Closed. Pilotindream closed this issue 1 week ago.
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Are there endpoints for this service you're trying to access? Is it the same service that is giving 200, and randomly, you're getting 503?
/triage needs-information
No, the service that randomly responds with 5xx is on our production cluster, and developers complain that they cannot see the IP of the pod that responded with the 5xx response. In my question I gave the example of a kyverno "dummy" service that I intentionally broke so that it responds with 5xx. I did this to make sure the 503 response appears in the nginx-ingress logs, but the upstream field is empty even with error-log: debug and nginxDebug enabled.
So in general I am looking for a way to see the IP address of the pod that responded with any 5xx in my ingress-nginx logs.
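For reference, the backend address is exposed by the nginx variable $upstream_addr. A minimal sketch of an ingress-nginx controller ConfigMap that includes it in log-format-upstream (the resource name and namespace here are assumptions matching a default Helm install, not taken from this thread):

```yaml
# Sketch, not a drop-in: ConfigMap name/namespace assume a default Helm
# install of ingress-nginx. $upstream_addr holds the "ip:port" of the pod
# that served the request; it stays empty when the controller answered
# the request itself.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  log-format-upstream: >-
    $remote_addr - [$time_local] "$request" $status
    upstream=$upstream_addr upstream_status=$upstream_status
```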
/remove-kind bug /kind support
The controller or the default-backend or the custom-backend will return 503
So am I right that when I see a 503 response in the ingress-nginx pod logs but the upstream field is empty, it means the controller, the default-backend, or a custom-backend responded with the 5xx?
Maybe you can suggest a way to test a case where the pod itself responds with a 5xx error, so that I can confirm the upstream field in the access logs shows the pod IP address?
I did this:
kubectl create deploy test0 --image nginx:alpine --port 80
kubectl expose deploy test0 --port 80
kubectl create ingress test0 --class nginx --rule 'test0.mydomain.com/*=test0:80'
In a different terminal, I started tailing the controller pod logs:
curl --resolve test0.mydomain.com:80:$(minikube ip) test0.mydomain.com
Then I forced a 503 error.
Now if I curl again, I can see the 503 in the controller pod logs.
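One way to make the backend pod itself (rather than the controller) return the 503, so that the upstream field is populated with the pod IP, is to rewrite the vhost config inside the running test0 pod; the pod stays Ready, so its endpoint stays registered and the controller keeps proxying to it. A sketch reusing the test0 names from the commands above (the exec trick is my assumption, not part of this thread):

```shell
# Make nginx inside the test0 pod answer every request with 503 while the
# pod stays Ready, so the controller still forwards traffic to it (and
# logs the pod IP as the upstream that produced the 503).
kubectl exec deploy/test0 -- sh -c \
  'printf "server { listen 80; return 503; }\n" > /etc/nginx/conf.d/default.conf && nginx -s reload'
```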
A backend pod may respond with 503 when the webserver in the backend pod hits an internal server error in the application.
@longwuyuan, so have you tried this approach, and were you able to see the 503 error with a non-empty "upstream" field, so that you could see your backend pod IP? I tried scaling one of my deployments to 0, and when I curl it via ingress I see 503 in the controller pod logs, but the "upstream" field is empty:
"msec": "1724931972.946", "connection": "92169", "connection_requests": "3", "pid": "25", "request_id": "dee825cceb66df3f63fee9edb7ab9879", "request_length": "849", "remote_addr": "116.203.159.143", "remote_user": "", "remote_port": "", "time_local": "29/Aug/2024:11:46:12 +0000", "time_iso8601": "2024-08-29T11:46:12+00:00", "request": "GET / HTTP/1.1", "request_uri": "/", "args": "", "status": "503", "body_bytes_sent": "592", "bytes_sent": "747", "http_referer": "", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 OPR/112.0.0.0", "http_x_forwarded_for": "116.203.159.143", "http_host": "kyverno.demo.k8sbrain.com", "server_name": "kyverno.demo.k8sbrain.com", "request_time": "0.000", "upstream": "", "upstream_connect_time": "", "upstream_header_time": "", "upstream_response_time": "", "upstream_response_length": "", "upstream_cache_status": "", "ssl_protocol": "", "ssl_cipher": "", "scheme": "http", "request_method": "GET", "server_protocol": "HTTP/1.1", "pipe": ".", "gzip_ratio": "", "http_cf_ray": "", "http_cf_ipcountry": ""}
Also, I tried setting an invalid path in my livenessProbe as well as specifying an invalid image, but the situation was the same: "upstream" is empty.
I understand your requirement, and it's possible to make some guesses as to your goal.
But your comments don't acknowledge the obvious. For example, it's obvious in my test that the 503 was returned by the controller pod. So it should be obvious that the normal logging configuration will not print the IP address of the controller pod itself in its own logs.
The controller logging follows nginx standards. Since your comments hint that you are specifically interested in a backend workload pod sending a 503 back to the client via the reverse proxy in the controller, you should design your own tests and configs on the backend pod. Typically, you can brute-force all responses from a backend pod to be 503 as an experimental test.
There is not much to troubleshoot or fix/change in the controller code here. Let me know if you have data showing otherwise, and then more discussion can happen based on the data you provide.
If you have a Tomcat inside a backend pod, fronted by nginx inside the same pod, and you inject a fault into the Tomcat while the nginx in the pod keeps working, that results in an internal server error, which is typically a 5xx response code.
@longwuyuan, thanks for the replies! I have one last question. If I see in the controller access logs that the "$upstream" value is empty, does it mean the response came from the controller and the request was never sent to the backend service?
That is my opinion. But let us not rely on my opinion. You can check the technical definition and description of the variable you have configured for display in the logs. That is, if that variable is coded to get the IP address of the controller pod itself, or if the logging process is configured to print its own external-facing interface IP address when the $upstream variable is interpolated, then you can get proof. (But I am not a developer and only vaguely understand such deep nginx code, and I wonder how the $upstream variable could interpolate the controller's own IP address.)
A correction on this:
"$upstream" value is empty in access logs: does it mean it is a response from the controller and the request was not sent to the backend service?
The controller has to attempt to reverse-proxy and forward the request to the backend; the reverse proxy (nginx) in the controller cannot arbitrarily decide to return 503 on its own. Only if there is no endpoint available to forward the request to does the controller conclude that an error response must be returned to the client.
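That rule can be checked mechanically against the JSON access-log format quoted in this thread: a 503 whose "upstream" field is empty never left the controller, while a populated "upstream" means a backend pod answered. A plain-shell sketch, with field names taken from the log lines above:

```shell
# Truncated sample of the access-log entry quoted earlier in this thread:
# status 503 and an empty upstream, i.e. the controller answered itself.
log_entry='"status": "503", "upstream": "", "upstream_response_time": ""'

# An empty $upstream means nginx never proxied the request to an endpoint.
case "$log_entry" in
  *'"upstream": ""'*) verdict="controller-generated" ;;
  *)                  verdict="backend-generated"    ;;
esac
echo "$verdict"
```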
Please close the issue, if it is resolved.
You should check whether rate limiting is configured. Limit-related features usually return 503. For example, if a certain URI is limited to 5 accesses per minute, nginx will return 503 for the 6th request. Such a request is not routed to the backend, so there is no upstream_addr and no upstream_response_time. You can check error.log for a 503 entry at 29/Aug/2024:11:46:12; the log level should be warning.
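In ingress-nginx, a per-client rate limit like the one described can be set with the nginx.ingress.kubernetes.io/limit-rpm annotation; requests over the limit are rejected by the controller itself (with 503 by default), so they appear in the access log exactly like the entries above, with an empty upstream. A sketch with hypothetical names and hostname, not taken from this thread:

```yaml
# Hypothetical Ingress: clients exceeding 5 requests/minute are rejected
# by the controller itself (503 by default), never reaching the backend,
# so the access-log "upstream" field is empty for those requests.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  annotations:
    nginx.ingress.kubernetes.io/limit-rpm: "5"
spec:
  ingressClassName: nginx
  rules:
  - host: demo.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: demo
            port:
              number: 80
```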
@Pilotindream I will close this issue for now as it is only adding to the tally of open issues without actually tracking any action item of the project. thanks
/close
@longwuyuan: Closing this issue.
What happened:
Hello guys! My team is running ingress-nginx version 1.11.2 (chart version 4.11.2) in an EKS cluster. Sometimes we receive 5xx errors from services, and we would like to know whether it's possible to get the IP address/name of the pod that responded with this code. Below you can see our controller config, especially for log-format-upstream:
For 2xx successful response codes, I can see in the ingress-nginx logs the entry below, where the pod IP address is visible in the "upstream" field. However, when I intentionally broke a service so that it started throwing 503 responses, I see in the logs that the "upstream" field is empty:
{"msec": "1724931972.946", "connection": "92169", "connection_requests": "3", "pid": "25", "request_id": "dee825cceb66df3f63fee9edb7ab9879", "request_length": "849", "remote_addr": "116.203.159.143", "remote_user": "", "remote_port": "", "time_local": "29/Aug/2024:11:46:12 +0000", "time_iso8601": "2024-08-29T11:46:12+00:00", "request": "GET / HTTP/1.1", "request_uri": "/", "args": "", "status": "503", "body_bytes_sent": "592", "bytes_sent": "747", "http_referer": "", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 OPR/112.0.0.0", "http_x_forwarded_for": "116.203.159.143", "http_host": "[kyverno.demo.k8sbrain.com](http://kyverno.demo.k8sbrain.com/)", "server_name": "[kyverno.demo.k8sbrain.com](http://kyverno.demo.k8sbrain.com/)", "request_time": "0.000", "upstream": "", "upstream_connect_time": "", "upstream_header_time": "", "upstream_response_time": "", "upstream_response_length": "", "upstream_cache_status": "", "ssl_protocol": "", "ssl_cipher": "", "scheme": "http", "request_method": "GET", "server_protocol": "HTTP/1.1", "pipe": ".", "gzip_ratio": "", "http_cf_ray": "", "http_cf_ipcountry": ""}
What I already tried: I have already enabled error-log-level: "debug" as well as controller.nginxDebug = true/false and controller.logLevel = 1 to 3. Found documentation here: https://docs.nginx.com/nginx-ingress-controller/troubleshooting/troubleshoot-common/
However, I still can't see the pod IP address/name that responded with 503. After enabling both error-log-level and nginxDebug, I only started receiving some messages related to nginx's own workings (some messages from lua). Example of logs from debug mode, related to the service I intentionally broke to receive a 503 response:
So my question: is it possible to configure ingress-nginx to show the pod IP address/name that responded with a 5xx response? Thanks in advance for your help!
What you expected to happen: I expected to see the IP address of the pod that responded with the 5xx error in the "upstream" field.
How ingress-nginx installed: Installed via community Helm Chart (version: 4.11.2)
ingress-nginx version: 1.11.2