MySQL and other server-speak-protocols require explicit configuration #339
Comments
|
There's a bunch of usability questions that this raises around automaticity vs convention vs configuration. Tentatively reslotting this for 0.4 to give us time to design and scope. |
IIUC, this determination would need to be made for each original destination address; and therefore connecting to an HTTP endpoint would always incur a wasted connection establishment:
Either that, or we'd need some way to offer a connection to the load balancer / connection pool. This cost may not be that high, but it does seem to be worse in the most common case--especially in the case where we fall back to DNS only to produce the original dst address. I think we'd want some way to avoid that unnecessary latency.
Is it the case that HTTP/TLS services never write data on the server socket before reading data from the client? It seems that there could be situations where injecting latency into the client could bypass protocol detection (and therefore policy). I assume this approach is fine, but want to double check this point. |
I wasn't proposing this method that involves throwing away a connection.
I'm proposing that every connection starts in the TCP load balancer and then migrates to the HTTP load balancer if/when we detect HTTP traffic.
TLS and HTTP are both client-speaks-first protocols.
Nothing here is relying on timeout-like logic so I don't think this is a concern. |
|
Sean and I discussed this today. Sean pointed out that requiring us to peek at incoming traffic from the server requires us to have a connection to the server, but our routing & load balancing for HTTP is totally designed to avoid making new connections to the server, and these two goals are at odds with each other. Many thoughts were shared regarding moving this forward. Now I'm less confident we can do this in a 100% zero-configuration way. However, absolute 100% zero configuration has never been a goal. Strawman "simplest thing that could possibly work" proposal:
In particular, this proposal is to NOT try to add any logic like described in the initial comment to detect server-speaks-first protocols, and this proposal is to DISABLE protocol detection for the IANA-assigned port numbers for server-speaks-first protocols. [edited]. |
|
We looked at Istio BookInfo's use of MySQL and it's pod/service definitions are using the IANA-assigned port for MySQL, so the proposal in the previous comment would get the BookInfo example, and probably many other use cases, working without any explicit configuration and with a simple and minimal code change. AFAICT the practical side effects are minimal. |
A possible expansion of this is to allow our list to be configurable, such that by default, we assume some certain list, and an environment variable could be used to override. This would allow 1) to add a port if not using a well-known one, 2) to disable some ports if using the well-known for HTTP. |
How would the user configure it? If they would configure it on a per-pod basis (in every |
From the proxy's point of view, it's just an environment variable, so like
I do think that's for the best, but we don't yet know how we would communicate that for outbound. Especially in cases where, as you mentioned, they may have their service outside of Kubernetes. For example, putting their MySQL server at |
What I meant was something like |
This sounds like a good short-term fix to me. I want to note one additional wrinkle: we currently need to skip ports for things like websockets (since the proxy currently fails to upgrade these streams), meaning that if an application communicates via websockets on port 80, we'll have to treat all http traffic as TCP. This is probably okay in the short-term, but just want to note that there are non-server-speaks-first use cases here that may impact usability more broadly. |
Agreed. This issue is about server-speaks-first protocols. #195 is about websockets. I don't think we have one about CONNECT but I think it's similar enough to websockets that we can consider #195 to be about it too. |
|
I've got a branch with this working, minus just one part: naming the ports in the environment variable. I'm not sure what that gets us, besides some additional complexity parsing. |
- Adds environment variables to configure a set of ports that, when an incoming connection has an SO_ORIGINAL_DST with a port matching, will disable protocol detection for that connection and immediately start a TCP proxy. - Adds a default list of well known ports: SMTP and MySQL. Closes #339 Signed-off-by: Sean McArthur <sean@seanmonstar.com>
- Adds environment variables to configure a set of ports that, when an incoming connection has an SO_ORIGINAL_DST with a port matching, will disable protocol detection for that connection and immediately start a TCP proxy. - Adds a default list of well known ports: SMTP and MySQL. Closes #339
- Adds environment variables to configure a set of ports that, when an incoming connection has an SO_ORIGINAL_DST with a port matching, will disable protocol detection for that connection and immediately start a TCP proxy. - Adds a default list of well known ports: SMTP and MySQL. Closes linkerd#339
Our protocol detection logic currently only works for client-speaks-first protocols--where the client immediately sends data upon the TCP connection completing. MySQL and some other protocols are server-speaks-first; the client won't send anything on the connection until the server sends something. We should change the protocol detection logic so that it is insensitive to which side speaks first, insofar as that is possible.
Currently in Conduit 0.2 we document that the user must explicitly configure the proxy to turn off L7 features for server-speaks-first protocols. This is counter to our goal to "just work" with zero configuration.
A potential strategy:
/cc @seanmonstar @olix0r @wmorgan
The text was updated successfully, but these errors were encountered: