Page MenuHomePhabricator
Create Task
Maniphest T236458

ats-tls shows a huge amount of ESTABLISHED sockets even when the server is depooled
Closed, ResolvedPublic
Actions

Description

as spotted by @BBlack, cp3030 shows 34k ESTABLISHED sockets against port 443 (ats-tls) even when the server was depooled for a few hours.

Comparing cp5007 vs the rest of text nodes (running nginx) show a huge different in sockets as well. Grafana reports ~100k sockets in use for cp5007 and ~37k for the rest of servers

Details

SubjectRepoBranchLines +/-
Revert "ATS: Disable allow_half_open in cp4031"operations/puppetproduction+1 -1
ATS: Disable allow_half_open in cp4031operations/puppetproduction+1 -1
ATS: Puppetize allow_half_open HTTP settingoperations/puppetproduction+9 -0
ATS: Set the default activity timeout to 300 seconds on ats-tlsoperations/puppetproduction+9 -2
ATS: Track total client connections for HTTP/2 clientsoperations/puppetproduction+2 -0
ATS: Enable the SSL handshake timeout and set it to 60 secondsoperations/puppetproduction+7 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Oct 25 2019, 4:59 AM
Stashbot added a comment.Oct 25 2019, 5:03 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-25T05:03:15Z] <vgutierrez> Applying a SSL handshake timeout of 60 secs on ats-tls/cp5007 - T236458

Vgutierrez added a comment.Oct 25 2019, 5:15 AM

I'm tracking used TCP sockets on eqsin text nodes in https://grafana.wikimedia.org/d/ivPJtZAWz/t236458?orgId=1&from=now-1h&to=now, I've manually applied a SSL handshake timeout on cp5007 at 05:03 UTC

ayounsi removed a subscriber: ayounsi.Oct 25 2019, 5:16 AM
Vgutierrez triaged this task as Medium priority.Oct 25 2019, 5:31 AM
Vgutierrez moved this task from Backlog to TLS on the Traffic board.
gerritbot added a comment.Oct 25 2019, 5:57 AM

Change 546014 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable the SSL handshake timeout and set it to 60 seconds

https://gerrit.wikimedia.org/r/546014

gerritbot added a project: Patch-For-Review.Oct 25 2019, 5:57 AM
gerritbot added a comment.Oct 25 2019, 7:56 AM

Change 546014 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable the SSL handshake timeout and set it to 60 seconds

https://gerrit.wikimedia.org/r/546014

Stashbot added a comment.Oct 25 2019, 8:02 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-25T08:02:22Z] <vgutierrez> rolling restart of ats-tls to introduce a SSL handshake timeout of 60 secs - T236458

Maintenance_bot removed a project: Patch-For-Review.Oct 25 2019, 8:10 AM
Vgutierrez closed this task as Resolved.Oct 25 2019, 9:46 AM
Vgutierrez reopened this task as Open.Oct 29 2019, 7:44 AM

Reopening cause the issue hasn't been solved as it can be seen here: https://grafana.wikimedia.org/d/ivPJtZAWz/t236458?orgId=1&from=1571989146430&to=now

Stashbot added a comment.Oct 29 2019, 8:06 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-29T08:06:05Z] <vgutierrez> restarting ats-tls on cp5007 with TCP FASTOPEN disabled - T236458

Stashbot added a comment.Oct 29 2019, 9:27 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-29T09:27:27Z] <vgutierrez> restart ats-tls on cp5007 disabling TCP SO_LINGER - T236458

gerritbot added a comment.Oct 29 2019, 2:53 PM

Change 546957 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Track total client connections for HTTP/2 clients

https://gerrit.wikimedia.org/r/546957

gerritbot added a project: Patch-For-Review.Oct 29 2019, 2:53 PM
gerritbot added a comment.Oct 29 2019, 3:07 PM

Change 546957 merged by Vgutierrez:
[operations/puppet@production] ATS: Track total client connections for HTTP/2 clients

https://gerrit.wikimedia.org/r/546957

Maintenance_bot removed a project: Patch-For-Review.Oct 29 2019, 3:10 PM
Stashbot added a comment.Oct 29 2019, 3:25 PM

Mentioned in SAL (#wikimedia-operations) [2019-10-29T15:25:45Z] <vgutierrez> restarting ats-tls on cp5007 with a default inactivity timeout of 5 minutes and half open disabled - T236458

Stashbot added a comment.Oct 30 2019, 2:40 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-30T02:40:04Z] <vgutierrez> restarting ats-tls on cp3050 with half open disabled - T236458

Stashbot added a comment.Oct 30 2019, 3:09 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-30T03:09:06Z] <vgutierrez> Rolling restart of prometheus-exporter-trafficserver-tls - T236458

Stashbot added a comment.Oct 30 2019, 4:24 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-30T04:24:52Z] <vgutierrez> restarting ats-tls on cp4027 with half open disabled - T236458

gerritbot added a comment.Oct 30 2019, 5:44 AM

Change 547073 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Set the default activity timeout to 300 seconds on ats-tls

https://gerrit.wikimedia.org/r/547073

gerritbot added a project: Patch-For-Review.Oct 30 2019, 5:44 AM
gerritbot added a comment.Oct 30 2019, 5:55 AM

Change 547073 merged by Vgutierrez:
[operations/puppet@production] ATS: Set the default activity timeout to 300 seconds on ats-tls

https://gerrit.wikimedia.org/r/547073

Stashbot added a comment.Oct 30 2019, 5:58 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-30T05:58:10Z] <vgutierrez> Rolling restart of ats-tls to get rid of leaked sockets and benefit from the lower inactivity timeout - T236458

Maintenance_bot removed a project: Patch-For-Review.Oct 30 2019, 6:10 AM
Vgutierrez closed this task as Resolved.Oct 31 2019, 1:35 AM

This's been successfully mitigated by 9002f6dfc959fccf527b7c7a3778947496858695

Stashbot added a comment.Feb 13 2020, 3:38 PM

Mentioned in SAL (#wikimedia-operations) [2020-02-13T15:38:31Z] <vgutierrez> disable allow_half_open on ats-tls @ cp4031 - T236458

gerritbot added a comment.Feb 13 2020, 4:00 PM

Change 572016 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Puppetize allow_half_open HTTP setting

https://gerrit.wikimedia.org/r/572016

gerritbot added a project: Patch-For-Review.Feb 13 2020, 4:00 PM

Change 572017 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable allow_half_open in cp4031

https://gerrit.wikimedia.org/r/572017

gerritbot added a comment.Feb 13 2020, 4:20 PM

Change 572016 merged by Vgutierrez:
[operations/puppet@production] ATS: Puppetize allow_half_open HTTP setting

https://gerrit.wikimedia.org/r/572016

gerritbot added a comment.Feb 13 2020, 4:28 PM

Change 572017 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable allow_half_open in cp4031

https://gerrit.wikimedia.org/r/572017

Maintenance_bot removed a project: Patch-For-Review.Feb 13 2020, 5:11 PM
gerritbot added a comment.Feb 14 2020, 6:28 AM

Change 572149 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] Revert "ATS: Disable allow_half_open in cp4031"

https://gerrit.wikimedia.org/r/572149

gerritbot added a project: Patch-For-Review.Feb 14 2020, 6:28 AM

Change 572149 merged by Vgutierrez:
[operations/puppet@production] Revert "ATS: Disable allow_half_open in cp4031"

https://gerrit.wikimedia.org/r/572149

Maintenance_bot removed a project: Patch-For-Review.Feb 14 2020, 7:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL