kolla-ansible

Unsettable keep-alive timeout in haproxy

Bug #1892622 reported by Radosław Piliszek
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kolla-ansible
Fix Released
Medium
Radosław Piliszek

Bug Description

Kolla-Ansible does not set `timeout http-keep-alive` in HAProxy config (and does not allow to) which results in it being always defaulted to `timeout http-request` [1].
`timeout http-request` is set by Kolla-Ansible by default to 10 seconds. It protects servers against slowloris attacks and is generally preferred to be very short (one could argue 10 seconds is too generous, 3-5 is probably apter).
However, this same timeout might not be apt for keep-alive connections.

Considering backends:
eventlet-based services have one simple timeout being a socket timeout on read and write operations. It defaults to 15 minutes; for keep-alive capped by HAProxy to 10 seconds now.
httpd-based services recently got a bump from 5 seconds to 60 seconds, effectively bumping it to only 10 seconds per HAProxy's hard limit.

[1] https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-timeout%20http-keep-alive

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/747592

Changed in kolla-ansible:
assignee: nobody → Radosław Piliszek (yoctozepto)
status: Triaged → In Progress
Revision history for this message
Radosław Piliszek (yoctozepto) wrote :

Mark has rightfully observed that, still, HAProxy deals with backend connections independently so it may reuse them for different clients if they are persistent (aka keep-alive).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/747592
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=8228b5ea1295e7cc99bfad7305fecf946a110dcd
Submitter: Zuul
Branch: master

commit 8228b5ea1295e7cc99bfad7305fecf946a110dcd
Author: Radosław Piliszek <email address hidden>
Date: Sun Aug 23 20:33:51 2020 +0200

    Make keep-alive timeout configurable

    Change-Id: Iffadcddfb70650cdf4c6c4d9ec3b7471d63f5ff8
    Closes-Bug: #1892622

Changed in kolla-ansible:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.