TCP connection is closed when HTTP upstream returns a 503 & retries are enabled

[julia-stripe]

Title: TCP connection is closed when HTTP upstream returns a 503

Description:

When a HTTP upstream returns a 503 and retries are enabled, Envoy closes the TCP connection to the upstream (with a FIN packet). This is really confusing because it doesn't happen when retries are disabled, which makes me think that it may be a bug in Envoy.

This is similar to #5022 but it's different enough (a FIN, not a RST, and the behavior depends on the HTTP headers sent) that I decided to open a separate issue.

Repro steps:

To start Envoy & the upstream server:

git clone https://gist.github.com/julia-stripe/41fdc36f96b33c1e0e1708376fb7540d
cd 41fdc36f96b33c1e0e1708376fb7540d
ruby ./server.rb # start a server that always returns 503s
envoy -c ./envoy-config.yaml  --service-cluster test --service-node test

To cause the connection to be closed after each request:

curl localhost:8190 -i -H "x-envoy-retry-on: 5xx" -H "x-envoy-max-retries: 1"

To make a similar request that *doesn't result in the connection being closed:

curl localhost:8190 -i

tcpdump

• tcpdump-503s.pcap. Note that every connection is closed almost immediately by Envoy after the response is received.
• tcpdump-503s-no-retry.pcap. Note that in this packet capture almost all of the requests happen over the same TCP connection.

The only difference between these two packet captures is retry HTTP headers -- they're running with exactly the same Envoy configuration & server.

Admin and Stats Output:

In this gist:

https://gist.github.com/julia-stripe/ced04325aa7ce299a2304f7374b236c0

Config:

https://gist.githubusercontent.com/julia-stripe/41fdc36f96b33c1e0e1708376fb7540d/raw/5b574fe26d9f7cd29139f53bcdf711870c4af5e7/envoy-config.yaml

[mattklein123]

Yeah as described this is likely a bug. Will need some research so marking help wanted.

[julia-stripe]

My guess from looking through the code is that the connection is being closed here:

envoy/source/common/router/router.cc

Lines 768 to 770 in 6b56612

	if (!end_stream) {
	upstream_request_->resetStream();
	}

I don't really understand what the end_stream boolean is supposed to signify there, but my best guess is that the intention of that code is to reset the HTTP/2 stream in the case of a retry (why?), and that in the HTTP/1 case this results in the TCP connection being closed.

[mattklein123]

end_stream indicates whether it is a header-only response or not. If end_stream is false, we must reset the upstream stream to indicate that we no longer care about potentially large amounts of body data.

What I suspect is happening here is that in some code paths, HTTP/1.1 responses are raised as headers with end_stream as false, followed by an empty body with end_stream as true. It might also be that your server is actually sending a body with the response. Do you know? Either way, we end up in a situation similar to the other ticket you opened. HTTP/2 solves this case also.

Now, if we are in a situation in which there is no HTTP/1.1 body (can you confirm) it's possible we can do a code change to make sure that response gets raised as end_stream = true and then we wouldn't reset/close the stream which for HTTP/1.1 results in connection close.

[julia-stripe]

Can confirm that:

1. The content length of the HTTP response from the upstream is 0 (the body is empty)
2. end_stream is being set to false
3. The line where end_stream is being set to false in this case is

   envoy/source/common/http/http1/codec_impl.cc

   Line 718 in 6b56612

   pending_responses_.front().decoder_->decodeHeaders(std::move(headers), false);

we must reset the upstream stream to indicate that we no longer care about potentially large amounts of body data.

I'm confused about this -- why do we need to reset the upstream stream when the request is meant to be retried, but not if retries are turned off? It seems to me like Envoy should behave the same way regardless of whether the request is retried.

I checked that https://github.com/envoyproxy/envoy/compare/master...julia-stripe:avoid-closing-503s?expand=1 partially fixes this issue (when retries are on & the content-length is 0, the connection is no longer closed), but the retries on / retries off behaviour still doesn't match when the body is nonempty.

[mattklein123]

I'm confused about this -- why do we need to reset the upstream stream when the request is meant to be retried, but not if retries are turned off? It seems to me like Envoy should behave the same way regardless of whether the request is retried.

When retries are disabled, we proxy the 503, with body or not. Thus, nothing is reset. If we are retrying, we must cancel the upstream response so that we can start a new one. They are very different paths.

If there is no body, the appropriate fix here is not in the router, it would be in the HTTP/1.1 codec or the codec client (would need to be investigated) to make sure that the response is raised is a header only response with end_stream = true. If you look at the HTTP/1.1 codec there is already some logic there to deal with cases like this (I can't remember if on the request or response path or both).

[julia-stripe]

If we are retrying, we must cancel the upstream response so that we can start a new one. They are very different paths.

Why are the paths so different? I think there's some basic fact about Envoy's design I'm missing. Is there an invariant like "there can be only be one upstream request at a time per request that Envoy is handling"?

The patch I linked (https://github.com/envoyproxy/envoy/compare/master...julia-stripe:avoid-closing-503s?expand=1) is in the HTTP/1.1 codec -- does that look right to you?

[mattklein123]

Why are the paths so different? I think there's some basic fact about Envoy's design I'm missing. Is there an invariant like "there can be only be one upstream request at a time per request that Envoy is handling"?

It's the same reason as why we close HTTP/1.1 connections that timeout. It's the simplest thing to do. If we don't reset the stream, what do we do with it? We need to back hole the data, have an extra timeout, etc. It's a lot of logic for no good reason.

The patch I linked (https://github.com/envoyproxy/envoy/compare/master...julia-stripe:avoid-closing-503s?expand=1) is in the HTTP/1.1 codec -- does that look right to you?

Yes at quick glance that patch looks correct. I would work on some tests and then we can discuss further in code review. This is the only fix we can reasonably do here. For responses with body we will continue to reset the stream, and the best solution is to move to HTTP/2 if this type of performance is important to you.

[julia-stripe]

It's the same reason as why we close HTTP/1.1 connections that timeout. It's the simplest thing to do. If we don't reset the stream, what do we do with it?

The thing I don't understand yet is why the retry & not-retry cases are so different. You said we proxy the 503 in the not-retry case -- is the point that every request needs to be either proxied or cancelled, and there's no third option for "something went wrong with this request, just let it finish"?

Definitely point taken that switching to HTTP/2 is the right answer here -- I'm really just trying to take this as an opportunity to understand how Envoy works internally a little better :)

[mattklein123]

is the point that every request needs to be either proxied or cancelled, and there's no third option for "something went wrong with this request, just let it finish"?

Effectively yes. We must maintain state of any type of request/stream that is ongoing. This state is non-trivial with lots of corner cases. So, in the retry case, we have implicitly said: "We no longer care about this response stream, so kill it." If we don't kill it, we have to track it, black hole it, have additional timeouts, etc. It would be very complicated for no legitimate product reason to add that complexity. Hopefully that helps?