS_MAX_NAME_SIZE];   /* answer name

Do you have an estimate of the worst case increase of memory usage incurred
by using the max name size for every name component ? I understand that it
might not be possible to use a shared area anymore for all entries once you
start to deal with obsolescence, but it's just to get an idea of what the
worst DNS response could have as impact.

> @@ -124,7 +124,8 @@ struct dns_answer_item {
>   int16_t port;   /* SRV type port */
>   int16_t data_len;   /* number of bytes in target 
> below */
>   struct sockaddr address;/* IPv4 or IPv6, network format 
> */
> - char *target;   
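Review bot: in the context lines of this hunk, port and data_len are both declared int16_t. An SRV port above 32767 does not fit in a signed 16-bit field and reads back negative, and a length taken from a DNS response should not be able to go negative either. While this struct is being reworked, uint16_t would be the safer type for both.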

Re: [PATCHES] SRV record support

2017-08-04 Thread Willy Tarreau
Hi Olivier,

On Fri, Aug 04, 2017 at 06:49:43PM +0200, Olivier Houchard wrote:
> Hi guys,
> 
> Following Baptiste's work on DNS, the attached patchset adds support for DNS
> obsolescence, and SRV support.
(...)

Really cool, thank you. Let's wait for some feedback.

Willy



[PATCHES] SRV record support

2017-08-04 Thread Olivier Houchard
Hi guys,

Following Baptiste's work on DNS, the attached patchset adds support for DNS
obsolescence, and SRV support.
DNS obsolescence means we cache DNS answers, and only consider the entries
gone if we don't see them for X seconds, X being defined in the config file
with the "hold obsolete" entry in the resolvers section, ie :
resolvers dns
    nameserver pouet 8.8.8.8:53
    hold valid 10s
    hold obsolete 5s

This is done as we may get incomplete DNS answers for each request, so we
can't assume an entry is gone just because it was not in a DNS answer.
This also adds support for SRV records. To use them, simply use a SRV label
instead of a hostname on the server line, ie :
server s1 _http._tcp.example.com  resolvers dns check
server s2 _http._tcp.example.com  resolvers dns check

When this is done, haproxy will first resolve _http._tcp.example.com, and then
give the hostname (as well as port and weight) to each available server, that
will then do a regular DNS resolution to get the IP.
The SRV label is resolved periodically, any server that disappears will be
removed, and any new server will be added, assuming there're free servers in
the haproxy config.

Any testing would be greatly appreciated.

Regards,

Olivier

From 1b408464590fea38d8a45b2b7fed5c615465a858 Mon Sep 17 00:00:00 2001
From: Olivier Houchard 
Date: Thu, 6 Jul 2017 18:46:47 +0200
Subject: [PATCH 1/4] MINOR: dns: Cache previous DNS answers.

As DNS servers may not return all IPs in one answer, we want to cache the
previous entries. Those entries are removed when considered obsolete, which
happens when the IP hasn't been returned by the DNS server for a time
defined in the "hold obsolete" parameter of the resolver section. The default
is 30s.
---
 doc/configuration.txt  |   7 +-
 include/proto/server.h |   2 +-
 include/types/dns.h|   9 +-
 src/cfgparse.c |   5 +-
 src/dns.c  | 247 -
 src/server.c   |  28 --
 6 files changed, 175 insertions(+), 123 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index bfeb3ce0..f4674387 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11693,6 +11693,10 @@ For example, with 2 name servers configured in a 
resolvers section:
  - first response is truncated and second one is a NX Domain, then HAProxy
stops resolution.
 
+As a DNS server may not answer all the IPs in one DNS request, haproxy keeps
+a cache of previous answers, an answer will be considered obsolete after
+"hold obsolete" seconds without the IP returned.
+
 
 resolvers 
   Creates a new name server list labelled 
@@ -11709,7 +11713,7 @@ hold  
   Defines  during which the last name resolution should be kept based
   on last resolution 
  : last name resolution status. Acceptable values are "nx",
-   "other", "refused", "timeout", "valid".
+   "other", "refused", "timeout", "valid", "obsolete".
  : interval between two successive name resolution when the last
answer was in . It follows the HAProxy time format.
 is in milliseconds by default.
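Review bot: the period description under the status list no longer fits once "obsolete" is an accepted status. It still reads "interval between two successive name resolution when the last answer was in" the given status, whereas the commit message describes "hold obsolete" as the time a cached entry is kept after the DNS server stops returning it. Suggest a separate sentence for the "obsolete" case, including the 30s default.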
@@ -11756,6 +11760,7 @@ timeout  
  hold nx  30s
  hold timeout 30s
  hold valid   10s
+ hold obsolete30s
 
 
 6. HTTP header manipulation
diff --git a/include/proto/server.h b/include/proto/server.h
index 43e4e425..c4f8e1d5 100644
--- a/include/proto/server.h
+++ b/include/proto/server.h
@@ -52,7 +52,7 @@ int srv_init_addr(void);
 struct server *cli_find_server(struct appctx *appctx, char *arg);
 
 /* functions related to server name resolution */
-int snr_update_srv_status(struct server *s);
+int snr_update_srv_status(struct server *s, int has_no_ip);
 int snr_resolution_cb(struct dns_requester *requester, struct dns_nameserver 
*nameserver);
 int snr_resolution_error_cb(struct dns_requester *requester, int error_code);
 struct server *snr_check_ip_callback(struct server *srv, void *ip, unsigned 
char *ip_family);
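Review bot: the new second argument of snr_update_srv_status(), has_no_ip, is a negative-sense flag with no comment in this header, so the prototype does not tell a caller what a non-zero value changes in the status update. Suggest a one-line comment above the prototype saying what non-zero means and which caller is expected to pass it, or a positively named parameter.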
diff --git a/include/types/dns.h b/include/types/dns.h
index 7a19aa37..12c11552 100644
--- a/include/types/dns.h
+++ b/include/types/dns.h
@@ -113,7 +113,7 @@ struct dns_query_item {
 /* NOTE: big endian structure */
 struct dns_answer_item {
struct list list;
-   char *name; /* answer name
+   char name[DNS_MAX_NAME_SIZE];   /* answer name
 * For SRV type, name also 
includes service
 * and protocol value */
int16_t type;   /* question type */
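Review bot: with name changed from a pointer to char name[DNS_MAX_NAME_SIZE], every place that used to assign the pointer now has to copy into the array, and each of those copies needs a length check against DNS_MAX_NAME_SIZE and a terminating NUL, because the bytes come from a DNS response. That is worth confirming in the src/dns.c part of the patch. The inline array also means every cached answer item carries the full maximum name size, so the number of items kept per resolution should be bounded as well.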
@@ -124,7 +124,8 @@ struct dns_answer_item {
int16_t port;   /* SRV type port */
int16_t data_len;   /* number of bytes in target 
below */
struct sockaddr address;/* IPv4 or IPv6, network format 
*/
-   char *target;  
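
The "hold obsolete" rule from the cover letter above, as an added C sketch that is not code from this patch set or from HAProxy: records missing from an incomplete answer stay cached until they have gone unseen for longer than the hold time, and both the key copy and the cache size are bounded. The struct layout, function names, KEY_MAX, CACHE_SLOTS and the 192.0.2.x addresses are assumptions made for the example.

```c
/* Added sketch: names, sizes and addresses are assumptions, not HAProxy code. */
#include <stdio.h>
#include <string.h>

#define KEY_MAX     255   /* assumed bound on a record key */
#define CACHE_SLOTS 8     /* fixed capacity, so worst-case memory is known */

struct cached_item {
    char key[KEY_MAX + 1]; /* address or SRV target in text form */
    long last_seen;        /* time of the last answer that listed it */
    int  used;
};

struct answer_cache {
    struct cached_item slot[CACHE_SLOTS];
    long hold_obsolete;    /* seconds an unseen record is kept */
};

void cache_init(struct answer_cache *c, long hold_obsolete)
{
    memset(c, 0, sizeof(*c));
    c->hold_obsolete = hold_obsolete;
}

struct cached_item *cache_find(struct answer_cache *c, const char *key)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (c->slot[i].used && strcmp(c->slot[i].key, key) == 0)
            return &c->slot[i];
    return NULL;
}

/* Merge one DNS answer; records absent from it are left untouched.
 * Returns how many records were refused (over-long key or cache full). */
int cache_merge(struct answer_cache *c, const char *const *keys, int n, long now)
{
    int refused = 0;
    for (int i = 0; i < n; i++) {
        size_t len = strlen(keys[i]);
        struct cached_item *it;
        if (len == 0 || len > KEY_MAX) {
            refused++;              /* never truncate into the fixed buffer */
            continue;
        }
        it = cache_find(c, keys[i]);
        for (int j = 0; !it && j < CACHE_SLOTS; j++)
            if (!c->slot[j].used)
                it = &c->slot[j];
        if (!it) {
            refused++;              /* cache full: drop rather than grow */
            continue;
        }
        memcpy(it->key, keys[i], len + 1);
        it->used = 1;
        it->last_seen = now;
    }
    return refused;
}

/* Drop records that have not been seen for more than hold_obsolete seconds. */
int cache_expire(struct answer_cache *c, long now)
{
    int removed = 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (c->slot[i].used && now - c->slot[i].last_seen > c->hold_obsolete) {
            c->slot[i].used = 0;
            removed++;
        }
    return removed;
}

/* Constructed timeline: a full answer at t=0, then answers every 3 seconds
 * that omit 192.0.2.3. Returns 1 if that address is still cached at time t. */
int third_cached_at(long hold_obsolete, long t)
{
    static const char *const full[]    = { "192.0.2.1", "192.0.2.2", "192.0.2.3" };
    static const char *const partial[] = { "192.0.2.1", "192.0.2.2" };
    struct answer_cache c;
    cache_init(&c, hold_obsolete);
    cache_merge(&c, full, 3, 0);
    for (long now = 3; now <= t; now += 3) {
        cache_merge(&c, partial, 2, now);
        cache_expire(&c, now);
    }
    cache_expire(&c, t);
    return cache_find(&c, "192.0.2.3") != NULL;
}

int main(void)
{
    printf("hold 5s: t=3 -> %d, t=6 -> %d; hold 0s: t=3 -> %d\n",
           third_cached_at(5, 3), third_cached_at(5, 6), third_cached_at(0, 3));
    return 0;
}
```

With a hold of 0 the first incomplete answer already drops the third address, which is the case the cover letter says cannot be assumed.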

Re: 1.7.8 upgrade question

2017-08-04 Thread Willy Tarreau
Hi Bjoern,

On Thu, Aug 03, 2017 at 12:52:10AM +0200, bjun...@gmail.com wrote:
> Hi,
> 
> we want to roll-out 1.7.8 in production (upgrading from 1.6.8).
> 
> While preparing the update (reading changelog/mailinglist/git log,
> searching for known issues etc.), I stumbled upon this:
> 
> https://www.mail-archive.com/haproxy@formilux.org/msg26282.html
> 
> 
> I don't know if I'm interpreting "TUNNEL mode" correctly.
> 
> We are using "option http-server-close" in fe + be, so would this bug
> affect us?

It only depends if your server always emits a content-length or not.
But regardless of this, only the logs are affected, the data are
properly transported.

> P.S.: I know a patch exists for the issue in 1.7 tree, but we usually
> only use version releases in production.

And you're right. We've been holding on that patch a little bit before
doing a release because there are always some people here deploying such
code in production, with very optimized and safe deployment processes
where the smallest hiccup will make them quickly revert. When we perform
a release, we know that most users will deploy without considering the
rollback. And it's our responsibility as maintainers to ensure they can
continue to trust us. This way the fix is under observation by the fastest
adopters and will have received a broader testing once we emit 1.7.9.

We may possibly do it next week by the way, I know that some people are
waiting and I normally don't like waiting too much.

By the way, the list of fixes in 1.7 branch that are not yet in a released
version can be consulted here :

   http://www.haproxy.org/bugs/bugs-1.7.html

The major bug just after the tunnel fix was precisely a fix for a regression
introduced there, which shows it's a good idea to stick to releases when in
doubt :-)

Regards,
Willy



Re: What is an applet in haproxy?

2017-08-04 Thread Willy Tarreau
Hi,

On Fri, Aug 04, 2017 at 03:18:02PM +0900, flamese...@yahoo.co.jp wrote:
> Hi,
> 
> What is an applet in haproxy? what is it for?

It's a small autonomous entity which communicates via a stream to another
side. It usually behaves exactly like a client or a server and is seen by
the internal code as an external entity. The main purpose is to be able to
plug it where an external connection is normally expected, so as to offer
services without changing the complex (and fragile) internal code.

A few examples :
  - the CLI handler. Haproxy "thinks" it's forwarding incoming connections
    to a remote server except that this remote server is the CLI applet
  - the stats page, it renders HTML code which passes through the HTTP
    response processing exactly as if it came from a server. It may even
    be compressed on the fly thanks to this (very convenient)
  - the peers protocol handler, it initiates connections to other LBs and
    accepts their connections
  - Lua and SPOE also use applets as connection initiators for their external
    communications

HTTP/2 will also use applets, one dedicated to the H2 connection, which
demuxes the requests, and one per stream to write the translated H1 request
into the next stage's buffer. The response processing follows the exact
opposite path. The H2 applet knows a list of the H1 streams and each H1
stream has a link to its parent H2 applet. Together they form sort of a
protocol conversion proxy (one client + one server).

Hoping this helps,
Willy



Re: ASML SW quote request for resale

2017-08-04 Thread Sander Klein
Hi Brigitta,

You are contacting the haproxy mailing list which is used for support. 

The haproxy gpl edition is free for use by anyone. But if you want commercial 
support you probably want to contact cont...@haproxy.com

Regards,

Sander

> On 4 Aug 2017, at 12:55, Brigitta Csaszar  wrote:
> 
> Dear Sir/ Madame
> 
> I'm Brigitta Csaszar from ASML Procurement and contacting you in case of some 
> SW prices for resale.
> ASML is one of the world’s leading manufacturers of chip-making machines with
> 16.500 employees. Founded in the Netherlands in 1984, the company is publicly
> traded on Euronext Amsterdam and NASDAQ under the symbol ASML. For further
> information, please visit https://www.asml.com/ .
> 
> Our engineers are developing a new virtual computing platform (VCP), that is
> going to be sold to our endcustomers. Your below listed SW would be built
> into our VCP as part of our solution. So due to that fact, we are interested
> in your resale prices and conditions:
> 
> Role: Loadbalancing
> Name: Haproxy
> Version: 1.7.5 or later
> License: LGPL/GPL
> Multiplicity: 1 instance per VCP installation
> Desired metric: 1 license per VCP (virtual computing platform)
>  
> Would you please send me an offer on this SW license, in which you inform me, 
> about: 
>   - your SW sales conditions, if your customer would like to resell your SW
>     to its endcustomers
>   - the list of your distributors for EMEA, who can sell your SW for resale
>   - your prices and confirmation that we can use these SW for resale
>   - your maintenance option and prices ( I would be interested in the
>     annual, 3-years and 5 years maintenance prices and conditions)
>   - your SLAs; Modification Request Process and Problem Report Help Desk.
>   - validity of your prices
> 
> We are at the information gathering and planning phase, so at this moment I 
> would like to have prices on these basic numbers.
> 
> In  case of any questions regarding our required SW, please contact me.
> I would highly appreciate if you could send me your offer till Tuesday (7th 
> August) 17:00 PM
> 
> If you have any questions, do not hesitate to contact me.
> Thank you in advance.
> 
> Kind regards,
> Brigitta Csaszar
> ASML Senior Tactical Buyer - IT, Professional Services 
>  
> E-mail: brigitta.csas...@asml.com Phone: +36-1-778-7292
> 
> -- The information contained in this communication and any attachments is 
> confidential and may be privileged, and is for the sole use of the intended 
> recipient(s). Any unauthorized review, use, disclosure or distribution is 
> prohibited. Unless explicitly stated otherwise in the body of this 
> communication or the attachment thereto (if any), the information is provided 
> on an AS-IS basis without any express or implied warranties or liabilities. 
> To the extent you are relying on this information, you are doing so at your 
> own risk. If you are not the intended recipient, please notify the sender 
> immediately by replying to this message and destroy all copies of this 
> message and any attachments. Neither the sender nor the company/group of 
> companies he or she represents shall be liable for the proper and complete 
> transmission of the information contained in this communication, or for any 
> delay in its receipt.


ASML SW quote request for resale

2017-08-04 Thread Brigitta Csaszar
Dear Sir/ Madame

I'm Brigitta Csaszar from ASML Procurement and contacting you in case of some 
SW prices for resale.
ASML is one of the world’s leading manufacturers of chip-making machines with
16.500 employees. Founded in the Netherlands in 1984, the company is publicly
traded on Euronext Amsterdam and NASDAQ under the symbol ASML. For further
information, please visit https://www.asml.com/ .

Our engineers are developing a new virtual computing platform (VCP), that is
going to be sold to our endcustomers. Your below listed SW would be built
into our VCP as part of our solution. So due to that fact, we are interested in
your resale prices and conditions:

Role: Loadbalancing
Name: Haproxy
Version: 1.7.5 or later
License: LGPL/GPL
Multiplicity: 1 instance per VCP installation
Desired metric: 1 license per VCP (virtual computing platform)

Would you please send me an offer on this SW license, in which you inform me, 
about:
  - your SW sales conditions, if your customer would like to resell your SW to
    its endcustomers
  - the list of your distributors for EMEA, who can sell your SW for resale
  - your prices and confirmation that we can use these SW for resale
  - your maintenance option and prices ( I would be interested in the annual,
    3-years and 5 years maintenance prices and conditions)
  - your SLAs; Modification Request Process and Problem Report Help Desk.
  - validity of your prices

We are at the information gathering and planning phase, so at this moment I 
would like to have prices on these basic numbers.

In  case of any questions regarding our required SW, please contact me.
I would highly appreciate if you could send me your offer till Tuesday (7th 
August) 17:00 PM

If you have any questions, do not hesitate to contact me.
Thank you in advance.

Kind regards,
Brigitta Csaszar
ASML Senior Tactical Buyer - IT, Professional Services

E-mail: brigitta.csas...@asml.com Phone: 
+36-1-778-7292




Re: 3 HA proxy instances on 3 ECS clusters hang on and off

2017-08-04 Thread Ransika Desilva
Hi,

Sorry about the attachment. The text file is attached.

Regards,
Ransika

On Fri, Aug 4, 2017 at 3:16 AM, Cyril Bonté  wrote:

> Hi,
>
> Le 03/08/2017 à 19:17, Ransika Desilva a écrit :
>
>> Hello,
>>
>> Thanks for a wonderful product. We have an issue as of now, hoping that
>> you will be able to help us.
>>
>> We are having 3 clusters (dev/staging/prod) based on AWS ECS and we
>> deploy the HA Proxy as docker containers on them. Each cluster has 1
>> instance of the HA Proxy running.
>>
>> We have noticed that even during low volume, all the 3 clusters getting
>> hang. The instances are running but traffic is not forwarded. A simple
>> restart works. We have added aws resolvers to handle the LB IP address
>> changes.
>>
>> The issue is somewhat similar to
>> https://discourse.haproxy.org/t/haproxy-crashes-on-3-nodes-at-exactly-the-same-time/1039,
>> but we are not using FreeBSD.
>>
>> I have attached the HA Proxy config for your kind reference.
>>
>> Thanks and looking forward to hear from you soon.
>>
>
> The RTF file is a pain, please send the configuration as plain text in
> your mail next time ;-)
>
> The issue is on your server lines :
>   server foo-a fs-sim-alb-external-XX.com:39997 resolvers awsvpc
> You have configured a resolver but you didn't enable health checks. This
> is (currently) mandatory to name updates :
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#resolvers%20(Server%20and%20default-server%20options)
>
>
> --
> Cyril Bonté
>