Health Discovery Service

[htuch]

The v2 APIs introduce HDS - https://github.com/lyft/envoy-api/blob/master/api/hds.proto (@amb67). It works as follows (pasting in the .proto comment):

1. Envoy starts up and if its can_healthcheck option in the static bootstrap config is enabled, sends HealthCheckRequest to the management server. It supplies its capabilities (which protocol it can health check with, what zone it resides in, etc.).
2. In response to (1), the management server designates this Envoy as a healthchecker to health check a subset of all upstream hosts for a given cluster (for example upstream Host 1 and Host 2). It streams HealthCheckSpecifier messages with cluster related configuration for all clusters this Envoy is designated to health check. Subsequent HealthCheckSpecifier message will be sent on changes to:
   a. Endpoints to health checks
   b. Per cluster configuration change
3. Envoy creates a health probe based on the HealthCheck config and sends it to endpoint(ip:port) of Host 1 and 2. Based on the HealthCheck configuration Envoy waits upon the arrival of the probe response and looks at the content of the response to decide whether the endpoint is healthy or not. If a response hasn’t been received within the timeout interval, the endpoint health status is considered TIMEOUT.
4. Envoy reports results back in an EndpointHealthResponse message. Envoy streams responses as often as the interval configured by the management server in HealthCheckSpecifier.
5. The management server collects health statuses for all endpoints in the cluster (for all clusters) and uses this information to construct EDS DiscoveryResponse messages.
6. Once Envoy has a list of upstream endpoints to send traffic to, it load balances traffic to them without additional health checking. It may use inline healthcheck (i.e. consider endpoint UNHEALTHY if connection failed to a particular endpoint to account for health status propagation delay between HDS and EDS).

This issue will track implementation work on HDS.

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[sschepens]

@htuch Been meaning to test and probably use HDS, I bumped into #5279 though, which made me think.
What's the status of HDS?
What things remain to be done? It would be great to have a list of TODOs, i can probably tackle some of them.
For example, I find that the EndpointHealthResponse which get's sent to the control plane is probably lacking information, like which cluster the target belongs to.
I can also imagine HDS being a bit more intelligent, like not responding healthchecks with a fixed interval (using healthchecks interval?), responding only when status has changed or a new stream has been established.

[htuch]

@sschepens I left some notes in #5279 (comment).

If you'd like to continue to drive HDS, taking it from its current alpha status to production ready, that would be totally rad. I'd be happy to do reviews and have design discussions. We'd like to iterate here. It's likely that Google will also have bandwidth to help with the implementation in the next 1-2 quarters, but no guarantees at this point.

[sschepens]

@htuch I'd be totally willing to have me and my team continuing with HDS and hopefully get it production ready.
What would be the channel for having design discussions? I also want to understand previous deisgn decisions.

[htuch]

@sschepens this PR or Slack; we could create an HDS channel. Also, happy to do Hangouts meeting to context dump.

[banks]

I see that health moved out of service/discovery/v2 into it's own service/health/v3 for v3. Is that actually usable now? I tried to run a v3 service and bootstrap Envoy with:

hds_config:
  api_type: GRPC
  transport_api_version: V3
  grpc_services:
  - envoy_grpc:
      cluster_name: xds_cluster
  set_node_on_first_message_only: true

but I see in logs it's failing with unknown service envoy.service.discovery.v2.HealthDiscoveryService still. This is Envoy 1.14.1.

I don't think I see differences from v2 yet just wondering what the "right" way to work with HDS is now v2 is supposed to be deprecated?

If I can get the basics working here I might end up able to find resources to contribute to any additional work needed here as this could become a critical feature for us in the next 6 months or so.

[htuch]

@banks yeah, I think you're seeing the effect of #10609

[banks]

I'm also struggling to get HDS to work at all in 1.14.1. I can file a bug separately if that helps but not sure if it's expected to be working per this open issue state.

Whenever I send HealthChecks for a cluster (I've tried both with static clusters and clusters delivered via xDS) Envoy crashes:

Envoy Debug output

[2020-04-29 14:21:18.511][3530335][debug][upstream] [external/envoy/source/common/upstream/health_discovery_service.cc:187] New health check response message cluster_health_checks {
  cluster_name: "cluster-00000"
  health_checks {
    timeout {
      seconds: 1
    }
    interval {
      seconds: 5
    }
    http_health_check {
      host: "localhost"
      path: "/v1/agent/self"
    }
  }
}
interval {
  seconds: 5
}

[2020-04-29 14:21:18.511][3530335][debug][upstream] [external/envoy/source/common/upstream/health_discovery_service.cc:140] New health check response message cluster_health_checks {
  cluster_name: "cluster-00000"
  health_checks {
    timeout {
      seconds: 1
    }
    interval {
      seconds: 5
    }
    http_health_check {
      host: "localhost"
      path: "/v1/agent/self"
    }
  }
}
interval {
  seconds: 5
}

[2020-04-29 14:21:18.511][3530335][debug][upstream] [external/envoy/source/common/upstream/health_discovery_service.cc:169] New HdsCluster config name: "cluster-00000"
connect_timeout {
  seconds: 1
}
per_connection_buffer_limit_bytes {
  value: 32768
}
health_checks {
  timeout {
    seconds: 1
  }
  interval {
    seconds: 5
  }
  http_health_check {
    host: "localhost"
    path: "/v1/agent/self"
  }
}
load_assignment {
  endpoints {
  }
}

[2020-04-29 14:21:18.511][3530335][debug][upstream] [external/envoy/source/common/upstream/health_discovery_service.cc:228] Creating an HdsCluster
[2020-04-29 14:21:18.516][3530335][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
[2020-04-29 14:21:18.516][3530335][critical][backtrace] [bazel-out/darwin-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:91] Backtrace (use tools/stack_decode.py to get line numbers):
[2020-04-29 14:21:18.516][3530335][critical][backtrace] [bazel-out/darwin-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:92] Envoy version: 3504d40f752eb5c20bc2883053547717bcb92fd8/1.14.1/clean-getenvoy-902f20f-envoy/RELEASE/BoringSSL
[2020-04-29 14:21:18.516][3530335][critical][backtrace] [bazel-out/darwin-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:104] Caught Abort trap: 6, suspect faulting address 0x7fff70d6d2c2
[2020-04-29 14:21:18.516][3530335][critical][backtrace] [bazel-out/darwin-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:91] Backtrace (use tools/stack_decode.py to get line numbers):
[2020-04-29 14:21:18.516][3530335][critical][backtrace] [bazel-out/darwin-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:92] Envoy version: 3504d40f752eb5c20bc2883053547717bcb92fd8/1.14.1/clean-getenvoy-902f20f-envoy/RELEASE/BoringSSL
AsyncClient 0x9a30d00, stream_id_: 15660133565381783220
&stream_info_:
  StreamInfoImpl 0x9a30eb0, protocol_: 1, response_code_: null, response_code_details_: via_upstream, health_check_request_: 0, route_name_:
fish: 'envoy -c ./bootstrap.yaml -l de…' terminated by signal SIGABRT (Abort)

One interesting thing is that the initial message is repeated - I've checked and as far as I can see my control plane (a simple test app running locally) is not sending the message twice on the stream.

I also spent about an hour trying to get stack_decode.py to work on a Mac and failed - potentially because this binary (from getenvoy.io) has debug symbols stripped anyway?

Happy to file this as a separate issue if that's most useful.

Does anyone have a basic example of a HDS check actually working in 1.14 or 1.15 they can share?

I think we'd need the TODO item of specific endpoint checks rather than cluster level ones eventually but just trying to see the mechanism work for now!

[banks]

I realised that I was missing actually specifying the actual Endpoints as I wrongly assumed from docs it was going to get that from the cluster spec.

Even with that I still see the same crash. Also interesting is that the protobuf dump of the thing I sent uses different field names than the actual v2 HDS proto definition:

[2020-04-29 16:15:19.112][3773067][debug][upstream] [external/envoy/source/common/upstream/health_discovery_service.cc:169] New HdsCluster config name: "cluster-00000"
connect_timeout {
  seconds: 1
}
per_connection_buffer_limit_bytes {
  value: 32768
}
health_checks {
  timeout {
    seconds: 1
  }
  interval {
    seconds: 5
  }
  http_health_check {
    host: "localhost"
    path: "/v1/agent/self"
  }
}
load_assignment {
  endpoints {
    lb_endpoints {
      endpoint {
        address {
          socket_address {
            address: "127.0.0.1"
            port_value: 8500
          }
        }
      }
    }
  }
}
[2020-04-29 16:15:19.112][3773067][debug][upstream] [external/envoy/source/common/upstream/health_discovery_service.cc:228] Creating an HdsCluster
[2020-04-29 16:15:19.113][3773067][debug][upstream] [external/envoy/source/common/upstream/upstream_impl.cc:275] transport socket match, socket default selected for host with address 127.0.0.1:8500
[2020-04-29 16:15:19.116][3773067][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)

load_assignment where the actual hds.proto calls that locality_endpoints no idea if that's significant or not though...

The lines just before the crash are different now - something about the socket address. But not sure if that's significant.

[htuch]

@banks can you share the stack trace? FWIW, we do have an HDS integration test that demonstrates some subset of this working, see https://github.com/envoyproxy/envoy/blob/master/test/integration/hds_integration_test.cc.

[banks]

@htuch Thanks for your help!

I've not managed to get any more stack trace info than is in the first comment above. Note it's collapsed by default and needs to be expanded. If that's what you mean then great but otherwise I've not managed to get further decoding it.

I also spent about an hour trying to get stack_decode.py to work on a Mac and failed - potentially because this binary (from getenvoy.io) has debug symbols stripped anyway?

If it would help I can try and re-run same config on a linux VM and see if I can get a more useful trace? I didn't want to spend too many hours shaving that pile of yaks though if this report is useful on it's own.

Thanks for the link the to integration test. I'll see if I can my example to work based on that.

[banks]

@htuch that integration test was perfect - I got it to work withotu a crash just by adding unhealthy_threshold: 2, healthy_threshold: 2 to the Health Check definition.

Those are documented as required to be fair which I'd missed. I'm not sure if an uncaught exception is still considered a bug for bad config though? Hopefully it will be easy to recreate now anyway - I can file a separate issue if that is useful.

[htuch]

Yeah, this is probably a bug in HDS handling of PGV validation. I think filing a separate issue makes sense (please tag me), the fix is likely only a few lines of code (plus tests..).

[banks]

@htuch I went to file a new issue on Gh but the notice about not reporting any crash publicly put me off a bit... It's already public here but should I still report this via the security list instead?

[htuch]

@banks it's fine, since this is a control plane induced crash, which is outside the threat model as far as embargoes goes today. Thanks for checking though.

[mattklein123]

I'm going to call this finished. Let's open new issues that are specific to features/bugs/etc.