Seamless reloads and init scripts, and nbproc > 1

2017-09-07 Thread Dave Chiluk
I'm trying to write what amounts to an init/startup script for haproxy with
a patched version of 1.7.8 that includes the seamless reload patches that
are described on this blog post.
https://www.haproxy.com/blog/truly-seamless-reloads-with-haproxy-no-more-hacks/

#1. If haproxy dies or was killed for some reason the stats socket still
exists, and when you try to relaunch haproxy with the -x option you get
[ALERT] 249/165956 (2750) : Failed to get the sockets from the old process!

It's not impossible, but it's pretty messy to determine if the stats socket
has a valid old process listening on it when trying to relaunch/reload
haproxy.  Is there a solution for this that I'm not seeing?  Otherwise when
you first launch haproxy you have to do so without the -x and then later
have to conditionally include it, and then check to see if you succeeded.

Here's an excerpt from a bash init script as an example of the pain I'm
going through.
unset RELOADSOCK
if [ -e "${STATSFILE}" ] ; then
    # A stats socket exists: assume an old process is still listening on it
    # and ask the new one to fetch the listening sockets from it with -x.
    # $RELOADSOCK is left unquoted on purpose so it splits into "-x" "<path>".
    RELOADSOCK="-x ${STATSFILE}"
    sudo -u haproxy -g haproxy haproxy -f "$HAPROXY_CONFIG_FILE" $RELOADSOCK \
        -p "$HAPROXY_PID_FILE" -sf $(cat "$HAPROXY_PID_FILE")
    if [ $? == 1 ] ; then
        # We likely had difficulty reading the stats file (left behind by a
        # process that died).  Delete it and run normally, without -x.
        rm "${STATSFILE}"
        sudo -u haproxy -g haproxy haproxy -f "$HAPROXY_CONFIG_FILE" \
            -p "$HAPROXY_PID_FILE" -sf $(cat "$HAPROXY_PID_FILE")
    fi
else
    # No stats socket at all: plain start, $RELOADSOCK is empty here.
    sudo -u haproxy -g haproxy haproxy -f "$HAPROXY_CONFIG_FILE" $RELOADSOCK \
        -p "$HAPROXY_PID_FILE" -sf $(cat "$HAPROXY_PID_FILE")
fi

Other than that, I have seen no ill effects yet when using the -x for
passing, and I can confirm that it has resolved some disconnects.

Thanks,
Dave.
p.s. The above script is not for Ubuntu, but for my day job.
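
One way to answer the "is anybody actually listening on that socket" question before deciding whether to pass -x, as an added example in Python that is not part of Dave's script and not HAProxy's own code: it connects to the Unix socket and sends `show info`, so a socket file left behind by a killed process (connect refused), a missing file and a path that is not a socket all lead to a plain start, while only a live listener gets -x. The HAProxy paths, the PID 4242 and the fake listener used by self_check() are assumptions constructed for the demonstration; a real init script would call build_haproxy_cmd() with its own HAPROXY_CONFIG_FILE, HAPROXY_PID_FILE and STATSFILE values. It assumes the stats socket is a Unix stream socket at a level that accepts `show info`.

```python
import os
import socket
import stat
import subprocess
import tempfile
import threading


def stats_socket_alive(path, timeout=2.0):
    """True only if a process answers "show info" on the Unix socket at path.

    Separates the cases a bare test -e cannot:
      * no file                   -> False (fresh start)
      * file, nobody listening    -> False (stale socket of a dead process,
                                     connect() fails with ECONNREFUSED)
      * not a socket at all       -> False (a regular file or directory)
      * a listener answers        -> True  (safe to hand the path to -x)
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        return False
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        s.sendall(b"show info\n")
        reply = s.recv(4096)
    except (OSError, socket.timeout):
        return False
    finally:
        s.close()
    # A live HAProxy answers with "Name: HAProxy\n..."; any non-empty reply
    # is enough evidence that a process is serving the socket.
    return len(reply) > 0


def build_haproxy_cmd(config, pidfile, stats_socket, old_pids=()):
    """argv for a (re)load; -x is added only when the stats socket is live."""
    argv = ["haproxy", "-f", config, "-p", pidfile]
    if stats_socket_alive(stats_socket):
        argv += ["-x", stats_socket]
    if old_pids:
        argv += ["-sf", *map(str, old_pids)]
    return argv


def read_pids(pidfile):
    """PIDs listed in an haproxy pidfile (one per line); [] when absent."""
    try:
        with open(pidfile) as f:
            return [int(x) for x in f.read().split()]
    except FileNotFoundError:
        return []


def _fake_haproxy(path, connections=2):
    """Constructed stand-in for a live HAProxy: answers "show info" N times."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            conn.recv(64)
            conn.sendall(b"Name: HAProxy\nVersion: 1.7.8\n\n")
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def self_check():
    """Offline demonstration with constructed sockets; no HAProxy needed."""
    d = tempfile.mkdtemp()
    stale = os.path.join(d, "stale.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(stale)   # creates the socket file...
    s.close()       # ...and leaves it behind, as a killed haproxy would
    live = os.path.join(d, "live.sock")
    _fake_haproxy(live)
    cfg, pidf = "/etc/haproxy/haproxy.cfg", "/run/haproxy.pid"  # hypothetical
    return {
        "missing": stats_socket_alive(os.path.join(d, "none.sock")),
        "stale": stats_socket_alive(stale),
        "live": stats_socket_alive(live),
        "stale_cmd": build_haproxy_cmd(cfg, pidf, stale, [4242]),
        "live_cmd": build_haproxy_cmd(cfg, pidf, live, [4242]),
    }


if __name__ == "__main__":
    for name, value in self_check().items():
        print(name, value)
    # Real use: subprocess.call(build_haproxy_cmd(cfg, pidf, sock, read_pids(pidf)))
```

The probe only proves that something answers on the socket, not that the handover will succeed, so the exit status of the haproxy command still has to be checked as the script above does; what the probe removes is the blind "try -x, fail, delete, retry" dance for the common case of a socket file left behind by a dead process.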


Re: Need to understand logs

2017-09-07 Thread Aleksandar Lazic
Hi Rajesh.

Rajesh Kolli wrote on 07.09.2017:

> Hello,
>
> I have been using the HAProxy community version for a month, and I need
> to understand the HAProxy logs; for that I need your help.
>
> Here is a sample of my logs:

> Sep  6 17:03:31 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 1/2 DOWN.
> Sep  6 17:03:33 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.
> Sep  6 17:03:33 localhost haproxy[19389]: Server Netrovert-sites/DS-11-81-R7-CLST-Node2 is UP. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
>
> My doubts are: in the first line the health check is 1/2 DOWN and in the
> second line it is 3/3 UP, and in both cases the Layer4 check passed. How
> should I understand this? What exactly is it checking? What are these
> 1/2 and 1/3 values?
>
> Finally, is there any document to understand its logging?

There is a logging part in the doc but I haven't seen such entries in 
the document.

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8

Maybe you have activated
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20log-health-checks
in your config.


It would be nice to know which haproxy version you use.

haproxy -vv

-- 
Best Regards
Aleks
https://www.me2digital.com/
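
To decode lines of this shape mechanically, here is an added example in Python (not from the thread and not HAProxy's own code) that parses `option log-health-checks` output into fields and tracks per-server state over a log feed. The `status: x/y STATE` pair is the check counter measured against the threshold that would flip the state: while the server is DOWN, x of the y (`rise`) consecutive successes needed to mark it UP have been seen; while it is UP, x more consecutive failures, out of `fall` = y, would mark it DOWN. So the quoted `1/2 DOWN` line records the first of two required successes, and `3/3 UP` the server freshly UP with its full failure budget. "Layer4 check passed" means only that the TCP connection to the server succeeded, which is all a plain `check` without `option httpchk` tests. The first three sample lines are the ones quoted above, re-joined onto single lines; the fourth, a failed check carrying an `info:` field, is constructed to exercise the optional fields, and the request-log line in the test is constructed too.

```python
import re

# Layout of the two message kinds visible in the question, with the optional
# "code:" and "info:" fields HAProxy adds for layer 7 and connection errors.
CHECK_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: Health check for (?P<backup>backup )?server "
    r"(?P<backend>[^/ ]+)/(?P<server>\S+) (?P<result>succeeded|failed)"
    r", reason: (?P<reason>[^,]+)"
    r"(?:, code: (?P<code>\d+))?"
    r'(?:, info: "(?P<info>[^"]*)")?'
    r", check duration: (?P<duration_ms>\d+)ms"
    r", status: (?P<count>\d+)/(?P<threshold>\d+) (?P<state>UP|DOWN|DRAIN)\."
)
TRANSITION_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: Server (?P<backend>[^/ ]+)/(?P<server>\S+) "
    r"is (?P<state>UP|DOWN)[.,]"
)

# Constructed sample: the three lines quoted in the question (joined onto
# single lines) plus one made-up failed check that carries an info: field.
SAMPLE = [
    'Sep  6 17:03:31 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 1/2 DOWN.',
    'Sep  6 17:03:33 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.',
    'Sep  6 17:03:33 localhost haproxy[19389]: Server Netrovert-sites/DS-11-81-R7-CLST-Node2 is UP. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.',
    'Sep  6 17:09:01 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 2/3 UP.',
]


def explain(count, threshold, state):
    """Put the x/y counter into words (semantics described in the lead-in)."""
    if state == "DOWN":
        return "%d of the %d consecutive successes needed to mark it UP seen" % (count, threshold)
    return "%d more consecutive failures (fall=%d) would mark it DOWN" % (count, threshold)


def parse_line(line):
    """Dict for a health-check or state-change line, None for anything else."""
    m = CHECK_RE.search(line)
    if m:
        d = m.groupdict()
        count, threshold = int(d["count"]), int(d["threshold"])
        return {
            "kind": "check",
            "backend": d["backend"], "server": d["server"],
            "backup": d["backup"] is not None,
            "result": d["result"], "reason": d["reason"],
            "code": int(d["code"]) if d["code"] else None,
            "info": d["info"],
            "duration_ms": int(d["duration_ms"]),
            "count": count, "threshold": threshold, "state": d["state"],
            "meaning": explain(count, threshold, d["state"]),
        }
    m = TRANSITION_RE.search(line)
    if m:
        d = m.groupdict()
        return {"kind": "transition", "backend": d["backend"],
                "server": d["server"], "state": d["state"]}
    return None


def summarize(lines):
    """Return (last check event per backend/server, list of state changes).

    Lines that are not health-check messages (ordinary request logs, for
    instance) are skipped rather than rejected, since a syslog feed mixes them.
    """
    last, transitions = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = "%s/%s" % (ev["backend"], ev["server"])
        if ev["kind"] == "check":
            last[key] = ev
        else:
            transitions.append((key, ev["state"]))
    return last, transitions


if __name__ == "__main__":
    for line in SAMPLE:
        ev = parse_line(line)
        if ev["kind"] == "check":
            print("%s/%s %s: %s" % (ev["backend"], ev["server"], ev["result"], ev["meaning"]))
        else:
            print("%s/%s is now %s" % (ev["backend"], ev["server"], ev["state"]))
```

Feeding the real syslog file through summarize() gives the current counter position of every checked server and the list of UP/DOWN flips, which is the view the question is after; the "is UP"/"is DOWN" transition lines are logged regardless of `option log-health-checks`, so the second regex keeps working on a configuration that does not enable it.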




Re: AWS ELB with HA proxy showing 5XX errors

2017-09-07 Thread Michael Ezzell
On Sep 6, 2017 5:18 AM, "DHAVAL JAISWAL" wrote:

I have some queries as well. Will above configuration slow down request -
response or site performance ?


The configuration you have shown seems valid.

If this system is running in Amazon VPC, you can replace the nameserver IP
address with 169.254.169.253.  This is a resolver provided by the VPC
infrastructure that is always available regardless of the IPv4 CIDR block
of the VPC.  There should be no need for additional resolvers, since if
this isn't working, your instance's hypervisor has almost certainly failed
and the instance will have failed along with it.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html#AmazonDNS


Re: Kernel TLS for http/2

2017-09-07 Thread Aleksandar Lazic
Hi Willy,

Willy Tarreau wrote on 05.09.2017:

> Hi Aleks,

> On Mon, Sep 04, 2017 at 09:34:07AM +0200, Aleksandar Lazic wrote:
>> Hi,
>> 
>> Have anyone seen KTLS also?
>> 
>> https://lwn.net/Articles/666509/
>> 
>> https://netdevconf.org/1.2/papers/ktls.pdf
>> 
>> looks pretty interesting.

> As I already mentioned (I don't remember to whom), I really don't see *any*
> benefit in this approach and only problems in fact. By the way, others have
> attempted it in the past and failed.

> The intended purpose is to save memory copies. But memory copies cost very
> little compared to AES encryption, so the savings are very marginal, as the
> graph shows. The reality is that in order to increase the performance by
> only 5% :

>   - existing TLS application code will require modifications to be able to
> use both openssl and ktls

>   - as new algorithms are deployed, you'll have to switch back to openssl
> and disable kernel offloading for the time it takes to upgrade to a
> new kernel. FWIW we're seeing people install openssl 1.0.2 or 1.1.0
> on centos 7. This proves that userland moves faster than kernels. This
> problem could slow down adoption of new algorithms by the way, which is
> exactly what QUIC is fighting by moving all the TCP stack into the
> browser :-(

>   - the data to be encrypted are now transferred to the kernel and visible
> using strace. One could argue that it will help with debugging, but it
> is also sometimes useful on some production systems to know that strace
> remains a safe tool to use because you don't see clear text data.

>   - the application has less control over the TLS record size, which is
> critical to page load time as it allows browsers to parse contents on
> the fly without having to wait for a full transfer before decrypting.

> So for me it's attacking a non-problem and will cause new problems. I'm
> still not seeing any real benefit, I'm sorry. And you know that usually
> I'm the one trying to push stuff into the kernel to make things faster.
> It's just that *this* specific thing doesn't bring any obvious savings
> to me.

Thank you for the detailed answer.

I think that the solution could fit for some use cases; let's see how
this feature evolves.

> Cheers,
> Willy

-- 
Best Regards
Aleks




Need to understand logs

2017-09-07 Thread Rajesh Kolli
Hello,

I have been using the HAProxy community version for a month, and I need to
understand the HAProxy logs; for that I need your help.

Here is a sample of my logs:
Sep  6 17:03:31 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 1/2 DOWN.
Sep  6 17:03:33 localhost haproxy[19389]: Health check for server Netrovert-sites/DS-11-81-R7-CLST-Node2 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.
Sep  6 17:03:33 localhost haproxy[19389]: Server Netrovert-sites/DS-11-81-R7-CLST-Node2 is UP. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

My doubts are: in the first line the health check is 1/2 DOWN and in the
second line it is 3/3 UP, and in both cases the Layer4 check passed. How
should I understand this? What exactly is it checking? What are these 1/2
and 1/3 values?

Finally, is there any document to understand its logging?

-- 
Thanks & Regards
Rajesh Kolli