Envoy does not use graceful shutdown when sending HTTP/2 GOAWAYs

Open birenroy opened this issue 5 months ago • 1 comments

Title: Envoy does not use graceful shutdown when sending HTTP/2 GOAWAYs

Description: When initiating a GOAWAY on an active HTTP/2 connection, Envoy should use the graceful shutdown behavior described by RFC 9113 to avoid affecting requests in flight.

RFC 9113 section 6.8 says:

A server that is attempting to gracefully shut down a connection SHOULD send an initial GOAWAY frame with the last stream identifier set to 2^31-1 and a NO_ERROR code. This signals to the client that a shutdown is imminent and that initiating further requests is prohibited. After allowing time for any in-flight stream creation (at least one round-trip time), the server MAY send another GOAWAY frame with an updated last stream identifier. This ensures that a connection can be cleanly shut down without losing requests.

This is the code in question:

  • https://github.com/envoyproxy/envoy/blob/741e47c9bf3c36065a9ade6e3ce32d4abfd777a4/source/common/http/http2/codec_impl.cc#L1038

Current behavior: When ConnectionImpl::goAway() is invoked, Envoy currently sends a single GOAWAY frame with a last_stream_id set to the highest received stream ID.

Desired behavior: When ConnectionImpl::goAway() is invoked, Envoy should send one GOAWAY frame with a last_stream_id set to 2^31-1, as described in RFC 9113. After a reasonable interval (e.g. one round trip time), Envoy should send a followup GOAWAY frame with last_stream_id set to the highest received stream ID at that point in time.

Why it matters: Filters can initiate a GOAWAY action:

  • https://github.com/envoyproxy/envoy/blob/741e47c9bf3c36065a9ade6e3ce32d4abfd777a4/source/common/http/filter_manager.h#L308

as can this load shed point:

  • https://github.com/envoyproxy/envoy/blob/741e47c9bf3c36065a9ade6e3ce32d4abfd777a4/source/common/http/http2/codec_impl.cc#L2287

If these GOAWAYs are not graceful, they can cause collateral damage to other traffic being handled on the same connection.

birenroy, Jun 12 '25 19:06
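The difference between the current and desired behavior described in the issue, as an added example that is not Envoy code and is not part of the original post. `encodeGoAway`, `ToyServer` and `simulate` are hypothetical names; the model assumes a client that sends streams 5 and 7 before it has seen the first GOAWAY.

```cpp
// Added example (not Envoy code): RFC 9113 section 6.8 GOAWAY, abrupt vs graceful.
#include <array>
#include <cstdint>
#include <vector>

constexpr uint32_t kMaxStreamId = 0x7fffffffu;  // 2^31-1
constexpr uint32_t kNoError = 0x0;              // NO_ERROR

// Serialize a GOAWAY frame without debug data: 9-byte header + 8-byte payload.
std::array<uint8_t, 17> encodeGoAway(uint32_t last_stream_id, uint32_t error_code) {
  std::array<uint8_t, 17> f{};  // flags and frame stream id stay 0 (connection-level)
  f[2] = 8;                     // 24-bit payload length
  f[3] = 0x07;                  // frame type GOAWAY
  const uint32_t last = last_stream_id & kMaxStreamId;  // reserved bit cleared
  for (int i = 0; i < 4; ++i) {
    f[9 + i] = static_cast<uint8_t>(last >> (24 - 8 * i));
    f[13 + i] = static_cast<uint8_t>(error_code >> (24 - 8 * i));
  }
  return f;
}

// Hypothetical server-side connection state, just enough to model the race.
struct ToyServer {
  uint32_t highest_received = 0;
  uint32_t advertised_last = kMaxStreamId;  // nothing refused until a GOAWAY is sent
  std::vector<uint32_t> unprocessed;        // streams above the advertised last id
  void onRequest(uint32_t id) {
    if (id > advertised_last) { unprocessed.push_back(id); return; }
    if (id > highest_received) highest_received = id;
  }
  std::array<uint8_t, 17> sendGoAway(uint32_t last_id) {
    advertised_last = last_id;
    return encodeGoAway(last_id, kNoError);
  }
};

// Streams 1 and 3 arrive, shutdown starts, then 5 and 7 arrive: the client sent
// them before it could have seen the first GOAWAY (within one round trip).
ToyServer simulate(bool graceful) {
  ToyServer s;
  s.onRequest(1); s.onRequest(3);
  s.sendGoAway(graceful ? kMaxStreamId : s.highest_received);  // graceful: 2^31-1 first
  s.onRequest(5); s.onRequest(7);
  if (graceful) s.sendGoAway(s.highest_received);  // follow-up after about one RTT
  return s;
}

int main() { return simulate(true).unprocessed.empty() ? 0 : 1; }
```

With a single GOAWAY, streams 5 and 7 fall above the advertised last stream ID and are not processed on this connection; with the two-step sequence they are accepted and the follow-up GOAWAY reports 7.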

FYI @RyanTheOptimist @diannahu @adisuissa @yanavlasov @yurykats

birenroy, Jun 12 '25 19:06

@tyxia

tyxia, Jul 28 '25 20:07

/assign @kanurag94

kanurag94, Sep 30 '25 07:09

kanurag94 is not allowed to assign users.

:cat:

Caused by: a https://github.com/envoyproxy/envoy/issues/39876#issuecomment-3350310533 was created by @kanurag94.

/assign

kanurag94, Sep 30 '25 07:09

kanurag94 is not allowed to assign users.

:cat:

Caused by: a https://github.com/envoyproxy/envoy/issues/39876#issuecomment-3350315871 was created by @kanurag94.

/assign @kanurag94

wbpcode, Sep 30 '25 10:09

@kanurag94 cannot be assigned to this issue.

:cat:

Caused by: a https://github.com/envoyproxy/envoy/issues/39876#issuecomment-3351126211 was created by @wbpcode.