This message was deleted.
# opals
Slackbot
06/09/2023, 7:47 AMThis message was deleted.
r
Raz Co
06/09/2023, 7:51 AMThat’s extremely odd.
Many of our customers (and Permit.Io itself) are using OPAL with huge loads in production envs without any CPU issues.
Can you maybe check which process is using the CPU inside the pod ? Using top or any other solution you are familiar with
b
Ben Wallis
06/09/2023, 7:54 AMHmm the opal server container doesn't have ps or top, any suggestions? I could create a custom Dockerfile if not
Ben Wallis
06/09/2023, 7:57 AMAh nvm found it from the node, let me take a look
Ben Wallis
06/09/2023, 8:59 AMAppears to be the opal server gunicorn process
Ben Wallis
06/09/2023, 9:14 AMIt seems to be that the main gunicorn process is spawning 4 workers in a loop and they're immediately dying and being respawned
Ben Wallis
06/09/2023, 9:15 AM(just based on the output of
ps aux | grep gunicornBen Wallis
06/09/2023, 9:15 AMThere are no processes being OOM killed and the pod has sufficient memory available
o
Or Weis
06/09/2023, 9:21 AMQuick thoughts here:
• Are the OPAL workers throwing any exceptions?
• Are they be killed externally?
• Maybe a healthcheck misconfiguration?
b
Ben Wallis
06/09/2023, 9:29 AMI think I've just figured out that it's related to having
OPAL_STATISTICS_ENABLED=trueBen Wallis
06/09/2023, 9:30 AMThere's this in the logs when I have statistics enabled:
Copy code
[2023-06-09 09:29:32 +0000] [7151] [INFO] Booting worker with pid: 7151
[2023-06-09 09:29:32 +0000] [7120] [INFO] Error while closing socket [Errno 9] Bad file descriptor
[2023-06-09 09:29:32 +0000] [7135] [INFO] Error while closing socket [Errno 9] Bad file descriptor
2023-06-09T09:29:32.990341+0000 | 7141 | opal_server.server | INFO | Trigger worker graceful shutdowno
Or Weis
06/09/2023, 9:35 AMOdd, can you share the logs from the server?
I'd expect an error in the statistics flow.
Otherwise do you maybe have something using the statistics for healthcheck?
Can you share your configuration spec?
@Ro'e Katz
b
Ben Wallis
06/09/2023, 9:35 AMI don't have any healthchecks configured for opal server currently
Ben Wallis
06/09/2023, 9:37 AMconfigmap envvars:
Copy code
UVICORN_NUM_WORKERS=4
OPAL_LOG_LEVEL=DEBUG
OPAL_STATISTICS_ENABLED=true Copy code
spec:
replicas: 1
selector:
matchLabels:
app: authz-opal-server
template:
metadata:
labels:
app: authz-opal-server
<http://app.kubernetes.io/name|app.kubernetes.io/name>: authz-opal-server
<http://app.kubernetes.io/component|app.kubernetes.io/component>: server
spec:
containers:
- name: authz-opal-server
image: permitio/opal-server
envFrom:
- configMapRef:
name: opal-server-env-config
- secretRef:
name: opal-server-env-secrets
env:
- name: OPAL_BROADCAST_URI
value: <postgres://postgres:postgres@authz-opal-server-broadcast-service:5432/postgres>
- name: OPAL_POLICY_REPO_URL
value: git@localhost:/srv/git/policy
- name: OPAL_POLICY_REPO_MAIN_BRANCH
value: master
- name: OPAL_POLICY_REPO_POLLING_INTERVAL
value: "86400"
- name: OPAL_DATA_CONFIG_SOURCES
value: '{"external_source_url":"<http://localhost/config.json>"}'
- name: OPAL_LOG_FORMAT_INCLUDE_PID
value: "true"
ports:
- containerPort: 7002
resources:
limits:
memory: 2Gi
requests:
memory: 250Mir
Ro'e Katz
06/09/2023, 12:21 PM@Ben Wallis
My guess would be you haven’t configured Broadcaster, or the broadcaster isn’t available.
When statistics are enabled, the server immediately tries using it and probably restarts the worker as a result (we should have a better behavior there or at least have a more clear log).
💪 1
b
Ben Wallis
06/09/2023, 12:26 PMah! yes that's it - I had got it configured but late in the process of configuring I moved the postgres secrets to a separate secrets file and forgot to move the OPAL_BROADCAST_URI envvar there too so it was using the default "postgres" password as shown above
Ben Wallis
06/09/2023, 12:27 PMYeah a check to see if the broadcast server is available immediately on startup would be nice
Ben Wallis
06/09/2023, 12:29 PMThanks for the help 🙂
💜 1