Realm of ChaosWelcome to my notebook! I’m a Site Reliability Engineer who is curious, loves to learn and discover the nature of things.Zola2022-05-10T00:00:00+00:00https://realmofchaos.xyz/atom.xmlThe art of extracting metrics2022-05-10T00:00:00+00:002022-05-10T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/performance-analysis/extracting-metrics/<h2 id="awk">Awk</h2>
<h3 id="filtering-between-log-timestamps">filtering between log timestamps</h3>
<p>second precision</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>awk \</span></span>
<span class="giallo-l"><span> -v from="$(date +'%s' -d '2021-10-29 02:34' --utc)" \</span></span>
<span class="giallo-l"><span> -v to="$(date +'%s' -d '2021-10-29 02:36' --utc)" \</span></span>
<span class="giallo-l"><span> '</span></span>
<span class="giallo-l"><span> split($0, parts, /[\- :]/) {</span></span>
<span class="giallo-l"><span> linefmt=""</span></span>
<span class="giallo-l"><span> for(i=1;i<=6;i++) linefmt = sprintf("%s %s",linefmt, parts[i]);</span></span>
<span class="giallo-l"><span> ts=mktime(sprintf("%s UTC", linefmt))</span></span>
<span class="giallo-l"><span> if (ts > from && ts < to) print</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> '<<<'2021-10-29 04:50:00 172.31.43.164'</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>awk \</span></span>
<span class="giallo-l"><span> -v from="$(date +'%s' -d '2021-11-27 04:15:00 UTC' --utc)" \</span></span>
<span class="giallo-l"><span> -v to="$(date +'%s' -d 'now UTC' --utc)" \</span></span>
<span class="giallo-l"><span> '</span></span>
<span class="giallo-l"><span> patsplit($1, p, /[0-9]+/) {</span></span>
<span class="giallo-l"><span> ts=mktime(sprintf("%d %d %d %d %d %d", p[1], p[2], p[3], p[4], p[5], p[6]), 1)</span></span>
<span class="giallo-l"><span> if (ts > from && ts < to) print</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> ' <(tac /var/log/frr/frr.log)|head</span></span></code></pre><h2 id="perl-alternative">perl alternative</h2>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>from="$(date -Is -d '2021-11-27T04:15:00 UTC' --utc)" \</span></span>
<span class="giallo-l"><span>to="$(date -Is -d 'now UTC' --utc)" \</span></span>
<span class="giallo-l"><span>perl \</span></span>
<span class="giallo-l"><span> -MDate::Parse \</span></span>
<span class="giallo-l"><span> -lane \</span></span>
<span class="giallo-l"><span> '</span></span>
<span class="giallo-l"><span> $ts=str2time($F[0]);</span></span>
<span class="giallo-l"><span> $f=str2time($ENV{from});</span></span>
<span class="giallo-l"><span> $t=str2time($ENV{to});</span></span>
<span class="giallo-l"><span> print if ($ts >= $f && $ts <= $t )</span></span>
<span class="giallo-l"><span> ' <(zcat -f /var/log/syslog*) | tee "/syslog-$(date -Im)"</span></span></code></pre><h2 id="from-ms-precision-unix-timestamp">from ms precision unix timestamp</h2>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>awk \</span></span>
<span class="giallo-l"><span> -v format="%F %T" \</span></span>
<span class="giallo-l"><span> -v from="$(date +'%s' -d '2021-10-29 02:34' --utc)" \</span></span>
<span class="giallo-l"><span> -v to="$(date +'%s' -d '2021-10-29 02:36' --utc)" \</span></span>
<span class="giallo-l"><span> '{</span></span>
<span class="giallo-l"><span> ts=substr($0, 0, index($0, ".")-1)</span></span>
<span class="giallo-l"><span> if (ts > from && ts < to) print strftime(format, ts), substr($0,index($0,$1))</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> ' <<<'2021-10-29 04:50:00 172.31.43.164'</span></span></code></pre><h2 id="sed">Sed</h2>
<p>Filtering interesting lines for nxos. Note, NXOS has an ancient version of sed, it only supports the <code>-n</code> flag.</p>
<h2 id="monitoring-procfs">monitoring procfs</h2>
<p>Continuously monitor a procfs file, output is tabular.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>cat /proc/pressure/cpu</span></span>
<span class="giallo-l"><span>some avg10=1.34 avg60=1.63 avg300=2.33 total=2483371233</span></span>
<span class="giallo-l"><span>full avg10=0.18 avg60=0.03 avg300=0.06 total=827064553</span></span></code></pre>
<ul>
<li>sleep trap: <a rel="external" href="https://stackoverflow.com/questions/65644307/ctrl-c-doesnt-always-terminate-a-shell-script">https://stackoverflow.com/questions/65644307/ctrl-c-doesnt-always-terminate-a-shell-script</a></li>
<li>getline summary: <a rel="external" href="https://www.gnu.org/software/gawk/manual/gawk.html#Getline-Summary">https://www.gnu.org/software/gawk/manual/gawk.html#Getline-Summary</a></li>
<li>printf formatting: <a rel="external" href="https://bl831.als.lbl.gov/~gmeigs/scripting_help/printf_awk_notes.txt">https://bl831.als.lbl.gov/~gmeigs/scripting_help/printf_awk_notes.txt</a>, <a rel="external" href="https://www.gnu.org/software/gawk/manual/html_node/Printf.html">https://www.gnu.org/software/gawk/manual/html_node/Printf.html</a></li>
</ul>
<!-- -->
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>awk -F'[ =]' -vlinefmt="%-8s%-8s%-10s%-10s%-8s\n" -vcpu_pressure="/proc/pressure/cpu" 'BEGIN {</span></span>
<span class="giallo-l"><span> printf linefmt, "avg10", "avg60", "avg300", "increase", "total"</span></span>
<span class="giallo-l"><span> do {</span></span>
<span class="giallo-l"><span> if (system("trap true INT; sleep 1")) {</span></span>
<span class="giallo-l"><span> exit</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> if ($1=="full") {</span></span>
<span class="giallo-l"><span> printf linefmt, $3, $5, $7, int($9-prev_tot), $9</span></span>
<span class="giallo-l"><span> prev_tot = $9</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> } while ((getline < cpu_pressure) || (close(cpu_pressure) == 0))</span></span>
<span class="giallo-l"><span>}'</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>avg10 avg60 avg300 increase total</span></span>
<span class="giallo-l"><span>0.36 0.17 0.07 829472174 829472174</span></span>
<span class="giallo-l"><span>0.36 0.17 0.07 0 829472174</span></span>
<span class="giallo-l"><span>0.24 0.16 0.07 24957 829497131</span></span></code></pre>
<p>collect metrics for all PSI.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>awk -F'[ =\t]' -vlinefmt="%-14s" -vfields='"cpuavg10", "cpuavg60", "cpuavg300", "cputotal", "cpuincrease", "ioavg10", "ioavg60", "ioavg300", "iototal", "ioincrease", "memavg10", "memavg60", "memavg300", "memtotal","memincrease"' -vcpu_pressure="bash -c 'paste /proc/pressure/{cpu,io,memory}'" \</span></span>
<span class="giallo-l"><span>'BEGIN { patsplit(fields, fmts, /[^", ]+/)</span></span>
<span class="giallo-l"><span> do {</span></span>
<span class="giallo-l"><span> if (system("trap true INT; sleep 1")) {</span></span>
<span class="giallo-l"><span> exit</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> if ($1=="some") {</span></span>
<span class="giallo-l"><span> for(x in fmts) {</span></span>
<span class="giallo-l"><span> printf linefmt, fmts[x]</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> printf "\n"</span></span>
<span class="giallo-l"><span> for(i=3;i<=NF;i+=2) {</span></span>
<span class="giallo-l"><span> if(i%9 == 0 && i%3 == 0) {</span></span>
<span class="giallo-l"><span> printf linefmt""linefmt, $(i), int($(i)-increase[i]) </span></span>
<span class="giallo-l"><span> increase[i]=$i</span></span>
<span class="giallo-l"><span> i+=1</span></span>
<span class="giallo-l"><span> } else {</span></span>
<span class="giallo-l"><span> printf linefmt, $i</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> printf "\n\n"</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> } while ((cpu_pressure|getline) || (close(cpu_pressure) == 0))</span></span>
<span class="giallo-l"><span>}'</span></span></code></pre><h2 id="histograms">histograms</h2>
<p>The .1 decimal for size helps tie breakers when min == max.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>while :; do</span></span>
<span class="giallo-l"><span> ss -n -t -o $(printf " state %s" {fin-wait-1,fin-wait-2,time-wait,close-wait,last-ack,closing}) |\</span></span>
<span class="giallo-l"><span> awk -v bmin=0 -vsize=10000.1 'BEGIN{tm["sec"] = 1000;tm["min"] = "60000"} match($6,/,([0-9.]+)(sec|ms|min)/,m){t=(m[2]=="ms"?int(m[1]):int(tm[m[2]]*m[1]) );b=int(t/size);a[b]++;bmax=b>bmax?b:bmax; bmin=b<bmin?b:bmin} END{for(i=bmin;i<=bmax;++i) printf "%d %d %d\n", (i*size)/tm["sec"],((i+1)*size)/tm["sec"],a[i]}'</span></span>
<span class="giallo-l"><span> sleep 1</span></span>
<span class="giallo-l"><span>done</span></span></code></pre>
<p>Using time functions.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>LC_ALL=C awk -v bmin=0 -vsize=10.1 -v date="2022 03 06" 'split($4,p,/[: ]/){t=mktime(date" "p[2]" "p[3]" "p[4]); b=int(t/size);a[b]++;bmax=b>bmax?b:bmax; bmin=b<bmin?b:bmin} END{for(i=bmin;i<=bmax;++i) if(a[i]) printf "%s %s %d\n", strftime("%T",(i*size)),strftime("%T",((i+1)*size)),a[i]}' gopkg.in-access.log-2022-03-06T13\:00.log</span></span></code></pre>
<p>Useful squid one</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>for i in $(awk '!s[$4]++{print $4}' squid-access.log); do LC_ALL=C awk -v bmin=0 -vsize=300.1 -vhist="$i" '$0 !~ hist{next} {t=int($1);b=int(t/size);a[b]++;bmax=b>bmax?b:bmax; bmin=b<bmin?b:bmin} END{printf "%s 300s histogram\n", hist;for(i=bmin;i<=bmax;++i) if(a[i]) printf "%s %s %d\n", strftime("%T",(i*size)),strftime("%T",((i+1)*size)),a[i] > "histograms.sout"}' squid-access.log; done</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>LC_ALL=C awk -v bmin=0 -vsize=10.1 -v date="2022 03 06" \</span></span>
<span class="giallo-l"><span>'split($4, p, /[: ]/) {</span></span>
<span class="giallo-l"><span> t = mktime(date " " p[2] " " p[3] " " p[4])</span></span>
<span class="giallo-l"><span> b = int(t / size)</span></span>
<span class="giallo-l"><span> a[b]++</span></span>
<span class="giallo-l"><span> bmax = b > bmax ? b : bmax</span></span>
<span class="giallo-l"><span> bmin = b < bmin ? b : bmin</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>END {</span></span>
<span class="giallo-l"><span> for (i = bmin; i <= bmax; ++i) {</span></span>
<span class="giallo-l"><span> if (a[i]) {</span></span>
<span class="giallo-l"><span> printf "%s %s %d\n", strftime("%T", (i * size)), strftime("%T", ((i + 1) * size)), a[i]</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}'</span></span></code></pre>
<p>iptables filtering</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>sudo iptables -t nat -nL |awk -vrgxp="$(rgxg cidr 10.131.31.0/24)" '/^(Chain|target)/{f=1} f==1||$0 ~ rgxp{s[NR]=$0;f++}; length($0)==0{if(f>2){for(i in s) print s[i]};split("",s);f=0}'</span></span></code></pre>networking2022-04-20T00:00:00+00:002022-04-20T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/networking/<h2 id="linux-tcp-tuning">Linux TCP tuning</h2>
<p>These are example Netflix TCP kernel parameters.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>net.core.default_qdisc = fq</span></span>
<span class="giallo-l"><span>net.core.netdev_max_backlog = 5000</span></span>
<span class="giallo-l"><span>net.core.rmem_max = 16777216</span></span>
<span class="giallo-l"><span>net.core.somaxconn = 1024</span></span>
<span class="giallo-l"><span>net.core.wmem_max = 16777216</span></span>
<span class="giallo-l"><span>net.ipv4.ip_local_port_range = 10240 65535</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_abort_on_overflow = 1</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_congestion_control = bbr</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_max_syn_backlog = 8192</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_rmem = 4096 12582912 16777216</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_slow_start_after_idle = 0</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_syn_retries = 2</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_tw_reuse = 1</span></span>
<span class="giallo-l"><span>net.ipv4.tcp_wmem = 4096 12582912 16777216</span></span></code></pre>
<p>These are some examples I came up with for an apache2 site running moin via wsgi.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span># WSGIDaemonProcess moin processes=12 threads=1 maximum-requests=5000 queue-timeout=20</span></span>
<span class="giallo-l"><span>net.core.somaxconn = 256 # observed max number of requests on the scoreboard</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span># consider being more aggressive with flaky connections</span></span>
<span class="giallo-l"><span># try this first</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_slow_start_after_idle = 0</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span># aggressively reap flakey connections. avoid queue saturation from slow/flakey</span></span>
<span class="giallo-l"><span># clients</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_fin_timeout = 5</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_syn_retries = 2</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_synack_retries = 2</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span># then maybe this</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_tw_reuse = 1 # this should only be enabled if we are seeing a high rate of time-wait connections</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span># needs further investigation, but potentially some of the below could be used</span></span>
<span class="giallo-l"><span>#net.core.rmem_max = 16777216</span></span>
<span class="giallo-l"><span>#net.core.wmem_max = 16777216</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_rmem = 4096 12582912 16777216</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_wmem = 4096 12582912 16777216</span></span>
<span class="giallo-l"><span>#net.ipv4.tcp_mem = 1638400 1638400 1638400</span></span>
<span class="giallo-l"><span># /etc/systemd/system/apache2.service.d/prlimits.conf</span></span>
<span class="giallo-l"><span>#[Service]</span></span>
<span class="giallo-l"><span>#LimitNOFILE=</span></span>
<span class="giallo-l"><span>#LimitNOFILE=infinity</span></span></code></pre>Application Performance Analysis2022-03-22T00:00:00+00:002022-03-22T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/incident-response/<p>In this post I will detail the investigation process I followed while responding to a request backlog alert.</p>
<p><em><strong>High level overview of the alerting service</strong></em></p>
<pre class="mermaid">
flowchart TD
HAProxy --> App --> Storage
</pre>
<script src="https://realmofchaos.xyz/js/mermaid-init.js"></script>
<p>I’ve redacted any identifiable information, however the methodolgy remains the same.</p>
<h2 id="frontend-haproxy">Frontend (HAProxy)</h2>
<p>The <code>halog</code> tool can generate lots of useful reports. Adjust the time slice so you have a decent buffer before and after the time of the incident.</p>
<p>The snippet below will generate a series of reports:</p>
<ul>
<li>URL averages</li>
<li>URL total times OK averages</li>
<li>Connect/response histogram <sup><a href="javascript:;" onclick="document.location.hash='#fn1';">1</a></sup></li>
</ul>
<p>The <code>-e</code> flag filters by errors.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>sudo cat /var/log/haproxy.log|halog -time "$(date '+%s' -d '6 hour ago')" -H -ua|awk 'NR==1;NR>1{print $0 | "sort -rnk4"}'|head -n25|column -t</span></span>
<span class="giallo-l"><span>sudo cat /var/log/haproxy.log|halog -e -time "$(date '+%s' -d '6 hour ago')" -H -uto|awk 'NR==1;NR>1{print $0 | "sort -rnk4"}'|head -n25|column -t</span></span>
<span class="giallo-l"><span>sudo cat /var/log/haproxy.log|halog -time "$(date '+%s' -d '6 hour ago')" -pct -q</span></span>
<span class="giallo-l"><span>sudo cat /var/log/haproxy.log|halog -time "$(date '+%s' -d '6 hour ago')" -H -srv|awk 'NR==1;NR>1{print $0 | "sort -rnk12"}'|column -t</span></span></code></pre><h2 id="application-server">Application server</h2>
<p>Capture 5 minutes worth of TCP header data. Limit pcap file size to 500M. Absolute sequence numbers <sup><a href="javascript:;" onclick="document.location.hash='#fn2';">2</a></sup> .</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>intf=</span></span>
<span class="giallo-l"><span>timeout 300s tcpdump -i "${intf?}" -vvvSs 1500 -C500 -w cap_5m.pcap 'tcp && net 10.0.0.0/16'</span></span></code></pre>
<p>Analyse the data with <a rel="external" href="https://www.wireshark.org/docs/man-pages/tshark.html">tshark</a></p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>> cap.analysis \</span></span>
<span class="giallo-l"><span> tshark -r cap_5m.pcap -t ud \</span></span>
<span class="giallo-l"><span> -z \</span></span>
<span class="giallo-l"><span> endpoints,tcp \</span></span>
<span class="giallo-l"><span> -z \</span></span>
<span class="giallo-l"><span> expert,comment,tcp \</span></span>
<span class="giallo-l"><span> -T \</span></span>
<span class="giallo-l"><span> fields \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> _ws.col.Time \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> ip.src \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> ip.dst \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> tcp.dstport \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> _ws.expert.message \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> _ws.expert.severity \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> _ws.expert.group \</span></span>
<span class="giallo-l"><span> -e \</span></span>
<span class="giallo-l"><span> _ws.col.Info</span></span></code></pre>
<p>Identify any problematic flows from the <code>cap.analysis</code> file tshark generated. In my case, I observed a high rate of TCP Window Full responses from the server, indicating that the application was pushing too much data to it, or the server may be having systemic overload issues.</p>
<p>You can confirm your theory by monitoring tcp statistics over time.</p>
<p><strong>System level tcp stats.</strong></p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>while sleep 300; stdbuf -o0 nstat -p; done tee nstat.sout</span></span></code></pre>
<p><strong>Endpoint level statistics</strong></p>
<p><code>ip -s tcpmetrics</code> provides similar data, I prefer the socket stats tool <code>ss</code>.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>for i in {0..300}; do</span></span>
<span class="giallo-l"><span> echo === ; ss -in state synchronized 'dst 10.0.0.10 '; echo ===</span></span>
<span class="giallo-l"><span> sleep 1</span></span>
<span class="giallo-l"><span>done | tee sockets2.sout</span></span>
<span class="giallo-l"><span>awk '/ESTAB/&&/10.0.0/&&and($4,$5){print "";print;print "";getline;l=patsplit($0,f,/[^:[:blank:]]*/);for(i=1;i<=l;i+=2) printf "%24s %24s\n", f[i],f[i+1]}' sockets2.sout</span></span></code></pre>
<p>From the output I observed the following:</p>
<p>The application server misses too many acknowledgements and backs off from sending data (<code>backoff 1</code>).</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span> rto 208</span></span>
<span class="giallo-l"><span> rtt 4.714/0.643</span></span>
<span class="giallo-l"><span> ato 40</span></span>
<span class="giallo-l"><span> mss 1374</span></span>
<span class="giallo-l"><span> pmtu 1426</span></span>
<span class="giallo-l"><span> rcvmss 536</span></span>
<span class="giallo-l"><span> advmss 1374</span></span>
<span class="giallo-l"><span> cwnd 143</span></span>
<span class="giallo-l"><span> send 333.4Mbps</span></span>
<span class="giallo-l"><span> pacing_rate 400.1Mbps</span></span>
<span class="giallo-l"><span> delivery_rate 257.2Mbps</span></span>
<span class="giallo-l"><span> busy 11672ms</span></span>
<span class="giallo-l"><span> rwnd_limited 11388ms(97.6%)</span></span>
<span class="giallo-l"><span> unacked 126</span></span>
<span class="giallo-l"><span> retrans 0/12</span></span>
<span class="giallo-l"><span> reordering 74</span></span>
<span class="giallo-l"><span> notsent 1051110</span></span>
<span class="giallo-l"><span> minrtt 0.993</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> rto 216</span></span>
<span class="giallo-l"><span> backoff 1</span></span>
<span class="giallo-l"><span> rtt 14.491/16.568</span></span>
<span class="giallo-l"><span> ato 40</span></span>
<span class="giallo-l"><span> mss 1374</span></span>
<span class="giallo-l"><span> pmtu 1426</span></span>
<span class="giallo-l"><span> rcvmss 536</span></span>
<span class="giallo-l"><span> advmss 1374</span></span>
<span class="giallo-l"><span> cwnd 143</span></span>
<span class="giallo-l"><span> send 108.5Mbps</span></span>
<span class="giallo-l"><span> pacing_rate 130.2Mbps</span></span>
<span class="giallo-l"><span> delivery_rate 3.3Mbps</span></span>
<span class="giallo-l"><span> busy 12680ms</span></span>
<span class="giallo-l"><span> rwnd_limited 12360ms(97.5%)</span></span>
<span class="giallo-l"><span> retrans 0/16</span></span>
<span class="giallo-l"><span> reordering 74</span></span>
<span class="giallo-l"><span> notsent 1023662</span></span>
<span class="giallo-l"><span> minrtt 0.993</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> rto 208</span></span>
<span class="giallo-l"><span> rtt 5.519/0.312</span></span>
<span class="giallo-l"><span> ato 40</span></span>
<span class="giallo-l"><span> mss 1374</span></span>
<span class="giallo-l"><span> pmtu 1426</span></span>
<span class="giallo-l"><span> rcvmss 536</span></span>
<span class="giallo-l"><span> advmss 1374</span></span>
<span class="giallo-l"><span> cwnd 217</span></span>
<span class="giallo-l"><span> send 432.2Mbps</span></span>
<span class="giallo-l"><span> pacing_rate 518.6Mbps</span></span>
<span class="giallo-l"><span> delivery_rate 254.7Mbps</span></span>
<span class="giallo-l"><span> busy 15700ms</span></span>
<span class="giallo-l"><span> rwnd_limited 15324ms(97.6%)</span></span>
<span class="giallo-l"><span> unacked 133</span></span>
<span class="giallo-l"><span> retrans 0/17</span></span>
<span class="giallo-l"><span> reordering 74</span></span>
<span class="giallo-l"><span> notsent 1719216</span></span>
<span class="giallo-l"><span> minrtt 0.993</span></span></code></pre>
<p>We can get richer statistics by analysing the packet capture with tshark. The output is easily grep’d. My favourite statistic report is the io,stat table, you pass it packet fields to aggregate over and produce a configurable histogram. In my example below I created a per second packet rate and window size histogram.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>tshark -r cap_5m.pcap -q -z http_srv,tree</span></span>
<span class="giallo-l"><span>tshark -r cap_5m.pcap -q -z http_srv,tree -z conv,tcp</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>grep -P 'Window Full|PUT' cap.analysis|head;</span></span>
<span class="giallo-l"><span>tshark -n -q -r *.pcap -z io,stat,1,"COUNT(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport == 8080","MIN(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport == 8080","MAX(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport == 8080","AVG(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport == 8080" |grep -v ' 0 '</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>2022-03-22 09:45:08.845938 10.0.1.100 10.0.0.10 8080 PUT /api/resource HTTP/1.1\r\n 2097152 33554432 PUT /api/resource HTTP/1.1</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.116693 10.0.1.100 10.0.0.10 8080 PUT /api/resource HTTP/1.1 [TCP segment of a reassembled PDU]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.245875 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.250035 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.250133 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.253985 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.255907 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.257952 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.262310 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"><span>2022-03-22 09:45:09.268328 10.0.1.100 10.0.0.10 8080 TCP window specified by the receiver is now completely full 6291456 33554432 [TCP Window Full] Continuation[Packet size limited during capture]</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>======================================================================================================</span></span>
<span class="giallo-l"><span>| IO Statistics |</span></span>
<span class="giallo-l"><span>| |</span></span>
<span class="giallo-l"><span>| Duration: 270.938461 secs |</span></span>
<span class="giallo-l"><span>| Interval: 1 secs |</span></span>
<span class="giallo-l"><span>| |</span></span>
<span class="giallo-l"><span>| Col 1: COUNT(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport |</span></span>
<span class="giallo-l"><span>| == 8080 |</span></span>
<span class="giallo-l"><span>| 2: MIN(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport == |</span></span>
<span class="giallo-l"><span>| 8080 |</span></span>
<span class="giallo-l"><span>| 3: MAX(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport == |</span></span>
<span class="giallo-l"><span>| 8080 |</span></span>
<span class="giallo-l"><span>| 4: AVG(tcp.window_size_value)tcp.window_size_value and ip.addr==10.0.0.10 && tcp.dstport == |</span></span>
<span class="giallo-l"><span>| 8080 |</span></span>
<span class="giallo-l"><span>|----------------------------------------------------------------------------------------------------|</span></span>
<span class="giallo-l"><span>| |1 |2 |3 |4 | |</span></span>
<span class="giallo-l"><span>| Interval | COUNT | MIN | MAX | AVG | |</span></span>
<span class="giallo-l"><span>|--------------------------------------------| |</span></span>
<span class="giallo-l"><span>| 9 <> 10 | 898 | 508 | 65142 | 651 | |</span></span>
<span class="giallo-l"><span>| 10 <> 11 | 849 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 11 <> 12 | 5 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 24 <> 25 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 25 <> 26 | 51 | 507 | 65142 | 3042 | |</span></span>
<span class="giallo-l"><span>| 32 <> 33 | 6 | 486 | 62314 | 10791 | |</span></span>
<span class="giallo-l"><span>| 33 <> 34 | 91 | 486 | 62314 | 1844 | |</span></span>
<span class="giallo-l"><span>| 34 <> 35 | 5 | 485 | 486 | 485 | |</span></span>
<span class="giallo-l"><span>| 38 <> 39 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 47 <> 48 | 121 | 508 | 65142 | 2110 | |</span></span>
<span class="giallo-l"><span>| 48 <> 49 | 80 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 56 <> 57 | 4 | 508 | 65142 | 16667 | |</span></span>
<span class="giallo-l"><span>| 57 <> 58 | 22 | 507 | 65142 | 6383 | |</span></span>
<span class="giallo-l"><span>| 82 <> 83 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 83 <> 84 | 43 | 507 | 65142 | 3514 | |</span></span>
<span class="giallo-l"><span>| 98 <> 99 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 99 <> 100 | 42 | 507 | 65142 | 3585 | |</span></span>
<span class="giallo-l"><span>| 100 <> 101 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 102 <> 103 | 7 | 508 | 65142 | 18975 | |</span></span>
<span class="giallo-l"><span>| 103 <> 104 | 164 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 105 <> 106 | 13 | 508 | 65142 | 15424 | |</span></span>
<span class="giallo-l"><span>| 106 <> 107 | 34 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 115 <> 116 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 117 <> 118 | 556 | 508 | 65142 | 740 | |</span></span>
<span class="giallo-l"><span>| 118 <> 119 | 5 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 127 <> 128 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 128 <> 129 | 4 | 508 | 65142 | 16667 | |</span></span>
<span class="giallo-l"><span>| 129 <> 130 | 501 | 508 | 65142 | 637 | |</span></span>
<span class="giallo-l"><span>| 131 <> 132 | 5 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 159 <> 160 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 161 <> 162 | 4 | 508 | 65142 | 16667 | |</span></span>
<span class="giallo-l"><span>| 162 <> 163 | 149 | 507 | 65142 | 941 | |</span></span>
<span class="giallo-l"><span>| 187 <> 188 | 4 | 508 | 65142 | 16667 | |</span></span>
<span class="giallo-l"><span>| 188 <> 189 | 2 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 225 <> 226 | 10 | 508 | 65142 | 13435 | |</span></span>
<span class="giallo-l"><span>| 226 <> 227 | 76 | 507 | 65142 | 1358 | |</span></span>
<span class="giallo-l"><span>| 240 <> 241 | 6 | 508 | 65142 | 11280 | |</span></span>
<span class="giallo-l"><span>| 242 <> 243 | 444 | 508 | 65142 | 799 | |</span></span>
<span class="giallo-l"><span>| 243 <> 244 | 7 | 508 | 65142 | 18975 | |</span></span>
<span class="giallo-l"><span>| 244 <> 245 | 898 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 245 <> 246 | 496 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 246 <> 247 | 516 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 247 <> 248 | 496 | 508 | 65142 | 638 | |</span></span>
<span class="giallo-l"><span>| 248 <> 249 | 482 | 508 | 65142 | 776 | |</span></span>
<span class="giallo-l"><span>| 249 <> 250 | 485 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 250 <> 251 | 602 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 251 <> 252 | 629 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 252 <> 253 | 664 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 253 <> 254 | 519 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 254 <> 255 | 719 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 255 <> 256 | 646 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 256 <> 257 | 764 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 257 <> 258 | 376 | 508 | 508 | 508 | |</span></span>
<span class="giallo-l"><span>| 260 <> 261 | 11 | 507 | 65142 | 6383 | |</span></span>
<span class="giallo-l"><span>| 263 <> 264 | 51 | 508 | 65142 | 4310 | |</span></span>
<span class="giallo-l"><span>| 264 <> 265 | 19 | 507 | 508 | 507 | |</span></span>
<span class="giallo-l"><span>| 267 <> 268 | 3 | 509 | 65142 | 22053 | |</span></span>
<span class="giallo-l"><span>| 268 <> 269 | 7 | 508 | 65142 | 9741 | |</span></span>
<span class="giallo-l"><span>| 269 <> 270 | 80 | 507 | 65142 | 2123 | |</span></span>
<span class="giallo-l"><span>| 270 <> Dur | 17 | 507 | 65142 | 8112 | |</span></span>
<span class="giallo-l"><span>======================================================================================================</span></span></code></pre><h2 id="next-steps">Next steps</h2>
<p>At this point it’s best to raise a bug with the developers. In the mean time, spawning additional application workers to spread the queue around may help ungrease the wheel a bit.</p>
<p>Longterm we should confirm the retransmissions aren’t caused by poor network conditions. The application could be patched to establish a long lived connection while pushing data into object storage. It currently creates a new session per push. Longer connection life-times would ensure the TCP congestion algorithm heuristics have time to stabilise.</p>
<p>Footnotes</p>
<p>1.</p>
<p><code><percentile> <request count> <Request Time*> <Connect Time**> <Response Time***> <Data Time****></code></p>
<p>2.</p>
<p>TCP sequence numbers are generally unhelpful when capturing packets from a server. This is due to segment offloading to the NIC.</p>
TCP state meanings2022-03-18T00:00:00+00:002022-03-18T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/refs/tcp-stats/<p>More details can be found here</p>
<ul>
<li><a rel="external" href="https://blog.karatos.in/a?ID=01150-2167abb2-4213-4a7e-a8c2-39ac05a54a5d">TCP SNMP counters netstat -s each parameter meaning</a></li>
<li><a rel="external" href="https://www.kernel.org/doc/html/latest/networking/snmp_counter.html">Linux SNMP counters</a></li>
<li><a rel="external" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWFCA0">TCP slow and fast path meaning</a></li>
<li><code>linux/snmp.h</code></li>
</ul>
<h2 id="tcp-basic">TCP Basic</h2>
<table>
<colgroup>
<col style="width: 33%" />
<col style="width: 33%" />
<col style="width: 33%" />
</colgroup>
<thead>
<tr>
<th>category</th>
<th>name</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Tcp</td>
<td>ActiveOpens</td>
<td>tcp_connect(), when sending SYN, add 1</td>
</tr>
<tr>
<td>Tcp</td>
<td>PassiveOpens</td>
<td>tcp_create_openreq_child(), passive three-way handshake is completed, add 1</td>
</tr>
<tr>
<td>Tcp</td>
<td>AttemptFails</td>
<td>tcp_done(): If you end a connection in the SYN_SENT/SYN_RECV state, add 1<br />
<br />
tcp_check_req(): If there is an RST|SYN flag in the input packet in the last stage of the passive three-way handshake, add 1</td>
</tr>
<tr>
<td>Tcp</td>
<td>CurrEstab</td>
<td>tcp_set_state(), according to ESTABLISHED is the new/old state, plus or minus one respectively.</td>
</tr>
<tr>
<td>Tcp</td>
<td>EstabResets</td>
<td>tcp_set_state(), the new state is TCP_CLOSE, if the old state is ESTABLISHED/TCP_CLOSE_WAIT, add 1</td>
</tr>
<tr>
<td>Tcp</td>
<td>ListenOverflows</td>
<td>tcp_v4_syn_recv_sock(): After the last step of the three-way handshake is completed, add 1 when the Accept queue exceeds the upper limit</td>
</tr>
<tr>
<td>Tcp</td>
<td>ListenDrops</td>
<td>tcp_v4_syn_recv_sock(): For any reason, including Accept queue exceeding limit, creating new connection, failure to inherit port, etc., add 1</td>
</tr>
<tr>
<td>Tcp</td>
<td>MaxConn</td>
<td>0</td>
</tr>
<tr>
<td>Tcp</td>
<td>InSegs</td>
<td>tcp_v4_rcv(), receive a skb, add 1</td>
</tr>
<tr>
<td>Tcp</td>
<td>InErrs</td>
<td>tcp_rcv_established() -> tcp_validate_incoming(): If there is SYN and seq >= rcv_nxt, add 1<br />
<br />
In the following function, if the checksum is wrong or the packet length is less than the TCP header, add 1: tcp_v4_do_rcv()tcp_rcv_established()tcp_v4_rcv()</td>
</tr>
<tr>
<td>Tcp</td>
<td>OutSegs</td>
<td>tcp_v4_send_reset(), tcp_v4_send_ack(), add 1tcp_transmit_skb(), tcp_make_synack(), add tcp_skb_pcount(skb) (see TCP_COOKIE_TRANSACTIONS)</td>
</tr>
<tr>
<td>Tcp</td>
<td>OutRsts</td>
<td>tcp_v4_send_reset(), tcp_send_active_reset() plus 1</td>
</tr>
</tbody>
</table>
<h2 id="tcp-congestion-processing">TCP Congestion Processing</h2>
<table><thead><tr><th>category</th><th>name</th><th>description</th></tr></thead><tbody>
<tr><td>TcpExt</td><td>TW</td><td>inet_twdr_do_twkill_work(): The number of sockets with TIME_WAIT timeout (timeout >= 4s). The reason why timewait sockets are treated as timeouts may be because the timeout time distribution of long timeout sockets is relatively scattered, and different search methods are required.</td></tr>
<tr><td>TcpExt</td><td>TWKilled</td><td>inet_twdr_twcal_tick(): TIME_WAIT timeout socket number. (timeout <4s), only when sysctl_tw_recycle is enabled, and TCP timestamp option is used, this will happen. At this time, 3.5x RTO is used as timewait timeout, and the default timeout is 60s</td></tr>
<tr><td>TcpExt</td><td>TWRecycled</td><td>tcp_v4_connect() -> __inet_check_established(): During establishment, if the port is reused from the TIME_WAIT socket, add 1</td></tr>
<tr><td>TcpExt</td><td>TCPTimeWaitOverflow</td><td>tcp_time_wait(): When the system cannot allocate new tcp_timewait_socket, or tw_count (scheduled timewait sockets) exceeds sysctl_max_tw_buckets, add 1</td></tr>
</tbody></table>
<table>
<colgroup>
<col style="width: 33%" />
<col style="width: 33%" />
<col style="width: 33%" />
</colgroup>
<thead>
<tr>
<th>category</th>
<th>name</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td>TcpExt</td>
<td>TCPDSACKUndo</td>
<td>tcp_ack() -> tcp_fastretrans_alrt() -> tcp_try_undo_dsack()In the Disorder state, the number of undo completion (undo_retrans == 0).</td>
</tr>
<tr>
<td>TcpExt</td>
<td>TCPFullUndo</td>
<td>tcp_ack() -> tcp_fastretrans_alrt() -> tcp_try_undo_recovery()In Recovery state, the number of times that all confirmations (snd_una >= high_seq) have been received and undo has been completed (undo_retrans == 0).</td>
</tr>
<tr>
<td>TcpExt</td>
<td>TCPPartialUndo</td>
<td>tcp_ack() -> tcp_fastretrans_alrt() -> tcp_undo_partial()In Recovery state, the number of times that a partial confirmation (snd_una <high_seq) has been received but the undo has been completed (undo_retrans == 0).</td>
</tr>
<tr>
<td>TcpExt</td>
<td>TCPLossUndo</td>
<td>tcp_ack() -> tcp_fastretrans_alrt() -> tcp_try_undo_loss()In Loss state, the number of times that all confirmations (snd_una >= high_seq) have been received and undo has been completed (undo_retrans == 0).</td>
</tr>
<tr>
<td>TcpExt</td>
<td>TCPRenoReorder</td>
<td>Update in tcp_update_reordering(). When metric > tp -> reordering and SACK is not enabled, this counter is incremented by 1.<br />
<br />
In summary, when sacked_out is “unreliable”, tp -> reordering is updated to the “used seg” in the current window. “Number, including unconfirmed (and confirmed?) data, but not lost_out.<br />
<br />
A. tcp_ack() -> tcp_fastretrans_alert() -> tcp_add_reno_sack() -> tcp_check_reno_reordering() -> tcp_update_reordering(): When receiving dupACK in the Open/Recovery/Disorder/CWR state , use the sacked_out + lost_metric> (= packets_out) call tcp_update_reordering()<br />
<br />
B. tcp_ack() -> tcp_clean_rtx_queue() -> tcp_remove_reno_sacks() -> tcp_check_reno_reordering() -> tcp_update_reordering() : When clearing rtx queues, lost_outets_out will be subtracted from lost_packets_out The number of confirmed segs , if sacked_out + lost_out> packets_out, call tcp_update_reordering() with metric( = packets_out + acked_pcount)<br />
<br />
Note:<br />
<br />
sacked_out: the number of dupACK receivedlost_out: Limit the minimum value to 1 and the maximum value to packets_outtp -> reordering: When creating a socket, passively establishing a connection, and entering the Loss state, it is initialized to sysctl_tcp_reordering </td>
</tr>
<tr>
<td>TcpExt</td>
<td>TCPSACKReorder</td>
<td>Update in tcp_update_reordering(). When metric > tp -> reordering and SACK is enabled but FACK is disabled, this counter is incremented by 1.<br />
<br />
A. tcp_ack() -> tcp_sacktag_write_queue() -> tcp_update_reordering() will calculate faxes_out in tcp_sacktag_walk() By accumulating state.fack_count), this value is the number of segs from the beginning of snd_una to the highest sequence number of SACK (including those that are not covered by SACK). The conditions for judging the disorder are: (1) D-SACK for retransmission messages is found; (2) The currently received SACK sequence number is smaller than the largest SACK sequence number previously received. state.reord is the smallest fack_count when disorder occurs, that is, disorder occurs at “snd_una + fack_count”. metric = tp -> fackets_out-state.reord, that is, the maximum number of packets that may be out of order.<br />
<br />
B. tcp_ack() -> tcp_clean_rtx_queue() -> tcp_update_reordering() is similar to A. tcp_clean_rtx_queue() calculates the hole in the data (non-retransmitted) that has been SACKed in the rtx queue, and the reord saves the position of the “smallest number” hole ( “Seats” in the retransmission queue). Prior_fackets-reord is the number of TCP segments that may be out of order. If there is no SACK, reorder = prior_fackets = 0 metric = prior_fackets - reord</td>
</tr>
<tr>
<td>TcpExt</td>
<td>TCPFACKReorder</td>
<td>Similar to TCPSACKReorder, if SACK and FACK are enabled at the same time, this counter is increased.</td>
</tr>
<tr>
<td>TcpExt</td>
<td>TCPTSReorder</td>
<td>tcp_ack() -> tcp_fastretrans_alrt() -> tcp_undo_partial() -> tcp_update_reordering() In the Recovery state, the number of times that a partial confirmation (snd_una <high_seq) has been received but the undo has been completed (undo_retrans == 0). The number is equal to TCPPartialUndo.
r<br />
</td>
</tr>
</tbody>
</table>
<h2 id="tcp-loss-retrans">TCP Loss & Retrans</h2>
<table><thead><tr><th>category</th><th>name</th><th>description</th></tr></thead><tbody>
<tr><td>Tcp</td><td>TCPTimeouts</td><td>In the RTO timer, the number of times from the first timeout in the CWR/Open state, the remaining states are not counted in this counter. The number of SYN-ACK timeouts.</td></tr>
<tr><td>Tcp</td><td>RtoAlgorithm</td><td>1, tcp_mib_init() initialization</td></tr>
<tr><td>Tcp</td><td>RtoMax</td><td>120000, tcp_mib_init() initialization: TCP_RTO_MAX<em>1000/HZ, TCP_RTO_MAX=120</em>HZ</td></tr>
<tr><td>Tcp</td><td>RtoMin</td><td>200, tcp_mib_init() initialization: TCP_RTO_MIN*1000/HZ, TCP_RTO_MIN=HZ/5</td></tr>
<tr><td>Tcp</td><td>RetransSegs</td><td>The number of retransmissions, including RTO timer and regular retransmissions, that is, tcp_transmit_skb() is called in tcp_retransmit_skb(), and the successful return is +1.</td></tr>
<tr><td>Tcp</td><td>TCPForwardRetrans</td><td>(Non-RTO timer) The number of times to send new data, that is, in tcp_fastretrans_alrt()/tcp_simple_retransmit()->tcp_xmit_retransmit_queue(), If it is found that skb->seq> tp->retransmit_high (usually snd_una), if the current state is Recovery, SACK is enabled, and the sending conditions allow, then send new data in this function.</td></tr>
<tr><td>Tcp</td><td>TCPFastRetrans</td><td>(Non-RTO timer) The number of fast retransmissions, ie tcp_fastretrans_alrt()/tcp_simple_retransmit()->tcp_xmit_retransmit_queue(), if it is not in the LOSS state, add 1</td></tr>
<tr><td>Tcp</td><td>TCPSlowStartRetrans</td><td>(Non-RTO timer) retransmission times: ie tcp_fastretrans_alrt()/tcp_simple_retransmit()->tcp_xmit_retransmit_queue(), if it is in the state of LOSS, add 1</td></tr>
<tr><td>Tcp</td><td>TCPLostRetransmit</td><td>Resegment packet loss counter inferred from SACK data: in tcp_sacktag_write_queue()->tcp_mark_lost_retrans(), if tcp_highest_sack_seq(tp) is found to exceed the snd_nxt(TCB->ack_seq) of a certain skb during retransmission, it is considered that this retransmitted packet If it has been lost, add 1 (not the number of segments). tcp_highest_sack_seq(tp) is the seq of the skb with the highest SEQ number that has been SACKed.</td></tr>
<tr><td>Tcp</td><td>TCPSpuriousRTOs</td><td>Resegment packet loss counter inferred from SACK data: in tcp_sacktag_write_queue()->tcp_mark_lost_retrans(), if tcp_highest_sack_seq(tp) is found to exceed the snd_nxt(TCB->ack_seq) of a certain skb during retransmission, it is considered that this retransmitted packet If it has been lost, add 1 (not the number of segments). tcp_highest_sack_seq(tp) is the seq of the skb with the highest SEQ number that has been SACKed.</td></tr>
</tbody></table>
<h2 id="tcp-others">TCP Others</h2>
<table><thead><tr><th>category</th><th>name</th><th>description</th></tr></thead><tbody>
<tr><td>TcpExt</td><td>TCPRenoRecoveryFail</td><td>“tcp_retransmit_timer(): RTO occurs in the Reovery state, and SACK is not enabled, add 1”</td></tr>
<tr><td>TcpExt</td><td>TCPRenoFailures</td><td>“tcp_retransmit_timer(): In the Reorder state, or when sacked_out is not 0, RTO occurs and SACK is not enabled, add 1”</td></tr>
<tr><td>TcpExt</td><td>TCPRenoRecovery</td><td>tcp_fastretrans_alrt(): The number of times that TCP without SACK enters the Reovery state</td></tr>
<tr><td>TcpExt</td><td>ArpFilter</td><td>“arp_rcv() -> NETFILTER(ARP_IN) -> arp_process()It has nothing to do with TCP. When an ARP packet is received, an output route search (sip, tip) is performed. If the device of the route item found is different from the input device, the counter is increased by 1”</td></tr>
<tr><td>TcpExt</td><td>EmbryonicRsts</td><td>tcp_v4_do_rcv() -> tcp_v4_hnd_req() -> tcp_check_req(): The number of RST or SYN received in the SYN_RECV state during the three-handed handshake.</td></tr>
<tr><td>TcpExt</td><td>LockDroppedIcmps</td><td>“tcp_v4_err(): ICMP error message is received, but the tcp socket is locked by the user”</td></tr>
<tr><td>TcpEx</td><td>OfoPruned</td><td>“tcp_data_queue() -> tcp_try_rmem_schedule()In the slow path, if the data cannot be copied directly to the user space, it needs to be added to the sk_receive_queue, and the receiver side memory is checked whether it is allowed. If the rcv_buf is insufficient, it may be prune ofo queue. At this time the counter is incremented by 1”</td></tr>
<tr><td>TcpExt</td><td>OutOfWindowIcmps</td><td>“tcp_v4_err(): ICMP received, but the number of times the TCP header sequence number in ICMP is not within the receiving window. There are two possible situations: (1) In the LISTEN state, the sequence number does not wait for ISN; (2) In other states, the sequence number Not between SND_UNA .. SND_NXT”</td></tr>
<tr><td>TcpExt</td><td>PAWSActive</td><td>“tcp_rcv_synsent_state_process(): After sending SYN, ACK is received, but the number of PAWS check failures.”</td></tr>
<tr><td>TcpExt</td><td>PAWSEstab</td><td>“tcp_validate_incoming()tcp_timewait_state_process()tcp_check_req() enters the number of PAWS failures in the package.”</td></tr>
<tr><td>TcpExt</td><td>PAWSPassive</td><td>tcp_v4_conn_request(): The number of PAWS check failures for the last ACK of the three-way handshake.</td></tr>
<tr><td>TcpExt</td><td>PruneCalled</td><td>“tcp_data_queue() -> tcp_try_rmem_schedule()In the slow path, if the data cannot be copied directly to the user space, it needs to be added to the sk_receive_queue, and the receiver side memory is checked whether it is allowed. If the rcv_buf is insufficient, it may be prune ofo queue. At this time the counter is incremented by 1”</td></tr>
<tr><td>TcpExt</td><td>RcvPruned</td><td>“tcp_data_queue() -> tcp_try_rmem_schedule()In the slow path, if the data cannot be copied directly to the user space, it needs to be added before sk_receive_queue, and the receiver side memory is checked whether it is allowed. If the rcv_buf is insufficient, the prune receive queue may be prune. If prune fails, this counter is increased by 1.”</td></tr>
<tr><td>TcpExt</td><td>SyncookiesFailed</td><td>cookie_v4_check(): SYN cookie check failed times.</td></tr>
<tr><td>TcpExt</td><td>SyncookiesRecv</td><td>cookie_v4_check(): The number of times of receiving SYN cookie.</td></tr>
<tr><td>TcpExt</td><td>SyncookiesSent</td><td>cookie_v4_init_sequence(): The number of times the SYN cookie is generated.</td></tr>
<tr><td>TcpExt</td><td>TCPAbortFailed</td><td>tcp_send_active_reset(): alloc_skb() or tcp_transmit_skb() failed.</td></tr>
<tr><td>TcpExt</td><td>TCPAbortOnClose</td><td>tcp_close(): The number of times there is still data in sk_receive_queue.</td></tr>
<tr><td>TcpExt</td><td>TCPAbortOnData</td><td>“tcp_rcv_state_process(): Receive subsequent data in the FIN_WAIT_1/FIN_WAIT_2 state (serial number> RCV_NXT); or, if the TCP_LINGER2 setting value is <0, the counter is incremented by 1tcp_close(): There is no unread data, but SO_LINGER is set and linger timeout=0, the counter is incremented by 1, and the TCP is normally disconnected sk_prot->disconnect()”</td></tr>
<tr><td>TcpExt</td><td>TCPAbortOnLinger</td><td>tcp_close(): The number of times that FIN_WAIT_2 immediately switches to CLOSE due to the TCP_LINGER2 setting value <0.</td></tr>
<tr><td>TcpExt</td><td>TCPAbortOnMemory</td><td>“When executing tcp_close()/probe timer/keepalive timer, whether the number of orphan sockets and tcp_memory_allocated exceed the maximum number of times.”</td></tr>
<tr><td>TcpExt</td><td>TCPAbortOnSyn</td><td>tcp_validate_incoming(): The number of occurrences of SYN and the sequence number is greater than RCV_NXT.</td></tr>
<tr><td>TcpExt</td><td>TCPAbortOnTimeout</td><td>RTO/probe/keepalive timer reaches the maximum number of retries or the maximum number of retries</td></tr>
</tbody></table>
<h2 id="tcp-time-wait">TCP TIME_WAIT</h2>
<table><thead><tr><th>category</th><th>name</th><th>description</th></tr></thead><tbody>
<tr><td>TcpExt</td><td>TW</td><td>inet_twdr_do_twkill_work(): The number of sockets with TIME_WAIT timeout (timeout >= 4s). The reason why timewait sockets are treated as timeouts may be because the timeout time distribution of long timeout sockets is relatively scattered, and different search methods are required.</td></tr>
<tr><td>TcpExt</td><td>TWKilled</td><td>inet_twdr_twcal_tick(): TIME_WAIT timeout socket number. (timeout <4s), only when sysctl_tw_recycle is enabled, and TCP timestamp option is used, this will happen. At this time, 3.5x RTO is used as timewait timeout, and the default timeout is 60s</td></tr>
<tr><td>TcpExt</td><td>TWRecycled</td><td>tcp_v4_connect() -> __inet_check_established(): During establishment, if the port is reused from the TIME_WAIT socket, add 1</td></tr>
<tr><td>TcpExt</td><td>TCPTimeWaitOverflow</td><td>tcp_time_wai(): When the system cannot allocate new tcp_timewait_socket, or tw_count (scheduled timewait sockets) exceeds sysctl_max_tw_buckets, add 1</td></tr>
</tbody></table>
Linux Networking2022-03-15T00:00:00+00:002022-03-15T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/refs/linux-networking/<h2 id="packet-flow">Packet flow</h2>
<img src="/img/netfilter-packet-flow.svg" alt="Netfilter packet flow" style="background: #fff; padding: 1rem;" />
<p>Attribution: <a rel="external" href="https://creativecommons.org/licenses/by-sa/3.0/deed.en">CC BY-SA 3.0</a>,
<a rel="external" href="https://commons.wikimedia.org/wiki/User_talk:Jengelh">Jan Engelhardt</a></p>
HTTP References2022-03-12T00:00:00+00:002022-03-12T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/refs/http/<ul>
<li><a rel="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP">Mozilla HTTP reference guide</a></li>
</ul>
<h2 id="haproxy">HAProxy</h2>
<p><code>halog -pct headers</code></p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>percentile request_count request_time connect_time response_time data_time</span></span></code></pre>WordPress Charm for k8s2020-12-02T00:00:00+00:002020-12-02T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/wordpress-k8s-charm/<p>Canonical uses the WordPress blogging system for all our company blogs. Earlier this year I was tasked with updating our WordPress charm from a Services Framework Juju Charm on OpenStack to a Kubernetes based Operator Framework Charm.</p>
<p>The WordPress Operator Charm is simple by design, the goal of the charm is to just provide the various configuration options for our WordPress Kubernetes image, which does all the heavy lifting. See the <a rel="external" href="https://git.launchpad.net/charm-k8s-wordpress/tree/config.yaml">config.yaml</a> file for details on what is supported, one option that can be useful during testing is <code>container_config</code>, which gives you the ability to pass through custom Kubernetes spec environment variables. For example, to enable debug level logging and ensuring you always have the latest image, you would set:</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>microk8s.juju config wordpress container_config='WORDPRESS_DEBUG: "1" imagePullPolicy: "always"'</span></span></code></pre>
<p>The image build process downloads the latest WordPress codebase and installs it behind an Apache web server, it then downloads the plugins all of our blogs depend on, such as, akismet anti-spam support, SSO with the openid teams plugin, and a variety of Canonical Open Source themes. By default the charm will use the current stable build here, however if you wish to customise the image you can fork the code and update the <code>image</code> charm config option to point to the location of your custom image.</p>
<p>To get started with the Operator Framework WordPress charm you will need a MySQL database running locally. As I write this post there is no Kubernetes MySQL charm, so deploy one to an IaaS model with <code>juju deploy cs:mysql</code>. Initialise the database as follows:</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>CREATE DATABASE wordpress CHARACTER SET utf8 COLLATE utf8_unicode_ci;</span></span>
<span class="giallo-l"><span>CREATE USER 'wordpress'@'%' IDENTIFIED BY 'wordpress';</span></span>
<span class="giallo-l"><span>GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'%';</span></span>
<span class="giallo-l"><span>FLUSH PRIVILEGES;</span></span></code></pre>
<p>Once the database is prepared we are now able to deploy the WordPress charm. The easiest way to get started with a local Kubernetes cluster is to have MicroK8s installed, reference the <a rel="external" href="https://git.launchpad.net/charm-k8s-wordpress/tree/README.md">README</a> of the charm for details on how to get one setup. Deploy the charm as follows.</p>
<p>Deploy the charm into your Kubernetes Juju model.</p>
<p><code>microk8s.juju deploy cs:~wordpress-charmers/wordpress</code></p>
<p>The charm requires Kubernetes TLS secrets to be pre-configured to ensure logins are kept secure. Create a self-signed certificate and upload it as a Kubernetes secret.</p>
<p><code>openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt</code> <code>microk8s.kubectl create secret tls -n wordpress tls-wordpress --cert=server.crt --key=server.key</code></p>
<p>Tell the charm where the database is and provide some initial setup.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>DB_HOST=$IP_OF_YOUR_MYSQL_DATABASE</span></span>
<span class="giallo-l"><span>microk8s.juju config wordpress db_host=$DB_HOST db_user=wordpress db_password=wordpress tls_secret_name=tls-wordpress \</span></span>
<span class="giallo-l"><span> initial_settings="user_name: admin</span></span>
<span class="giallo-l"><span> admin_email: devnull@example.com</span></span>
<span class="giallo-l"><span> weblog_title: Test Blog</span></span>
<span class="giallo-l"><span> blog_public: False"</span></span></code></pre>
<p>From there you can test the site by updating your <code>/etc/hosts</code> file and creating a static entry for the IP address of the Kubernetes ingress gateway.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span> App Version Status Scale Charm Store Rev OS Address </span></span>
<span class="giallo-l"><span> Messagewordpress wordpress:bionic-stable waiting 1 wordpress local 0 kubernetes 10.152.183.140 </span></span></code></pre>
<p><code>echo '10.152.183.140 myblog.example.com' | sudo tee -a /etc/hosts</code></p>
<p>It will take about 5 to 10 minutes for Juju hooks to discover the site is live and perform the initial setup for you. Look for this line in the output of <code>juju debug-log</code> to confirm.</p>
<p><code>unit.wordpress/0.juju-log Wordpress configured and initialised</code></p>
<p>This is due to <a rel="external" href="https://github.com/canonical/operator/issues/166">issue #166</a> and will be fixed once Juju supports a Kubernetes pod ready hook.</p>
<p>To retrieve the random admin password, run the following.</p>
<p><code>microk8s kubectl exec -ti -n wordpress wordpress-operator-0 -- cat /root/initial.passwd</code></p>
<p>You should now be able to browse to <a rel="external" href="https://myblog.example.com/wp-admin">https://myblog.example.com/wp-admin</a>.</p>
<p>We’ve been using this charm in production for five months now, but recently updated it to bring it up to date with a current version of the Operator Framework. We’d be interested in any feedback on the charm itself, either here or via bugs against the <a rel="external" href="https://bugs.launchpad.net/charm-k8s-wordpress">charm project on Launchpad</a>.</p>
Managing Multi Cloud Services With Juju2018-10-24T00:00:00+00:002018-10-24T00:00:00+00:00
Thomas Cuthbert
https://realmofchaos.xyz/tech/managing-multi-cloud-services-with-juju/<p>Managing a service with deployments in multi-cloud environments can be a challenge in terms of troubleshooting and scalability due to the complexity of dealing with different public cloud providers. An effective way to manage services deployed cross-cloud is to use tools that allow you to define your service once and deploy anywhere: in the cloud, on bare metal, or locally inside containers. In this blog post I am going to describe how the Canonical SRE team has achieved this, the tools that we use and the way we apply them to manage the Ubuntu Archive Mirror service.</p>
<h1 id="historical-archive-mirror-setup">Historical Archive Mirror Setup</h1>
<p><img src="/img/Archive-Mirror-Diagram-2.png" alt="" /></p>
<p>It’s no secret that Ubuntu is a popular OS for running applications in the cloud. It was clear from the beginning that the increased adoption of Ubuntu in the cloud would cause a significant amount of stress on the master Ubuntu Archive Mirror service due to an increased rate of requests from Ubuntu instances running in public clouds. This was not a new problem for us, the Ubuntu Archive Mirror Network was originally conceived to protect the master Ubuntu Archives from getting over saturated with requests. The network architecture is a globally distributed system of web servers and caches that are operated by the community. The goal of this network is to improve response times for community users by directing traffic destined for the master Ubuntu Archive repositories to repositories geographically closer to the request’s origin. Without this distributed cache the millions of apt requests we receive every day would cause a denial of service to the master repository servers. Ubuntu updates would then be significantly degraded, which is unacceptable for any system running production grade services.</p>
<p>The nice thing about the Ubuntu Archive Mirror architecture is how extensible it is. Within each cloud region we have a deployment of the Ubuntu Archive Mirror service. Each regional deployment keeps in sync with the master repositories. When an Ubuntu instance is started in the cloud its apt sources are configured to point to the deployment servicing the region of which the instance is currently running. We apply this pattern to every public and private cloud we manage. This includes AWS, GCE, Azure and OpenStack.</p>
<h1 id="identifying-the-challenges">Identifying the Challenges</h1>
<p>After understanding our architectural requirements, the next step was to figure out how to manage each individual Ubuntu Archive deployment. A non exhaustive list of challenges we needed to address were:</p>
<ul>
<li>How do we manage the lifecycle of each Ubuntu Archive Mirror service?</li>
<li>Can we be sure that each environment is consistent and that the user experience remains the same no matter which Archive Mirror environment you are working on?</li>
<li>How can we test proposed changes before upgrading production services?</li>
<li>How do we respond to incidents when things go wrong with any of our environments and how do we ensure each environment is isolated from each other to avoid unnecessary outages?</li>
</ul>
<p>Our engineers can’t get bogged down with the semantics of each cloud. The best approach is to have a uniform interface that applies to any platform. This saves engineering time by making our playbooks more succinct and easier to digest, there is less room for error when there are minimal commands to run, a consistent UX reduces mean time to recovery as an engineer can be confident that the same troubleshooting methodology can be applied no matter which environment they are in, finally, environment specifications stored in version control allow us to keep track of changes, and easily test and rollback revisions that do not work.</p>
<h1 id="the-solution">The Solution</h1>
<p>Our Ubuntu Archive mirror services are modeled with Mojo which orchestrates deployments with Juju. “Automate once, deploy anywhere” is an approach we have taken in developing our environment automation solution. We define what our environments look like once and have the tooling take care of the boring details. Juju</p>
<p>Juju is the component which drives each deployment. It is responsible for talking to the cloud APIs, installation and configuration of each application, provisioning cloud services, such as security, networking, storage, and user access control. Juju enables us to deploy and scale services quickly and efficiently to a variety of providers: public clouds, physical servers, OpenStack, and local containers. Juju is responsible for provisioning instances and installing the application (a charm in Juju context) onto them. It is also responsible for managing services, such as ensuring ACLs are configured, configuring advanced networking, and allocating storage.</p>
<h1 id="deployment-control">Deployment Control</h1>
<p><img src="/img/mojo-brand.png" alt="" /></p>
<p>All our Archive Mirror deployments are centrally managed. We have a deployment host from which all SREs connect to environments we manage. An internally developed tool allows SREs to search for the environment they need to connect to (such as “Azure Archive Mirror for Japan East region”), and then configures for them everything they need to connect to that environment in a consistent way.</p>
<p>The Ubuntu Archive Mirror service itself is modeled as a Mojo specification. Mojo is a system of configuration and tools for verifying the success of Juju environment deployments. It allows us to define what an Archive Mirror is in a revision-controlled configuration repository, and a means of validating whether what we deployed is as we intended.</p>
<p>To deploy a new environment we use Mojo to run a manifest file which tells it which operations (phases) to perform and in what order. The manifest file looks similar to this:</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>collect</span></span>
<span class="giallo-l"><span>deploy config=services</span></span>
<span class="giallo-l"><span>deploy config=relations</span></span>
<span class="giallo-l"><span>script config=post-deploy</span></span>
<span class="giallo-l"><span>sleep config=10</span></span>
<span class="giallo-l"><span>nagios-check skip-checks-extra="check_ksplice,check_total_procs"</span></span>
<span class="giallo-l"><span>juju-check-wait</span></span>
<span class="giallo-l"><span>verify config=verify-deploy</span></span></code></pre>
<p>Mojo recognises different phases as different actions to perform. The three main phases to be concerned about are:</p>
<ul>
<li>collection
<ul>
<li>Mojo will download the charms (service modules) required as per the file specified in the collect call.</li>
</ul>
</li>
<li>deployment
<ul>
<li>The deploy phase is fairly self explanatory, it takes the artefacts from the collection phase and deploys them into the Juju model.</li>
</ul>
</li>
<li>verification
<ul>
<li>A script can be called once the deploy phase is complete. The script is configured to run some verification commands to make sure the deployment is in the desired state.</li>
</ul>
</li>
</ul>
<p>We define a collect file that contains an inventory of each component, known as a charm. This file looks like the following:</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>ubuntu-repository-cache lp:ubuntu-repository-cache;overwrite=True</span></span>
<span class="giallo-l"><span>haproxy cs:haproxy</span></span>
<span class="giallo-l"><span>nrpe cs:nrpe</span></span></code></pre>
<p>The actual service and relation specifications detail how each charm is related and any configuration options, i.e. Squid cache size and HAProxy monitor settings. For a look at the specification please see the appendix at the end of the post. Mojo uses codetree to pull down the charms, from either the charmstore or version control (e.g. launchpad.net or github.com), to the host and copies them to a charm repository for deployment. A phased approach protects us from incorrectly configured specifications as Mojo will not proceed if a phase fails. At the end of this process we have a new validated environment deployed and ready for use.</p>
<p>You can try this out for yourself, download the example mojo spec.</p>
<ul>
<li>
<p>Before we begin you will need to have Juju, Mojo and a Juju controller bootstrapped. You can find a tutorial on how to set this up here.</p>
</li>
<li>
<p>Configure a Mojo project and workspace which we will use to build and test our archive mirror environment locally before it gets deployed into our cloud.</p>
<p>export MOJO_STAGE=production export MOJO_WORKSPACE=archive-mirror export MOJO_PROJECT=mojo-archive-mirror-proj export MOJO_SERIES=xenial export MOJO_SPEC=<del>/mojo/mojo-archive-mirror-spec/ export MOJO_LOCAL=</del>/mojo/LOCAL/mojo-archive-mirror-spec/</p>
<p>juju bootstrap</p>
<p>mkdir -p ${MOJO_SPEC}; mkdir -p ${MOJO_LOCAL}; (cd ~/mojo; curl <a rel="external" href="https://admin.insights.ubuntu.com/wp-content/uploads/db69/mojo-archive-mirror-spec.tar.gz">https://admin.insights.ubuntu.com/wp-content/uploads/db69/mojo-archive-mirror-spec.tar.gz</a> | tar xv)</p>
<p>mojo project-new -s $MOJO_SERIES -c lxd mojo workspace-new –project $MOJO_PROJECT -s $MOJO_SERIES $MOJO_SPEC $MOJO_WORKSPACE mojo run</p>
</li>
</ul>
<p>Mojo has now orchestrated a deployment of our Archive Mirror environment. Below details the instances that were created and the applications installed onto them.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>$ juju status</span></span></code></pre>
<p>We know our new Archive Mirror is functioning because the verify phase in our manifest has curl’d the HAProxy unit and downloaded the list of supported Ubuntu series.</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>2018-07-16 06:53:34 [INFO] Running script verify-deploy</span></span>
<span class="giallo-l"><span>2018-07-16 06:53:35 [INFO] /ubuntu/</span></span>
<span class="giallo-l"><span>artful-backports/</span></span>
<span class="giallo-l"><span>artful-proposed/</span></span>
<span class="giallo-l"><span>artful-security/</span></span>
<span class="giallo-l"><span>artful-updates/</span></span>
<span class="giallo-l"><span>artful/</span></span>
<span class="giallo-l"><span>bionic-backports/</span></span>
<span class="giallo-l"><span>bionic-proposed/</span></span>
<span class="giallo-l"><span>bionic-security/</span></span>
<span class="giallo-l"><span>bionic-updates/</span></span>
<span class="giallo-l"><span>bionic/</span></span>
<span class="giallo-l"><span>[...]</span></span>
<span class="giallo-l"><span>2018-07-16 06:53:35 [INFO] Completed script verify-deploy in 0s (0.31s)</span></span></code></pre>
<p>We keep track of each Archive Mirror deployment that we manage with stages embedded in the root of the Mojo spec directory. These stages are nothing more than sub-directories that Mojo looks out for. Under each stage is the information used by each Mojo phase.</p>
<p>The directory layout looks a little something like this:</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>mojo-archive-mirror-spec # repository root.</span></span>
<span class="giallo-l"><span>├── manifest # the manifest script, this is what mojo run is looking for.</span></span>
<span class="giallo-l"><span>└── production</span></span>
<span class="giallo-l"><span>├── collect # Contains the list of charms that the collect phase will download.</span></span>
<span class="giallo-l"><span>├── haproxy-services.yaml</span></span>
<span class="giallo-l"><span>├── relations # Specifies the contracts between each service.</span></span>
<span class="giallo-l"><span>└── services # Details how each service should be configured.</span></span></code></pre>
<p>Mojo uses this approach when sourcing local significant configuration. This comes in handy when you want to do something like configure a service with dummy credentials for the CI deployment. If we wanted to add a new stage, like ci to the list of deployments we manage, we only need to create a new directory and populate the required files:</p>
<pre class="giallo" style="color: #F8F8F2; background-color: #272822;"><code data-lang="plain"><span class="giallo-l"><span>mojo-archive-mirror-spec</span></span>
<span class="giallo-l"><span>├── manifest</span></span>
<span class="giallo-l"><span>└── production</span></span>
<span class="giallo-l"><span>├── collect</span></span>
<span class="giallo-l"><span>[...]</span></span>
<span class="giallo-l"><span>└── ci</span></span>
<span class="giallo-l"><span>├── collect</span></span></code></pre>
<p>Any changes made to the Archive Mirror specification are tested. Our testing environment is a mixture of technologies: Jenkins, Openstack, Mojo and Juju. The testing procedure is broken down as follows:</p>
<ul>
<li>Jenkins job pulls the latest Mojo specification from version control.</li>
<li>A new juju model is created for the revision of the specification. The model is deployed into one of our private OpenStack clouds.</li>
<li>The Jenkins script then executes a Mojo run which deploys the Archive Mirror service to the new Juju model.</li>
<li>Jenkins monitors the progress and provides feedback on any errors.</li>
</ul>
<p>This process gives us assurance that the changes we have made are deployable albeit only within an Openstack context.</p>
<h1 id="closing-comments">Closing Comments</h1>
<p>So far our current solution has worked well. The time taken for an SRE to redeploy an Archive Mirror environment is under an hour. If an environment is sick and we start receiving alerts we can be confident that if all else fails, and troubleshooting is taking too long, we can destroy the environment and redeploy a fresh baseline. The process is as simple as failing over DNS, recreating the Juju model, running Mojo, and configuring DNS and monitoring.</p>