Re: TCP Resets when closing connection opened via SSL - Mailing list pgsql-general

From Jānis Pūris
Subject Re: TCP Resets when closing connection opened via SSL
Date
Msg-id 9718d4fc-de72-45bc-af1b-f759b9f2b29d@Spark
Whole thread Raw
In response to Re: TCP Resets when closing connection opened via SSL  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: TCP Resets when closing connection opened via SSL
Re: TCP Resets when closing connection opened via SSL
List pgsql-general
Thanks for the insight, Tom.

It's fairly obvious from the postmaster log that the client side
is not bothering to close the transaction it started

Thats what I was also thinking, but I've managed to reproduce it with autocommit or commit before closing connection as well.
This is only reproducible with SSL connection.

I've reproduced it with ubuntu package bundles certs, my own created, generated with CA etc hence I do not think it is a problem with certificates themselves.
This happens with various clients, php driver, java driver and also libpq used by psycopg2. We are running a lot of different kind of microservices and thus far I can tell, almost (if not all) of them have this problem manifest.

I can not however reproduce this when doing something like
$ psql "user=postgres sslmode=require host=localhost dbname=postgres"
postgres=# \q

So, please re-think why you are considering them problematic in the first place.

This is an issue because we have a lot of connections being initiated and closed. And this creates a lot of TCP resets.

We could go with something like pgbouncer in front of it to pool the connections in order to reduce the reset count, but this would not be solving the root cause, but merely working around it.

Other than that, this does not seem to "break" anything. This is basically large noise for monitoring and huge numbers of resets, when looking at something like netstat. And by no means, this happens casually.

Has no one expieriencing this ?
Should I just assume this is "normal" and forget about it ? I'd still want to understand what's going on thought.

Med vennlig hilsen.
Best regards, Janis Puris.
On 26 Apr 2019, 16:17 +0200, Tom Lane <tgl@sss.pgh.pa.us>, wrote:
Jānis Pūris <janis@puris.lv> writes:
I'm trying to do a simple health check for keepalived and other services via a python script and psycopg2 library. All seems to be all right, until I close the connection, at which point a packet with TCP reset is produced.

Hm. It's fairly obvious from the postmaster log that the client side
is not bothering to close the transaction it started:

2019-04-23 16:27:45.306 CEST process=15615 c=BEGIN t=0 s=5cbf20e1.3cff monitoring@127.0.0.1:postgres app=[unknown] LOG: duration: 0.095 ms
2019-04-23 16:27:45.306 CEST process=15615 c=SELECT t=0 s=5cbf20e1.3cff monitoring@127.0.0.1:postgres app=[unknown] LOG: duration: 0.234 ms
2019-04-23 16:27:45.306 CEST process=15615 c=idle in transaction t=0 s=5cbf20e1.3cff monitoring@127.0.0.1:postgres app=[unknown] LOG: disconnection: session time: 0:00:00.006 user=monitoring database=postgres host=127.0.0.1 port=40797

There's no COMMIT or ROLLBACK to go with the BEGIN, and that's reflected
in the fact that the disconnection message shows c=idle in transaction.
Now, I doubt that would have any impact on the TCP-level session behavior,
but it suggests that maybe the client isn't bothering to close the session
cleanly either. The RST rather than FIN would then likely be caused by
SSL having to do an unclean shutdown.

regards, tom lane

pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: TCP Resets when closing connection opened via SSL
Next
From: Tom Lane
Date:
Subject: Re: TCP Resets when closing connection opened via SSL