Hi Willy,
> This one seems to have missed 3 years of bugfixes
I've just done a "apt-get update && apt-get upgrade" successfully and reboot
the machine this week. I think the OS is fresh enough, but I'll try to upgrade
the kernal to a newer one. :-)
> I find this very strange here because the request time is high, indicating a
> reused keep-alive connection.
Yes, we enabled http keep-alive with a 5 minutes idle timeout. You can get my
full config file in my previous mail.
Also, we are using the long-polling mechanism to doing the message push (comet)
task. The long-polling request will be timed-out (return a empty http response)
within 285 seconds if there is no message to push to the client. Of course it
could be returned earlier if there are something to notify the client.
The HTTP long-polling API is "/FFC/App/lpWaitMessage", it should only appeared
in the "https-in" front-end. If you saw a large request time, as you said, it
maybe caused by a connection which previously doing a long-polling request has
been reused.
> When the problem happens, could you please try to dump the output of "show
> sess all" sent on the CLI ?
> So that makes me think that the output of one second of strace when the
> trouble appears will also help
It's very difficault, because I could not predict when it will happen
accurately. Anyway, I will give it a try.
> I remember having seen a kernel bug affecting epoll a long time ago where a
> deleted even was still reported...
Amm... I think it not the kernal's issue here. Because:
1. As I said, I've just done a update of it.
2. Our backend servers are all using the same Ubuntu 12.04 LTS Server image,
and all of them are using epoll + non-blocking IO + thread pool on linux. It's
working fine for many years, we have never seen any trouble on it.
3. Even if the epoll_wait have returned a invalid file descriptor, we still get
into a cpu exhausion here. As far as I can remembered:
3.1. epoll can works on two mode: "edge" triggered and "level" triggered. If we
are in level triggered mode, we must set the EPOLLONESHOT flag to avoid
duplicated events. Otherwise we need to set EPOLLET flag to turn it to edge
triggered mode.
3.2. The "events" field of the epoll event should be carefully checked before
using it.
3.3. Using epoll on a full-duplex connection need some special care. Or some
bad things may occured in some special event sequence (e.g.: read after write
fault, write after a read fault, etc.).
3.4. Maybe we have a loop to manipulate a invalid file descriptor incorrectly
(e.g.: Are we correctly processes all possiable return values and error codes
of some system call like read, write, close, etc.)?
> I find this quite strange but given that we had no such report in more than
> one year of 1.5 deployed everywhere
I remembered it firstly appeared after I upgraded haproxy to the 1.6.2, at that
time, I seems added some options to the config file:
timeout client-fin 10s # 对客户端连接完成 TCP 4 次挥手超时
timeout server-fin 5s # 对后端 Server 连接完成 TCP 4 次挥手超时
http-reuse always # 对不同的前端请求,尽量重用相同的后端空闲连接(1.6+)
The "http-reuse" option could be omitted because it's 1.6+ only and I have been
disabled it when downgrade to 1.5.15 and 1.5.14.
I have been upgrade back to 1.6.2 with all these three options disabled now,
waiting to see what will happen. If it appeared again, I'll upgrade the linux
kernel to the newest one of Ubuntu 12.04.
Thanks :-)
--
Best Regards
BaiYang
baiy...@gmail.com
http://baiy.cn
**** < END OF EMAIL > ****
From: Willy Tarreau
Date: 2015-11-20 17:26
To: baiyang
CC: Lukas Tribus; haproxy
Subject: Re: Re: CPU 100% when waiting for the client timeout
Hi,
On Fri, Nov 20, 2015 at 04:11:48PM +0800, baiyang wrote:
> Sorry for send it again, mail.formilux.org told me my attachment is too
> large: /var/spool/mail/archives-haproxy: error writing message: File too large
> So I striped it.
Thanks. I don't remember the file size limit but the list delivers to about
1000 persons so for sure we have to set sane limits.
> Unfortunately, we have been downgraded to 1.5.14, but the issue still there:
> HA-Proxy version 1.5.14 2015/07/02
> Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>
Ah interesting, at least it makes more sense!
> Build options :
(...)
I'm not seeing anything wrong there.
> # uname -a
> Linux WD-G0-SRP1 3.2.0-29-generic #46-Ubuntu SMP Fri Jul 27 17:03:23 UTC 2012
> x86_64 x86_64 x86_64 GNU/Linux
This one seems to have missed 3 years of bugfixes but anyway I don't see
how any kernel bug could make haproxy fail, and if it did we'd have to
find a workaround anyway (or a way to detect it).
> Again, there are some 15 minutes timeout records at the end of the spike:
> Nov 20 11:04:56 WD-G0-SRP1 haproxy[28443]: 125.71.115.147:15351
> [20/Nov/2015:10:48:43.099] http-in WebSvr/ws0 17791/0/0/3/973281 200 251352 -
> - CD-- 51/7/1/0/0 0/0 "GET /whitedolphin/wd.dbc.pdf HTTP/1.1"
> ...
> Nov 20 11:05:14 WD-G0-SRP1 haproxy[28443]: 125.71.115.147:15352
> [20/Nov/2015:10:48:43.106] http-in WebSvr/ws0 17550/0/0/3/991660 200 405432 -
> - CD-- 50/6/0/0/0 0/0 "GET /whitedolphin/wd.overview.pdf HTTP/1.1"
>
> But we also find a 15 minutes timeout at the early stage of the spike:
> Nov 20 10:52:31 WD-G0-SRP1 haproxy[28443]: 125.71.115.147:15231
> [20/Nov/2015:10:36:10.183] https-in~ g0n0/n0 52555/0/0/1/981749 200 138069 -
> - CD-- 29/24/11/11/0 0/0 "GET /mobile/lib/sencha-touch-all.js?v=1 HTTP/1.1"
Note, it's not a timeout in haproxy, the client closed first ('CD').
I find this very strange here because the request time is high,
indicating a reused keep-alive connection. If the total time is that
long, it probably means a low transfer rate, which doesn't make much
sense. This doesn't match an idle connection because idle connections
wouldn't produce a log. Or we're facing an asynchronous error that is
reported once we wake-up due to the timeout, though I have no idea when
this could happen.
Anyway your logs are very useful because they make me scratch my head.
> Again, We have been reviewed all log records involved in this case, and
> nothing special there, they are all working fine.
OK.
> I suspect if the connection is broken by a link level or physical level
> interruption (e.g.: 4G signal lost, Unplug the network cable, etc.), or other
> cases cause the Four-way handshake or even the RST signal could not to be
> sent.
I suspect it has something to do with the very long timeout. Maybe
we're facing an error while closing on timeout and we're looping on
this. I find this quite strange but given that we had no such report
in more than one year of 1.5 deployed everywhere, I'm trying to find
what could cause this. Network timeouts are fairly common these days
with mobile devices everywhere. Long connections are common as well
in certain environments (websocket, RDP, etc).
When the problem happens, could you please try to dump the output
of "show sess all" sent on the CLI ? Typically :
$ echo "show sess all" | socat - /var/run/haproxy.stat > all-sess.txt
(or wherever you put it).
Be careful, the list can be huge, no need to send it to the mailing list.
It may also disclose some IP information that you don't necessarily want
to disclose publicly. I'll be interested in matching this output against
the log line indicating the issue. The session's flags will greatly help.
> Then some infinity look (e.g.: spin lock?) may be triggered within the
> haproxy's timeout thread until it is surely timed out?
No, there's no lock, no thread or any such thing here. The fact that it
continues to work indicates a missed event that we attempt to process
and that cannot be processed.
Note, I remember having seen a kernel bug affecting epoll a long time
ago where a deleted even was still reported. It was a problem because
when epoll_wait() reports a non-existing file descriptor, you try to
close it but you can't, as it doesn't exist anymore. So that makes me
think that the output of one second of strace when the trouble appears
will also help :
$ strace -ttT -o haproxy-trace.txt -p $(pidof haproxy)Hi,
<wait one second>
[Ctrl-C]
You'll have to press Ctrl-C to stop it once you run it. It can be large
as well if the process is spinning. But it will also tell us a lot of
things.
Best regards,
Willy
