Hi guys,

On Thu, Jun 15, 2017 at 11:41:43AM +0200, Willy Tarreau wrote:
> On Thu, Jun 15, 2017 at 11:54:25AM +0300, Veiko Kukk wrote:
> > On 14/06/17 17:37, Willy Tarreau wrote:
> > > 
> > > Could you try to revert the attached patch which was backported to 1.6
> > > to fix an issue where nbproc and resolvers were incompatible ? To do
> > > that, please use "patch -Rp1 < foo.patch".
> > 
> > I have applied the patch. Now HAProxy is working as in the 1.6.11 version, no
> > requests time out.
> > 
> > > Also, have you noticed if your haproxy continues to work or if it loops
> > > at 100% CPU for example ?
> > 
> > No, there is no excessive CPU load.
> 
> OK thank you for this. Now I don't know what to think about it, because
> either it breaks a set of configs or another set :-/  Baptiste, could
> you please see how your change could have the effect described by Veiko ?

So I have more info on this now. Veiko, first, I'm assuming that your config
was using "resolvers dns_resolvers" on the "server" line, otherwise resolvers
are not used.

What I've seen when running your config here is that google responds both in
IPv4 and IPv6. And depending on your local network settings, if you can't
reach them over IPv6 after the address was updated, your connection might
get stuck waiting for the connect timeout to strike (10s in your conf,
multiplied by the number of retries). The way to address this is to add
"resolve-prefer ipv4" at the end of your server line, it will always pick
IPv4 addresses only.

Now as to why it changed after the fix, I'm speculating that it might be
that in fact till 1.6.11, most of the updates were lost, going to the wrong
process (due to nbproc being used), and that it caused the server's address
never to be changed. After the fix, the updates are properly delivered and
once you learn the IPv6 address the connections fail.

So in the end I think there's no regression, it's just that a bug was
silently hiding a config issue.

BTW (it was probably just for illustration purposes), please don't
use well-known services like google, yahoo or whatever for health checks. If
everyone does this, it will add a huge useless load to their servers. And
they can cut at any time making your service fail. We're already experiencing
this on haproxy.org and sometimes I simply have to blacklist some source IP
addresses to make them realise that it's not the best idea.

Cheers,
Willy
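
One way to check whether a backend hostname is in the situation described in the message above (AAAA records published, but the IPv6 path unreachable from the proxy host), as an added example that is not part of the original thread or of HAProxy. The names `probe_families` and `advise` and the injectable `resolve`/`connect` parameters are assumptions of this sketch.

```python
import socket
import sys

FAMILIES = {socket.AF_INET: "ipv4", socket.AF_INET6: "ipv6"}


def probe_families(host, port, timeout=3.0,
                   resolve=socket.getaddrinfo,
                   connect=socket.create_connection):
    """Try a TCP connect to every A/AAAA address of host.

    Returns {"ipv4": {addr: reachable}, "ipv6": {addr: reachable}}.
    resolve/connect are injectable (assumption of this example) so the
    logic can be exercised without network access.
    """
    report = {"ipv4": {}, "ipv6": {}}
    for family, _type, _proto, _canon, sockaddr in resolve(
            host, port, type=socket.SOCK_STREAM):
        name = FAMILIES.get(family)
        addr = sockaddr[0]
        if name is None or addr in report[name]:
            continue  # skip other families and duplicate records
        try:
            connect((addr, port), timeout=timeout).close()
            report[name][addr] = True
        except OSError:  # refused, unreachable, or timed out
            report[name][addr] = False
    return report


def advise(report):
    """Map a probe report to the server-line change discussed in the thread."""
    v4_ok = any(report["ipv4"].values())
    v6 = report["ipv6"]
    if v6 and not any(v6.values()) and v4_ok:
        return "IPv6 published but unreachable: add 'resolve-prefer ipv4'"
    if not v4_ok and not any(v6.values()):
        return "no address reachable: not an address-family problem"
    return "no family-specific problem found"


if __name__ == "__main__":
    # Usage: python probe.py <host> <port>
    rep = probe_families(sys.argv[1], int(sys.argv[2]))
    print(rep)
    print(advise(rep))
```

Run it from the machine that hosts the proxy, since reachability per address family depends on that host's network settings.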
