Haproxy in docker stack won't start

cmeis · January 11, 2024, 1:30pm

I wanted to spin up a local test instance of OpenRemote today. I was following the quickstart from GitHub - openremote/openremote: 100% open-source IoT Platform - Integrate your devices, create rules, and analyse and visualise your data using this (unmodified) docker-compose.yml: https://raw.githubusercontent.com/openremote/openremote/master/docker-compose.yml

I tried this on several hosts, in our local lab and a datacenter. All were running some kind of RHEL-ish distro, most AlmaLinux 8 oder 9.
No other applications / containers are running on those machines.

The haproxy from the docker stack is stuck in a start loop with the following log entries:

openremote-proxy-1       | [INFO][2024-01-11 13:27:34] HAPROXY_USER_PARAMS:
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] PROXY_LOGLEVEL: info
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] LUA_PATH:
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] CERT_DIR: /deployment/certs
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] LE_DIR: /deployment/letsencrypt
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] Checking HAProxy configuration: /etc/haproxy/haproxy.cfg
openremote-proxy-1       | Configuration file is valid
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] Starting crond
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] cert_init...waiting 10s for haproxy to be ready
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] Starting monitoring process
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] HAProxy starting
openremote-proxy-1       | [INFO][2024-01-11 13:27:34] Monitoring config file '/etc/haproxy/haproxy.cfg' and certs in '/deployment/certs' for changes...
openremote-proxy-1       | [NOTICE]   (1) : haproxy version is 2.7.8-58c657f
openremote-proxy-1       | [ALERT]    (1) : Not enough memory to allocate 1073741815 entries for fdtab!
openremote-proxy-1       | [ALERT]    (1) : No polling mechanism available.
openremote-proxy-1       |   This may happen when using thread-groups with old pollers (poll/select), or
openremote-proxy-1       |   it is possible that haproxy was built with TARGET=generic and that FD_SETSIZE
openremote-proxy-1       |   is too low on this platform to support maxconn and the number of listeners
openremote-proxy-1       |   and servers. You should rebuild haproxy specifying your system using TARGET=
openremote-proxy-1       |   in order to support other polling systems (poll, epoll, kqueue) or reduce the
openremote-proxy-1       |   global maxconn setting to accommodate the system's limitation. For reference,
openremote-proxy-1       |   FD_SETSIZE=1024 on this system, global.maxconn=536870889 resulting in a maximum of
openremote-proxy-1       |   1073741815 file descriptors. You should thus reduce global.maxconn by 536870396. Also,
openremote-proxy-1       |   check build settings using 'haproxy -vv'.
openremote-proxy-1       |
openremote-proxy-1 exited with code 1

Has anybody seen this and has some quick pointers as to where / how to fix this?
Or do I have to do some deep diving myself?

Best regards,
Christian

cmeis · January 11, 2024, 1:46pm

Oh, and I forgot to mention this before: As there’s the obvious line “Not enough memory” - all test machines had at least 32 GB of RAM free at the time of testing. I suppose this should be enough for a simple test setup?

Christian

martin.peeters · January 11, 2024, 4:17pm

Looks like this is causing the issue;

github.com/haproxy/haproxy

Removed limit in Docker Engine 23 breaks existing config file

opened 03:03PM - 13 Feb 23 UTC

kamulos

type: bug status: needs-triage

### Detailed Description of the Problem So this might be perfectly intentiona…l, but I wanted to raise awareness, that this broke our system: On Arch Linux the Docker Engine got the update to version 23.0.1. In this the nofile hard limit is now 1073741816. Because haproxy is allocating resources based on the hard limit I get the following error message when I start the haproxy now in the docker container: ``` [NOTICE] (1) : haproxy version is 2.8-dev3-e74d77b [NOTICE] (1) : path to executable is /usr/local/sbin/haproxy [ALERT] (1) : Not enough memory to allocate 1073741815 entries for fdtab! [ALERT] (1) : No polling mechanism available. This may happen when using thread-groups with old pollers (poll/select), or it is possible that haproxy was built with TARGET=generic and that FD_SETSIZE is too low on this platform to support maxconn and the number of listeners and servers. You should rebuild haproxy specifying your system using TARGET= in order to support other polling systems (poll, epoll, kqueue) or reduce the global maxconn setting to accommodate the system's limitation. For reference, FD_SETSIZE=1024 on this system, global.maxconn=536870885 resulting in a maximum of 1073741815 file descriptors. You should thus reduce global.maxconn by 536870396. Also, check build settings using 'haproxy -vv'. ``` ### Expected Behavior I would expect haproxy to choose reasonable limits even if the nofile limit is really big. This issue might be frustrating for anyone who stumbles on it. But obviously this can easily be fixed by setting a `maxconn` value, which could be reasonable anyway. ### Steps to Reproduce the Behavior 1. Use archlinux or any System, that uses an unchanged Docker Engine 23.0.1 2. create a haproxy container with an empty config file 3. start the container ### Do you have any idea what may have caused this? Maybe this: https://github.com/containerd/containerd/commit/c691c36614622b205a859ae7e656badb4a553076 ### Do you have an idea how to solve the issue? _No response_ ### What is your configuration? ```haproxy empty config file in docker container ``` ### Output of `haproxy -vv` ```plain Our system currently uses haproxy 2.4, but this also occurs with haproxy 2.8-dev HAProxy version 2.8-dev3-e74d77b 2023/02/04 - https://haproxy.org/ Status: development branch - not safe for use in production. Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open Running on: Linux 6.1.11-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 09 Feb 2023 20:06:08 +0000 x86_64 Build options : TARGET = linux-glibc CPU = generic CC = cc CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION -QUIC +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=8). Built with OpenSSL version : OpenSSL 1.1.1n 15 Mar 2022 Running on OpenSSL version : OpenSSL 1.1.1n 15 Mar 2022 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 Built with Lua version : Lua 5.3.3 Built with the Prometheus exporter as a service Built with network namespace support. Support for malloc_trim() is enabled. Built with libslz for stateless compression. Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with PCRE2 version : 10.36 2020-12-04 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with gcc compiler version 10.2.1 20210110 Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available multiplexer protocols : (protocols marked as <default> cannot be specified using 'proto' keyword) h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG <default> : mode=HTTP side=FE|BE mux=H1 flags=HTX h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG <default> : mode=TCP side=FE|BE mux=PASS flags= none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG Available services : prometheus-exporter Available filters : [BWLIM] bwlim-in [BWLIM] bwlim-out [CACHE] cache [COMP] compression [FCGI] fcgi-app [SPOE] spoe [TRACE] trace ``` ### Last Outputs and Backtraces _No response_ ### Additional Information _No response_

Seems like adding maxconn to the HAProxy config is necessary.
@Rich any idea or suggestions?

cmeis · January 11, 2024, 4:23pm

Yeah, that looks like it. Docker is on version 24 on all our systems.
I suppose there’s no easy way to change the haproxy config with rebuilding the docker image myself?

martin.peeters · January 12, 2024, 9:26am

As mentioned in the docker-compose.yml file you sent,
you can provide a custom config usingthe HAPROXY_CONFIG environment variable.
The config file we use can be found here.

Our proxy image is available on GitHub here, but it’s basically only a wrapper around HAProxy.
Feel free to use a different proxy, or use the repo and build a local image if you need to.

cmeis · January 12, 2024, 11:55am

Hi Martin,

thanks for taking your time to answer here. I loaded a custom config with a global maxconn for haproxy, which let’s it start correctly.
After that I cannot even get any webpage, I just get an empty page. dev console shows requests for manager_config.json, keycloak.min.js, or.json run into a 404. A request for /register gives a 403.

I found some posts about putting a default manager_config.json to the deployment folder, but that doesn’t get picked up there as it seems (still 404).

All in all it seems that’s not a way to quickly fire up a basic local test instance of OpenRemote (which is what I wanted to to basically, while fiddling around with some ideos for usage).

I’ll have to drop it here and perhaps revisit this if I can make some more free time to experiment.

Thanks for now and have a nice weekend!
Christian

Rich · January 31, 2024, 12:03pm

Thanks for bringing this to our attention. I have now created a new openremote/proxy:latest image which should solve the problem, just pull this latest image:

docker compose -p or pull proxy

NOTE: if you are using a custom haproxy.cfg then you might need to make changes as haproxy seems to have made breaking changes to how they process " within redirect statements.

system · March 1, 2024, 12:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.