From 5220a8c5c453b780caea6aaefa30734019785d69 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Tue, 11 Apr 2023 08:04:04 +0200 Subject: [PATCH] BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions Timeouts for dynamic resolutions are not handled at the stream level but by the resolvers themself. It means there is no connect, client and server timeouts defined on the internal proxy used by a resolver. While it is not an issue for DNS resolution over UDP, it can be a problem for resolution over TCP. New sessions are automatically created when required, and killed on excess. But only established connections are considered. Connecting ones are never killed. Because there is no conncet timeout, we rely on the kernel to report a connection error. And this may be quite long. Because resolutions are periodically triggered, this may lead to an excess of unusable sessions in connecting state. This also prevents HAProxy to quickly exit on soft-stop. It is annoying, especially because there is no reason to not set a connect timeout. So to mitigate the issue, we now use the "resolve" timeout as connect timeout for the internal proxy attached to a resolver. This patch should be backported as far as 2.4. --- src/resolvers.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/resolvers.c b/src/resolvers.c index 632d90611..692099554 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -3245,7 +3245,7 @@ void resolvers_setup_proxy(struct proxy *px) px->conn_retries = 1; px->timeout.server = TICK_ETERNITY; px->timeout.client = TICK_ETERNITY; - px->timeout.connect = TICK_ETERNITY; + px->timeout.connect = 1000; // by default same than timeout.resolve px->accept = NULL; px->options2 |= PR_O2_INDEPSTR | PR_O2_SMARTCON; } @@ -3714,8 +3714,11 @@ int cfg_parse_resolvers(const char *file, int linenum, char **args, int kwm) } if (args[1][2] == 't') curr_resolvers->timeout.retry = tout; - else + else { curr_resolvers->timeout.resolve = tout; + curr_resolvers->px->timeout.connect = tout; + } + } else { ha_alert("parsing [%s:%d] : '%s' expects 'retry' or 'resolve' and