[Bug 1828496] Re: service haproxy reload sometimes fails to pick up new TLS certificates
** Changed in: haproxy (Ubuntu)
   Status: Expired => New

--
You received this bug notification because you are a member of Ubuntu Server, which is subscribed to haproxy in Ubuntu.
https://bugs.launchpad.net/bugs/1828496

Title:
  service haproxy reload sometimes fails to pick up new TLS certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1828496/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1828496] Re: service haproxy reload sometimes fails to pick up new TLS certificates
Going over the details from comment #7.

This is the state before the reload:

ubuntu@foo:~$ ps auxfwww | grep haproxy
root     1346  0.0  0.0   4356   684 ?  Ss  May22  0:00 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy  2210  0.0  0.2  42644 10520 ?  S   May22  0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 1378
haproxy  2215  2.7  0.8  68576 36308 ?  Ss  May22 84:46 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 1378

-sf means to send the finish signal (which is SIGTTOU and SIGUSR1 according to haproxy(1)) to the pids listed after it once startup is complete, which is pid 1378 in this case. There is no haproxy 1378 in this list, so I wonder if the "before" state was already a bit borked, and what haproxy does if the pids listed after -sf do not exist.

After reload, we have:

ubuntu@foo:~$ ps auxfwww | grep haproxy
root     1346  0.0  0.0   4356   724 ?  Ss  May22  0:00 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy  2210  0.0  0.2  42644 10520 ?  S   May22  0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 1378
haproxy  2215  2.7  0.8  68496 36228 ?  Ss  May22 84:47 | \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 1378
haproxy  8151  0.0  0.2  42644 10456 ?  S   07:36  0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 2215
haproxy  8152  2.0  0.2  43048 10568 ?  Ss  07:36  0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 2215
ubuntu@foo:~$

Here we can see new haproxy processes with -sf pointing at the previous 2215 one. The ones with -sf 1378 are still there, and will probably remain there until a full restart.
[Bug 1828496] Re: service haproxy reload sometimes fails to pick up new TLS certificates
Note that there is a systemd wrapper process in xenial:

  411 ?  Ss  0:00 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
  413 ?  S   0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
  432 ?  Ss  0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

After a reload (not restart), that particular process (411) stays, but its children, which are what actually serve the content, are restarted:

  411 ?  Ss  0:00 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
  671 ?  S   0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 432
  675 ?  Ss  0:00 \_ /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 432

Maybe there is a bad interaction between reload, certs, and existing connections. The tests I've done so far are rather static, with a simple frontend and backend.
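The two process listings above share one pattern: after a reload the new haproxy generation is started with `-sf <old worker pid>`, and the old generation is expected to exit once its connections drain. If it does not, the old worker (with the old certificate loaded in memory) keeps its listening sockets and can keep answering TLS handshakes. The script below is an added example, not code from this bug thread or from the haproxy project; it parses `ps axo pid,args`-style output and reports superseded workers that are still alive, as well as `-sf` targets that no longer exist (as with pid 1378 above). The sample input is constructed from the post-reload listing in the thread, reduced to the pid and args columns; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or haproxy itself): check whether an
# haproxy reload actually retired the previous generation of worker processes.
#
# Input format: one process per line, "<pid> <args...>", i.e. the output of
#   ps axo pid,args
# Live usage:   ps axo pid,args | haproxy_reload_check

set -eu

# For every haproxy process started with -sf, print one line per -sf target:
#   "<old_pid> alive <new_pid>"  the superseded worker is still running
#   "<old_pid> gone  <new_pid>"  the -sf target does not exist in the listing
haproxy_reload_check() {
    awk '
        # remember every pid seen so -sf targets can be checked for existence
        { pids[$1] = 1 }

        # only real haproxy workers (not haproxy-systemd-wrapper) with -sf
        $2 ~ /haproxy$/ && $0 ~ / -sf / {
            # everything after the first " -sf " is the list of pids to replace
            n = index($0, " -sf ")
            split(substr($0, n + 5), targets, " ")
            for (i in targets) {
                if (targets[i] ~ /^[0-9]+$/) sf[$1 " " targets[i]] = 1
            }
        }

        END {
            for (k in sf) {
                split(k, p, " ")
                status = (p[2] in pids) ? "alive" : "gone"
                printf "%s %s %s\n", p[2], status, p[1]
            }
        }
    ' | sort -u
}

# Only the pids of old workers that are still running although a newer
# generation was told to replace them; these are the ones that may still be
# serving the stale certificate.
stale_workers() {
    haproxy_reload_check | awk '$2 == "alive" { print $1 }' | sort -u
}

# Constructed sample: the post-reload listing from the thread, pid and args only.
SAMPLE_AFTER_RELOAD='1346 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
2210 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 1378
2215 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 1378
8151 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 2215
8152 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds -sf 2215'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AFTER_RELOAD" | haproxy_reload_check
printf 'stale workers: %s\n' "$(printf '%s\n' "$SAMPLE_AFTER_RELOAD" | stale_workers)"
```

On the sample, the check reports 1378 as `gone` (referenced by 2210 and 2215 but absent from the listing) and 2215 as `alive` (referenced by 8151 and 8152), so 2215 is the worker to watch: if it is still listed a reasonable drain interval after the reload, it is the process still answering with the old certificate. A complementary live check that the script does not do is to compare the fingerprint served on the frontend port (for example with `openssl s_client`) against the certificate file on disk.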