Down backend server causes ~1500req/s to the Docker Swarm internal DNS

[elyulka]

Detailed Description of the Problem

I've noticed significant number of error messages apperaing at the rate of ~1500 per second in the Docker Daemon log looking like:

"error":"read udp 127.0.0.1:42034->127.0.0.11:53: i/o timeout",
"level":"error",
"message":"[resolver] failed to query DNS server: 127.0.0.11:53, query: ;efk_kibana.\\tIN\\t A"

This swarm service is currently down. Configuration works when service is up.
I've narrowed down issue to the running haproxy instances. Seems like all defined timeouts are ignored and haproxy constantly polls DNS server though it uses just 0.4% CPU.

Expected Behavior

Haproxy takes into account timeout settings and asks DNS at most once per second.

Steps to Reproduce the Behavior

1. Define Docker swarm stack with haproxy and down backend service.
2. Examine docker daemon log with journalctl -u docker.service

Do you have any idea what may have caused this?

No response

Do you have an idea how to solve the issue?

No response

What is your configuration?

global
    stats socket /var/run/haproxy.sock mode 660 expose-fd listeners level admin
    log     	 stderr len 65535 format raw local0

    chroot  	 /var/lib/haproxy
    pidfile 	 /var/run/haproxy.pid
    maxconn 	 10000

    spread-checks 5
    user    	 haproxy
    group   	 haproxy

    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # see https://ssl-config.mozilla.org/#server=haproxy&version=2.8&config=intermediate&openssl=1.1.1k&guideline=5.7
    # intermediate configuration
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # utilize system-wide crypto-policies
    #ssl-default-bind-ciphers PROFILE=SYSTEM
    # ssl-default-server-ciphers PROFILE=SYSTEM
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > ./dhparam
    ssl-dh-param-file /etc/haproxy/dhparam
    master-worker

resolvers docker
    # proably need to prefix with tcp@ if number of backends > 10
    nameserver dns1 127.0.0.11:53
    accepted_payload_size 8192 # allow larger DNS payloads
    resolve_retries 3

    timeout resolve 1s
    timeout retry   1s

    hold other      10s
    hold refused    10s
    hold nx         10s
    hold timeout    10s
    hold valid      10s
    hold obsolete   10s

defaults
    # fix many dockerd errors "[resolver] failed to query DNS server: 127.0.0.11:53, query: ;efk_kibana. IN AAAA"
    default-server resolve-prefer ipv4

    timeout queue           1m
    timeout connect         10s
    timeout client          30s
    timeout server          30s

    # Protection from Slowloris attacks
    timeout http-request    5s

    timeout http-keep-alive 10s
    timeout check           10s
    timeout tunnel          2m
    timeout client-fin      1s
    timeout server-fin      1s
    log-format '{"host":"%H","ident":"haproxy","pid":%pid,"time":"%Tl","haproxy":{"conn":{"act":%ac,"fe":%fc,"be":%bc,"srv":%sc},"queue":{"backend":%bq,"srv":%sq},"time":{"tq":%Tq,"tw":%Tw,"tc":%Tc,"tr":%Tr,"tt":%Tt},"termination_state":"%tsc","retries":%rc,"network":{"client_ip":"%ci","client_port":%cp,"frontend_ip":"%fi","frontend_port":%fp},"ssl":{"version":"%sslv","ciphers":"%sslc"},"request":{"method":"%HM","hu":"%HU","hp":"%HP","hq":"%[var(txn.querystring),json(utf8s)]","protocol":"%HV","header":{"host":"%[capture.req.hdr(0),json(utf8s)]","xforwardfor":"%[capture.req.hdr(1),json(utf8s)]","referer":"%[capture.req.hdr(2),json(utf8s)]"}},"name":{"backend":"%b","frontend":"%ft","server":"%s"},"response":{"status_code":%ST,"header":{"xrequestid":"%[capture.res.hdr(0),json(utf8s)]"}},"bytes":{"uploaded":%U,"read":%B}}}'
   
    error-log-format '{"host":"%H","ident":"haproxy","pid":%pid,"time":"%tr","haproxy":{"conn":{"act":%ac,"fe":%fc},"network":{"client_ip":"%ci","client_port":%cp},"ssl":{"version":"%sslv","ciphers":"%sslc","sni":"%[ssl_fc_sni,json(utf8s)]","is_resumed":%[ssl_fc_is_resumed,json(utf8s)]},"name":{"frontend":"%ft"}},"err":{"id":%[fc_err],"ssl_fc":%[ssl_fc_err],"ssl_c":%[ssl_c_err],"ssl_c_ca":%[ssl_c_ca_err]}}'
    log global

    mode http
    # options
    # option httplog
    option                  dontlognull
    option http-server-close
    # net yet supported by nginx, so skip adding IETF RFC7239 header
    option forwarded host by by_port for
    # add non-standard X-Forwarded-For header
    option forwardfor except 127.0.0.0/8
    option                  redispatch
    retries                 3
    # per frontend
    maxconn 	 5000
    backlog 131072

frontend fe_kibana
    bind *:5601 ssl crt /opt alpn h2,http/1.1
    http-request auth unless { http_auth(statcredentials) }
    http-request del-header Authorization
    acl host_app hdr_beg(host) -i "${APP_HOSTNAME}"
    use_backend be_kibana if host_app

backend be_kibana
    server-template kibana- 1 efk_kibana:5601 check resolvers docker init-addr libc,none

userlist statcredentials
    user "${HAPROXY_STATS_USER}"   insecure-password "${HAPROXY_STATS_PASSWORD}"

### Output of `haproxy -vv`

```plain
HAProxy version 2.8.7-1a82cdf 2024/02/26 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.7.html
Running on: Linux 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_PTHREAD_EMULATION=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_TFO=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_QUIC_OPENSSL_COMPAT=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX +PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 3.0.11 19 Sep 2023
Running on OpenSSL version : OpenSSL 3.0.11 19 Sep 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with Lua version : Lua 5.4.4
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.42 2022-12-11
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 12.2.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : prometheus-exporter
Available filters :
	[BWLIM] bwlim-in
	[BWLIM] bwlim-out
	[CACHE] cache
	[COMP] compression
	[FCGI] fcgi-app
	[SPOE] spoe
	[TRACE] trace

### Last Outputs and Backtraces

```plain
[NOTICE]   (1) : haproxy version is 2.8.7-1a82cdf
[NOTICE]   (1) : path to executable is /usr/local/sbin/haproxy
[WARNING]  (1) : config : log format ignored for frontend 'fe_stats' since it has no log address.
[NOTICE]   (1) : config : [/etc/haproxy/vhost_devops.cfg:72] : 'server be_kibana/kibana-1' : could not resolve address 'efk_kibana', disabling server.
[NOTICE]   (1) : New worker (8) forked
[NOTICE]   (1) : Loading success.

### Additional Information

_No response_

[einval22]

Hi Eugene and thanks a lot for all this information !

Could you please, dump here a strace log produced by the command below. Need to look on it in order to be sure, that it is haproxy processes, which perform constant polling:

strace -e all -T -tt -d -s 256 -n -f -p <haproxy master PID>

and

strace -e all -T -tt -d -s 256 -n -ff -p <haproxy master PID>

In docker-swarm mode container's built-in resolver, where haproxy runs, intercepts the DNS queries on 127.0.0.11:53 and sends them to Docker Engine's DNS server. If Docker Engine's DNS server can't resolve request, it is forwarded to the configured default DNS server.

There a bunch of issues that has been already reported in another GitHUB projects about this container's built-in resolver. If you could enable and provide its logs here, it would be very useful as well.

Another hypothesis: could you, please retry your back-end config either with only libc method or with only none for init-addr setting, in order to see if such behavior will change ?

backend be_kibana
    server-template kibana- 1 efk_kibana:5601 check resolvers docker init-addr libc

backend be_kibana
    server-template kibana- 1 efk_kibana:5601 check resolvers docker init-addr none

Thanks in advance,
Regards

[elyulka]

Hi Valentine! I'm glad to help you. Here traces you asked for.

root@staging-devops1:~# strace -e all -T -tt -d -s 256 -n -f -p 2395
strace: new tcb for pid 2395, active tcbs:1
strace: ptrace_setoptions = 0x5f
strace: PTRACE_GET_SYSCALL_INFO works
strace: attach to pid 2395 (main) succeeded
strace: Process 2395 attached
strace: [wait(0x80057f) = 2395] WIFSTOPPED,sig=SIGTRAP,EVENT_STOP (128)
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
strace: pid 2395 has TCB_STARTUP, initializing it
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:04:30.068294 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=282489681}) = 0 <0.001102>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:04:30.072642 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=282529643}) = 0 <0.000137>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:04:30.073132 [ 232] epoll_wait(3,

root@staging-devops1:~# strace -e all -T -tt -d -s 256 -n -ff -p 2395
strace: new tcb for pid 2395, active tcbs:1
strace: ptrace_setoptions = 0x5f
strace: PTRACE_GET_SYSCALL_INFO works
strace: attach to pid 2395 (main) succeeded
strace: Process 2395 attached
strace: [wait(0x80057f) = 2395] WIFSTOPPED,sig=SIGTRAP,EVENT_STOP (128)
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
strace: pid 2395 has TCB_STARTUP, initializing it
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:05:31.360585 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=282699427}) = 0 <0.000516>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:05:31.362717 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=282735322}) = 0 <0.000725>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:05:31.364134 [ 232] epoll_wait(3, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
[], 200, 60000) = 0 <60.054833>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:06:31.419835 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=282829639}) = 0 <0.000129>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:06:31.420227 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=282878744}) = 0 <0.000131>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:06:31.420558 [ 232] epoll_wait(3, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
[], 200, 60000) = 0 <60.058247>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:07:31.479176 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=282961721}) = 0 <0.000166>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:07:31.479665 [ 228] clock_gettime(CLOCK_THREAD_CPUTIME_ID, strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
{tv_sec=0, tv_nsec=283008077}) = 0 <0.000200>
strace: [wait(0x00857f) = 2395] WIFSTOPPED,sig=133
strace: next_event: queued pid 2395
strace: next_event: dequeued pid 2395
17:07:31.480420 [ 232] epoll_wait(3,

[elyulka]

No luck with neither libc or none for init-addr.
libc seems to ignore prefer-ipv4 and produces next syslog:

udp 127.0.0.1:52251->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=0eea4220f02fdc5b traceID=f6d56604a2e1d98303c2e9dfc59c8982
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.971151015Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:39383" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:39383->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=074b7cf8a1295d5d traceID=e63034cfe60e40758a52ec77639a5c0e
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.971598204Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:49472" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:49472->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=5468142f62df0afe traceID=777bc98f04e4ddd8ebde95cefbce87f4
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.844589775Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:55322" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:55322->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=ebd1d2b17538485b traceID=b134371525f80f9aec63eac5050db856
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.972026512Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:40833" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:40833->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=ac85017799613f39 traceID=4f6f054822ac0a5fb02070269120d70d
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.972753230Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:58068" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:58068->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=9270b4b73b84569a traceID=d5c873874927ae70107caa67327132e4
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.974732868Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:37385" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:37385->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=af6a2163b16187e8 traceID=3fac90f5df0d5f7d52f968b9dcaa4cd3
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.974897208Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:50767" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:50767->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=c4d5c4a6ea7e5c3e traceID=58eded0fb9230fc595704b47368a967d
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.975149911Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:51236" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:51236->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=034a8c1756525ede traceID=7f6eb1b6d3514668cb0a14f5f8e592f8
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.975317376Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:53404" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:53404->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=b4ae52db5f17735c traceID=8fc5bf5ea925625d9a5dc0ad0aa5b99b
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.975452788Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:58344" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:58344->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=fd9fbbf76e8eb280 traceID=121603b581b3a462ebe7b407c1dfd436
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.975679193Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:42898" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:42898->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=5e2cc44201f8ee68 traceID=9fb5464be0721b79de6ba9ccc8b625b2
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.862888775Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:46827" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:46827->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=1440c460032f532b traceID=02cb2c6598ca614887014a2a275cab99
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.863445692Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:43973" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:43973->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=aa6592294ffbaa78 traceID=6ee77dc187b923ee172f1ba5260032ff
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.977160755Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:59833" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:59833->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=cfaf303bcdba5b64 traceID=375a6e16ea9ae53e4d20ada69a5d72ab
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.977483601Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:52833" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:52833->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=97ac493ee61e0aec traceID=9d381bfbd86a318da6db280a1a56a1d2
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.864537737Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:43269" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:43269->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=04df22db4f6c958b traceID=7d7b652e37c93681c556b36468b3d4c7
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.979071371Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:50508" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:50508->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=449eca97e84b2636 traceID=cecf8bebfc46e5c3d4a987916daa2571
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.866503091Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:37770" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:37770->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=2da17f90c0c8d341 traceID=2c60b7fa727e8e838f25df6780100910
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.982958802Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:38544" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:38544->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=bec60786816b8133 traceID=2efbd94829caba8065f9f318d7c2e8ac
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.983270120Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:34311" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:34311->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=390cb247b624da24 traceID=f00cc62a4655c2f50df36e809850d640
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.762033280Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:57267" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:57267->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t AAAA" spanID=2102c8a8937e494d traceID=77141c31ace8d268904e2c6225f5ca5d
Mar 26 17:22:24 staging-devops1 dockerd[825]: time="2024-03-26T17:22:24.803392987Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:127.0.0.1:42637" dns-server="udp:127.0.0.11:53" error="read udp 127.0.0.1:42637->127.0.0.11:53: i/o timeout" question=";efk_kibana.\tIN\t A" spanID=2a1b49845d92e764 traceID=9ec62b6c893202b79f24868d2d397b80

[elyulka]

Here i attached workers, they are much more noisier than master process.
worker-103431.txt
worker-103432.txt

[elyulka]

I've enabled temporarily docker daemon debug log. Attaching syslog grepped by "resolve"
syslog.txt

[einval22]

Hi Eugene, thanks a lot for logs !

Nothing suspicious in strace logs in terms of constant querying of 127.0.0.11:53.

I don't decline the possibility of bug in our DNS resolvers part.

To investigate further, could you please collect for this case haproxy logs or what it sends to stdout/stderr, please.

We also need a tcpdump on the interface, which is used by container's built-in resolver.

And could you please, connect to haproxy stats socket and dump the stats for resolvers with the following commands:

$ socat /var/run/haproxy.sock stdio
prompt
> show resolvers

I'll try to reproduce on my side such behavior.

Many thanks in advance,
Regards

[einval22]

Hi Eugene,

No luck with neither libc or none for init-addr. libc seems to ignore prefer-ipv4 and produces next syslog:

As you defined in you config "resolvers docker" section, it means that for the be_kibana backend you are using the internal haproxy resolver, not the internal libc resolver.

So, the right syntax for the server-template line will be:

server-template kibana- 1 efk_kibana:5601 check resolvers docker resolve-prefer ipv4

I guess, you probably know it, but just in case, haproxy internal resolver by default uses IPv6, same as libc's behavior, and there is possibility to use at preference IPv4 addresses from the DNS answer, if resolve-prefer ipv4 is set.

You've set it for the default-server, but this seem to be overridden in the be_kibana backend section by "check resolvers docker init-addr libc,none".

So, would you please, try the backend setting above, when efk_kibana is down, and give us the feedback on it.

Many thanks in advance
Kind regards,

[elyulka]

@vkssv
Here is tcpdump of localhost interface producing thousands of errors in syslog:
tcpdump.txt

Here is tcpdump with protocol decoding enabled:
tcpdump-decoded.txt

Tcpdump without port filter:
tcpdump-any-port.txt

Here is show resolvers two consecutive outputs with interval of 2-3s.

root@0b11c7683e24:/# date &&  echo 'show resolvers' | socat /var/run/admin-socket/haproxy.sock stdio
Sun Apr 14 11:13:34 UTC 2024
Resolvers section docker
 nameserver dns1:
  sent:        3573884
  snd_error:   0
  valid:       3402239
  update:      1315
  cname:       0
  cname_error: 0
  any_err:     0
  nx:          0
  timeout:     0
  refused:     0
  other:       11
  invalid:     0
  too_big:     0
  truncated:   0
  outdated:    171628
Resolvers section default
 nameserver 127.0.0.11:
  sent:        0
  snd_error:   0
  valid:       0
  update:      0
  cname:       0
  cname_error: 0
  any_err:     0
  nx:          0
  timeout:     0
  refused:     0
  other:       0
  invalid:     0
  too_big:     0
  truncated:   0
  outdated:    0

root@0b11c7683e24:/# date &&  echo 'show resolvers' | socat /var/run/admin-socket/haproxy.sock stdio
Sun Apr 14 11:13:37 UTC 2024
Resolvers section docker
 nameserver dns1:
  sent:        3573919
  snd_error:   0
  valid:       3402272
  update:      1315
  cname:       0
  cname_error: 0
  any_err:     0
  nx:          0
  timeout:     0
  refused:     0
  other:       11
  invalid:     0
  too_big:     0
  truncated:   0
  outdated:    171631
Resolvers section default
 nameserver 127.0.0.11:
  sent:        0
  snd_error:   0
  valid:       0
  update:      0
  cname:       0
  cname_error: 0
  any_err:     0
  nx:          0
  timeout:     0
  refused:     0
  other:       0
  invalid:     0
  too_big:     0
  truncated:   0
  outdated:    0

dig down service:

root@0b11c7683e24:/# dig mon_prometheus
;; communications error to 127.0.0.11#53: timed out
;; communications error to 127.0.0.11#53: timed out
;; communications error to 127.0.0.11#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> mon_prometheus
;; global options: +cmd
;; no servers could be reached

dig up service:

root@0b11c7683e24:/# dig whoami_whoami

; <<>> DiG 9.18.24-1-Debian <<>> whoami_whoami
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18941
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;whoami_whoami.			IN	A

;; ANSWER SECTION:
whoami_whoami.		600	IN	A	172.16.200.58

;; Query time: 4 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sun Apr 14 11:52:10 UTC 2024
;; MSG SIZE  rcvd: 60

[einval22]

Hi Eugene,

Thanks a lot for tcpdumps and stats.

A thing that seems a bit strange for the current moment and need some explanation from your side, is:

in the tcpdump-any-port.txt, taken within haproxy container, I can see ~88 UDP packets: seems to be DNS requests, according to its size, all sent to 127.0.0.11.33339

$ cat tcpdump-any-port.pcap | grep 'localhost.38796 > 127.0.0.11.33339'
localhost.38796 > 127.0.0.11.33339: UDP, length 56
localhost.38796 > 127.0.0.11.33339: UDP, length 39
localhost.38796 > 127.0.0.11.33339: UDP, length 46

And then I see from the same dump that 127.0.0.11.53 (not 33339 !) delivers responses only to some of these clients ports, for instance:

11:42:44.262292 IP (tos 0x0, ttl 64, id 62213, offset 0, flags [DF], proto UDP (17), length 77)
localhost.40254 > 127.0.0.11.33339: UDP, length 49 ===> never replied

11:42:44.262461 IP (tos 0x0, ttl 64, id 56723, offset 0, flags [DF], proto UDP (17), length 77)
localhost.41713 > 127.0.0.11.33339: UDP, length 49 ===> this one was replied with ServFail
...
11:42:50.081605 IP (tos 0x0, ttl 64, id 63943, offset 0, flags [DF], proto UDP (17), length 66)
127.0.0.11.domain > localhost.41713: 62324 ServFail- 0/0/0 (38)

From this dump we can see, that a lot UDP packets, sent to 127.0.0.11.33339, did not have any response.

Could you, please, dump within haproxy container: netstat -enuap > netstat.txt 2>&1 and ps auxf > ps.txt 2>&1
On the host machine, where haproxy container runs, it is interesting to have a look to iptables-save -c output.

Resolver's stats seems not high ~11 reqs/s, but it is useful to look at haproxy logs as well:

$ sudo docker service logs haproxy-service

According to resolver stats, strace output and tcpdump-any-port.txt, it feels, that it is rather some misconfiguration at container level (systemd-resolver is running ? ), than haproxy resolver issue.

Another idea that helps to clarify more, is try to start only one efk_kibana container with --endpoint-mode vip
instead of --endpoint-mode dnsrr.

1. stop all efk_kibana containers
2. start and run 1-2 minutes only one efk_kibana container with --endpoint-mode vip
3. attach strace to haproxy process : strace -e all -T -tt -s 256 -n -p <haproxy worker PID>,
   launch tcpdump -nei lo udp -w lo.pcap, collect resolvers stats for some seconds.
4. stop efk_kibana container
5. continue to collect tcpdump and haproxy strace for a minute.

This helps to check if there is a problem with internal container's resolver.

Many thanks in advance,
Regards

[elyulka]

Thanks for quick reply. I've gathered some more information you asked for:

netstat.txt

ps.txt

iptables-save-c.txt

haproxy.log

I've manually removed whoami stack this time to reproduce errors as you can see from haproxy output log.

Yes, systemd-resolver is running. During errors dockerd and systemd-resolver show increased cpu usage. It seems like querying not existing domain with resolver limited to the internal docker one causes some infinite loop somewhere.