HTTP 2 connection draining is non-graceful for low-volume listeners

[murray-stripe]

Title: HTTP 2 connection draining is non-graceful for low-volume listeners

Description:

When a listener enters into a draining state either due to a hot-restart or an LDS update, it should not accept new requests but should let existing requests finish gracefully. There is a drain-time limit that, when reached will terminate any open connections non-gracefully.

For HTTP 2, putting a connection into a draining state should be equivalent with Envoy sending a GOAWAY frame on the connection. This signals that no new streams should be created on the connection, but existing streams are allowed to finish. Assuming a well-behaved client (one that respects the GOAWAY), this should mirror the desired behavior for connection draining. However, Envoy does not send a GOAWAY proactively when the drain-time begins. Instead, Envoy issues a GOAWAY after the next request made on the connection is completed. Represented visually, this would look like:

With appropriately long drain-time for your traffic and a sufficiently busy listener, this delayed GOAWAY does not generally lead to issues. However, if the listener is processing a low volume of long-requests, then it is possible to find ourselves in the following scenario:

In this scenario the request does not begin until near the end of the drain-time window. Because the GOAWAY signal is not sent until the request ends. This results in a request being interrupted as the connection is non-gracefully closed -- non-graceful defined as 1) without a GOAWAY and 2) with in-flight requests.

An interrupted request is logged into the access log with the DC flag and will return a 503 response. If the downstream is another Envoy instance, then the downstream will have an access log with a UC flag.

I would expect that Envoy would issue a GOAWAY (NO_ERROR error-code) at the beginning of the drain-period (without the external tigger of a request) as this already matches the desired behavior of Envoy's connection-draining. I suspect the current implementation to be an artifact of how connections would be closed for persistent HTTP 1.

Repro steps:

This has been reproduced in our internal integration-test suite, but can be reproduced readily with the following:

• Configure drain-time of 20 seconds
• Configure parent-shutdown time of 25 seconds
• Start Envoy
• Create a client (either H1 or H2) and generate some traffic to ensure established connections
• Begin a reload or perform an LDS update
• Issue a request over the same connection that:
  • Begins 10s after the reload/LDS-update was initiated
  • Lasts for 30s (upstream service sleeps 30s before responding)
• Observe non-graceful connection termination

All tests were done using a concurrency of 1 to ensure a single listener/connection.

[dio]

cc. @ggreenway @alyssawilk

[alyssawilk]

Yeah, I think the HCM checks in at certain points in the request life cycle to see if it should drain, and if it's totally idle it doesn't pick it up very fast. It would be plausible to proactively inform the various HCMs to start drain, it'd just need to be done carefully (possibly batching, as doing them all at once could be labor intensive for high-QPS listeners)

[mattklein123]

Yeah this is a known issue. We have discussed in the past allowing the drain process to loop through all open connections. Also sending GOAWAY at request start would probably also work OK.

[alyssawilk]

I think goaway at request start would just reduce the impact a bit - we'd have the same race for a number of other circumstances (idle connection used shortly before drain completes, hanging GETs etc)

[mattklein123]

Yeah I agree it's just a slightly better bandaid. The iterate through all connections approach would be better.

[murray-stripe]

👋   Wanted to get your feedback on an approach before diving into an implementation since I'm
sure you all have a much better idea of what works and what doesn't.

It seems like the DrainManagerImpl is the common class that ties the HCM
(Http::ConnectionManager) which needs to react to a signal and the bits that generate the signal
(ListenerHandler, ListenerManagerImpl, and server::Instance). I'm not seeing a clear path from
all of the signal-emitters to the HCM that doesn't go through the drain manager, so I'm considering adding
a callback to the drain-manager that the connection-manager can use to register themselves.

ConnectionManagerImpl::ConnectionManagerImpl(/* ... params ...*/) {
    drain_manager_.registerOnDrain([this](const std::chrono::secionds drain_delay) -> void { 
        drain_timer_ = dispatcher_.createTimer([this]() { startDrainSequence(); });
        drain_timer.enable(drain_delay);
    });
  // ...
}

And now the drain-manager can perform the proactive drain:

void
DrainManagerImpl::startDrainSequence(std::function<void()> drain_complete_cb) {
    ASSERT(drain_complete_cb);
    ASSERT(!draining_);
    ASSERT(!drain_tick_timer_);
  
    // Retain atomic-bool write to keep above asserts valid
    draining_ = true;
  
    // Proactively push drain events according to the drain schedule
    const std::chrono::seconds no_wait = 0s;

    for (const auto& drain_cb : drain_cbs_) {
        if (server_.options().drainStrategy() == Server::DrainStrategy::Immediate) {
            drain_cb(no_wait);
        }
        ASSERT(server_.options().drainStrategy() == Server::DrainStrategy::Gradual);

        const MonotonicTime current_time = server_.dispatcher().timeSource().monotonicTime();
        if (current_time >= drain_deadline_) {
            drain_cb(no_wait);
        }

        // use routine to spread drain times out between span [current_time, drain_deadline_]
        const auto drain_at = get_drain_time(current_time, drain_deadline_);
        drain_cb(drain_at);
    }
  
    drain_tick_timer_ = server_.dispatcher().createTimer(drain_complete_cb);
    const std::chrono::seconds drain_delay(server_.options().drainTime());
    drain_tick_timer_->enableTimer(drain_delay);
    drain_deadline_ = server_.dispatcher().timeSource().monotonicTime() + drain_delay;
}

From my reading this had the advantage of:

• Allow the drain-manager to control the rate at which is drains listeners (as it does currently)
• A single point to handle batching (although unsure what this should look like)
• All existing code-paths that trigger drains to stay the same
• New connection managers can opt-in to either a pull or push-based system

Drawbacks??
This currently doesn't take into account any sort of batching and I'll admit that I don't fully
understand the performance concerns or what batching would look like (or by what dimensions we'd
batch).

cc @mattklein123 @alyssawilk

[mattklein123]

Yeah this sounds like a great plan to me. In the drain manager API let's make sure to return an RAII handle (see CallbackManager and callback_impl.h).