Stephen Mahood's questions

I'm setting up jail shells using puppet to maintain a copy of the required libraries within the jails.

Using the following puppet code I can successfully copy the files across:

file { "/home/${username}/lib/x86_64-linux-gnu/libdl.so.2":
        ensure => present,
        source => "/lib/x86_64-linux-gnu/libdl.so.2",
        mode => '0700',
        links => 'manage',
        owner => $username,
        group => $username,
        require => File["/home/${username}/lib/x86_64-linux-gnu/"]
}

It appears though that the source file permissions are being changed to $username:$username as well as the destination file permissions.

The file /lib/x86_64-linux-gnu/libdl.so.2 end's up with the following permissions:

-rwx------ 1 $username $username ld-2.19.so

The jailed users are obviously able to login with this setup, but for everyone else that would be using /bin/bash in the real /lib folder it is breaking the login.

I have varnish setup with 2 backend servers with a round-robin director.

The 2 backends are showing up in varnishstat and varnishadm as healthy.

varnishadm output:

Backend name                   Admin      Probe
boot.app1                      probe      Healthy 5/5
boot.app2                      probe      Healthy 5/5

VCL Configuration:

probe ping {
  .interval = 5s;
  .timeout = 1s;
  .threshold = 3;
  .window = 5;
  .url = "/ping";
}
backend app1 {
  .host = "app-1.example.com";
  .port = "80";
  .probe = ping;
}

backend app2 {
  .host = "app-2.example.com";
  .port = "80";
  .probe = ping;
}

new application_servers = directors.round_robin();
application_servers.add_backend(app1);
application_servers.add_backend(app2);

set req.backend_hint = application_servers;

varnishstat output:

VBE.boot.app1.happy                                                                                                                        ffffffffff     VVVVVVVVVVVVVVVVVVVVVVVV
VBE.boot.app1.bereq_hdrbytes                                                                                                                    66.17K         0.00         91.00          0.00          0.00          0.00
VBE.boot.app1.beresp_hdrbytes                                                                                                                   76.72K         0.00        106.00          0.00          0.00          0.00
VBE.boot.app1.beresp_bodybytes                                                                                                                  11.91M         0.00         16.50K         0.00          0.00          0.00
VBE.boot.app1.conn                                                                                                                                251          0.00           .          251.00        251.00        251.00
VBE.boot.app1.req                                                                                                                                 251          0.00           .            0.00          0.00          0.00
VBE.boot.app2.happy                                                                                                                        ffffffffff     VVVVVVVVVVVVVVVVVVVVVVVV

You can see from the varnishstat command that traffic appears to only be sent to the first server in the round-robin configuration. There's no other lines for the app2 server other than .happy

Any thoughts on what would be causing the director to pick the first server every time?

I have varnish 4.1.2 installed, it starts fine from the command line but won't start when rebooting the server.

The syslog shows that the address is already in use (port 8080). There's nothing else installed on this server, it's a dedicated varnish server.

When starting from boot it looks like a panic occurs, here's the output from the panic.show in varnishadm

"Assert error in child_sigsegv_handler(), mgt/mgt_child.c line 282:
  Condition(Segmentation fault by instruction at 0x20bf68) not true.
thread = (cache-worker)
version = varnish-4.1.2 revision 0d7404e
ident = Linux,3.13.0-45-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit,epoll
Backtrace:
  0x433976: varnishd() [0x433976]
  0x452c43: varnishd() [0x452c43]
  0x7fdc2af61340: libpthread.so.0(+0x10340) [0x7fdc2af61340]
  0x43fba9: varnishd(VCL_DefaultDirector+0x19) [0x43fba9]
  0x436e05: varnishd(CNT_Request+0x9a5) [0x436e05]
  0x44e9d3: varnishd(HTTP1_Session+0xd3) [0x44e9d3]
  0x439d0d: varnishd(SES_Proto_Req+0x5d) [0x439d0d]
  0x4493d1: varnishd() [0x4493d1]
  0x44983b: varnishd() [0x44983b]
  0x7fdc2af59182: libpthread.so.0(+0x8182) [0x7fdc2af59182]
req = 0x7fdc2219a020 {
  vxid = 327766, step = R_STP_RECV,
  req_body = R_BODY_NONE,
  restarts = 0, esi_level = 0,
  sp = 0x7fdc2a1c0220 {
    fd = 22, vxid = 327765,
    client = 192.168.55.13 47216,
    step = S_STP_H1PROC,
  },
  worker = 0x7fdc2c2bac40 {
    stack = {0x7fdc2c2bb000 -> 0x7fdc2c2af000},
    ws = 0x7fdc2c2bae38 {
      id = \"wrk\",
      {s,f,r,e} = {0x7fdc2c2ba3e0,0x7fdc2c2ba3e0,(nil),+2040},
    },
    VCL::method = SYNTH,
    VCL::return = deliver,
    VCL::methods = {},
  },
  ws = 0x7fdc2219a200 {
    id = \"req\",
    {s,f,r,e} = {0x7fdc2219c000,+152,(nil),+57336},
  },
  http_conn = 0x7fdc2219a128 {
    fd = 22,
    doclose = NULL,
    ws = 0x7fdc2219a200,
    {rxbuf_b, rxbuf_e} = {0x7fdc2219c048, 0x7fdc2219c073},
    {pipeline_b, pipeline_e} = {(nil), (nil)},
    content_length = -1,
    body_status = none,
    first_byte_timeout = 0.000000,
    between_bytes_timeout = 0.000000,
  },
  http[req] = 0x7fdc2219a298 {
    ws[req] = 0x7fdc2219a200,
    hdrs {
      \"GET\",
      \"/ping\",
      \"HTTP/1.0\",
      \"Host: www.example.com\",
      \"X-Forwarded-For: 192.168.55.13\",
    },
  },
  vcl = {
    temp = warm
    srcname = {
"

The VCL file compiles file when using varnishd -C -f /etc/varnish/default.vcl

It looks like the master process is still running. Killing all the varnishd, varnishlog, and varnishncsa processes allows the service to start again.

I've got a few load balancers that all perform health checks on a number of varnish instances. The health check on the varnish side consists of matching the request method and URL to return a 200 response.

if (req.method == "GET" && req.url == "/ping") {
       return(synth(200, "OK"));
}

Using HAProxy i've got health checks configured to poll /ping on the backend servers. This is generating a lot of messages in varnishncsa. Is it possible to somehow drop log entries going into varnishncsa if they match a certain req.url?