Seamless reloads and init scripts, and nbproc > 1
I'm trying to write what amounts to an init/startup script for haproxy with a patched version of 1.7.8 that includes the seamless reload patches that are described on this blog post.

https://www.haproxy.com/blog/truly-seamless-reloads-with-haproxy-no-more-hacks/

#1. If haproxy dies or was killed for some reason the stats socket still exists, and when you try to relaunch haproxy with the -x option you get

    [ALERT] 249/165956 (2750) : Failed to get the sockets from the old process!

It's not impossible, but it's pretty messy to determine if the stats socket has a valid old process listening on it when trying to relaunch/reload haproxy. Is there a solution for this that I'm not seeing? Otherwise when you first launch haproxy you have to do so without the -x and then later have to conditionally include it, and then check to see if you succeeded.

Here's an excerpt from a bash init script as an example of the pain I'm going through.

    unset RELOADSOCK
    if [ -e "${STATSFILE}" ] ; then
        # A stats socket path exists: try to take the listeners over from the old process.
        RELOADSOCK="-x ${STATSFILE}"
        sudo -u haproxy -g haproxy haproxy -f "$HAPROXY_CONFIG_FILE" $RELOADSOCK -p "$HAPROXY_PID_FILE" -sf $(cat "$HAPROXY_PID_FILE")
        if [ $? == 1 ] ; then
            # We likely had difficulty reading the stats file. Delete it and run normally.
            rm "${STATSFILE}"
            sudo -u haproxy -g haproxy haproxy -f "$HAPROXY_CONFIG_FILE" -p "$HAPROXY_PID_FILE" -sf $(cat "$HAPROXY_PID_FILE")
        fi
    else
        # No stats socket yet (RELOADSOCK is unset here): plain start.
        sudo -u haproxy -g haproxy haproxy -f "$HAPROXY_CONFIG_FILE" $RELOADSOCK -p "$HAPROXY_PID_FILE" -sf $(cat "$HAPROXY_PID_FILE")
    fi

Other than that, I have seen no ill effects yet when using the -x for passing, and I can confirm that it has resolved some disconnects.

Thanks,
Dave.

p.s. The above script is not for Ubuntu, but for my day job.
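An added example, not part of the original post or of HAProxy itself: one way to decide up front whether -x is safe is to key the decision on whether an old process from the pid file is still alive, rather than on whether the socket path exists. The function names `live_pids` and `reload_args` are hypothetical, and the sketch assumes the script runs as root (so `kill -0` can probe haproxy-owned PIDs) and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Builds the optional
# "-x <socket> -sf <pids>" arguments for a haproxy (re)launch.

# Print the PIDs listed in the pid file that still exist, space separated.
# With nbproc > 1 the pid file holds one PID per line.
live_pids() {
    pidfile=$1
    [ -r "$pidfile" ] || return 0
    while read -r pid || [ -n "$pid" ]; do
        # Ignore blank or non-numeric lines instead of passing them to kill.
        case $pid in ''|*[!0-9]*) continue ;; esac
        # kill -0 sends no signal; it only reports whether the PID exists.
        kill -0 "$pid" 2>/dev/null && printf '%s ' "$pid"
    done < "$pidfile"
    return 0
}

# Print the extra arguments for this launch:
#   old process alive, socket present -> -x <sock> -sf <pids>
#   old process alive, no socket      -> -sf <pids>
#   no old process (crash, kill -9)   -> nothing, i.e. a cold start
reload_args() {
    sock=$1
    pidfile=$2
    pids=$(live_pids "$pidfile")
    if [ -z "$pids" ]; then
        # Nobody is left to answer on the socket, so a leftover path must not
        # be passed to -x ("Failed to get the sockets from the old process!").
        return 0
    fi
    # -S is true only for a socket, not for a regular file at that path.
    if [ -S "$sock" ]; then
        printf '%s ' "-x $sock"
    fi
    printf '%s\n' "-sf ${pids% }"
}

# Usage inside the init script (unquoted on purpose, for word splitting):
#   haproxy -f "$HAPROXY_CONFIG_FILE" -p "$HAPROXY_PID_FILE" \
#       $(reload_args "$STATSFILE" "$HAPROXY_PID_FILE")
```

`kill -0` only proves that some process owns the PID, so a pid file that survives a reboot can still match an unrelated process; keeping the pid file on a tmpfs such as /run avoids that case.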
Re: Need to understand logs
Hi Rajesh.

Rajesh Kolli wrote on 07.09.2017:

> Hello,
>
> I am using HAProxy community version from a month, i need to
> understand logs of HAProxy for the i need your help.
>
> Here is a sample of my logs:
> Sep 6 17:03:31 localhost haproxy[19389]: Health check for server
> Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check
> passed, check duration: 0ms, status: 1/2 DOWN.
> Sep 6 17:03:33 localhost haproxy[19389]: Health check for server
> Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check
> passed, check duration: 0ms, status: 3/3 UP.
> Sep 6 17:03:33 localhost haproxy[19389]: Server
> Netrovert-sites/DS-11-81-R7-CLST-Node2 is UP. 2 active and 0 backup
> servers online. 0 sessions requeued, 0 total in queue.
>
> Here my doubts are, in first line health check is 1/2 DOWN and 2nd
> line it is 3/3 UP, in both cases Layer4 check passed. How to
> understand it? what exactly it is checking? what are these 1/2 & 1/3's?
>
> Finally, is there any document to understand its logging?

There is a logging part in the doc but I haven't seen such entries in the document.

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8

Maybe you have activated

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20log-health-checks

in your config.

It would be nice to know which haproxy version you use.

    haproxy -vv

--
Best Regards
Aleks
https://www.me2digital.com/
Re: AWS ELB with HA proxy showing 5XX errors
On Sep 6, 2017 5:18 AM, "DHAVAL JAISWAL" wrote:

> I have some queries as well. Will above configuration slow down
> request - response or site performance ?

The configuration you have shown seems valid.

If this system is running in Amazon VPC, you can replace the nameserver IP address with 169.254.169.253. This is a resolver provided by the VPC infrastructure that is always available regardless of the IPv4 CIDR block of the VPC. There should be no need for additional resolvers, since if this isn't working, your instance's hypervisor has almost certainly failed and the instance will have failed along with it.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html#AmazonDNS
Re: Kernel TLS for http/2
Hi Willy,

Willy Tarreau wrote on 05.09.2017:

> Hi Aleks,

> On Mon, Sep 04, 2017 at 09:34:07AM +0200, Aleksandar Lazic wrote:
>> Hi,
>>
>> Have anyone seen KTLS also?
>>
>> https://lwn.net/Articles/666509/
>>
>> https://netdevconf.org/1.2/papers/ktls.pdf
>>
>> looks pretty interesting.

> As I already mentioned (I don't remember to whom), I really don't see *any*
> benefit in this approach and only problems in fact. By the way, others have
> attempted it in the past and failed.

> The intended purpose is to save memory copies. But memory copies cost very
> little compared to AES encryption, so the savings are very marginal, as the
> graph shows. The reality is that in order to increase the performance by
> only 5% :

> - existing TLS application code will require modifications to be able to
>   use both openssl and ktls

> - as new algorithms are deployed, you'll have to switch back to openssl
>   and disable kernel offloading for the time it takes to upgrade to a
>   new kernel. FWIW we're seeing people install openssl 1.0.2 or 1.1.0
>   on centos 7. This proves that userland moves faster than kernels. This
>   problem could slow down adoption of new algorithms by the way, which is
>   exactly what QUIC is fighting by moving all the TCP stack into the
>   browser :-(

> - the data to be encrypted are now transferred to the kernel and visible
>   using strace. One could argue that it will help with debugging, but it
>   is also sometimes useful on some production systems to know that strace
>   remains a safe tool to use because you don't see clear text data.

> - the application has less control over the TLS record size, which is
>   critical to page load time as it allows browsers to parse contents on
>   the fly without having to wait for a full transfer before decrypting.

> So for me it's attacking a non-problem and will cause new problems. I'm
> still not seeing any real benefit, I'm sorry. And you know that usually
> I'm the one trying to push stuff into the kernel to make things faster.
> It's just that *this* specific thing doesn't bring any obvious savings
> to me.

Thank you for the detailed answer.

I think that for some use cases the solution could fit; let's see how this feature will evolve.

> Cheers,
> Willy

--
Best Regards
Aleks
Need to understand logs
Hello,

I have been using the HAProxy community version for a month. I need to understand HAProxy's logs, and for that I need your help.

Here is a sample of my logs:

    Sep 6 17:03:31 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 1/2 DOWN.
    Sep 6 17:03:33 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.
    Sep 6 17:03:33 localhost haproxy[19389]: Server Netrovert-sites/DS-11-81-R7-CLST-Node2 is UP. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

My doubts are these: in the first line the health check is 1/2 DOWN and in the 2nd line it is 3/3 UP, and in both cases the Layer4 check passed. How should I understand it? What exactly is it checking? What are these 1/2 & 1/3's?

Finally, is there any document to understand its logging?

--
Thanks & Regards
Rajesh Kolli