Closed myf5 closed 5 years ago
# nginx -V
nginx version: nginx/1.15.10 (nginx-plus-r18-p1)
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j 20 Nov 2018 (running with OpenSSL 1.1.0k 28 May 2019)
TLS SNI support enabled
configure arguments: --build=nginx-plus-r18-p1 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_jwt_module --with-http_auth_request_module --with-http_dav_module --with-http_f4f_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_hls_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_session_log_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-plus-1.15.10/debian/debuild-base/nginx-plus-1.15.10=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
Hi @myf5, thanks for posting the issue.
I have just tried it and it is working on my end (same version of NGINX Plus and IC as you). In order to understand what might be happening:
Could you post your /etc/nginx/nginx.conf and /etc/nginx/conf.d/... files?
Could you also post the first lines of the logs of the IC to check the version? kubectl logs <IC_POD>, something like I0830 13:58:16.341688 1 main.go:155] Starting NGINX Ingress controller Version=edge GitCommit=15c945a8
It seems that the configuration is correct for what you posted but something is causing a segfault in your NGINX Plus instance. This would be more an issue with the module, not with the Ingress Controller itself.
@Rulox Thanks for the help.
No other module. I build the image from the default file, with the exception of "ADD default.pem /etc/nginx/secrets/default": make PREFIX=myf5/nginx-plus-ingress-opentracing DOCKERFILE=DockerfileWithOpentracingForPlus GENERATE_DEFAULT_CERT_AND_KEY=1
No special annotations, here is the cafe-ingress.yaml. Note: the annotations below were added after the above test. With or without the annotation, I get the same failure.
[root@k8s-master complete-example]# cat cafe-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    kubernetes.io/ingress.class: "canary"
spec:
  tls:
  - hosts:
    - cafe.lab.f5se.io
    secretName: cafe-secret
  rules:
  - host: cafe.lab.f5se.io
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
I am posting my nginx.conf in below comments.
Here are the files when I am not creating the configmap "kubernetes-ingress/examples/opentracing/nginx-config.yaml". So currently the IC is running with the default nginx-config configmap, whose data part is blank.
Go into the container:
# cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
daemon off;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65s;
keepalive_requests 100;
#gzip on;
server_names_hash_max_size 512;
variables_hash_bucket_size 256;
variables_hash_max_size 1024;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
map $http_upgrade $vs_connection_header {
default upgrade;
'' $default_connection_header;
}
server {
# required to support the Websocket protocol in VirtualServer/VirtualServerRoutes
set $default_connection_header "";
listen 80 default_server;
listen 443 ssl default_server;
ssl_certificate /etc/nginx/secrets/default;
ssl_certificate_key /etc/nginx/secrets/default;
server_name _;
server_tokens "on";
access_log off;
location / {
return 404;
}
}
# NGINX Plus APIs
server {
listen 8888;
root /usr/share/nginx/html;
access_log off;
location = /dashboard.html {
}
allow 172.16.0.0/16;
deny all;
location /api {
api write=off;
}
}
# NGINX Plus API over unix socket
server {
listen unix:/var/run/nginx-plus-api.sock;
access_log off;
# $config_version_mismatch is defined in /etc/nginx/config-version.conf
location /configVersionCheck {
if ($config_version_mismatch) {
return 503;
}
return 200;
}
location /api {
api write=on;
}
}
include /etc/nginx/config-version.conf;
include /etc/nginx/conf.d/*.conf;
}
stream {
log_format stream-main '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
access_log /var/log/nginx/stream-access.log stream-main;
}
# ls /etc/nginx/conf.d/
default-cafe-ingress.conf
# cat /etc/nginx/conf.d/default-cafe-ingress.conf
# configuration for default/cafe-ingress
upstream default-cafe-ingress-cafe.lab.f5se.io-coffee-svc-80 {
zone default-cafe-ingress-cafe.lab.f5se.io-coffee-svc-80 256k;
random two least_conn;
server 10.244.0.111:80 max_fails=1 fail_timeout=10s max_conns=0;
}
upstream default-cafe-ingress-cafe.lab.f5se.io-tea-svc-80 {
zone default-cafe-ingress-cafe.lab.f5se.io-tea-svc-80 256k;
random two least_conn;
server 10.244.0.112:80 max_fails=1 fail_timeout=10s max_conns=0;
}
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/secrets/default-cafe-secret;
ssl_certificate_key /etc/nginx/secrets/default-cafe-secret;
server_tokens "on";
server_name cafe.lab.f5se.io;
status_zone cafe.lab.f5se.io;
if ($scheme = http) {
return 301 https://$host:443$request_uri;
}
location /tea {
proxy_http_version 1.1;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
client_max_body_size 1m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering on;
proxy_pass http://default-cafe-ingress-cafe.lab.f5se.io-tea-svc-80;
}
location /coffee {
proxy_http_version 1.1;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
client_max_body_size 1m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering on;
proxy_pass http://default-cafe-ingress-cafe.lab.f5se.io-coffee-svc-80;
}
}
Now, create the configmap with "kubernetes-ingress/examples/opentracing/nginx-config.yaml". The IC will coredump.
The first line log:
[root@k8s-master opentracing]# kubectl logs nginx-ingress-g9tjd -n nginx-ingress
I0830 07:57:56.417549 1 main.go:155] Starting NGINX Ingress controller Version=edge GitCommit=924726b
The last lines log:
I0831 09:33:15.417048 1 event.go:209] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"369db247-ca71-11e9-8f84-005056b34685", APIVersion:"extensions/v1beta1", ResourceVersion:"34275299", FieldPath:""}): type: 'Warning' reason: 'UpdatedWithError' Configuration for default/cafe-ingress was updated but was not applied: Error when updating config from ConfigMap: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "Segmentation fault (core dumped)\n"
finished with error: exit status 139
I0831 09:33:15.417073 1 event.go:209] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"nginx-ingress", Name:"nginx-config", UID:"b853b442-ca6f-11e9-8f84-005056b34685", APIVersion:"v1", ResourceVersion:"34389127", FieldPath:""}): type: 'Warning' reason: 'UpdatedWithError' Configuration from nginx-ingress/nginx-config was updated but was not applied: Error when updating config from ConfigMap: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "Segmentation fault (core dumped)\n"
finished with error: exit status 139
Related files now. NOTE: Why is there "opentracing off;" in the default server definition block?
# cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
daemon off;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
load_module modules/ngx_http_opentracing_module.so;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65s;
keepalive_requests 100;
#gzip on;
server_names_hash_max_size 512;
variables_hash_bucket_size 256;
variables_hash_max_size 1024;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
map $http_upgrade $vs_connection_header {
default upgrade;
'' $default_connection_header;
}
opentracing on;
opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/tracer-config.json;
server {
# required to support the Websocket protocol in VirtualServer/VirtualServerRoutes
set $default_connection_header "";
listen 80 default_server;
listen 443 ssl default_server;
ssl_certificate /etc/nginx/secrets/default;
ssl_certificate_key /etc/nginx/secrets/default;
server_name _;
server_tokens "on";
access_log off;
opentracing off;
location / {
return 404;
}
}
# NGINX Plus APIs
server {
listen 8888;
root /usr/share/nginx/html;
access_log off;
opentracing off;
location = /dashboard.html {
}
allow 172.16.0.0/16;
deny all;
location /api {
api write=off;
}
}
# NGINX Plus API over unix socket
server {
listen unix:/var/run/nginx-plus-api.sock;
access_log off;
opentracing off;
# $config_version_mismatch is defined in /etc/nginx/config-version.conf
location /configVersionCheck {
if ($config_version_mismatch) {
return 503;
}
return 200;
}
location /api {
api write=on;
}
}
include /etc/nginx/config-version.conf;
include /etc/nginx/conf.d/*.conf;
}
stream {
log_format stream-main '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
access_log /var/log/nginx/stream-access.log stream-main;
}
# cat /etc/nginx/conf.d/default-cafe-ingress.conf
# configuration for default/cafe-ingress
upstream default-cafe-ingress-cafe.lab.f5se.io-coffee-svc-80 {
zone default-cafe-ingress-cafe.lab.f5se.io-coffee-svc-80 256k;
random two least_conn;
server 10.244.0.111:80 max_fails=1 fail_timeout=10s max_conns=0;
}
upstream default-cafe-ingress-cafe.lab.f5se.io-tea-svc-80 {
zone default-cafe-ingress-cafe.lab.f5se.io-tea-svc-80 256k;
random two least_conn;
server 10.244.0.112:80 max_fails=1 fail_timeout=10s max_conns=0;
}
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/secrets/default-cafe-secret;
ssl_certificate_key /etc/nginx/secrets/default-cafe-secret;
server_tokens "on";
server_name cafe.lab.f5se.io;
status_zone cafe.lab.f5se.io;
if ($scheme = http) {
return 301 https://$host:443$request_uri;
}
location /tea {
proxy_http_version 1.1;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
client_max_body_size 1m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering on;
proxy_pass http://default-cafe-ingress-cafe.lab.f5se.io-tea-svc-80;
}
location /coffee {
proxy_http_version 1.1;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
client_max_body_size 1m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering on;
proxy_pass http://default-cafe-ingress-cafe.lab.f5se.io-coffee-svc-80;
}
}
Hi @myf5 thanks for all the data.
I have used exactly the same version and config as you and it is working perfectly on my end, I can't reproduce your error (your pasted configs seem ok too). The only difference is the version of k8s (I am using 1.12). 1.10 is a really old version. I would recommend that you update to at least 1.11 as well anyway.
Also could you provide the list of arguments and/or configmaps you are using? I see you are using for example NginxStatusAllowCIDRs among others, that's the only difference we have in configs.
Another check that you could perform is to try to re-build the IC image (make clean && make build...), just in case something went wrong the first time (unlikely).
I'll run the issue with the rest of the team to see if others can reproduce. Will update the issue with any news. Sorry for the inconvenience.
Re: NOTE: Why there is " opentracing off;" in the default server definition block?
This is intended. We decided to disable opentracing in all server/locations that weren't configured by the user, including the default server.
@myf5 Thanks for the extensive info. As @Rulox mentioned, we haven't been able to reproduce the issue. Could you send us some additional information below?
Could you possibly run the following command from the IC container: $ dpkg -l | grep nginx ?
Could you possibly try to reproduce the bug once again but this time enabling the NGINX debug log? To enable the debug log:
-nginx-debug cli argument of the IC
error-log-level: "debug" in the ConfigMap
load_module modules/ngx_http_opentracing_module.so; -> load_module modules/ngx_http_opentracing_module-debug.so; so that debug logging is enabled in the OT module as well.
Once the debug logging is enabled, could you reproduce an issue and share the debug log related to the core dump?
If during the building of an image you encounter an error The following packages have unmet dependencies: nginx-plus-module-opentracing : Depends: nginx-plus-r19, please update the Dockerfile and specify the version of the OT module: nginx-plus-module-opentracing=18+0.8.0-1~stretch
Thanks
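The `dpkg -l | grep nginx` check and the version pin requested above can be turned into a guard that fails an image build when a dynamic module targets a different NGINX Plus release than the installed core. This is an added example, not code from the thread or the project; the helper name `check_nginx_plus_modules`, the constructed mismatch sample, and the reading of the number before `+` in a module version as the release it was built for are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the project.
# Assumption: package versions have the shape shown on this page:
#   nginx-plus                "<release>-<rev>~<distro>"           e.g. 18-2~stretch
#   nginx-plus-module-<name>  "<release>+<modver>-<rev>~<distro>"  e.g. 18+0.8.0-1~stretch

# check_nginx_plus_modules (hypothetical helper): reads `dpkg -l` output on
# stdin, prints one verdict per installed module, and returns non-zero if any
# module targets a different release or nginx-plus itself is missing.
check_nginx_plus_modules() {
    awk '
        $1 == "ii" && $2 == "nginx-plus" {
            split($3, core_parts, "-"); core = core_parts[1]
        }
        $1 == "ii" && $2 ~ /^nginx-plus-module-/ {
            split($3, mod_parts, "+"); built_for[$2] = mod_parts[1]
        }
        END {
            if (core == "") { print "ERROR: nginx-plus is not installed"; exit 1 }
            bad = 0
            for (name in built_for) {
                if (built_for[name] == core) {
                    print "OK: " name " matches release " core
                } else {
                    print "MISMATCH: " name " targets release " built_for[name] ", nginx-plus is release " core
                    bad = 1
                }
            }
            exit bad
        }'
}

# Sample 1: the two package lines posted in this thread.
SAMPLE_PAGE='ii nginx-plus 18-2~stretch amd64 NGINX Plus, provided by Nginx, Inc.
ii nginx-plus-module-opentracing 18+0.8.0-1~stretch amd64 NGINX Plus, provided by Nginx, Inc. (3rd-party OpenTracing dynamic module)'

# Sample 2 (constructed): release 18 core with a module built for release 19.
SAMPLE_MISMATCH='ii nginx-plus 18-2~stretch amd64 constructed sample
ii nginx-plus-module-opentracing 19+0.8.0-1~stretch amd64 constructed sample'

printf '%s\n' "$SAMPLE_PAGE" | check_nginx_plus_modules || echo "unexpected mismatch"
printf '%s\n' "$SAMPLE_MISMATCH" | check_nginx_plus_modules || echo "an image build would stop here"
```

In a Dockerfile the same function can be fed from `dpkg -l` directly after the package install step, so a mismatched image is never pushed.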
@Rulox Sorry for the late response, I was on PTO. Here are the arguments of the controller:
[root@k8s-master daemon-set]# cat nginx-plus-ingress.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-apidmeo
  namespace: nginx-ingress
spec:
  selector:
    matchLabels:
      app: nginx-ingress-apidemo
  template:
    metadata:
      labels:
        app: nginx-ingress-apidemo
      #annotations:
        #prometheus.io/scrape: "true"
        #prometheus.io/port: "9113"
    spec:
      serviceAccountName: nginx-ingress
      containers:
      - image: myf5/nginx-plus-ingress-opentracing:edge
        imagePullPolicy: IfNotPresent
        name: nginx-plus-ingress-apidemo
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: apiport
          containerPort: 8889
          hostPort: 8889
        #- name: prometheus
          #containerPort: 9113
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
          - -nginx-plus
          - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
          - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
          - -nginx-status
          - -nginx-status-allow-cidrs=172.16.0.0/16
          - -nginx-status-port=8889
          # - -ingress-class=canary
          #- -v=3 # Enables extensive logging. Useful for troubleshooting.
          #- -report-ingress-status
          #- -external-service=nginx-ingress
          #- -enable-leader-election
          #- -enable-prometheus-metrics
          #- -enable-custom-resources
For the configmap, I am using the same as the examples, which is:
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  opentracing: "True"
  opentracing-tracer: "/usr/local/lib/libjaegertracing_plugin.so"
  opentracing-tracer-config: |
    {
      "service_name": "nginx-ingress",
      "sampler": {
        "type": "const",
        "param": 1
      },
      "reporter": {
        "localAgentHostPort": "jaeger-agent.default.svc.cluster.local:6831"
      }
    }
@pleshakov
# dpkg -l | grep nginx
ii nginx-plus 18-2~stretch amd64 NGINX Plus, provided by Nginx, Inc.
ii nginx-plus-module-opentracing 18+0.8.0-1~stretch amd64 NGINX Plus, provided by Nginx, Inc. (3rd-party OpenTracing dynamic module)
I will try to debug it following your instructions.
@pleshakov I tried to load the debug OT module via the ConfigMap. The logs of the pods:
[root@k8s-master opentracing]# kubectl logs nginx-ingress-apidmeo-tp52z -n nginx-ingress
I0918 12:29:09.843313 1 main.go:155] Starting NGINX Ingress controller Version=edge GitCommit=924726b
F0918 12:29:14.041817 1 manager.go:195] Could not get newest config version: could not get expected version: 0
Seems like something went wrong, and there are no debug logs?
Here is what I did:
edit the configmap:
[root@k8s-master opentracing]# cat nginx-config-debug.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  error-log-level: "debug"
  opentracing: "True"
  opentracing-tracer: "/usr/local/lib/libjaegertracing_plugin.so"
  main-template: |
    user nginx;
    worker_processes {{.WorkerProcesses}};
    {{- if .WorkerRlimitNofile}}
    ......truncated....
    {{- if .OpenTracingLoadModule}}
    load_module modules/ngx_http_opentracing_module-debug.so;
    {{- end}}
    ......truncated....
    }
  opentracing-tracer-config: |
    {
      "service_name": "nginx-ingress",
      "sampler": {
        "type": "const",
        "param": 1
      },
      "reporter": {
        "localAgentHostPort": "jaeger-agent.default.svc.cluster.local:6831"
      }
    }
edit IC Daemonset yaml:
[root@k8s-master opentracing]# cat ../../deployments/daemon-set/nginx-plus-ingress-debug.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-apidmeo
  namespace: nginx-ingress
spec:
  selector:
    matchLabels:
      app: nginx-ingress-apidemo
  template:
    metadata:
      labels:
        app: nginx-ingress-apidemo
      #annotations:
        #prometheus.io/scrape: "true"
        #prometheus.io/port: "9113"
    spec:
      serviceAccountName: nginx-ingress
      containers:
      - image: myf5/nginx-plus-ingress-opentracing:edge
        imagePullPolicy: IfNotPresent
        name: nginx-plus-ingress-apidemo
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: apiport
          containerPort: 8889
          hostPort: 8889
        #- name: prometheus
          #containerPort: 9113
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
          - -nginx-plus
          - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
          - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
          - -nginx-status
          - -nginx-status-allow-cidrs=172.16.0.0/16
          - -nginx-status-port=8889
          - -nginx-debug
          # - -ingress-class=canary
          #- -v=3 # Enables extensive logging. Useful for troubleshooting.
          #- -report-ingress-status
          #- -external-service=nginx-ingress
          #- -enable-leader-election
          #- -enable-prometheus-metrics
          #- -enable-custom-resources
Thanks all. Rebuilding the image solved the issue.
Nice!
Closing the issue.
Describe the bug
The opentracing setting is updated to nginx.conf in the ingress controller after creating config map with "kubernetes-ingress/examples/opentracing/nginx-config.yaml".
The configuration is:
opentracing on;
opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/tracer-config.json;
But nginx cannot reload the config and core dumps.
nginx will reload successfully if I manually comment out the opentracing setting in the nginx.conf file: