Set the puma persistent_timeout higher than nginx #2191
Conversation
ismarc
force-pushed
the
fix-keepalive-missmatch
branch
from
4026019 to
a7dfed5
Compare
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
CHANGELOG.md
Outdated
| @@ -26,6 +26,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
| - Upgrade Puma to 4.3.8 to resolve | |||
| [CVE-2021-29509](https://nvd.nist.gov/vuln/detail/CVE-2021-29509). | |||
|
|
|||
| ### Fixed | |||
| - Specify keepalive timeout for puma to be longer than proxy and load balancers | |||
There was a problem hiding this comment.
Lists should be surrounded by blank lines
ismarc
force-pushed
the
fix-keepalive-missmatch
branch
from
a7dfed5 to
d1b5e1e
Compare
| @@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
| - Fix bug where running `conjurctl server` or `conjurctl account create` with | |||
| passwords that contain `,`s sent via stdin raised an error. | |||
| [cyberark/conjur#2159](https://github.com/cyberark/conjur/issues/2159) | |||
| - Specify keepalive timeout for puma to be longer than proxy and load balancers | |||
There was a problem hiding this comment.
can you link to an issue please?
There was a problem hiding this comment.
how does this change affect the user?
There was a problem hiding this comment.
I've added links to known-related issues in the description. The effect should be to prevent the random and spurious 502 errors frequently seen when running conjur behind a load balancer/nginx/proxy due to mismatched keepalive times, but otherwise users should not see behavioral changes. The issue was discovered for the ConjurOps v5 deployment, but is a symptom that has been seen pretty frequently in other contexts and always chalked up to transient issues.
ismarc
force-pushed
the
fix-keepalive-missmatch
branch
from
d1b5e1e to
5da9c55
Compare
If the load balancer/proxy/server in front of Conjur has a longer timeout than Conjur, there will be 502s as Conjur will close the connection even if there are pending requests. This can lead to it being marked unavailable, errors returned to the client and performance issues as nginx/load balancer in front of it
ismarc
force-pushed
the
fix-keepalive-missmatch
branch
from
5da9c55 to
8a2602f
Compare
|
Code Climate has analyzed commit 8a2602f and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.2% (0.0% change). View more on Code Climate. |
|
@ismarc sent me this little tweak for some flakiness I observed while trying to use the seed-fetcher with an AWS auto-scaling group. Note that in my setup, I did NOT have a load balancer in front of my leader, my followers connected directly to it. I had regular failures with deployed followers where some wouldn't get the seed file at all. This seemed to get markedly worse after I exceeded 30 followers (with |
If the load balancer/proxy/server in front of Conjur has
a longer timeout than Conjur, there will be 502s as Conjur will
close the connection even if there are pending requests. This
can lead to it being marked unavailable, errors returned to the
client and performance issues as nginx/load balancer in front of it
What does this PR do?
persistent_timeoutvalue that should be higher than any load balancer or proxy in front of Conjur. The default value is 20 seconds, shorter than nginx and most load balancer default values.What ticket does this PR close?
Resolves
Potentially solves symptoms associated with
Checklists
Change log
Test coverage
Documentation
READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, orAPI Changes