Bind health-check listeners on binding_ip and v4v6 #904
peanball merged 1 commit into cloudfoundry:master
peanball
left a comment
Looks great. Extends the logic for v4v6 to the health check endpoints, where it was so far missing.
Approving for CI.
| <%- if enable_additional_health_check_proxy -%> | ||
| listen health_check_http_tcp-<%= tcp_proxy["name"] %>_proxy_protocol | ||
| bind :<%= tcp_proxy["health_check_http"] + 1 %> accept-proxy | ||
| bind <%= p("ha_proxy.binding_ip") %>:<%= tcp_proxy["health_check_http"] + 1 %> accept-proxy <%= v4v6 %> |
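Review bot: the `v4v6` interpolation on the new `bind <binding_ip>:<port> accept-proxy <v4v6>` line is unconditional, while the keyword only changes behaviour for the default address; the rendered line is correct only because the template sets the `v4v6` ERB variable solely when `binding_ip` is `::` and `ha_proxy.v4v6` is enabled (as established in the conversation). Suggest a template spec case asserting that a specific IPv4 `binding_ip` renders `bind 1.2.3.4:<port> accept-proxy` with no trailing keyword, so a later refactor of that variable cannot silently emit `v4v6` on an IPv4 address.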
v4v6 somewhat negates the binding IP I think. It's only used with the default address (i.e. when it's not explicitly given). Binding to 1.2.3.4:8080 v4v6 will not magically bind an IPv6 socket if I understand the HAProxy docs correctly.
Can you test whether those settings might be mutually exclusive on a real setup, or rather if they have the effect you desire?
Never mind, the v4v6 flag is only set if the binding ip is :: (i.e. IPv6 default address) and the v4v6 config property is set:
haproxy-boshrelease/jobs/haproxy/templates/haproxy.config.erb, lines 171 to 178 in f072fbf
This is just an extension of what we have in other locations that was just never applied to health checks.
The four health-check listeners (`health_check_http_url`, its PROXY protocol variant, and the per-tcp-proxy `health_check_http_tcp-<name>` pair) previously bound on `:<port>`, which is IPv4-wildcard only. On IPv6-only deployments (`binding_ip: "::"`) the listeners were unreachable, causing monit host checks against `localhost` (IPv4) to fail and restart HAProxy.

Bind them on `ha_proxy.binding_ip` and append `v4v6` like the other frontends so dual-stack works when `ha_proxy.v4v6` is enabled.

Behavior change: when `binding_ip` is set to a specific IPv4 address, the health-check listeners now bind only on that address instead of all IPv4 interfaces. Operators probing health via a different NIC must update their probe targets accordingly.

Co-authored-by: jakobve <[email protected]>
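As an added example (not code from this release or PR), the check below scans a constructed haproxy.cfg excerpt for the `:<port>` pattern the description calls out and mirrors the review's rule for when the `v4v6` keyword is emitted; the section names, ports and `render_health_check_bind` helper are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed haproxy.cfg excerpt (not from the release): health-check listeners as
# rendered before the change, next to frontends already using binding_ip "::" + v4v6.
SAMPLE_CFG = """\
frontend https-in
    bind :::443 v4v6
listen health_check_http_url
    bind :8080
listen health_check_http_url_proxy_protocol
    bind :8081 accept-proxy
listen health_check_http_tcp-mytcp
    bind :::9000 v4v6
"""

SECTION_RE = re.compile(r"^\s*(?:frontend|listen)\s+(\S+)")
BIND_RE = re.compile(r"^\s*bind\s+(\S+)(.*)$")


def classify_bind(address: str, options: str = "") -> str:
    """Address family served by one 'bind <addr>:<port> [opts]' line.
    Assumes a single address per bind line (HAProxy also accepts comma lists)."""
    host, _, _port = address.rpartition(":")
    if host in ("", "0.0.0.0"):          # ':8080' is the IPv4 wildcard only
        return "ipv4-only"
    if host == "::":                     # IPv6 wildcard; v4v6 forces dual-stack
        return "dual-stack" if "v4v6" in options.split() else "ipv6-default"
    return "specific-address"


def listener_families(cfg: str) -> Dict[str, str]:
    """Map each frontend/listen section to the family of its bind line."""
    families, section = {}, None
    for line in cfg.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := BIND_RE.match(line)) and section:
            families[section] = classify_bind(m.group(1), m.group(2))
    return families


def ipv4_only_health_checks(cfg: str) -> List[str]:
    """Health-check listeners an IPv6-only probe (binding_ip '::') cannot reach."""
    return sorted(name for name, fam in listener_families(cfg).items()
                  if name.startswith("health_check_http") and fam == "ipv4-only")


def render_health_check_bind(binding_ip: str, v4v6_enabled: bool, port: int,
                             accept_proxy: bool = False) -> str:
    """Hypothetical helper mirroring the template rule from the review:
    the v4v6 keyword is emitted only when binding_ip is '::' and ha_proxy.v4v6 is set."""
    v4v6 = " v4v6" if (binding_ip == "::" and v4v6_enabled) else ""
    return f"bind {binding_ip}:{port}{' accept-proxy' if accept_proxy else ''}{v4v6}"
```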
peanball
left a comment
approving for CI, hopefully one final time :)