puppet-wildfly

503 Service Unavailable

Open alexjfisher opened this issue 7 years ago • 2 comments

The code designed to retry api connections if Wildfly hasn't started up yet isn't working for me.

Error: /Stage[main]/Profile::Keycloak/Wildfly::Resource[/socket-binding-group=standard-sockets/socket-binding=proxy-https]/Wildfly_resource[/socket-binding-group=standard-sockets/socket-binding=proxy-https]: Could not evaluate: 757: unexpected token at '<html><head><title>Error</title></head><body>503 - Service Unavailable</body></html>'
/opt/puppetlabs/puppet/lib/ruby/2.1.0/json/common.rb:155:in `parse'
/opt/puppetlabs/puppet/lib/ruby/2.1.0/json/common.rb:155:in `parse'
/opt/puppetlabs/puppet/cache/lib/puppet_x/wildfly/api_client.rb:58:in `submit'
/opt/puppetlabs/puppet/cache/lib/puppet_x/wildfly/operation_request.rb:40:in `exists?'
/opt/puppetlabs/puppet/cache/lib/puppet/provider/wildfly_resource/http_api.rb:18:in `exists?'

It appears the @http_client.request authz_request get in authz_header works fine, but the post in submit gets a 503. The service is 'partially' started?? Furthermore, the 503 isn't returned as JSON, so I get the unexpected token exception instead of the "Failed with: #{response['failure-description']} for #{body.to_json}" one.

I'm using the keycloak distribution on CentOS 7 with puppet 4.10.3. I think you should be able to reproduce the issue with the following and puppet apply.

class { '::wildfly':
  version           => '10.1.0',
  distribution      => 'wildfly',
  config            => 'standalone-ha.xml',
  install_cache_dir => '/tmp',
  install_source    => 'https://downloads.jboss.org/keycloak/3.1.0.Final/keycloak-3.1.0.Final.tar.gz',
  mgmt_user         => {
    username => 'admin',
    password => 'admin',
  },
}

wildfly::resource { '/socket-binding-group=standard-sockets/socket-binding=proxy-https':
  content => {
    port => 443,
  },
  notify  => Wildfly::Reload['Reload if necessary'],
}

wildfly::reload { 'Reload if necessary':
  retries => 2,
  wait    => 15,
}

Many thanks, Alex

alexjfisher Jun 21 '17 11:06

I have seen this as well using the standard wildfly distribution, so it's not related to keycloak. Could perhaps be solved by checking if response is an instance of Net::HTTPSuccess, and if not trigger a retry?

cfrantsen Jun 22 '17 11:06

Just confirmed this. Don't even need wildfly::reload to reproduce it.

It's not happening during retry - and the retried request needs to return 401 (Net::HTTPUnauthorized) with data to perform digest authentication.

This is happening afterwards during the actual Management Request - as far as I understood, Management API is ready to process authentication, but Wildfly is not ready to receive any management operations, hence the 503.

Sysvinit scripts used to work by checking Wildfly's logs for JBAS015874, but they replaced it with a marker file approach. Bundled systemd scripts do not use any of this.

I need another way to assert that Wildfly is ready because I can't retry actual management requests since some of them are not idempotent. It was OK to retry authentication.

One alternative would be to not use bundled systemd script but systemd/sysvinit wrapper (like Wildfly < 10: https://github.com/biemond/biemond-wildfly/blob/master/templates/wildfly.sysvinit.service.epp) or create a new script.

jairojunior Jun 25 '17 21:06
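
A sketch of the approach the thread converges on, added here as an example and not taken from puppet-wildfly: probe readiness with a read-only management operation that is safe to repeat, treat a non-JSON reply such as the 503 page as "not ready" instead of passing it to JSON.parse, and send the real operation exactly once. All names are hypothetical, digest authentication is left to the `transport` callable, and using the `server-state` attribute as the readiness signal is an assumption rather than something the thread confirms closes the 503 window.

```ruby
require 'json'

# Added example: every name here is hypothetical, not puppet-wildfly's own API.
Response = Struct.new(:code, :content_type, :body) # stand-in for Net::HTTPResponse
class NotReady < StandardError; end

# Read-only probe: safe to repeat, unlike add/remove/write-attribute operations.
READINESS_PROBE = { 'operation' => 'read-attribute', 'name' => 'server-state',
                    'address' => [] }.freeze
# Assumption: any state other than starting/stopping accepts management operations.
READY_STATES = %w[running reload-required restart-required].freeze
# Sample reply built from the body quoted in the issue's error message.
SAMPLE_503 = Response.new(503, 'text/html',
  '<html><head><title>Error</title></head><body>503 - Service Unavailable</body></html>').freeze

# Return the decoded reply, or raise NotReady rather than hand HTML to JSON.parse.
def parse_management_response(response)
  unless response.content_type.to_s.include?('json')
    raise NotReady, "HTTP #{response.code}: non-JSON body from management API"
  end
  JSON.parse(response.body)
rescue JSON::ParserError
  raise NotReady, "HTTP #{response.code}: unparsable body from management API"
end

# Poll with the idempotent probe only; transport is any callable op -> Response.
def wait_until_ready(transport, retries: 5, wait: 1)
  retries.times do |attempt|
    sleep(wait) if attempt.positive?
    begin
      state = parse_management_response(transport.call(READINESS_PROBE))
      return true if state['outcome'] == 'success' && READY_STATES.include?(state['result'])
    rescue NotReady
      next
    end
  end
  false
end

# Send the real (possibly non-idempotent) operation exactly once, after readiness.
def submit_once(transport, operation, retries: 5, wait: 1)
  unless wait_until_ready(transport, retries: retries, wait: wait)
    raise NotReady, "management API not ready after #{retries} probes"
  end
  parse_management_response(transport.call(operation))
end
```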