-
Notifications
You must be signed in to change notification settings - Fork 4.1k
Expand file tree
/
Copy pathserver.go
More file actions
485 lines (431 loc) · 16.3 KB
/
server.go
File metadata and controls
485 lines (431 loc) · 16.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
// Copyright 2020 The Cockroach Authors.
//
// Use of this software is governed by the CockroachDB Software License
// included in the /LICENSE file.
package sqlproxyccl
import (
"context"
"io"
"net"
"net/http"
"net/http/pprof"
"time"
"github.com/cockroachdb/cockroach/pkg/util/cache"
"github.com/cockroachdb/cockroach/pkg/util/ctxutil"
"github.com/cockroachdb/cockroach/pkg/util/grpcutil"
"github.com/cockroachdb/cockroach/pkg/util/httputil"
"github.com/cockroachdb/cockroach/pkg/util/log"
"github.com/cockroachdb/cockroach/pkg/util/metric"
"github.com/cockroachdb/cockroach/pkg/util/netutil/addr"
"github.com/cockroachdb/cockroach/pkg/util/stop"
"github.com/cockroachdb/cockroach/pkg/util/syncutil"
"github.com/cockroachdb/cockroach/pkg/util/timeutil"
"github.com/cockroachdb/errors"
"github.com/cockroachdb/logtags"
proxyproto "github.com/pires/go-proxyproto"
"github.com/prometheus/common/expfmt"
)
// Variable to be swapped in tests.
var awaitNoConnectionsInterval = time.Minute
// maxErrorLogLimiterCacheSize defines the maximum cache size for the error log
// limiter. We set it to 1M to align with the cache size of the connection
// throttler (see pkg/ccl/sqlproxyccl/throttler). Based on testing, this
// corresponds to roughly 200-300MB of memory usage when the cache is fully
// utilized. However, in practice, since the limiter is only applied to
// high-frequency errors, the cache will typically store only a small number of
// entries (e.g., around 2-3MB for 10K entries).
const maxErrorLogLimiterCacheSize = 1e6
// errorLogLimiterDuration indicates how frequent an error should be logged
// for a given (ip, tenant ID) pair.
const errorLogLimiterDuration = 5 * time.Minute
// Server is a TCP server that proxies SQL connections to a configurable
// backend. It may also run an HTTP server to expose a health check and
// prometheus metrics.
type Server struct {
Stopper *stop.Stopper
handler *proxyHandler
mux *http.ServeMux
metrics *metrics
metricsRegistry *metric.Registry
prometheusExporter metric.PrometheusExporter
// errorLogLimiter is used to rate-limit the frequency at which *common*
// errors are logged. It ensures that repeated error messages for the same
// connection tag are logged at most once every 5 minutes (see
// errorLogLimiterDuration).
mu struct {
syncutil.Mutex
errorLogLimiter *cache.UnorderedCache // map[connTag]*log.EveryN
}
}
// connTag represents the key for errorLogLimiter.
type connTag struct {
// ip is the IP address of the client.
ip string
// tenantID is the ID of the tenant database the client is connecting to.
tenantID string
}
// NewServer constructs a new proxy server and provisions metrics and health
// checks as well.
func NewServer(ctx context.Context, stopper *stop.Stopper, options ProxyOptions) (*Server, error) {
registry := metric.NewRegistry()
proxyMetrics := makeProxyMetrics()
registry.AddMetricStruct(&proxyMetrics)
handler, err := newProxyHandler(ctx, stopper, registry, &proxyMetrics, options)
if err != nil {
return nil, err
}
mux := http.NewServeMux()
s := &Server{
Stopper: stopper,
handler: handler,
mux: mux,
metrics: &proxyMetrics,
metricsRegistry: registry,
prometheusExporter: metric.MakePrometheusExporter(),
}
// Configure the error log limiter cache.
cacheConfig := cache.Config{
Policy: cache.CacheLRU,
ShouldEvict: func(size int, key, value interface{}) bool {
return size > maxErrorLogLimiterCacheSize
},
}
s.mu.errorLogLimiter = cache.NewUnorderedCache(cacheConfig)
// /metrics and /_status/{healthz,vars} matches CRDB's healthcheck and metrics
// endpoints.
mux.HandleFunc("/metrics", s.handleMetricsWithLabels)
mux.HandleFunc("/_status/vars/", s.handleMetricsWithoutLabels)
mux.HandleFunc("/_status/healthz/", s.handleHealth)
mux.HandleFunc("/_status/cancel/", s.handleCancel)
// Taken from pprof's `init()` method. See:
// https://golang.org/src/net/http/pprof/pprof.go
mux.HandleFunc("/debug/pprof/", pprof.Index)
mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
return s, nil
}
func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
// TODO(chrisseto): Ideally, this health check should actually check the
// proxy's health in some fashion. How to actually check the health of a
// proxy remains to be seen.
// It has been noted that an overloaded CRDB server may fail to respond to
// a simple HTTP request, such as this one, within a short time frame
// (~5 seconds). Therefore, this health check provides a non-zero amount of
// value as it indicates if the service is _massively_ overloaded or not.
// In Kubernetes, a failed liveness check will result in the container
// being terminated and replaced.
// Its reasonable to assume that many, if not most, of the connections
// being served by this proxy are unusable, if this check can not be
// handled. An operator may adjust this window by changing the timeout on
// the check.
w.WriteHeader(http.StatusOK)
// Explicitly ignore any errors from writing our body as there's
// nothing to be done if the write fails.
_, _ = w.Write([]byte("OK"))
}
func (s *Server) handleMetricsWithLabels(w http.ResponseWriter, r *http.Request) {
s.handleMetricsHelper(w, r, true)
}
func (s *Server) handleMetricsWithoutLabels(w http.ResponseWriter, r *http.Request) {
s.handleMetricsHelper(w, r, false)
}
func (s *Server) handleMetricsHelper(w http.ResponseWriter, r *http.Request, useStaticLabels bool) {
contentType := expfmt.Negotiate(r.Header)
w.Header().Set(httputil.ContentTypeHeader, string(contentType))
scrape := func(pm *metric.PrometheusExporter) {
pm.ScrapeRegistry(s.metricsRegistry, metric.WithIncludeChildMetrics(true), metric.WithIncludeAggregateMetrics(true), metric.WithUseStaticLabels(useStaticLabels))
}
if err := s.prometheusExporter.ScrapeAndPrintAsText(w, contentType, scrape); err != nil {
log.Dev.Errorf(r.Context(), "%v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
}
}
// handleCancel processes a cancel request that has been forwarded from another
// sqlproxy.
func (s *Server) handleCancel(w http.ResponseWriter, r *http.Request) {
var retErr error
defer func() {
if retErr != nil {
// Lots of noise from this log indicates that somebody is spamming
// fake cancel requests.
log.Dev.Warningf(
r.Context(), "could not handle cancel request from client %s: %v",
r.RemoteAddr, retErr,
)
}
if f := s.handler.testingKnobs.httpCancelErrHandler; f != nil {
f(retErr)
}
}()
buf := make([]byte, proxyCancelRequestLen)
n, err := r.Body.Read(buf)
// Write the response as soon as we read the data, so we don't reveal if we
// are processing the request or not.
// Explicitly ignore any errors from writing the response as there's
// nothing to be done if the write fails.
_, _ = w.Write([]byte("OK"))
if err != nil && err != io.EOF {
retErr = err
return
}
if n != len(buf) {
retErr = errors.Errorf("unexpected number of bytes %d", n)
return
}
p := &proxyCancelRequest{}
if err := p.Decode(buf); err != nil {
retErr = err
return
}
// This request should never be forwarded, since if it is handled here, it
// was already forwarded to the correct node.
retErr = s.handler.handleCancelRequest(p, false /* allowForward */)
}
// ServeHTTP starts the proxy's HTTP server on the given listener.
// The server provides Prometheus metrics at /metrics and/_status/vars,
// a health check endpoint at /_status/healthz, and pprof debug
// endpoints at /debug/pprof.
func (s *Server) ServeHTTP(ctx context.Context, ln net.Listener) error {
if s.handler.RequireProxyProtocol {
ln = &proxyproto.Listener{
Listener: ln,
Policy: func(upstream net.Addr) (proxyproto.Policy, error) {
// There is a possibility where components doing healthchecking
// (e.g. Kubernetes) do not support the PROXY protocol directly.
// We use the `USE` policy here (which is also the default) to
// optionally allow the PROXY protocol to be supported. If a
// connection doesn't have the proxy headers, it'll just be
// treated as a regular one.
return proxyproto.USE, nil
},
ValidateHeader: s.handler.testingKnobs.validateProxyHeader,
}
}
srv := http.Server{Handler: s.mux}
err := s.Stopper.RunAsyncTask(ctx, "sqlproxy-http-cleanup", func(ctx context.Context) {
<-ctx.Done()
// Wait up to 15 seconds for the HTTP server to shut itself
// down. The HTTP service is an auxiliary service for health
// checking and metrics, which does not need a completely
// graceful shutdown.
_ = timeutil.RunWithTimeout(
context.Background(),
"http server shutdown",
15*time.Second,
func(shutdownCtx context.Context) error {
// Ignore any errors as this routine will only be called
// when the server is shutting down.
_ = srv.Shutdown(shutdownCtx)
return nil
},
)
})
if err != nil {
return err
}
if err := srv.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
return err
}
return nil
}
// Serve serves up to two listeners according to the Options given in
// NewServer().
//
// If ln is not nil, a listener is served which does not require
// proxy protocol headers, unless RequireProxyProtocol is true.
//
// If proxyProtocolLn is not nil, a listener is served which requires proxy
// protocol headers.
//
// Incoming client connections are taken through the Postgres handshake and
// relayed to the configured backend server.
func (s *Server) ServeSQL(
ctx context.Context, ln net.Listener, proxyProtocolLn net.Listener,
) error {
if ln != nil {
if s.handler.RequireProxyProtocol {
ln = s.requireProxyProtocolOnListener(ln)
}
log.Dev.Infof(ctx, "proxy server listening at %s", ln.Addr())
if err := s.Stopper.RunAsyncTask(ctx, "listener-serve", func(ctx context.Context) {
_ = s.serve(ctx, ln, s.handler.RequireProxyProtocol)
}); err != nil {
return err
}
}
if proxyProtocolLn != nil {
proxyProtocolLn = s.requireProxyProtocolOnListener(proxyProtocolLn)
log.Dev.Infof(ctx, "proxy with required proxy headers server listening at %s", proxyProtocolLn.Addr())
if err := s.Stopper.RunAsyncTask(ctx, "proxy-protocol-listener-serve", func(ctx context.Context) {
_ = s.serve(ctx, proxyProtocolLn, true /* requireProxyProtocol */)
}); err != nil {
return err
}
}
return nil
}
// serve is called by ServeSQL to serve a single listener.
func (s *Server) serve(ctx context.Context, ln net.Listener, requireProxyProtocol bool) error {
err := s.Stopper.RunAsyncTask(ctx, "listen-quiesce", func(ctx context.Context) {
<-s.Stopper.ShouldQuiesce()
if err := ln.Close(); err != nil && !grpcutil.IsClosedConnection(err) {
log.Dev.Fatalf(ctx, "closing proxy listener: %s", err)
}
})
if err != nil {
return err
}
for {
conn, err := ln.Accept()
if err != nil {
return err
}
s.metrics.AcceptedConnCount.Inc(1)
err = s.Stopper.RunAsyncTask(ctx, "proxy-con-serve", func(ctx context.Context) {
defer func() { _ = conn.Close() }()
s.metrics.CurConnCount.Inc(1)
defer s.metrics.CurConnCount.Dec(1)
ctx = logtags.AddTag(ctx, "client", log.SafeOperational(conn.RemoteAddr()))
// Use a map to collect request-specific information at higher
// layers of the stack. This helps ensure that all relevant
// information is captured, providing better context for the error
// logs.
//
// We could improve this by creating a custom context.Context object
// to track all data related to the request (including migration
// history). For now, this approach is adequate.
reqTags := make(map[string]interface{})
ctx = contextWithRequestTags(ctx, reqTags)
err := s.handler.handle(ctx, conn, requireProxyProtocol)
if err != nil && !errors.Is(err, context.Canceled) {
// Ensure that context is tagged with request tags which are
// populated at higher layers of the stack.
for key, value := range reqTags {
ctx = logtags.AddTag(ctx, key, value)
}
// log.Dev.Infof automatically prints hints (one per line) that are
// associated with the input error object. This causes
// unnecessary log spam, especially when proxy hints are meant
// for the user. We will intentionally create a new error object
// without the hints just for logging purposes.
//
// TODO(jaylim-crl): Ensure that handle does not return user
// facing errors (i.e. one that contains hints).
if s.shouldLogError(ctx, err, conn, reqTags) {
errWithoutHints := errors.Newf("%s", err.Error()) // nolint:errwrap
log.Dev.Infof(ctx, "connection closed: %v", errWithoutHints)
}
}
})
if err != nil {
return err
}
}
}
func (s *Server) requireProxyProtocolOnListener(ln net.Listener) net.Listener {
return &proxyproto.Listener{
Listener: ln,
Policy: func(upstream net.Addr) (proxyproto.Policy, error) {
// REQUIRE enforces the connection to send a PROXY header.
// The connection will be rejected if one was not present.
return proxyproto.REQUIRE, nil
},
ValidateHeader: s.handler.testingKnobs.validateProxyHeader,
}
}
// AwaitNoConnections returns a channel that is closed once the server has no open connections.
// This is meant to be used after the server has stopped accepting new connections and we are
// waiting to shutdown the server without inturrupting existing connections
//
// If the context is cancelled the channel will never close because we have to end the async task
// to allow the stopper to completely finish
func (s *Server) AwaitNoConnections(ctx context.Context) <-chan struct{} {
c := make(chan struct{})
_ = s.Stopper.RunAsyncTask(ctx, "await-no-connections", func(context.Context) {
for {
connCount := s.metrics.CurConnCount.Value()
if connCount == 0 {
close(c)
break
}
select {
case <-ctx.Done():
return
case <-time.After(awaitNoConnectionsInterval):
continue
}
}
})
return c
}
// shouldLogError returns true if an error should be logged, or false otherwise.
// The goal is to only throttle high-frequency errors for every (IP, tenantID)
// pair.
func (s *Server) shouldLogError(
ctx context.Context, err error, conn net.Conn, reqTags map[string]interface{},
) bool {
// Always log non high-frequency errors.
if !errors.Is(err, highFreqErrorMarker) {
return true
}
// Request hasn't been populated with a tenant ID yet, so log them.
tenantID, hasTenantID := reqTags["tenant"]
if !hasTenantID {
return true
}
// Tenant ID must be a string, or else there has to be a bug in the code.
// Instead of panicking, we'll skip throttling.
tenantIDStr, ok := tenantID.(string)
if !ok {
log.Dev.Errorf(
ctx,
"unexpected error: cannot extract tenant ID from request tags; found: %v",
tenantID,
)
return true
}
// Extract just the IP from the remote address. We'll log anyway if we get
// an error. This case cannot happen in practice since conn.RemoteAddr()
// will always return a valid IP.
ipAddr, _, err := addr.SplitHostPort(conn.RemoteAddr().String(), "")
if err != nil {
log.Dev.Errorf(
ctx,
"unexpected error: cannot extract remote IP from connection; found: %v",
conn.RemoteAddr().String(),
)
return true
}
s.mu.Lock()
defer s.mu.Unlock()
var limiter *log.EveryN
key := connTag{ip: ipAddr, tenantID: tenantIDStr}
c, ok := s.mu.errorLogLimiter.Get(key)
if ok && c != nil {
limiter = c.(*log.EveryN)
} else {
e := log.Every(errorLogLimiterDuration)
limiter = &e
s.mu.errorLogLimiter.Add(key, limiter)
}
return limiter.ShouldLog()
}
// requestTagsContextKey is the fast value key used to carry the request tags
// map in a context.Context object.
var requestTagsContextKey = ctxutil.RegisterFastValueKey()
// contextWithRequestTags returns a context annotated with the provided request
// tags map. Use requestTagsFromContext(ctx) to retrieve it back.
func contextWithRequestTags(ctx context.Context, reqTags map[string]interface{}) context.Context {
return ctxutil.WithFastValue(ctx, requestTagsContextKey, reqTags)
}
// requestTagsFromContext retrieves the request tags map stored in the context
// via contextWithRequestTags.
func requestTagsFromContext(ctx context.Context) map[string]interface{} {
r := ctxutil.FastValue(ctx, requestTagsContextKey)
if r == nil {
return nil
}
return r.(map[string]interface{})
}