tripleo

HAproxy's redis check missing OK response on AUTH request

Bug #1843535 reported by Radoslaw Smigielski on 2019-09-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Medium	Radoslaw Smigielski	tripleo train-3

Bug Description

HAproxy config section for redis looks like this:

listen redis
  bind 10.17.1.12:6379 transparent
  balance first
  option tcp-check
  option tcplog
  tcp-check send AUTH\ password\r\n
  tcp-check send PING\r\n
  tcp-check expect string +PONG
  tcp-check send info\ replication\r\n
  tcp-check expect string role:master
  tcp-check send QUIT\r\n
  tcp-check expect string +OK
  ....

And that works when auth was suncesful. But in fact there is one response missing in the tcp-check section, just after "tcp-check send AUTH", redis server sends back "+OK", which is missing above.
Here is how it looks like:

[root@overcloud-controller-1 containers]# nc 172.17.1.15 6379
AUTH password
+OK <----- missing response in tcp-check

See original description

Tags:

Radoslaw Smigielski (radoslaw-smigielski) on 2019-09-11

Changed in tripleo:
assignee:	nobody → Radoslaw Smigielski (radoslaw-smigielski)

Radoslaw Smigielski (radoslaw-smigielski) on 2019-09-11

description:

updated

OpenStack Infra (hudson-openstack) on 2019-09-11

Changed in tripleo:
status:	New → In Progress

Revision history for this message

Bogdan Dobrelya (bogdando) wrote on 2019-09-13:

The tcp-check pattern is quite common for other services we have behind HAProxy. Do you think we should double-check the remaining services are not affected by the same issue?..

Changed in tripleo:
importance:	Undecided → Medium
milestone:	none → train-3

Revision history for this message

Radoslaw Smigielski (radoslaw-smigielski) wrote on 2019-09-13:

hi Bogdan,
This TCP check is unique because of the way how Redis cluster works with one active master and two slaves. It's specific to Redis only so this is not related to other services.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-13: Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/681385
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=fb602da597d90f1472be45f0c893dbe4a72e4651
Submitter: Zuul
Branch: master

commit fb602da597d90f1472be45f0c893dbe4a72e4651
Author: Radoslaw Smigielski <email address hidden>
Date: Wed Sep 11 13:12:48 2019 +0200

Add missing response to Redis tcp-check in HAProxy

HAProxy Redis configuration contains the tcp-check section.
That tcp-check section is missing authentication response.

Auth request:
> tcp-check send AUTH\ password\r\n

Should be followed by:
> expect string +OK

This make sure we won't continue when auth was not suncesful.

Change-Id: Ia4d615a2a038f0b2e5e33f4b0eabe7f777a74145
Closes-Bug: #1843535

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-21: Fix included in openstack/puppet-tripleo 11.3.0

This issue was fixed in the openstack/puppet-tripleo 11.3.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.