Fix #672: Add health monitoring for backend servers.

[aleksostapenko]

No description provided.

[krizhanovsky]

Good to merge after several clenups. Don't forget to close #683 since it isn't mentioned in the patch title.

[krizhanovsky]

I just noticed that APM configuration isn't documented on our Wiki at all, so please update https://github.com/tempesta-tech/tempesta/wiki/Configuration and https://github.com/tempesta-tech/tempesta/wiki/Performance-monitoring chapters. The last one also requires description on the logic from tasks #672 and #683, however probably the chapter for backend servers also must be updated.

Also please create a test issues for #672 and #683. The test must at least test following:

1. all the new configuration options
2. a server returning error response must not be scheduled, but only for configured error responses
3. after some time, when server stops return error responses, it receives requests again
4. procfs statistic must be verified for enabled and disabled server states

[aleksostapenko]

@krizhanovsky Done. Test created. Wiki:

1. https://github.com/tempesta-tech/tempesta/wiki/Health-monitor created.
2. https://github.com/tempesta-tech/tempesta/wiki/Servers:-Tempesta's-side updated.
3. https://github.com/tempesta-tech/tempesta/wiki/Servers-statistics updated.
4. https://github.com/tempesta-tech/tempesta/wiki/APM created.

[krizhanovsky]

Please place the members to minimize alignment holes

[aleksostapenko]

Corrected.

[krizhanovsky]

"configureation' -> "configuration"

[aleksostapenko]

Corrected

[krizhanovsky]

The function is partial copy & paste from tfw_http_msg_alloc(). Moreover, it's body is generic enough, but it's named with "hwmonitor" suffix. Please unify it with tfw_http_msg_alloc().

[aleksostapenko]

Corrected.

[krizhanovsky]

Please place a space between if and opening brace. Also it's better to write such loops like

if (strcasecmp(name, hm->name))
     continue;
// the if body

[aleksostapenko]

Corrected.

[krizhanovsky]

Later it'll be unclear what requests without a connection are, so please write a comment, or, better since there are a few such places, write a small function for the requests deletion.

[aleksostapenko]

Corrected. Replaced these pointer checks with TFW_HTTP_HMONITOR request flag verification, according to #877 (comment).

[krizhanovsky]

Please add an appropriate unit test to t/unit/test_tfw_str.c

[aleksostapenko]

Removed this function. tfw_str_to_cstr() used instead.

[vankoven]

Mostly the patch is good, but i don't really like new hmonitor parameter in scheduling functions and frequent checks for requests without origin connections. This should be discussed in comments before merging

[vankoven]

Extra empty line is not needed here

[aleksostapenko]

Corrected.

[vankoven]

Not a real issue, just a notice. tfw_apm_create() may fail due to improper input values (hm, tfw_hm_codes_cnt) in addition to lack of free memory. You can pass actual error code in pointer by using ERR_PTR() macro and check it using IS_ERR() macro. It's widely used across kernel and TempestaFW code.

[aleksostapenko]

Removed hm argument from tfw_apm_create(), due to reconfiguration changes.

[vankoven]

It's not clear for the first sight why we must take into account the first digit in status (status / 100), comment is required here. Also documentation of code field of the TfwApmHMCfg should be extended to cover all possible values: 4* and 5* masks in addition to exact status codes.

Explicit casting to int is not requited since status is already int.

[aleksostapenko]

Corrected.

[vankoven]

ce->vals[0|1|2] is non NULL if tfw_cfg_check_val_n(ce, 3) conditions has met.

[aleksostapenko]

Corrected.

[vankoven]

Checking for req->conn here and in many other places seems a little bit hacky. Isn't it better to introduce some flag for TfwHttpReq to indicate that the request was issued by TempestaFW it self and not by the end user.
With that flag you can also remove newly added hmonitor operand in sched_srv_conn() functions.

TempestaFW will generate more requests form it's own in the future, e.g. conditional requests to backend servers, so it's likely that we will need some way to distinguish requests from Tempesta and end clients.

[aleksostapenko]

Corrected. TFW_HTTP_HMONITOR request flag introduced.

[vankoven]

It's better to find out first is the request from client or from hmonitor and then chose the right scheduling function: generic scheduling (can be slow) or scheduling to the same server (the fastest way).

[aleksostapenko]

Corrected.

[vankoven]

Why not use tfw_str_to_cstr() here?

[aleksostapenko]

Yes, missed that handy function. Thanks.
Corrected.

[keshonok]

The error message is confusing and doesn't report the actual reason for the error. Both of these configuration options are marked as allow_none which means that they can be skipped. So the actual error here, I believe, is that at least one of these (or both, for that matter) must be configured.

[aleksostapenko]

@keshonok Thank you for review.

[aleksostapenko]

Corrected.

[keshonok]

I believe, that If the request option has a default value, then it's logical that this option should have a default value as well.

[aleksostapenko]

Corrected.

[keshonok]

helth -> health

[aleksostapenko]

Corrected.

[keshonok]

My understanding is that these two checks are congenerical - about a very similar thing, simple, and logically in the same realm. Usually there's no need for an empty line between checks like these as they are not logically separated. There's lot of examples in the code for this.

[aleksostapenko]

Corrected (and two cases below too).

[keshonok]

My understanding is that these two checks are congenerical - about a very similar thing, simple, and logically in the same realm. Usually there's no need for an empty line between checks like these as they are not logically separated. There's lot of examples in the code for this.

[keshonok]

My understanding is that these two checks are congenerical - about a very similar thing, simple, and logically in the same realm. Usually there's no need for an empty line between checks like these as they are not logically separated. There's lot of examples in the code for this.

[keshonok]

These changes leave a strange feeling of being half-done. On one hand, the new argument allows for creating of special messages without the header table that is required for the parser. On the other hand, the parser is still initialized regardless of that in the code that follows. Then, there's tfw_http_msg_alloc_err_resp() that basically does the same thing but it's still there and not removed.

Now the new argument is required for all allocations, and it looks somewhat ugly.

I believe this (and related) code should be refactored. The original top-level interface should stay the same in the form of tfw_http_msg_alloc(int type). A different interface should be introduced for messages that are not going through the parser AND are not modified - which are the messages that are fully prepared from scratch by Tempesta. Perhaps, internally, these two different sets of interfaces may use the same common code - either by calling some inline functions or with macros. tfw_http_msg_alloc_err_resp() would be superseded with the new interface.

Perhaps, you could call it tfw_http_msg_alloc_light() - nothing better comes to mind right now.

[aleksostapenko]

Done.

[keshonok]

Perhaps, hm_stats should be declared within this block as it's not used elsewhere.

[aleksostapenko]

Corrected.

[keshonok]

Correct me if I am wrong, but my understanding is that both atomic and non-atomic ops can be used on the same variable. There's only a handful of flags, and it's a 32-bit variable. So, perhaps, a separate hm_flags is unnecessary?

Also, I am not sure I understand what's going on here. For atomic access you need an unsigned long variable, but this is an unsigned int. Everywhere in the code it's cast to unsigned long, but I believe that it's incorrect as it would extend to memory occupied by other unrelated data.

[krizhanovsky]

We can not mix atomic and non-atomic access to the same data: if one operation doesn't lock the system bus, then it just writes back it's outdated view to the memory location. I agree with wrong type conversions. Also it seems the atomicity on the flags adjustment is broken, see comment for tfw_srv_mark_alive().

[aleksostapenko]

In current implementation of set_bit/clear_bit functions for x86, in cases of constant bit index argument - per-byte instructions orb and andb are used. So if for bit index we use immediate value less then 32 - we will not go beyond the int boarders. But yes, this is not very safe approach.
Corrected.

[keshonok]

Curly braces are required here according to the coding standard (because the other branch has them).

[aleksostapenko]

Corrected.

[keshonok]

Not visible here, but curly braces are required here in the else branch.

[aleksostapenko]

Corrected.

[keshonok]

This line fits perfectly in the preceding line of code.

[aleksostapenko]

Corrected.

[keshonok]

So, if we're unable to send a health monitoring request, then it's simply dropped without any trace or action upon that? Is that the intended behaviour?

[krizhanovsky]

Yeah, maybe having a warning here would be good.

[aleksostapenko]

Warning added.

[keshonok]

It's difficult to understand the variety of combinations of function's arguments without comments. orig_srv may be NULL. The code suggest it's definitely NOT NULL when !hname. Why is that? A proper comment would be helpful.

[aleksostapenko]

This code has been redesigned.

[keshonok]

There're some common shortcuts that are understood in a specific way. For instance, nth usually mean n-th consecutive number, or something like that. Of course you can name variables any way you like in a small function, but it's best if the name resemble an unambiguous meaning.

There's a number of "rules" for creating short names, one of which is removing all vowels: default -> dflt, etc. With that, it would be health -> hlth. Or just leave it health, it's sufficiently short in this particular case. Or even just h - as long as it can't be confused with h-th number or something. :-)

[aleksostapenko]

This code has been redesigned.

[keshonok]

Perhaps, this can be made a simple static const array to avoid unnecessary run-time branching?

[keshonok]

Can't this message be made clearer? What's 'value'? Perhaps, 'HTTP status code'?

[aleksostapenko]

Corrected.

[keshonok]

Frankly, this looks like extra unnecessary work. The whole body of a response is copied to memory allocated from pool just to calculate CRC32 on it.

This is a response to a health monitoring request, so I guess it's relatively small, and because it comes from a server it probably comes in minimal number of chunks (i.e. it's not sent one byte at a time). As far as I can see crc32() function is perfectly suited for calculating the checksum over data that is located in different chunks (the seed argument), so it should be straightforward to write a function that goes over string's chunks and calculates CRC32.

[krizhanovsky]

Yes, definitely: with #76 in mind we can have ~1M sites with enabled health monitoring and the copyings can be harmful. We also shouldn't make an assumption about size of health checking response - this is 100% depends on a user preferences. In general, we put a lot of effort for zero-copying - there are plenty of TfwStr and skb routines processing data chunks.

[aleksostapenko]

Done.

[krizhanovsky]

There are still several issues. hm_flags atomicity is still unclear. Also please write a wiki doc for the next review - it'd be good to review it as well.

[krizhanovsky]

The function must be tested in t/unit/test_tfw_str.c, at least that CRC32 calculated for the same data represented in single block and TfwStr's chunks have the same values. Also please calculate a checksum for some data using Linxu crc32 command (as a sysadmin is supposed to use it for calculating HTML file checksums) and use the checkusm in the test - our implementation and the utility must return the same values. Or, the better, to use the utility in the functional thest for HM.

Also please mention the Linux utility crc32 in the Wiki in an example for health monitoring settings.

[aleksostapenko]

Done.

[krizhanovsky]

I think there is no need to introduce the overhead in the function. There'd be too expensive to check the length consistency in all chunks traversing logic, so only strings creation functions should care about the consistency.

[aleksostapenko]

Yes, forgot to remove this debug code. Thanks!
Corrected.

[krizhanovsky]

Please use more realistic HTML response and properly calcucalted, using crc32 Linux tool, CRC32 checksum. The test must verify that CRC32 is calculated by Tempesta FW correctly and that Tempesta FW catches bad responses with wrong CRC32 and marks the server as dead.

@ikoveshnikov and @vladtcvs should we enumerate somewhere all the test with stress options to run them in long running mode on the CI system?

[aleksostapenko]

Done. New functional test TestHealthMonitorCRCOnly (for separate CRC32 only verification) is added.

[krizhanovsky]

There is no sense to fall down for !(req->flags & TFW_HTTP_HMONITOR) and calculate CRC32 over empty data, so just return here.

[aleksostapenko]

Corrected.

[krizhanovsky]

It seems the check should be WARN_ON_ONCE() since failing it desn't lead to the whole system crash, just to misbehaving health monitoring.

[aleksostapenko]

Corrected.

[krizhanovsky]

So if a server return us a 'good' response code, then we consider it as alive and don't check the response body. However, missbehaving server can return us 200 responce code with messy response body. Only both the correct response code and the body checksum must be treated as success.

[aleksostapenko]

But in case of default auto monitor - it seems that we haven't any acceptable CRC32 value to examine.

[krizhanovsky]

Please use crc32 of the first response, but in auto mode only.

However, for applications with dynamic content, it's good to be able to explicitly disable crc32 check. Probably, the easiest way to do this is just explicitly configure auto HM without crc32, e.g.

health_check auto {
	request		"GET / HTTTP/1.0\r\n\r\n";
	request_url	"/";
	resp_code	200;
	timeout		10;
}

Other possibility is to explicitly set auto value for crc32 field if a user want's auto calculated crc32, e.g.:

health_check auto {
	request		"GET / HTTTP/1.0\r\n\r\n";
	request_url	"/";
	resp_code	200;
        resp_crc32      auto;
	timeout		10;
}

Please update the Wiki about explicit auto configuration and automatic crc32 calculation.

[aleksostapenko]

Done (the last approach).

[krizhanovsky]

TFW_SRV_B_SUSPEND is set in tfw_http_hm_control() after check for TFW_SRV_B_HMONITOR, so TFW_SRV_B_SUSPEND can be set for HM-enabled servers only. test_bit(TFW_SRV_B_HMONITOR, &srv->hm_flags) isn't needed here and can be replaced by WARN_ON_ONCE().

...also see comment for tfw_http_hm_control(). Should the function look like?

unsigned long tmp = READ_ONCE(srv->hm_flags) & (TFW_SRV_B_HMONITOR | TFW_SRV_B_SUSPEND);
return tmp == (TFW_SRV_B_HMONITOR | TFW_SRV_B_SUSPEND));

It this way we can read and check both the flags at onece.

[aleksostapenko]

Corrected: #877 (comment).

[krizhanovsky]

I had a look at flags and it's needed for live reconfiguration only, so why not to treat the TFW_CFG_F_* the same way through atomic bit operations? It's really confusing to see two different flags. There is nothing about performance or massive concurrent updates, the only difference is that hm_flags can be ptentially updated concurrently.

Also TFW_SRV_B_HMONITOR is cleared in tfw_server_destroy() -> tfw_apm_del_srv() called from tfw_sock_srv_grace_shutdown_srv(), which sets srv->flags |= TFW_CFG_F_DEL, so probably there is a direct link between TFW_SRV_B_HMONITOR and TFW_CFG_F_DEL flags. @ikoveshnikov could you please also review this?

[aleksostapenko]

Done: flags have been merged.

[krizhanovsky]

...I still don't understand the function intention: we check TFW_SRV_B_HMONITOR at the above and check it again in tfw_srv_suspended() at the calls at the below - is it some kind of protection against concurrent clearing from tfw_apm_hm_disable_srv()? If so then why tfw_apm_hm_disable_srv() can't be called just between test_bit(TFW_SRV_B_HMONITOR, &srv->hm_flags) and test_bit(TFW_SRV_B_SUSPEND, &srv->hm_flags)? Also see comment for tfw_srv_suspended().

What's wrong if at this point of code the server is destroying due to reconfiguration? TFW_SRV_B_SUSPEND seems much easier: it seems the worse can happen is just unnecessary calculation of response body calculation or wrong mark the server as dead (the last one will be quickly fixed by the next HM message). @ikoveshnikov also please review the point.

[aleksostapenko]

Functions tfw_http_hm_control() and tfw_srv_mark_suspended() have been redesigned in accordance with discussion in chat.

[krizhanovsky]

Why not to return hm? Why do we need the pointer and a boolean return value?

[aleksostapenko]

Corrected.

[krizhanovsky]

Minor fixes are still required. Please if you have some objections about my comments - ping me in the chat.

[krizhanovsky]

There are several other places which are good to update for the code consistency:

./sock_srv.c:1993:		if (!(srv->flags & TFW_CFG_M_ACTION)) {
./sock_srv.c:2000:		else if (srv->flags & TFW_CFG_F_MOD)
./sock_srv.c:2012:		if (!(srv->flags & TFW_CFG_F_ADD))
./sock_srv.c:2066:		if (!(srv->flags & TFW_CFG_M_ACTION))
./http_sess.c:757:			if (unlikely(srv->flags & TFW_CFG_F_DEL)) {

While technically it's OK to read the flags on x86-64 in this manner, it's better to have to code consistent in using the same API to access the flags.

[aleksostapenko]

Corrected, but with TFW_CFG_M_ACTION - left the same as didn't find acceptable interface for bit mask checking.

[krizhanovsky]

Please add resp->status to the message to provide more information to a system administrator.

[aleksostapenko]

Done.

[krizhanovsky]

Please use crc32 of the first response, but in auto mode only.

However, for applications with dynamic content, it's good to be able to explicitly disable crc32 check. Probably, the easiest way to do this is just explicitly configure auto HM without crc32, e.g.

health_check auto {
	request		"GET / HTTTP/1.0\r\n\r\n";
	request_url	"/";
	resp_code	200;
	timeout		10;
}

Other possibility is to explicitly set auto value for crc32 field if a user want's auto calculated crc32, e.g.:

health_check auto {
	request		"GET / HTTTP/1.0\r\n\r\n";
	request_url	"/";
	resp_code	200;
        resp_crc32      auto;
	timeout		10;
}

Please update the Wiki about explicit auto configuration and automatic crc32 calculation.

[krizhanovsky]

Please print here a warning with expected crc32 (needed for auto mode), the response crc32 and response status code.

[aleksostapenko]

Done.

[krizhanovsky]

Thanks for the corrections! Good to merge.

[vankoven]

Need to make tfw_srv_suspended() check before any others:

• That will reduce number of atomic operations.
• An extra reference might be taken in tfw_srv_conn_get_if_live(). The reference won't be released if tfw_srv_suspended failed.

[aleksostapenko]

Corrected.

[vankoven]

The check can be done before rcu operations: no need trying to schedule request if server is suspended.

[aleksostapenko]

Corrected.

[vankoven]

Comment is misleading: function can't put server into suspended state.

[aleksostapenko]

Corrected.

[vankoven]

Sending requests should be done in separate kernel not in timer function. Must be done as a part of #736

[vankoven]

It was admitted that the main disadvantage of merged ik-51 branch (runtime backend server reconfiguration) was too many traversal across lists. In this patch you traverse the same sg->srv_list twice: here and in tfw_cfgop_update_sg_srv_list(). Can't we do the same job with only one traversal?

[aleksostapenko]

Done.

[vankoven]

Nobody checks if user specified available health monitor in tfw_cfgop_health_monitor() or later during cfgend(). In that case we may get an error here, tfw_cfgop_start_sg_cfg() will return -EINVAL and so does tfw_sock_srv_start() . This behaviour is not user-friendly since errors on start are non-recoverable and TempestaFW will be stopped. Too hard penalty for possible misprints as for me.

Instead we must check if the health monitor named sg_cfg->hm_name is available on cfgend stage. Error will be found, a new configuration will be dropped, and the TempestaFW will continue working with old good configuration.

[aleksostapenko]

Corrected.

[vankoven]

Seems at least hmstats, hm are server group-wide options and should be stored there. We can also use one timer per server group: send health check message to all server in group. What do you think? not the comment below.

[aleksostapenko]

We cannot make hmstats group-wide - since this will break the essence of the task (server-wide HTTP health statistics and server-wide suspend/alive decisions).
As for hm - yes, theoretically we can use it group-wide, but for now I'd prefer leave it server-wide for three reasons:

1. Changing current implementation (originally grounded on a server-wide approach) will require significant code changes and re-testing.
2. In current approach all health monitoring functionality is concentrated in APM module and the there is no need to spreading it between other modules (e.g sock_srv etc.)
3. Current solution is more flexible and give more granularity in HM management if it will be needed in future, and I do not see significant advantages in group-wide approach except of saving memory on hm pointers for each server.

[vankoven]

Good to merge! I've commented a couple of moments where performance optimisation is possible.

[vankoven]

It's more like a note to all places where tfw_cfgop_update_srv_health() is called. All servers in the group has the same hmonitor. That means you can check that hmonitor has changed only once, like it done here for scheduler:

tempesta/tempesta_fw/sock_srv.c

Lines 1474 to 1475 in 9381703

	if (tfw_cfgop_sched_changed(sg_cfg))
	sg_cfg->reconf_flags |= TFW_CFG_MDF_SG_SCHED;

We can add a new flag TFW_CFG_MDF_SG_HMON and set it in tfw_cfgop_setup_srv_group().

• Then when we enter tfw_cfgop_update_sg_health() function, we can return immediately if the flag is not set.
• Then we update server list in tfw_cfgop_update_sg_srv_list() we need to call tfw_cfgop_update_srv_health() only if the flag set.
• the tfw_apm_hm_srv_eq() check in tfw_cfgop_update_sg_health() won't be needed.

This suggestion is only performance optimisation. The only effect is reducing of tfw_apm_hm_srv_eq() calls: once per group instead of once per server.

[vankoven]

The check is obsolete: the function is called now only if tfw_cfgop_update_sg_srv_list() won't be called. Thus srv->flags & TFW_CFG_M_ACTION == TFW_CFG_F_KEEP for all server in group.

[vankoven]

The string can be fit in single line.

[vankoven]

The function is not specific to this test, it's rather generic one. Please move the function to chains.py. Almost the same was done in another PR: https://github.com/tempesta-tech/tempesta/pull/897/files#diff-2395c33b49b27bf69b94b134a3625992R19

[vankoven]

Same here: too generic steps in the function for the test. I'd create a new helper class in tempesta.py, which can help to pass server statistics. Init it with pointer to Tempesta instance, server group and the server name and use like helpers.tempesta.Stats class. No need to parse everything in server stats in this PR, just only needed stats.

@vladtcvs Do you have any suggestions here?

[vankoven]

I wouldn't say it's 'regression' test. It's definitely test for a independent new feature - health monitoring. Please move the test to it's own directory. We'll need more tests about HTTP availability in future.