HAproxy's redis check missing OK response on AUTH request

Bug #1843535 reported by Radoslaw Smigielski
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Medium
Radoslaw Smigielski

Bug Description

HAproxy config section for redis looks like this:

listen redis
  bind 10.17.1.12:6379 transparent
  balance first
  option tcp-check
  option tcplog
  tcp-check send AUTH\ password\r\n
  tcp-check send PING\r\n
  tcp-check expect string +PONG
  tcp-check send info\ replication\r\n
  tcp-check expect string role:master
  tcp-check send QUIT\r\n
  tcp-check expect string +OK
  ....

And that works when auth was suncesful. But in fact there is one response missing in the tcp-check section, just after "tcp-check send AUTH", redis server sends back "+OK", which is missing above.
Here is how it looks like:

[root@overcloud-controller-1 containers]# nc 172.17.1.15 6379
AUTH password
+OK <----- missing response in tcp-check

Tags: puppet
Changed in tripleo:
assignee: nobody → Radoslaw Smigielski (radoslaw-smigielski)
description: updated
Changed in tripleo:
status: New → In Progress
Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

The tcp-check pattern is quite common for other services we have behind HAProxy. Do you think we should double-check the remaining services are not affected by the same issue?..

Changed in tripleo:
importance: Undecided → Medium
milestone: none → train-3
Revision history for this message
Radoslaw Smigielski (radoslaw-smigielski) wrote :

hi Bogdan,
   This TCP check is unique because of the way how Redis cluster works with one active master and two slaves. It's specific to Redis only so this is not related to other services.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/681385
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=fb602da597d90f1472be45f0c893dbe4a72e4651
Submitter: Zuul
Branch: master

commit fb602da597d90f1472be45f0c893dbe4a72e4651
Author: Radoslaw Smigielski <email address hidden>
Date: Wed Sep 11 13:12:48 2019 +0200

    Add missing response to Redis tcp-check in HAProxy

    HAProxy Redis configuration contains the tcp-check section.
    That tcp-check section is missing authentication response.

    Auth request:
        > tcp-check send AUTH\ password\r\n

    Should be followed by:
        > expect string +OK

    This make sure we won't continue when auth was not suncesful.

    Change-Id: Ia4d615a2a038f0b2e5e33f4b0eabe7f777a74145
    Closes-Bug: #1843535

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 11.3.0

This issue was fixed in the openstack/puppet-tripleo 11.3.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.