Consul 1.6.3 DDos using consul-template (1.6.2 working fine) #1346
Comments
I was looking into this and while asking around was pointed to
@obourdon see the above (and linked consul comment). I'm adding this to be sure you get messaged about it. Please let me know if this does/doesn't fix your issue. Thanks.
@eikenb will have a look at this thanks. Sorry for not answering earlier. Will keep you posted
@eikenb and all please have a look at my latest entry in consul issue #7259
@eikenb Maybe returning HTTP 429 could allow consul-template to detect that behavior and automatically apply rate limit, see hashicorp/consul#7527 and hashicorp/go-connlimit#6
Just sanity checking here, based on @pierresouchay's comment above I went looking for some config switch to manually apply some consul agent concurrent request limiting but didn't find any in https://github.com/hashicorp/consul-template/blob/main/watch/view.go Other than raising Currently we're using consul-template to generate nginx proxy config and due to consul's client rate limiting and consul-template's retry backoff we end up with a long delay when starting up a consul-template instance watching ~200 services.
@srstsavage if you have issues with that, you might have a look at consul-templaterb which has heuristics to avoid this: https://github.com/criteo/consul-templaterb/ Also an article about it: https://medium.com/criteo-engineering/template-based-discovery-with-consul-templaterb-8ff88434c457
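The client-side behaviour discussed in the comments above, as an added Go example that is not consul-template's code or any commenter's: cap the number of requests in flight to the agent, and back off when the agent answers HTTP 429 or drops the connection (the EOFs reported in the issue). `FetchAll` and its parameters are hypothetical names, and a 429 answer from the agent is an assumption taken from the proposal in hashicorp/consul#7527.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"sync"
	"sync/atomic"
	"time"
)

// FetchAll (hypothetical helper) GETs every URL with at most maxInFlight
// requests open at once. A 429 answer or a transport error such as EOF counts
// as throttling: the URL is retried up to retries times with exponential backoff.
func FetchAll(c *http.Client, urls []string, maxInFlight, retries int, base time.Duration) (answered, throttled int64) {
	sem := make(chan struct{}, maxInFlight) // one token per open request
	var wg sync.WaitGroup
	for _, u := range urls {
		wg.Add(1)
		go func(u string) {
			defer wg.Done()
			for attempt := 0; attempt <= retries; attempt++ {
				sem <- struct{}{} // wait for a free slot before touching the agent
				resp, err := c.Get(u)
				<-sem
				if err == nil {
					resp.Body.Close()
					if resp.StatusCode != http.StatusTooManyRequests {
						atomic.AddInt64(&answered, 1) // any non-429 answer ends the loop
						return
					}
				}
				atomic.AddInt64(&throttled, 1)
				time.Sleep(base << uint(attempt)) // base, 2*base, 4*base, ...
			}
		}(u)
	}
	wg.Wait()
	return answered, throttled
}

// Usage: pass the agent URLs to poll as arguments. The values 8, 5 and 100ms
// are constructed sample settings, not recommendations from the thread.
func main() {
	answered, throttled := FetchAll(http.DefaultClient, os.Args[1:], 8, 5, 100*time.Millisecond)
	fmt.Println("answered:", answered, "throttled:", throttled)
}
```

Keeping `maxInFlight` below the agent's per-client limit means the burst on refresh never reaches the limit, so the backoff path is only a fallback.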
Please have a look at consul issue #7259
Note that running with -once works perfectly well so I guess the "burst" occurs on refresh.
I think the issue/configuration values to solve can be both in consul AND consul-template therefore the post of 2 separate issues
Consul Template version
0.24.1
Configuration
I have reproduced the issue isolated from my complete (encrypted and SSL secured) environment using official consul Docker container and get the same behaviour: OK with 1.6.2, KO with 1.6.3 and later.
You can find the code to reproduce it yourself here.
Command
idem
Debug output
None to provide at this step (way too big) but again use provided reproducible test case above
Expected behavior
Either success or some limits to be configured properly to prevent this from happening but tried a lot of combinations of consul and consul-template configuration parameters without success
Actual behavior
Lots of EOF are seen within consul-template output and consul client node loses connection to consul server/cluster
consul members does not work anymore. However after some time, it seems to self-recover
Steps to reproduce
See README.md of reproducible test case
References
See also consul-template issues and PRs #1279, #1066, #1065, #1107