health check: gracefully handle GOAWAY in grpc health checker #11324
Conversation
|
/retest |
|
🔨 rebuilding |
jmuia
force-pushed
the
jmuia.grpc-hc-goaway
branch
from
dae6ee5 to
518fe68
Compare
|
/azp run envoy-presubmit |
|
Commenter does not have sufficient privileges for PR 11324 in repo envoyproxy/envoy |
|
@lizan These tests seem to be a flake. Or at least I can't seem to reproduce the failure locally with either bazel test //test/common/config:subscription_factory_impl_test
# or
./ci/do_ci.sh 'bazel.release' //test/common/config:subscription_factory_impl_testWould you mind taking a look, or kicking off the azure-pipeline tests again? |
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
jmuia
force-pushed
the
jmuia.grpc-hc-goaway
branch
from
518fe68 to
70263a6
Compare
| handleFailure(envoy::data::core::v3::NETWORK); | ||
| expect_reset_ = true; | ||
| request_encoder_->getStream().resetStream(Http::StreamResetReason::LocalReset); | ||
| received_goaway_ = true; |
There was a problem hiding this comment.
A one liner comment here about when this connection would eventually get closed would be nice. IIUC it's either on the next timeout or when the remote closes it?
There was a problem hiding this comment.
I'll add a comment. It would be closed when the active check completes (onRpcComplete) or other conditions like onResetStream and onTimeout.
| @@ -757,6 +763,8 @@ void GrpcHealthCheckerImpl::GrpcActiveHealthCheckSession::onRpcComplete( | |||
| handleFailure(envoy::data::core::v3::ACTIVE); | |||
| } | |||
|
|
|||
| const bool goaway = received_goaway_; | |||
There was a problem hiding this comment.
Mind adding a comment here explaining why we have to read the value here? Its a bit less clear than on L705 since we're not unconditionally calling resetState
| @@ -4529,21 +4529,176 @@ TEST_F(GrpcHealthCheckerImplTest, GrpcFailUnknownHealthStatus) { | |||
| cluster_->prioritySet().getMockHostSet(0)->hosts_[0]->health()); | |||
| } | |||
|
|
|||
| // Test receiving GOAWAY is interpreted as connection close event. | |||
| // Test receiving GOAWAY is handled gracefully while a check is in progress. | |||
There was a problem hiding this comment.
This tells me that the code intentionally treated GOAWAY as failures, which makes me wonder if this is the desired behavior for some? Does this mean that this should be configurable?
There was a problem hiding this comment.
This might depend on the reason for the GOAWAY? I.e. a NO_ERROR mid check might be fine as it's telling to drain, but not if it was an error.
There was a problem hiding this comment.
I see, that makes sense.
It looks like the GOAWAY error code isn't provided in the callback at the moment, but I think it would be reasonable to do that?
It seems that the onGoAway() callbacks are only fired once (see here), and - with error codes - we'd want to call them for each GOAWAY frame received. I'm not sure if that would be problematic. For reference it looks the "fire once" behaviour was added in #103.
It may also be worth mentioning that the http2 connection pool implementation doesn't change behaviour based on the GOAWAY error code at the moment (see here). It transitions the active client to the draining state if it has active requests.
There was a problem hiding this comment.
Right, if the GOAWAY error code is NO_ERROR we should just treat it as "don't reuse connection", not an error. We may have to add some additional error code info to the callback. Note that @antoniovicente just opened #11420, though IIRC nghttp2 does provide the reason code inside the frame here:
envoy/source/common/http/http2/codec_impl.cc
Line 582 in 5d8f7d7
There was a problem hiding this comment.
IRC nghttp2 does provide the reason code inside the frame here:
Yep - it looks like it's provided in frame->goaway.error_code and the debug data in frame->goaway.opaque_data
I'm happy to update the onGoAway() interface as part of this PR if @antoniovicente doesn't already have something started.
Does something along these lines look right?
# Maybe pass an Envoy-internal enum rather than the nghttp2 enum?
virtual void onGoAway(nghttp2_error_code error_code, absl::Span<uint8_t> debug_data) PURE;
There was a problem hiding this comment.
We should not leak nghttp2 specific structs to the public interface, so at least for the error code we should do a mapping. For your use case maybe just have an enum with {NO_ERROR, OTHER} and @antoniovicente can fill out more stuff later as needed?
There was a problem hiding this comment.
enum with {NO_ERROR, OTHER} sounds like a good start
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
jmuia
requested review from
dio,
jmarantz,
junr03,
lizan,
PiotrSikora and
zuercher
as code owners
This reverts commit 00a1fea. Signed-off-by: John Murray <[email protected]>
Revert "fix format with 'tools/code_format/check_format.py fix'"
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
| // notifications are the same as a normal GOAWAY. | ||
| if (frame->hd.type == NGHTTP2_GOAWAY && !raised_goaway_) { | ||
| // Shutdown notifications are the same as a normal GOAWAY. | ||
| if (frame->hd.type == NGHTTP2_GOAWAY) { |
There was a problem hiding this comment.
I'm not sure if this is fine or if we want to track which goaway error codes we've already seen, and run the callbacks once per error code.
There was a problem hiding this comment.
Is it expected to get multiple GOAWAY frames with different error codes? If yes, it seems bad only look at the first one, if no then we can probably keep the old logic.
There was a problem hiding this comment.
It is possible to receive GOAWAY frames with different error codes:
An endpoint MAY send multiple GOAWAY frames if circumstances change. For instance, an endpoint that sends GOAWAY with NO_ERROR during graceful shutdown could subsequently encounter a condition that requires immediate termination of the connection.
There was a problem hiding this comment.
Hmm in that case should the logic for failing the HC be that we see a NO_ERROR + no error GOAWAYs?
Also I'm not sure what the implications are of making onGoAway trigger multiple times per stream, maybe @mattklein123 or @alyssawilk has an idea? I'd be worried about invariants elsewhere relying on this being called at most once.
There was a problem hiding this comment.
Hmm in that case should the logic for failing the HC be that we see a NO_ERROR + no error GOAWAYs?
Hm, I don't quite follow, could you rephrase?
I'd be worried about invariants elsewhere relying on this being called at most once.
Agreed. It seems it was added in #103. I'm not sure if that was an optimization back then. I'm also not sure if it has become an expected behaviour (intentionally or not) since then.
There was a problem hiding this comment.
if (request_encoder_ && error_code == Http::GoAwayErrorCode::NoError) {
received_no_error_goaway_ = true;
return;
}
if a GOAWAY error follows a NO_ERROR then received_no_error_goaway_ would still be true. I was thinking that the logic should reset this flag if it saw an error frame.
There was a problem hiding this comment.
Ah, I see. I don't expect that to change the behaviour as it stands:
- If there isn't an active probe, the first (NO_ERROR) GOAWAY would've caused the connection to be closed (and we only set
received_no_error_goaway_ = true;when there's an active probe). - If there is an active probe, the stream reset will end up resetting state (
resetState()will be called byonResetStream()). - In general, I believe a connection close will end up resetting state because the
onResetStream()callbacks will run (from here).
I admit this isn't obvious / does feel a bit brittle -- happy to add a comment and/or reset the flag anyways.
There was a problem hiding this comment.
Friendly ping @mattklein123 @alyssawilk
There was a problem hiding this comment.
Sorry for the delay. My preference would be to not raise multiple goaways from the codec as I'm guessing there will be code that won't expect this and will break.
Can we just keep the previous behavior and not handle the case where multiple go away frames are received? We can potentially deal with this in a follow up if someone requests it?
There was a problem hiding this comment.
Thanks for the feedback - that seems reasonable to me. I've reverted that specific commit and added a TODO instead.
| @@ -1456,7 +1457,7 @@ TEST_P(Http2CodecImplTest, LargeRequestHeadersExceedPerHeaderLimit) { | |||
| request_headers.addCopy("big", long_string); | |||
|
|
|||
| EXPECT_CALL(request_decoder_, decodeHeaders_(_, _)).Times(0); | |||
| EXPECT_CALL(client_callbacks_, onGoAway()); | |||
| EXPECT_CALL(client_callbacks_, onGoAway(_)); | |||
There was a problem hiding this comment.
I don't completely follow why this test doesn't trigger onGoAway(_) to be called twice like the other one.
include/envoy/http/codec.h
Outdated
| @@ -36,6 +36,11 @@ const char MaxResponseHeadersCountOverrideKey[] = | |||
|
|
|||
| class Stream; | |||
|
|
|||
| enum class ErrorCode { | |||
There was a problem hiding this comment.
maybe call this GoAwayErrorCode? to make it clearer what kind of error codes are being modeled here
There was a problem hiding this comment.
👍 will update. Initially this enumerated all the error codes here, which are shared with RST_STREAM. But we've since undone that and there's already a separate Envoy-internal enum for stream resets.
| // notifications are the same as a normal GOAWAY. | ||
| if (frame->hd.type == NGHTTP2_GOAWAY && !raised_goaway_) { | ||
| // Shutdown notifications are the same as a normal GOAWAY. | ||
| if (frame->hd.type == NGHTTP2_GOAWAY) { |
There was a problem hiding this comment.
Is it expected to get multiple GOAWAY frames with different error codes? If yes, it seems bad only look at the first one, if no then we can probably keep the old logic.
| // The connection will be closed when the active check completes or another | ||
| // terminal condition occurs, such as a timeout or stream reset. | ||
| if (request_encoder_ && error_code == Http::ErrorCode::NoError) { | ||
| received_goaway_ = true; |
There was a problem hiding this comment.
maybe rename this to make it clear that we received a non-error GOAWAY?
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
| @@ -36,6 +36,11 @@ const char MaxResponseHeadersCountOverrideKey[] = | |||
|
|
|||
| class Stream; | |||
|
|
|||
| enum class GoAwayErrorCode { | |||
There was a problem hiding this comment.
sorry should have mention this but this should have a doc comment as its in include/
| // notifications are the same as a normal GOAWAY. | ||
| if (frame->hd.type == NGHTTP2_GOAWAY && !raised_goaway_) { | ||
| // Shutdown notifications are the same as a normal GOAWAY. | ||
| if (frame->hd.type == NGHTTP2_GOAWAY) { |
There was a problem hiding this comment.
Hmm in that case should the logic for failing the HC be that we see a NO_ERROR + no error GOAWAYs?
Also I'm not sure what the implications are of making onGoAway trigger multiple times per stream, maybe @mattklein123 or @alyssawilk has an idea? I'd be worried about invariants elsewhere relying on this being called at most once.
Signed-off-by: Joey Muia <[email protected]>
|
@snowp the CI failures look like flakes. Can you re-run them? |
This reverts commit 73e7308. Signed-off-by: Joey Muia <[email protected]>
Signed-off-by: Joey Muia <[email protected]>
|
/retest |
|
🤷♀️ nothing to rebuild. |
|
/azp run envoy-presubmit |
|
Commenter does not have sufficient privileges for PR 11324 in repo envoyproxy/envoy |
Signed-off-by: Joey Muia <[email protected]>
|
@snowp ready for another review. I reverted the commit that allowed multiple GOAWAYs and added a TODO instead. |
There was a problem hiding this comment.
Thanks, looks great. Will defer to @snowp for final review/merge.
…roxy#11324) Gracefully handle GOAWAY in gRPC health checker, allowing in-progress health checks to complete before closing the connection. Signed-off-by: Joey Muia <[email protected]> Co-authored-by: John Murray <[email protected]>
…roxy#11324) Gracefully handle GOAWAY in gRPC health checker, allowing in-progress health checks to complete before closing the connection. Signed-off-by: Joey Muia <[email protected]> Co-authored-by: John Murray <[email protected]> Signed-off-by: yashwant121 <[email protected]>
Commit Message:
Gracefully handle GOAWAY in gRPC health checker, allowing in-progress healthchecks to complete before closing the connection.
Additional Description:
We've observed failures in our production and integration testing environments due to the gRPC health checker interpreting GOAWAYs as a health check failure. As an example, if all endpoints in an upstream cluster drain their incoming connections at the same time (eg. listener config change) a grpc healthcheck client with
unhealthy_threshold=1will see the entire cluster become unhealthy, which is undesirable.This is my first contribution to Envoy, and would appreciate a close eye for edge cases I may have missed!
Risk Level: low/medium
Testing: added unit tests, ran (failing) grpc hc internal integration test with this patch which passed
Docs Changes: n/a
Release Notes: n/a
Signed-off-by: Joey Muia [email protected]