Data Plane API is killed by SIGTERM in openshift#329
Description
Introduction
I try to run haproxy in front of craftcms and want to use the Data Plane API for management.
Data Plane API infos
This is the dataplane api version.
curl -vLo dataplaneapi-haproxy-v2.9.1.tar.gz \ https://github.com/haproxytech/dataplaneapi/archive/refs/tags/v2.9.1.tar.gzDue to the fact that the trace output of the dataplaneapi binary was not very helpful have I added this lines to the code which creates the output below.
original code
dataplaneapi/client-native/cn.go
Lines 95 to 103 in 14ab8aa
my "patch"
# client-native/cn.go:96 } else{// if nbproc is not set, use master socket with 1 processout, myerr:=exec.Command("ls", "-la", "/data/haproxy/run/master-socket").Output() ifmyerr!=nil{fmt.Printf("%s", myerr) } fmt.Println("Command Successfully Executed") output:=string(out[:]) fmt.Println(output) ms:=runtime_options.MasterSocket(masterSocket, 1) runtimeClient, err=runtime_api.New(ctx, mapsDir, ms) iferr==nil{returnruntimeClient } log.Warningf("Error setting up runtime client with master socket (1): %s : %s", masterSocket, err.Error()) }That's the output when I run the HAProxy with the dataplane api
alex@CPC-aleks-RW2GP on 02/04/2024 at 22:49:17_UTC /mnt/c/local_data/git-repos/craftcms_k8s$ oc -n craftcms logs craftcms-hap-b87b89874-ppssv [NOTICE] (1) : New program 'api' (8) forked [NOTICE] (1) : New worker (9) forked [NOTICE] (1) : Loading success. [WARNING] (9) : fcgi-servers/craftcms1 changed its IP from (none) to 10.129.2.11 by kube-dns/dns1. fcgi-servers/craftcms1 changed its IP from (none) to 10.129.2.11 by kube-dns/dns1. [WARNING] (9) : Server fcgi-servers/craftcms1 ('craftcms-php.craftcms.svc.cluster.local') is UP/READY (resolves again). Server fcgi-servers/craftcms1 ('craftcms-php.craftcms.svc.cluster.local') is UP/READY (resolves again). [WARNING] (9) : Server fcgi-servers/craftcms1 administratively READY thanks to valid DNS answer. Server fcgi-servers/craftcms1 administratively READY thanks to valid DNS answer. configuration file /data/haproxy/etc/dataplaneapi.yaml does not exists, creating one time="2024-04-02T22:49:16Z" level=info msg="Build from: " time="2024-04-02T22:49:16Z" level=info msg="HAProxy Data Plane API .dev.dirty" time="2024-04-02T22:49:16Z" level=info msg="Build date: 2024-04-02T22:45:03Z" time="2024-04-02T22:49:16Z" level=info msg="Reload strategy: custom" Command Successfully Executed srwxr-xr-x. 1 1000940000 root 0 Apr 2 22:49 /data/haproxy/run/master-socket time="2024-04-02T22:49:16Z" level=warning msg="Error setting up runtime client with master socket (1): /data/haproxy/run/master-socket;sockpair@7 : dial unix /data/haproxy/run/master-socket;sockpair@7: connect: no such file or directory" [NOTICE] (1) : haproxy version is 2.9.6-9eafce5 [NOTICE] (1) : path to executable is /usr/local/sbin/haproxy [ALERT] (1) : Current program 'api' (8) exited with code 1 (Exit) [ALERT] (1) : exit-on-failure: killing every processes with SIGTERM [ALERT] (1) : Current worker (9) exited with code 143 (Terminated) [WARNING] (1) : All workers exited. Exiting... (1)My observations
This line confuses me
time="2024-04-02T22:49:16Z" level=warning \ msg="Error setting up runtime client with master socket (1): \ /data/haproxy/run/master-socket;sockpair@7 : \ dial unix /data/haproxy/run/master-socket;sockpair@7: \ connect: no such file or directory" because the ls before the command runtime_api.New(...) shows that the socket is there.
srwxr-xr-x. 1 1000940000 root 0 Apr 2 22:49 /data/haproxy/run/master-socketand I can execute the help command on the master socket
alex@CPC-aleks-RW2GP on 02/04/2024 at 23:11:02_UTC /mnt/c/local_data/git-repos/craftcms_k8s$ oc -n craftcms rsh --shell /bin/bash craftcms-hap-b87b89874-ddxs8 groups: cannot find name for group ID 1000940000 1000940000@craftcms-hap-b87b89874-ddxs8:/$ echo"help"|socat /data/haproxy/run/master-socket - The following commands are valid at this level: @!<pid>: send a command to the <pid> process @<relative pid>: send a command to the <relative pid> process @master : send a command to the master process hard-reload : achieve a hard-reload (-st) of haproxy operator : lower the level of the current CLI session to operator reload : achieve a soft-reload (-sf) of haproxy show cli level : display the level of the current CLI session show cli sockets : dump list of cli sockets show proc : show processes status show startup-logs : report logs emitted during HAProxy startup show version : show version of the current process user : lower the level of the current CLI session to user help [<command>] : list matching or all commands prompt [timed] : toggle interactive mode with prompt quit : disconnectMy assumption is that dataplaneapi tries to connect to /data/haproxy/run/master-socket;sockpair@7 which of course does not exist.
Important
When is the ;sockpair@7 added to the master-socket?
haproxy infos
haproxy run
This is how the haproxy is started.
oc -n craftcms exec craftcms-hap-b87b89874-ddxs8 -- ps axf PID TTY STAT TIME COMMAND 24 ? Rs 0:00 ps axf 1 ? Ss 0:00 haproxy -f /data/haproxy/etc/haproxy.cfg -db -W -S /data/haproxy/run/master-socket 8 ? Sl 0:01 haproxy -f /data/haproxy/etc/haproxy.cfg -db -W -S /data/haproxy/run/master-sockethaproxy config
#--------------------------------------------------------------------- # Global settings #--------------------------------------------------------------------- global log stdout format raw daemon debug pidfile /data/haproxy/run/haproxy.pid master-worker stats socket /data/haproxy/run/stats mode 660 level admin expose-fd listeners resolvers kube-dns nameserver dns1 dns-default.openshift-dns.svc.cluster.local:53 accepted_payload_size 4096 resolve_retries 3 timeout resolve 1s timeout retry 1s hold other 30s hold refused 30s hold nx 30s hold timeout 30s hold valid 10s hold obsolete 30s #--------------------------------------------------------------------- # common defaults that all the 'listen' and 'backend' sections will # use if not designated in their block #--------------------------------------------------------------------- defaults mode http balance leastconn log global option httplog option dontlognull option log-health-checks option redispatch retries 3 timeout http-request 10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s userlist haproxy-dataplaneapi user admin insecure-password mypassword # program api command /usr/bin/dataplaneapi -f=/data/haproxy/etc/dataplaneapi.yaml --log-to=stdout --log-level=trace --spoe-dir=/data/haproxy/spoe --maps-dir=/data/haproxy/maps --ssl-certs-dir=/data/haproxy/ssl --general-storage-dir=/data/haproxy/general --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /data/haproxy/etc/haproxy.cfg --reload-cmd "kill -SIGUSR2 1" --restart-cmd "kill -SIGUSR2 1" --reload-delay 5 --userlist haproxy-dataplaneapi --socket-path=/data/haproxy/run/data-plane.sock no option start-on-reload #--------------------------------------------------------------------- # main frontend which proxys to the backends #--------------------------------------------------------------------- frontend craft-cms bind *:8080 tcp-request inspect-delay 5s tcp-request content accept if HTTP monitor-uri /health http-request deny if{path_sub -i %0a %0d } http-request deny if{hdr_len(content-length) 0 } http-request del-header Proxy http-request set-header Host %[req.hdr(Host),lower] acl exist-php-ext path_sub -i .php http-request set-path /index.php%[path] if !exist-php-ext !{path_end .php } http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" default_backend fcgi-servers listen stats bind *:1936 monitor-uri /healthz http-request use-service prometheus-exporter if{path /metrics } stats enable stats uri / backend fcgi-servers option httpchk http-check connect proto fcgi http-check send meth GET uri /fpm-ping use-fcgi-app php-fpm # https://www.haproxy.com/blog/circuit-breaking-haproxy server-template craftcms 5 craftcms-php.craftcms.svc.cluster.local:9000 proto fcgi check resolvers kube-dns init-addr none observe layer7 error-limit 5 on-error mark-down inter 10s rise 30 slowstart 40s fcgi-app php-fpm log-stderr global option keep-conn option mpxs-conns option max-reqs 10 docroot /app/web index index.php path-info ^(/.+\.php)(/.*)?$ Output of haproxy -vv
haproxy -vv HAProxy version 2.9.6-9eafce5 2024/02/26 - https://haproxy.org/ Status: stable branch - will stop receiving fixes around Q1 2025. Known bugs: http://www.haproxy.org/bugs/bugs-2.9.6.html Running on: Linux 5.14.0-284.52.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Jan 30 08:35:38 EST 2024 x86_64 Build options : TARGET = linux-glibc CPU = generic CC = cc CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment OPTIONS = USE_PTHREAD_EMULATION=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_TFO=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_QUIC_OPENSSL_COMPAT=1 DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX +PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=8). Built with OpenSSL version : OpenSSL 3.0.2 15 Mar 2022 Running on OpenSSL version : OpenSSL 3.0.2 15 Mar 2022 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 OpenSSL providers loaded : default Built with Lua version : Lua 5.4.4 Built with the Prometheus exporter as a service Built with network namespace support. Built with libslz for stateless compression. Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with PCRE2 version : 10.39 2021-10-29 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with gcc compiler version 11.4.0 Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available multiplexer protocols : (protocols marked as <default> cannot be specified using 'proto' keyword) quic : mode=HTTP side=FE mux=QUIC flags=HTX|NO_UPG|FRAMED h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG <default> : mode=HTTP side=FE|BE mux=H1 flags=HTX h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG <default> : mode=TCP side=FE|BE mux=PASS flags= none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG Available services : prometheus-exporter Available filters : [BWLIM] bwlim-in [BWLIM] bwlim-out [CACHE] cache [COMP] compression [FCGI] fcgi-app [SPOE] spoe [TRACE] trace Dockerfile
That's the Dockerfile of the image.
FROM haproxytech/haproxy-ubuntu:2.9 COPY container-files/ / RUN set -x \ && cp /usr/bin/dataplaneapi /usr/bin/dataplaneapi.orig \ && cp /data/haproxy/bin/dataplaneapi /usr/bin/dataplaneapi \ && mkdir -p /data/haproxy/etc \ /data/haproxy/run \ /data/haproxy/maps \ /data/haproxy/ssl \ /data/haproxy/general \ /data/haproxy/spoe \ && chown -R 1001:0 /data \ && chmod -R g=u /data \ && /usr/bin/dataplaneapi -v USER 1001