OpenStack Identity (keystone)

allow disable wsgi keepalive

Bug #1260406 reported by Edward Hope-Morley on 2013-12-12

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Edward Hope-Morley	OpenStack Identity (keystone) 2014.1 "icehouse"

Bug Description

The wsgi server used in most if not all openstack services currently has keepalive=True by default thus keeping connections open after each request. This can cause problems when using load balancers in front of these services since connections for requests that take a long time can get closed/timeout in the load balancers. This can then cause issues for clients that persist their connections e.g. if a client performs a request using the same source port as a previous request that is not closed in the LB but still open in the server due to TCP packet sequencing in the LB and the new client not expecting the connection to already be open. So, it would be useful to be able to either disable wsgi keepalive or set the tcp_keealive timeout value on the wsgi socket like in cinder:

https://github.com/openstack/cinder/blob/master/cinder/wsgi.py#L169

See original description

Edward Hope-Morley (hopem) on 2013-12-12

Changed in keystone:
assignee:	nobody → Edward Hope-Morley (hopem)
status:	New → In Progress

Revision history for this message

Dolph Mathews (dolph) wrote on 2013-12-13:

Can you add the other affected services to this bug?

Edward Hope-Morley (hopem) on 2013-12-13

description:

updated

Revision history for this message

Edward Hope-Morley (hopem) wrote on 2013-12-13:

Dolph, having looked closer the other services (at least Nova, Glance, Cinder) already enable SO_KEEPALIVE and provide an optional tcp_keepidle so that should be sufficient for now. I will simply port that functionality to keystone for now and we can add/modify if necessary.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-12-13: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/62036

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-02-07: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/62036
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e71f615d9f15595cec163e4fe78c0cd3796ad397
Submitter: Jenkins
Branch: master

commit e71f615d9f15595cec163e4fe78c0cd3796ad397
Author: Edward Hope-Morley <email address hidden>
Date: Fri Dec 13 15:30:49 2013 +0000

Adds tcp_keepalive and tcp_keepidle config options

    Currently the wsgi server will not close connections once requests
    complete and will not enable keepalive on it's wsgi sockets. This can
    be a problem for those who need to align the server keepalive with
    load balancer timeouts without modifying system keepalive settings.

    To remedy this we add new config options tcp_keepalive and
    tcp_keepidle which are disabled by default to remain backwards
    compatible.

    DocImpact: "new config options for wsgi tcp_keepalive & tcp_keepidle"
    Closes-bug: bug 1260406
    Co-authored-by: Hirofumi Ichihara <email address hidden>
    Change-Id: Ic53402c57e1ebe44cde4c18e5e15200dcbbcb04b

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-03-05

Changed in keystone:
milestone:	none → icehouse-3
status:	Fix Committed → Fix Released

Dolph Mathews (dolph) on 2014-03-05

Changed in keystone:
importance:	Undecided → Medium

Thierry Carrez (ttx) on 2014-04-17

Changed in keystone:
milestone:	icehouse-3 → 2014.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.