proxy is low performance

[sany98215]

I register an app service with /app1, when i access on the FF browser, I found long lantency than no gateway.
Then I trace the request ,found this:

HTTP/1.1 304 Not Modified
Content-Type: application/javascript; charset=UTF-8
Connection: keep-alive
Date: Tue, 08 Jun 2021 07:50:10 GMT
X-Kong-Upstream-Latency: 1
X-Kong-Proxy-Latency: 2009
Via: kong/2.2.1

some request have long lantency than 2s, try open log but found nothing.
I want to know why?

[sany98215]

Any suggestion?

[locao]

Hello @sany98215!
What do you get when sending the same request using curl or httpie?
Can you share the full request that is sent by Firefox using "copy as cURL" in "Web Developer Tools"?

[dndx]

Hello @sany98215,

2 seconds indeed seems very long. Could you enable debug logging for Kong and paste it here so we can tell better what is using the processing times?

[sany98215]

1. this is result of 'curl' command.

curl 'http://**ip:xx**/relax/rpc?tm=1623893642707' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' --compressed -H 'Content-Type: application/json' -H 'X-User-Lang: zh-CN' -H 'X-SR-A: 90183002906ab1b4ee7b81069242880d17a179a8dd5' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: http://101.201.146.190:32001' -H 'Connection: keep-alive' -H 'Referer: http://101.201.146.190:32001/relax/index.html;JSESSIONID=55830f1d-a92c-46be-be1a-6b6f456b2ab2' -H 'Cookie: _ga=GA1.1.1815228447.1623304649; _gid=GA1.1.1272375504.1623741763; sid=670500ea-b5de-4e00-88fa-e91d9fde9762' --data-raw '{"jsonrpc":"2.0","method":"/v2/license/getLicValidateResult","id":1,"params":[]}'
{"id":1,"jsonrpc":"2.0","result":{"resultType":"Success"}}

2. debug log
   log setting :
   /usr/local/share/lua/5.1/kong/templates/kong_defaults.lua

log_level= debug

and got those output:

2021/06/17 09:57:12 [debug] 181#0: *603 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:13 [debug] 183#0: *15532 [lua] init.lua:288: [cluster_events] polling events from: 1623894400.713
2021/06/17 09:57:14 [debug] 181#0: *603 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:14 [debug] 181#0: *603 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:14 [debug] 179#0: *50 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:14 [debug] 179#0: *50 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:18 [debug] 184#0: *15663 [lua] init.lua:288: [cluster_events] polling events from: 1623894400.713
2021/06/17 09:57:19 [debug] 185#0: *15630 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:19 [debug] 185#0: *15630 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:19 [info] 185#0: *15630 client 100.71.202.128 closed keepalive connection
2021/06/17 09:57:20 [debug] 184#0: *980 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:20 [debug] 184#0: *980 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:22 [debug] 181#0: *603 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:22 [debug] 181#0: *603 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:23 [debug] 185#0: *15782 [lua] init.lua:288: [cluster_events] polling events from: 1623894400.713
2021/06/17 09:57:26 [debug] 181#0: *603 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:26 [debug] 181#0: *603 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:27 [debug] 182#0: *14841 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:27 [debug] 182#0: *14841 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:28 [debug] 185#0: *11498 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:28 [debug] 185#0: *11498 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:28 [debug] 184#0: *7343 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:28 [debug] 184#0: *7343 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:28 [debug] 182#0: *15915 [lua] init.lua:969: balancer(): setting address (try 1): 10.103.255.178:9090
2021/06/17 09:57:28 [debug] 182#0: *15915 [lua] init.lua:998: balancer(): enabled connection keepalive (pool=10.103.255.178|9090, pool_size=60, idle_timeout=60, max_requests=100)
2021/06/17 09:57:28 [debug] 180#0: *15916 [lua] init.lua:288: [cluster_events] polling events from: 1623894400.713

[sany98215]

@dndx @locao

[sany98215]

@dndx @locao
I tried to trace every step and logged the result ,and I found where is latency came from:

----file is balance.lua:execute  ---
.......
local ip, port, hostname, handle                                         
  if balancer then                                                              
    -- have to invoke the ring-balancer
    local hstate = run_hook("balancer:get_peer:pre", target.host)    
    ip, port, hostname, handle = balancer:getPeer(dns_cache_only,               
                                          target.balancer_handle,               
                                          hash_value)            
    run_hook("balancer:get_peer:post", hstate)                                 
    if not ip and                                                          
      (port == "No peers are available" or port == "Balancer is unhealthy") then
      return nil, "failure to get a peer from the ring-balancer", 503           
    end                                                                     
    hostname = hostname or ip         
    target.hash_value = hash_value                                 
    target.balancer_handle = handle
                                                
  else                                                       
    -- have to do a regular DNS lookup
    local try_list                                                     
    local hstate = run_hook("balancer:to_ip:pre", target.host)
    ip, port, try_list = toip(target.host, target.port, dns_cache_only)
    run_hook("balancer:to_ip:post", hstate)                            
    hostname = target.host                               
    if not ip then           
      log(ERR, "DNS resolution failed: ", port, ". Tried: ", tostring(try_list))
      if port == "dns server error: 3 name error" or                            
         port == "dns client error: 101 empty record received" then
        return nil, "name resolution failed", 503                  
      end                                        
    end                                                                
  end               

......

Latency come from toip function, which is occasionally 2~4s latency! I don't know if it's related to k8s‘ CornDNS
And I need more help!

[dndx]

@sany98215

Thanks for the logs. It seems that the resolver that Kong is using for resolving the domain may be slow. Could you try to change the upstream address to IP and see if the latency disappears?

If so, then you will probably have to investigate on the slow resolver performance in order to solve this.

[sany98215]

Thanks for reply. When I change the upstream address to IP, the latency disappears. DNS is a CoreDNS service by K8s,which the Max latency is about 385ms,but the latency by Kong is 2s. What shoud i do next? At 2021-07-01 01:10:00, "Datong Sun" ***@***.***> wrote: @sany98215 Thanks for the logs. It seems that the resolver that Kong is using for resolving the domain may be slow. Could you try to change the upstream address to IP and see if the latency disappears? If so, then you will probably have to investigate on the slow resolver performance in order to solve this. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[locao]

@sany98215 please, check the DNS server latency, it is the most probable source of the latency you are experiencing:

$ dig @<dns-server-ip> <hostname>

You will get something like this:

$ dig @1.1.1.1 mockbin.org

; <<>> DiG 9.10.6 <<>> @1.1.1.1 mockbin.org
; (1 server found)
<redacted>

;; Query time: 154 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)

The Query time field says how long the server is taking to return this query.

[sany98215]

@locao
DNS server latency is about 1msec. here is output:
dig @10.96.0.10 relax.relax.svc.cluster.local

; <<>> DiG 9.16.15 <<>> @10.96.0.10 relax.relax.svc.cluster.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44059
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d187023902f5bbd4 (echoed)
;; QUESTION SECTION:
;relax.relax.svc.cluster.local. IN      A

;; ANSWER SECTION:
relax.relax.svc.cluster.local. 14 IN    A       10.103.194.226

;; Query time: 0 msec
;; SERVER: 10.96.0.10#53(10.96.0.10)
;; WHEN: Fri Jul 16 17:16:39 CST 2021
;; MSG SIZE  rcvd: 115

[dndx]

Hello @sany98215 ,

Is there any resolvers inside /etc/resolv.conf that may be running slow.

Kong uses all resolvers it can find from /etc/resolv.conf, so if some of them are slow or unreachable and some are fast, the resolving time would still jump up high sometimes.

[sany98215]

Hi ,@datong Sun! I just have one dns which is suplied by k8s. The difference is :Each Service is register as "{app}.{namespace}" , but the real domain name is {app}.{namespace}.svc.cluster.local. And the max latancy of "{app}.{namespace}.svc.cluster.local " is about 300ms from CoreDNS. At 2021-07-22 01:12:30, "Datong Sun" ***@***.***> wrote: Hello @sany98215 , Is there any resolvers inside /etc/resolv.conf that may be running slow. Kong uses all resolvers it can find from /etc/resolv.conf, so if some of them are slow or unreachable and some are fast, the resolving time would still jump up high sometimes. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[Tieske]

The latency reported by DNS is for a single query, not for the sequential queries of all types. k8s typically uses ndots=5 in the dns config and has a long list of domains to try. So that can be many queries to try.

What happens if you make multiple requests, such that Kong gets the opportunity to use its DNS cache (note that the cache is per worker process, so you might have to hit it several times before the latency goes down).

How is your service object (in Kong) configured?

That said, 2sec is still very long.

[sany98215]

Hi, @Tieske！ You are right! The latency came from many queries to try. The configure of serives is "http://{app}.{namespace}:{port}/{service_url}", but the real virtual domain name is `app.namespace.svc.cluster.local`. The first query to resolve 'app.namespace' is the main latency. But can you give some suggest for configuration in k8s? The service domain name come from three part:serviceName,namespace and defaut suffix of CoreDNS. At 2021-07-22 13:44:07, "Thijs Schreijer" ***@***.***> wrote: The latency reported by DNS is for a single query, not for the sequential queries of all types. k8s typically uses ndots=5 in the dns config and has a long list of domains to try. So that can be many queries to try. What happens if you make multiple requests, such that Kong gets the opportunity to use its DNS cache (note that the cache is per worker process, so you might have to hit it several times before the latency goes down). How is your service object (in Kong) configured? That said, 2sec is still very long. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[Tieske]

@sany98215 what happens if you try multiple requests? The dns cache should help, does it?

Also; typically only the first dns lookup is synchronous/in-band and causes a high latency on the first request. Refreshing is done in the background (async/out-of-band).

What you can try is to use an upstream entity in Kong (load balancer) since that will resolve the name up front iirc

[sany98215]

@Tieske Dns cache works, the percentage of low performance is very low. But the latency happend top requests every day.
So I think may be I was wrong in some configuration of kong and k8s .

[Tieske]

in general if there is no traffic for that service, for longer than the DNS record TTL, then it might be expelled from the cache, and the first request after will do a synchronous lookup again, causing the longer delay. As long as there is plenty of traffic, the updates will be in the background.

[locao]

I'm converting this to a discussion as this is not an issue with Kong itself.

[esatterwhite]

I'm seeing very slow response times from kong when under sustained work load and it doesn't seem to be dns resolution time

Run 1 is sending requests directly to a using the kubernetes fqdn for the service. Run 2 is sending requests to kong which is then sending requests to the same service. The workload for the runs is exactly the same.

The yellow line is the total response time for p95. When hitting the service directly, its averages 1.5 seconds. When hitting Kong it averages 5 seconds.

The median response time is oddly enough lower through kong than the service directly, but The p95 latency is exceedingly high.

[locao]

Just to make sure we are still talking about the same thing: this difference doesn't exist when you use IP addresses instead of FQDNs for the service, right?

[esatterwhite]

The FQDN to kong demonstrates the diffiference.
The FQDN to a Service in front of the application directly does not (skipping kong)

[esatterwhite]

The majority of this issue was a problem with the default load balancer w/ kong. Changing it to least-connections solved much of the problem.

But there is still quite a bit of additional latency going through kong ~100ms vs 10ms. There is only 1 plugin enabled - prometheus metrics

[esatterwhite]

to further clarify - effectively

curl -XPOST @data.json -H 'Host: debug.test.com'  -H 'Content-Type: application/json' https://kong.test.com 

vs

curl -XPOST @data.json -H 'Content-Type: application/json' http://debug-service.default.svc.cluster.local

[esatterwhite]

To eliminate the differences in dns resolution over the public internet, I pointed the same test and cluster local dns

• run 1 http://kong-proxy.kong.svc.cluster.local
• run 2 http://http-debug-service.default.svc.cluster.local

The ingress for kong in kubernetes has only 4 rules and 1 plugin