Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use independent deadline for sending error #79

Merged
merged 2 commits into from
Jul 1, 2024
Merged

fix: use independent deadline for sending error #79

merged 2 commits into from
Jul 1, 2024

Conversation

aruiz14
Copy link
Contributor

@aruiz14 aruiz14 commented Jun 12, 2024
edited
Loading

Issue: 44576

Complementary (but not mutually blocking) to #74

Problem

remotedialer connections (those multiplexed over a single websocket) rely on receiving an Error message (io.EOF in the case of success), in order to consider a connection closed. In some cases, this message is never received, causing associated resources to be kept indefinitely.

Solution

#74 mitigates this problem by adding a synchronization mechanism to detect those stale connections by sharing ids of the active connections. That PR is complementary in the sense that it will make the protocol more robust, while this one should provide a fix for the original problem that caused the Error message not to be sent. I was able to troubleshoot this thanks to the errors printed by the changes from #67.

connection implements the net.Conn interface (including SetWriteDeadline), and is created from a Dialer.
In the case of Rancher, one of the uses is to create a Kubernetes client to access the API of downstream clusters. This client is configured to use remotedialer as part of is Transport, hence using HTTPS over the remotedialer connection.

The HTTP client used seems to be configured by default with a IdleConnTimeout of 90 seconds, after which the connection is automatically closed. However, the intermediate TLS connection layer will send an alert, then proceed to call SetWriteDeadline on the underlying connection with an invalid value in order to prevent any further writes, which makes writeErr to fail, because it uses the value of writeDeadline for sending the Error message.

Given that this is a control message (at the Session level), it should use its own deadline and not rely on the connection anymore.

CheckList

  • Test
    • Adapted unit test to cover this unit case. Without the deadline change, it will fail with:
time="2024-06-13T09:29:10+02:00" level=warning msg="[2] encountered error \"deadline exceeded\" while writing error \"connection closed\" to close remotedialer"
    session_serve_test.go:134: message not sent on closed connection
--- FAIL: TestSession_closeConnection (0.00s)

@aruiz14 aruiz14 requested a review from a team as a code owner June 12, 2024 16:10
moio
moio previously approved these changes Jun 13, 2024
View reviewed changes
aruiz14 added a commit to aruiz14/remotedialer that referenced this pull request Jun 13, 2024
@aruiz14
fix: use independent deadline for sending error
d06676d 
See rancher#79
aruiz14 added a commit to rancher/rancher that referenced this pull request Jun 13, 2024
@aruiz14
remotedialer: use patched version
7bf65d7 
includes:
 - rancher/remotedialer#68
 - rancher/remotedialer#78
 - rancher/remotedialer#79
 - rancher/remotedialer#74
aruiz14 added a commit to rancher/rancher that referenced this pull request Jun 14, 2024
@aruiz14
remotedialer: use patched version
c6f39db 
includes:
 - rancher/remotedialer#68
 - rancher/remotedialer#78
 - rancher/remotedialer#79
 - rancher/remotedialer#74
aruiz14 added a commit to rancher/rancher that referenced this pull request Jun 26, 2024
@aruiz14
remotedialer: use patched version
069fda1 
includes:
 - rancher/remotedialer#78
 - rancher/remotedialer#79
 - rancher/remotedialer#74
@aruiz14
fix: use independent deadline for sending error
1fdf480 
The other side of the connection relies on this error message being
received in order to close the connection, indefinitely keeping it open
otherwise. Taking this into account, this should be considered a control
message, not part of the connection but the session instead.
However, since c.writeDeadline is being used (which is indeed controlled
via net.Conn interface), the upper crypto/tls.Conn is setting this
deadline to an invalid value in order to prevent further writes.
This causes the error messages to never be sent.
@aruiz14
tests: adapt unit tests to cover this case
a409494
@moio
Copy link
Contributor

moio commented Jul 1, 2024

Thanks for the review, can this be merged @maxsokolovsky ?

@maxsokolovsky maxsokolovsky merged commit 40afe79 into rancher:master Jul 1, 2024
1 check passed
@aruiz14 aruiz14 deleted the writeErrDeadline branch July 1, 2024 18:10
@aruiz14 aruiz14 mentioned this pull request Jul 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moio moio moio approved these changes

@maxsokolovsky maxsokolovsky maxsokolovsky approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@aruiz14 @moio @maxsokolovsky