Info: Everything we do on 1.0.6 to minimise 503s

[Stono]

I've had several chats with people recently so I'm putting there here to capture everything we do on 1.0.6 to deal with 503's, and then people can tell me what shouldn't be required as of 1.1.x.

The combination of all these things we see little 503's in the mesh, and basically none at the edge.

On the VirtualService for every service, we configure the envoy retry headers:

spec:
  http:
  - appendHeaders:
      x-envoy-max-retries: "10"
      x-envoy-retry-on: gateway-error,connect-failure,refused-stream

On the DestinationRule for high QPS (3k/sec over 6 pods) applications, we configure outlier detection, this would result in 400-500errors to 2-5, during a pod restart.

spec:
  trafficPolicy
    outlierDetection:
      maxEjectionPercent: 50
      baseEjectionTime: 30s
      consecutiveErrors: 5
      interval: 30s

On the pods, we configure the application container to have a preStop sleep, which gives time for the unready state of the pod (during termination) to populate to other envoys and the traffic to drain:

    lifecycle:
      preStop:
        exec:
          command:
          - sleep
          - "10"

On envoy, we have a custom pre-stop hook that waits for the primary application to stop listening:

#!/bin/bash
set -e
if ! pidof envoy &>/dev/null; then
  exit 0
fi

if ! pidof pilot-agent &>/dev/null; then
  exit 0
fi

while [ $(netstat -plunt | grep tcp | grep -v envoy | wc -l | xargs) -ne 0 ]; do
  sleep 3;
done
exit 0

In the istio config we do policyCheckFailOpen: true

[stefanprodan]

How do you add the pre-stop hook to Envoy? Can it be done in the injection webhook config?

[Stono]

Yeah I build a custom image for the sidecar with the pre stop script in it, and then I modify the injector template to have the preStop hook

…

On Sat, 2 Mar 2019, 9:33 am Stefan Prodan, ***@***.***> wrote: How do you add the pre-stop hook to Envoy? Can it be done in the injection webhook config? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#12183 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABaviUvUVH-ftcl7NVVH669VkrKJJ4A4ks5vSkVogaJpZM4bZdzt> .

[Stocco]

Hello @Stono thanks for the info. We are afraid of adding the retry policy in all services because of the worries if the apps will handle duplicate transactions in case of envoy sending the request again for whatever reason he wants to.
However, in istio 1.0.5 we are not seeing 503' anymore as we were seeing on versions <= 1.0.2 we only have 503/404 errors when pilot starts to have problems.
Now for clarifications, what does the outlierDetection part means? It will affect envoy circuit break definitions?

[Stono]

Hey the retry I use is only for gateway unavailable etc, a real transaction should not get through (which is why I specify the criteria explicitly). The outlier detection is envoys circuit breaker. We found when a pod was going down, upstream envoys would still try and send traffic to it until they got updated mesh config, the circuit breaker for us quickly excluded those terminating pods (rather than loads of 503s). This was particularly useful on very high qps pods. Karl

…

On Sat, 2 Mar 2019, 10:58 am Stocco, ***@***.***> wrote: Hello @Stono <https://github.com/Stono> thanks for the info. We are afraid of adding the retry policy in all services because of the worries if the apps will handle duplicate transactions in case of envoy sending the request again for whatever reason he wants to. However, in istio 1.0.5 we are not seeing 503' anymore as we were seeing on versions <= 1.0.2 we only have 503/404 errors when pilot starts to have problems. Now for clarifications, what does the outlierDetection part means? It will affect envoy circuit break definitions? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#12183 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABavie8IdZ6kL1znMBNRB_0GYobHf-Bjks5vSllGgaJpZM4bZdzt> .

[mumoshu]

@Stono Hey! Thanks for sharing this. Really helped me shape the general direction I should go.

On the VirtualService for every service, we configure the envoy retry headers:

Sounds great. If I add one thing, we should ensure that only idempotent requests are retried.

Instead of:

spec:
  http:
  - appendHeaders:
      x-envoy-max-retries: "10"
      x-envoy-retry-on: gateway-error,connect-failure,refused-stream

We should probably do:

spec:
  http:
  - match:
    - method:
        exact: get
    appendHeaders:
      x-envoy-max-retries: "10"
      x-envoy-retry-on: gateway-error,connect-failure,refused-stream
    route:
    - destination:
        host: ratings.prod.svc.cluster.local
  - route:
    - destination:
        host: ratings.prod.svc.cluster.local

Sry if you've already done this/and my suggestion didn't work in any way. I just couldn't help leaving a note :)

[Stono]

@mumoshu I actually think for gateway-error,connect-failure,refused-stream you're safe to retry POST, PUT etc too, as those errors mean the request never made it to the target application anyhoo.

It's all a bit moot in 1.1.0 anyway as this retry stuff happens transparently!

[mumoshu]

Also, I agree that the prestop sleep is a must-have, and it isn't actually Istio or workload specific as far as I can say. I even hope we can extend the Istio's Sidecar resource it accept prestop sleep length.

Envoy, hence Istio, is eventually consistent. To make our Envoys/Istio sidecars and ingress gateways NOT to accidentally send traffic to "just-stopped" endpoints, we need a special care.

// I did had to add such prestop sleeps to my envoy upstreams when using a vanilla envoy with STRICT_DNS as a front proxy, for the same reason

The "special care" here seems to be a "grace period", to prevent the envoy sidecar and the app container from exiting, after your pod receives SIGTERM, until other envoys stops sending traffic to it.

Probably the only way to implement this "grace period" today is to build your own sidecar image and add the prestop sleep?
Then I think Sidecar resource should better enhanced to accept the sleep length for ease of use. Just my two cents.

[mumoshu]

@Stono Thanks for clarifying. Maybe you're correct!

But my impression was that, if gateway-error stands for 502, envoy still have a chance to receive it after they transferred your POST request to the upstream, the upstream processed it and prepared a response, but then the connection between the envoy and the upstream failed. We won't like envoy to retry the POST request in this case, though?

I hope I'm thinking too much and this doesn't happen in reality :)

[iandyh]

@mumoshu Hello. I've sent a PR to add the preStop to gateway deployment.

[mumoshu]

@iandyh Hey! Just took a quick look at your PR #12342 - I think we need to consider two cases,

The one is sidecar -> gateway, and the another is gateway -> sidecar, sidecar -> sidecar.

Your workaround of adding sleep 30 to the gateway should work, only in a way that all the other sidecars who wants to talk to the gateway has a grace period of 30 seconds until it stops traffic to the gateway.

That is, we may also need to add sidecars prestop sleeps, for gateway -> sidecar and sidecar -> sidecar cases.

[iandyh]

@mumoshu sidecar actually does not talk to gateway since gateway only route the traffic into the cluster.

We are actually going to add the preStop hook to all the deployments in our cluster because regardless using istio or not, there is a chance of request drop during rolling update of these deployments.