Adding a drained callback to ConnPoolImplBase causes test failure

[chradcliffe]

Description:
There is an early return in ConnPoolImplBase::checkForDrained that prevents closeIdleConnections from being called in the case where there are no drained callbacks registered for the pool:

void ConnPoolImplBase::checkForDrained() {
  if (drained_callbacks_.empty()) {
    return;
  }

  closeIdleConnections();

In TcpTunnelingIntegrationTest.InvalidResponseHeaders inside test/integration/tcp_tunneling_integration_test.cc, the behaviour expected by the test changes based on the presence of a callback.

In this InvalidResponseHeaders test, an invalid response header is sent from the upstream fake server. The test expects that Envoy will send an HTTP/2 reset frame, but if the connection pool has a drained callback, the connection closes at the transport layer instead.

The relevant sequence is as follows:

1. The server sends a non-200 response code
2. Inside TcpProxy::HttpUpstream::DecoderShim::decodeHeaders, TcpProxy::HttpUpstream::resetEncoder is called.
3. After a few more intermediate function calls, Http::CodecClient::deleteRequest is called and the request is removed from the client's active_requests_ list.
4. After this, codec_client_callbacks_->onStreamDestroy() is called, which ends up with a call to Http::Http2::ConnPoolImpl::onStreamDestroy.
5. In onStreamDestroy, ConnPoolImplBase::checkForDrained is called.

In the current code, when checkForDrained is called at step (5), the early exit is hit so no idle connections are affected. The connection is then allowed to send out a HTTP/2 reset frame and the upstream server endpoint closes the connection.

However, if you add a callback to the connection pool, the early exit is skipped and closeIdleConnections is executed. Because the request was removed in step (3) above, the ActiveClient associated with the connection is considered idle and is closed, which in turn closes the connection on the Envoy upstream client side. This prevents the HTTP/2 reset frame from being sent.

I have a few questions:

1. Is it correct that checkForDrained should have different observable behaviour depending on the presence of an idle callback? (I'm guessing 'no')
   ** If we wanted to do this, we could move closeIdleConnections above the early return, but that affects question (2)
2. The Http2::ConnPoolImpl::onStreamDestroy code greedily attempts to reap idle connections (which closes the socket at the transport layer), while the integration test asserts that the HTTP/2 layer should be allowed to sent a reset frame. Which is correct?

This was found while I was testing requested changes for #13061 so if there's a good solution to this problem I might be able to wrap it up in that PR.

Repro steps:
Add a drained callback to the constructor of ConnectionPool::ConnPoolImplBase and run the bazel target //test/integration:tcp_tunneling_integration_test.

Logs:
The test log after the repro steps above (with -l trace) invalid_response_headers.log

[mattklein123]

@alyssawilk would you mind taking a look at this?

[alyssawilk]

The checkForDrained code is supposed to check to see if the connection pool is currently being drained.

If the connection pool is being drained, each connection is told this is the last request it can serve, and as connections are returned to the pool they are closed. Normally, idle connections can be returned to the pool and reused, but if we're draining the pool (say we've reloaded config, and new traffic goes to the new pool) idle connections should not be recycled.

The callback shouldn't make a difference in this case, because if the callback is set, drainConnectionsImpl() has already been called, so all idle connections should have already been closed and all in-use connections should be drained (only one request remaining, so when they return they should be close as no longer usable and should be closed without the idle check). So I think there's an invariant that if we're draining there are not idle connections. If you think you've found a situation where the invariant doesn't hold true, send the test my way?

[chradcliffe]

So if I understand what you're saying correctly, the presence of a callback in ConnPoolImplBase::drained_callbacks_ is an implicit indication that the pool is draining -- is that right? I think that's what I didn't understand -- you can't actually add a drained callback without implicitly draining the pool. I'll have to rethink what I was trying to do.

However, I did find at least one case where drainConnectionsImpl is not called prior to host removal. As far as I can tell, that function is only called when host health has failed and is not called when a host is removed from a cluster for other reasons.

I created a branch (https://github.com/chradcliffe/envoy/tree/chradcliffe/check-drained-connections-called) with a commit that adds an assert to test that drainConnectionsImpl is always called before the drained callbacks are triggered. I also checked in a config file to that branch (dynamic_forward_proxy.yaml) that I used for my test. If you run something like curl --proxy http://${ENVOY_LISTENER} google.com and wait until the TTL expires (for me it was about 5 minutes), Envoy will trip the assert.

The root cause of this ticket I think is now invalid (except maybe we should add some comments clarifying that drained callbacks cannot be added without triggering a drain).

[alyssawilk]

Yeah, I think there's a difference between removing a host, and draining the whole pool.
For sure, behavior will change when it's draining, and cleaning up comments that adding a drained callback should only be done when draining would help clear things up.

[alyssawilk]

Hm, looking at the interface, it does say you can addDrained without draining, which I don't think has ever been true. I'll send out a PR.