proxy: add handling for subprocess cleanup, retries

[skabbes]

As a result of #308, I spent quite a long time debugging up + my application code.

In the end there were errors in both places, for up - I tried to fix and prevent this debugging session from anyone in the future.

1. A network error was assumed to be a process crash, which is not always the case (this was actually causing lambda to run out of file descriptors for processes in this case)
2. A 'bad route' would backoff and retry forever
3. listen_timeout can guard against nonsense usage (longer than 30 seconds, when 30 seconds is the APIGateway limit).
4. unused function basic in internal/proxy/request.go

It seems that most of these have already been identified as issues, TODOS, so likely nothing surprising here. I know that I didn't follow the normal "discuss features before implementing them", so feel free to throw all this code away if you like.

Implementation Strategy
When the child http server encounters an error, asynchronously ensure it is cleanly shut down by sending a nice SIGINT followed by a SIGKILL after 10 seconds of non-response. This shutdown process is done in parallel with setting up a new child server (on a separate goroutine) in order to allow the proxy to serve traffic as fast as possible. However in order to prevent slow shutdowns from causing resource exhaustion like in #308 we make the channel blocking with N=3. In addition, I tried to add sufficient logging to help future developers debug and understand this in the future.

Known Bugs
none

Notable Omissions

• Even though process shutdown is aysnc from the http serving code, it is still serialized (failing processes aren't cleaned up concurrently with each other)
• SIGKILL delay is not configurable (naming suggestion: shutdown_timeout?). This would be particularly helpful in tests, since I have added a 10 second test :(
• A failed child process cannot be recognized until another request is made.
• Clean shutdown of relay.Proxy (and cleanup goroutine)
• Concurrent execution: The whole proxy class is serialized on the ServeHTTP entry point, since lambda operates this way anyway - I don't see a strong reason to layer this complexity in until a FaaS adds actual concurrent execution.

[skabbes]

Adding some self comments to try to direct the review.

[skabbes]

Not sure the vision here, but it did feel a little dirty to assume APIGateway in this part of the code.

[tj]

We could move that to a Validate() method in ./config/lambda.go, I suppose we should give it a little breathing room to ensure the error surfaces, API GW-level timeouts are a bit more annoying to troubleshoot

I didn't realize API GW's was so low, would definitely be nice to cap lambda.timeout to that as well.

[skabbes]

Hmm, I couldn't really find a great way to accomplish that without an import cycle. I went ahead and made Relay aware of what platform it is deployed on, so that it can validate itself based on that.

[skabbes]

This one was already done as far as I could tell. relay.New implements this.

[skabbes]

To stay lightweight, we could also launch this on demand.

[skabbes]

I was trying to keep the property that if we return an error, p is not mutated.

[tj]

SGTM!

[skabbes]

tightened this up even more.

[skabbes]

just kidding, this caused a pretty bad bug - reverting.

[skabbes]

No matter what, we have to wait for the Wait to return, otherwise we don't know if the resources were atually released.

[skabbes]

Not sure if you're aware, but if you use this and have failing tests - t.Helper() tells go to skip this stack frame for error reporting line numbers and use the parent stack frame. VERY helpful for knowing which tests actually failed.

[tj]

nice! yea I had read about it in the release notes but I haven't tried it

[skabbes]

This is effectively the test case that I was running into in prod, up-proxy thought my process failed (because of a network error), however in actuality it didn't. Therefore the process stayed around forever, and continued to use resource on the lambda container.

[skabbes]

I think this is a nice thing up can do, if your clean shutdown isn't working. I think all Lambda processes need to be kill-9 safe anyway

[skabbes]

unused?

[skabbes]

refactored this without adding deps, it was getting complex.

added:

• /env to fetch a key from process.env
• /close to stop accepting connections without killing the server
• /pid to fetch the pid
• /swallowSignals to install signal handlers

[tj]

woah awesome! Should be able to get to this today

[tj]

cool LGTM! thanks for digging into this, I don't see any issues, I'll pull it down and test it out.

the additional timeout option sounds good to me too

[tj]

We could move that to a Validate() method in ./config/lambda.go, I suppose we should give it a little breathing room to ensure the error surfaces, API GW-level timeouts are a bit more annoying to troubleshoot

I didn't realize API GW's was so low, would definitely be nice to cap lambda.timeout to that as well.

[tj]

I think b has b.Attempts we could utilize for this

[skabbes]

I also defaulted maxRetries to be config.Proxy.Backoff.Attmpets.

[tj]

SGTM!

[skabbes]

Ok, I think this is ready for re-review.

[tj]

did you have any issues running the tests from root? oddly they work every time in http/relay, but fail every time from root haha checking it out

[tj]

nvm, seems to be that gt program, go test works fine

[tj]

awesome 💥 , big thanks man!