Postgres connection leaks

[zenazn]

What is the issue?

One of the primary uses my organization relies on Tailscale for is to connect to our production Postgres database from our employee laptops. We commonly use psql and a MacOS GUI named TablePlus. Our database runs inside Render, where we run a subnet router (currently version 1.22.2), I believe in userspace mode (but I might be making that up—the deployment is based on this)

Twice now, we've encountered issues with Tailscale-mediated connections to the database piling up, resulting in us saturating the maximum number of connections the database allows. The number of "extra" connections is far in excess of the number of connections we expect, and has the classic "sawtooth" pattern of a resource leak:

Our Postgres server is configured to use TCP keepalives to detect idle clients that have disappeared. I forget the exact settings, but they're pretty reasonable (~10m of inactivity, 5 probes every minute or similar). The leaked connections are all in state idle (and not idle in transaction or similar), so I'd expect the TCP keepalives to be an effective solution on an "ordinary" network.

Frustratingly for both of us, I'm not certain this is a Tailscale bug! But given the centrality of networking to my understanding of the problem, I figured I'd open a ticket anyways and see if you folks have any ideas (or have heard similar rumblings from other customers). As always, happy to provide more detail if needed. Given the slow speed of the leak, I obviously don't have much by means of reproducing test cases or smoking guns, but happy to do some legwork to collect data if that's helpful.

Steps to reproduce

No response

Are there any recent changes that introduced the issue?

No response

OS

Linux, macOS

OS version

No response

Tailscale version

1.22.2

Bug report

BUG-1b1b6d797befc704c22048932ffcb72ce2677f8c2c08667f3bf69a4a4ee1ae83-20220425231410Z-d0c5b4f2ec891f08

[DentonGentry]

It is a lot easier to imagine how tailscale might be breaking Postgres connections than it is to imagine keeping connections alive longer than expected.

When functioning as a subnet router I believe userspace-networking is forwarding packet-by-packet. It shouldn't be terminating the TCP connection on one side and making a new connection on the other, which is how one might imagine it could absorb TCP keepalives without passing them on to the other side.

IPv4: https://github.com/google/gvisor/blob/ef9e8d913185e6967eca7321daacad5693178ca8/pkg/tcpip/network/ipv4/ipv4.go#L607

IPv6: https://github.com/google/gvisor/blob/ef9e8d913185e6967eca7321daacad5693178ca8/pkg/tcpip/network/ipv6/ipv6.go#L891

[bradfitz]

When functioning as a subnet router I believe userspace-networking is forwarding packet-by-packet. It shouldn't be terminating the TCP connection on one side and making a new connection on the other, which is how one might imagine it could absorb TCP keepalives without passing them on to the other side.

Au contraire, the userspace subnet router can't relay packets. It has no such permissions. So it works by stitching together the incoming TCP connection with a new outgoing one that it makes.

[bradfitz]

Here's the code in netstack that does the outbound TCP dial and does an io.Copy in both directions to stitch it together:

https://github.com/tailscale/tailscale/blob/v1.24.0/wgengine/netstack/netstack.go#L718-L736

[bradfitz]

Sent #4534 but I'd like @raggi to check me on it.

[raggi]

In the userspace mode that you're in, TCP keepalives from postres would be somewhat ineffective, as the TCP connection will still be alive, as it happens to be terminated on localhost. Tailscale won't even see the keepalives, and the local kernel is handling both sides of IP control machinery. If there is no application data flowing, then Tailscale never reads anything from the postgres server, so there's nothing to pass along, and a offline or restarted peer also produces no traffic. In these cases, the connection lives forever.

#4542 implements always having TCP keepalive on for userspace hosted TCP connections, which will addresses the "lives forever" part of the problem in userspace mode. Unfortunately what this does not solve is that if an application desires a shorter keepalive time, that patch alone does not solve for the problem. I don't know if there is a way for userspace mode to detect peer keepalive tuning - that's something we can look into. We also could look into providing user tunable controls for the always-applied keepalive timings.

It's a little tempting to think about implementing some additional behavior even in tun mode as well to effectively simulate "a wire between two hosts" and actively notify connections when we know a client has been offline for some extended period, perhaps shorter than two hours (such as when we've decided the node is offline). This is a larger discussion that perhaps should split out into a separate bug.