LBaaS: connection limit does not work with HA Proxy

Per the haproxy documentation here: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-maxconn

maxconn on the frontend is a valid configuration.

More information would be required to debug.
What version of haproxy do you have installed?
What driver are you using?

Even with the new info, we're not doing much else with the old namespace driver.

haproxy-1.5.14-3.el7.x86_64 and LBaaS v1 API．

I set connection_limit to 50000.

# neutron lb-vip-show 75a12b66-9d2a-4a68-962e-ec9db8c3e2fb
+---------------------+-----------------------------------------------------+
| Field | Value |
+---------------------+-----------------------------------------------------+
| address | 192.168.10.20 |
| admin_state_up | True |
| connection_limit | 50000 |
| description | ossvert lb vip |
| id | 75a12b66-9d2a-4a68-962e-ec9db8c3e2fb |
| name | ossvert-vip |
| pool_id | fb8ba6e3-71a4-47dd-8a83-2978bafea6e7 |
| port_id | 0dab638b-e03b-4598-8285-c094938b1a93 |
| protocol | HTTP |
| protocol_port | 80 |
| session_persistence | {"cookie_name": "JSESSIONID", "type": "APP_COOKIE"} |
| status | ACTIVE |
| status_description | |
| subnet_id | 7845c833-beef-405c-a575-10bf21530992 |
| tenant_id | c2a36e1cdf654de58673cfcfcaa53081 |
+---------------------+-----------------------------------------------------+

As far as I checked haproxy configuration with socat, it did not affect haproxy configuration.

# socat readline /var/lib/neutron/lbaas/fb8ba6e3-71a4-47dd-8a83-2978bafea6e7/sock
show info
Name: HAProxy
Version: 1.5.14
Release_date: 2015/07/02
Nbproc: 1
Process_num: 1
Pid: 23847
Uptime: 0d 0h41m58s
Uptime_sec: 2518
Memmax_MB: 0
Ulimit-n: 4033
Maxsock: 4033
Maxconn: 2000
Hard_maxconn: 2000
CurrConns: 0
CumConns: 1803
CumReq: 76741
MaxSslConns: 0
CurrSslConns: 0
CumSslConns: 0
Maxpipes: 0
PipesUsed: 0
PipesFree: 0
ConnRate: 0
ConnRateLimit: 0
MaxConnRate: 10
SessRate: 0
SessRateLimit: 0
MaxSessRate: 10
SslRate: 0
SslRateLimit: 0
MaxSslRate: 0
SslFrontendKeyRate: 0
SslFrontendMaxKeyRate: 0
SslFrontendSessionReuse_pct: 0
SslBackendKeyRate: 0
SslBackendMaxKeyRate: 0
SslCacheLookups: 0
SslCacheMisses: 0
CompressBpsIn: 0
CompressBpsOut: 0
CompressBpsRateLim: 0
ZlibMemUsage: 0
MaxZlibMemUsage: 0
Tasks: 8
Run_queue: 1
Idle_pct: 100
node: network
description:

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/279402
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

[Expired for neutron because there has been no activity for 60 days.]

Resurrecting this bug, since we ran into it. It looks like maxconn in HAproxy is a bit more nuanced: the global maxconn setting will cause HAProxy is used to compute the maximum number of socket and file descriptor ulimits, while the listener maxconn is used to limit connections on a specific listener. The global maxconn setting should equal or greater than the sum of the maxconn for each listener. This can be verified by observing the file descriptor limits in /proc/$PID/limits once HAproxy has started.

Fix proposed to branch: master
Review: https://review.openstack.org/341806

Reviewed: https://review.openstack.org/341806
Committed: https://git.openstack.org/cgit/openstack/neutron-lbaas/commit/?id=56b8a621509af9688e6fcaa98e511702d68ba0b2
Submitter: Jenkins
Branch: master

commit 56b8a621509af9688e6fcaa98e511702d68ba0b2
Author: Dustin Lundquist <email address hidden>
Date: Wed Jul 13 13:54:44 2016 -0700

    haproxy ns driver: set global haproxy maxconn

    Haproxy uses two separate maxconn values: the maxconn setting in the
    global context is used to adjust file descriptor limits and allocate
    resources, while the maxconn setting in the frontend context controls
    if additional connections are accepted on that frontend.

    This patch adds a maxconn to the global context equal to the sum of the
    connection limit on each listener.

    Change-Id: I950abaed780d7df33f0ab5c682bf583aa581889f
    Closes-Bug: 1544861

Can this be backported to Mitaka?

The fix was reverted here: https://review.openstack.org/#/c/345444/

This issue was fixed in the openstack/neutron-lbaas 9.0.0.0b3 development milestone.

Why was this patch reverted? I do not find any bugs associated with https://review.openstack.org/#/c/345444/

Can one of the admins reopen this defect since the changes are reverted back?

@ssrikant the patch was reverted because it caused a gate failure in Heat.

Re-opened this bug as the patch had to be reverted. Revert patch with details: https://review.openstack.org/#/c/345444/

Fix proposed to branch: master
Review: https://review.openstack.org/369088

Reviewed: https://review.openstack.org/369089
Committed: https://git.openstack.org/cgit/openstack/octavia/commit/?id=f37b3e5422aecd9dc34192911262d0fa03800fb2
Submitter: Jenkins
Branch: master

commit f37b3e5422aecd9dc34192911262d0fa03800fb2
Author: Stephen Balukoff <email address hidden>
Date: Mon Sep 12 17:16:30 2016 -0700

    Set haproxy global connection limit

    Haproxy uses two separate maxconn values: the maxconn setting in the
    global context is used to adjust file descriptor limits and allocate
    resources, while the maxconn setting in the frontend context controls if
    additional connections are accepted on that frontend.

    This patch adds a maxconn to the global context equal to the sum of the
    connection limit on each listener. For listeners which no connection
    limit specified, we don't set this value and leave it at haproxy's
    default (2000).

    Change-Id: I30f3cf5f469db953a0002721a315f02694621b7d
    Partial-Bug: #1544861

Reviewed: https://review.openstack.org/369088
Committed: https://git.openstack.org/cgit/openstack/neutron-lbaas/commit/?id=a792d8906c6c39a1097e9c8c0ab9fb0ce5aedbe3
Submitter: Jenkins
Branch: master

commit a792d8906c6c39a1097e9c8c0ab9fb0ce5aedbe3
Author: Dustin Lundquist <email address hidden>
Date: Wed Jul 13 13:54:44 2016 -0700

    haproxy ns driver: set global haproxy maxconn

    Haproxy uses two separate maxconn values: the maxconn setting in the
    global context is used to adjust file descriptor limits and allocate
    resources, while the maxconn setting in the frontend context controls if
    additional connections are accepted on that frontend.

    This patch adds a maxconn to the global context equal to the sum of the
    connection limit on each listener. For listeners which no connection
    limit specified, the haproxy default global connection limit (2000
    connections) is used. This way we provide the same behavior as a default
    haproxy configuraiton which no connection limit specified in the case of
    a single load balancer.

    Change-Id: Icc63771ed15a7f718dab0389c1fb63d628896e0a
    Partial-Bug: 1544861

Doesn't seem critical for Mitaka that is critical/cve only now.