Validate RLIMIT_NOFILE against limits.http_max_conns_per_client #7434
Conversation
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
cee0944
to
3adfcb5
Compare
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
b1d6422
to
d1c9c84
Compare
There was a problem hiding this comment.
Thank you for the PR!
Would it be possible to do this validation earlier in the flow? It seems like this check is validating a configuration option. Could it be validated as part of the config validation?
The lint timeout in CI should be fixed by #7496. It seems that the default timeout is 1 minute and sometimes it takes a bit longer.
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
2 times, most recently
from
a4e3f6e
to
27b4f78
Compare
|
@dnephin DONE, now, it fails with consul validate |
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
27b4f78
to
7373bcd
Compare
|
@dnephin DONE, with fix in unit test (since validation now fails), try to fix another unstable unit test in last commit Message: |
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
28692bd
to
9a9553a
Compare
hanshasselberg
added
the
waiting-reply
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
2 times, most recently
from
db25c61
to
e66bfbf
Compare
|
Unstable test for go-tests: Probably due to a VM issue, restarting test |
ghost
removed
the
waiting-reply
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
e66bfbf
to
9da0843
Compare
There was a problem hiding this comment.
Thank you for making those changes! I think I did not explain myself well in the previous comment. I was hoping we could do this validation in a single place as part of config validation.
I've left some comments below that I think will allow us to isolate this validation to a single package. Please let me know if I've missed something, or if that won't work for some reason.
|
@dnephin Fixed your concerns in the last commit |
agent/agent_test.go
Outdated
| # This value is more than max on Windows as well | ||
| http_max_conns_per_client = 16777217 | ||
| }` | ||
| _, _, validationError := TestConfigWithErr(testutil.Logger(t), config.Source{Name: t.Name(), Format: "hcl", Data: hcl}) |
There was a problem hiding this comment.
It can be difficult to understand what is being tested when test helpers hide the function-under-test. TestConfig as a helper for testing other code makes a lot of sense, but in this case since we are testing validate I think we want to be calling Builder.Validate or Builder.BuildAndValidate directly, not through a helper.
agent/config/agent_limits.go
Outdated
|
|
||
| // CheckLimitsFromMaxConnsPerClient check that value provided might be OK | ||
| // return an error if values are not compatible | ||
| func CheckLimitsFromMaxConnsPerClient(maxConnsPerClient int) error { |
There was a problem hiding this comment.
This can be unexported (checkLimitsFromMaxConnsPerClient) now that it is called from inside the same package.
agent/testagent.go
Outdated
|
|
||
| // TestConfig returns a unique default configuration for testing an | ||
| // agent. | ||
| func TestConfig(logger hclog.Logger, sources ...config.Source) *config.RuntimeConfig { |
There was a problem hiding this comment.
I think with the change suggested above (to call Builder.BuildAndValidate directly from the test), this new function won't be necessary .
I spent some time today on my local Mac to figure out why Consul 1.6.3+ was not accepting limits.http_max_conns_per_client. This adds an explicit check on number of file descriptors to be sure it might work (this is no guarantee as if many clients are reaching the agent, it might consume even more file descriptors) Anyway, many users are fighting with RLIMIT_NOFILE, having a clear message would allow them to figure out what to fix. Example of message (reload or start): ``` 2020-03-11T16:38:37.062+0100 [ERROR] agent: Error starting agent: error="system allows a max of 512 file descriptors, but limits.http_max_conns_per_client: 8192 needs at least 8212" ```
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
b196a28
to
5869ee6
Compare
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
5869ee6
to
f6b83a8
Compare
|
@dnephin DONE |
|
Hi Pierre, after a little internal discussion, what do you think about putting all the code into one place without exporting any of it? It could go all in config, without touching lib at all. |
|
@i0rek @dnephin DONE, moved limits*.go to config package + un-exported |
agent/config/agent_limits_test.go
Outdated
| @@ -0,0 +1,45 @@ | |||
| // +build !consulent | |||
There was a problem hiding this comment.
Was this by mistake? Why do we want to exclude this test on consulent ?
|
@i0rek @dnephin Oops, yes, I took it from another test, wrong copy/paste. Fixed in last commit |
pierresouchay
force-pushed
the
check_for_max_file_descriptors
branch
from
4bf6d49
to
1bd0553
Compare
I spent some time today on my local Mac to figure out why Consul 1.6.3+ was not accepting
limits.http_max_conns_per_client.This adds an explicit check on the number of file descriptors to be sure it might work (this is no guarantee as if many clients are reaching the agent, it might consume even more file descriptors)
Anyway, many users are fighting with
RLIMIT_NOFILE, having a clear message would allow them to figure out what to fix.Example of message (reload or start):