|
|
Lua: Architecture and first steps
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
version 2.3
|
|
|
|
|
|
author: Thierry FOURNIER
|
|
|
contact: tfournier at arpalert dot org
|
|
|
|
|
|
|
|
|
|
|
|
HAProxy is a powerful load balancer. It embeds many options and many
|
|
|
configuration styles in order to give a solution to many load balancing
|
|
|
problems. However, HAProxy is not universal and some special or specific
|
|
|
problems do not have solution with the native software.
|
|
|
|
|
|
This text is not a full explanation of the Lua syntax.
|
|
|
|
|
|
This text is not a replacement of the HAProxy Lua API documentation. The API
|
|
|
documentation can be found at the project root, in the documentation directory.
|
|
|
The goal of this text is to discover how Lua is implemented in HAProxy and using
|
|
|
it efficiently.
|
|
|
|
|
|
However, this can be read by Lua beginners. Some examples are detailed.
|
|
|
|
|
|
Why a scripting language in HAProxy
|
|
|
===================================
|
|
|
|
|
|
HAProxy 1.5 makes at possible to do many things using samples, but some people
|
|
|
want to more combining results of samples fetches, programming conditions and
|
|
|
loops which is not possible. Sometimes people implement these functionalities
|
|
|
in patches which have no meaning outside their network. These people must
|
|
|
maintain these patches, or worse we must integrate them in the HAProxy
|
|
|
mainstream.
|
|
|
|
|
|
Their need is to have an embedded programming language in order to no longer
|
|
|
modify the HAProxy source code, but to write their own control code. Lua is
|
|
|
encountered very often in the software industry, and in some open source
|
|
|
projects. It is easy to understand, efficient, light without external
|
|
|
dependencies, and leaves the resource control to the implementation. Its design
|
|
|
is close to the HAProxy philosophy which uses components for what they do
|
|
|
perfectly.
|
|
|
|
|
|
The HAProxy control block allows one to take a decision based on the comparison
|
|
|
between samples and patterns. The samples are extracted using fetch functions
|
|
|
easily extensible, and are used by actions which are also extensible. It seems
|
|
|
natural to allow Lua to give samples, modify them, and to be an action target.
|
|
|
So, Lua uses the same entities as the configuration language. This is the most
|
|
|
natural and reliable way for the Lua integration. So, the Lua engine allows one
|
|
|
to add new sample fetch functions, new converter functions and new actions.
|
|
|
These new entities can access the existing samples fetches and converters
|
|
|
allowing to extend them without rewriting them.
|
|
|
|
|
|
The writing of the first Lua functions shows that implementing complex concepts
|
|
|
like protocol analysers is easy and can be extended to full services. It appears
|
|
|
that these services are not easy to implement with the HAProxy configuration
|
|
|
model which is based on four steps: fetch, convert, compare and action. HAProxy
|
|
|
is extended with a notion of services which are a formalisation of the existing
|
|
|
services like stats, cli and peers. The service is an autonomous entity with a
|
|
|
behaviour pattern close to that of an external client or server. The Lua engine
|
|
|
inherits from this new service and offers new possibilities for writing
|
|
|
services.
|
|
|
|
|
|
This scripting language is useful for testing new features as proof of concept.
|
|
|
Later, if there is general interest, the proof of concept could be integrated
|
|
|
with C language in the HAProxy core.
|
|
|
|
|
|
The HAProxy Lua integration also provides a simple way for distributing Lua
|
|
|
packages. The final user needs only to install the Lua file, load it in HAProxy
|
|
|
and follow the attached documentation.
|
|
|
|
|
|
Design and technical things
|
|
|
===========================
|
|
|
|
|
|
Lua is integrated into the HAProxy event driven core. We want to preserve the
|
|
|
fast processing of HAProxy. To ensure this, we implement some technical concepts
|
|
|
between HAProxy and the Lua library.
|
|
|
|
|
|
The following paragraph also describes the interactions between Lua and HAProxy
|
|
|
from a technical point of view.
|
|
|
|
|
|
Prerequisite
|
|
|
-----------
|
|
|
|
|
|
Reading the following documentation links is required to understand the
|
|
|
current paragraph:
|
|
|
|
|
|
HAProxy doc: http://cbonte.github.io/haproxy-dconv/
|
|
|
Lua API: http://www.lua.org/manual/5.3/
|
|
|
HAProxy API: http://www.arpalert.org/src/haproxy-lua-api/1.9dev/index.html
|
|
|
Lua guide: http://www.lua.org/pil/
|
|
|
|
|
|
more about Lua choice
|
|
|
---------------------
|
|
|
|
|
|
Lua language is very simple to extend. It is easy to add new functions written
|
|
|
in C in the core language. It is not required to embed very intrusive libraries,
|
|
|
and we do not change compilation processes.
|
|
|
|
|
|
The amount of memory consumed can be controlled, and the issues due to lack of
|
|
|
memory are perfectly caught. The maximum amount of memory allowed for the Lua
|
|
|
processes is configurable. If some memory is missing, the current Lua action
|
|
|
fails, and the HAProxy processing flow continues.
|
|
|
|
|
|
Lua provides a way for implementing event driven design. When the Lua code
|
|
|
wants to do a blocking action, the action is started, it executes non blocking
|
|
|
operations, and returns control to the HAProxy scheduler when it needs to wait
|
|
|
for some external event.
|
|
|
|
|
|
The Lua process can be interrupted after a number of instructions executed. The
|
|
|
Lua execution will resume later. This is a useful way for controlling the
|
|
|
execution time. This system also keeps HAProxy responsive. When the Lua
|
|
|
execution is interrupted, HAProxy accepts some connections or transfers pending
|
|
|
data. The Lua execution does not block the main HAProxy processing, except in
|
|
|
some cases which we will see later.
|
|
|
|
|
|
Lua function integration
|
|
|
------------------------
|
|
|
|
|
|
The Lua actions, sample fetches, converters and services are integrated in
|
|
|
HAProxy with "register_*" functions. The register system is a choice for
|
|
|
providing HAProxy Lua packages easily. The register system adds new sample
|
|
|
fetches, converters, actions or services usable in the HAProxy configuration
|
|
|
file.
|
|
|
|
|
|
The register system is defined in the "core" functions collection. This
|
|
|
collection is provided by HAProxy and is always available. Below, the list of
|
|
|
these functions:
|
|
|
|
|
|
- core.register_action()
|
|
|
- core.register_converters()
|
|
|
- core.register_fetches()
|
|
|
- core.register_init()
|
|
|
- core.register_service()
|
|
|
- core.register_task()
|
|
|
|
|
|
These functions are the execution entry points.
|
|
|
|
|
|
HTTP action must be used for manipulating HTTP request headers. This action
|
|
|
can not manipulates HTTP content. It is dangerous to use the channel
|
|
|
manipulation object with an HTTP request in an HTTP action. The channel
|
|
|
manipulation can transform a valid request in an invalid request. In this case,
|
|
|
the action will never resume and the processing will be frozen. HAProxy
|
|
|
discards the request after the reception timeout.
|
|
|
|
|
|
Non blocking design
|
|
|
-------------------
|
|
|
|
|
|
HAProxy is an event driven software, so blocking system calls are absolutely
|
|
|
forbidden. However, the Lua allows to do blocking actions. When an action
|
|
|
blocks, HAProxy is waiting and do nothing, so the basic functionalities like
|
|
|
accepting connections or forwarding data are blocked while the end of the system
|
|
|
call. In this case HAProxy will be less responsive.
|
|
|
|
|
|
This is very insidious because when the developer tries to execute its Lua code
|
|
|
with only one stream, HAProxy seems to run fine. When the code is used with
|
|
|
production stream, HAProxy encounters some slow processing, and it cannot
|
|
|
hold the load.
|
|
|
|
|
|
However, during the initialisation state, you can obviously using blocking
|
|
|
functions. There are typically used for loading files.
|
|
|
|
|
|
The list of prohibited standard Lua functions during the runtime contains all
|
|
|
that do filesystem access:
|
|
|
|
|
|
- os.remove()
|
|
|
- os.rename()
|
|
|
- os.tmpname()
|
|
|
- package.*()
|
|
|
- io.*()
|
|
|
- file.*()
|
|
|
|
|
|
Some other functions are prohibited:
|
|
|
|
|
|
- os.execute(), waits for the end of the required execution blocking HAProxy.
|
|
|
|
|
|
- os.exit(), is not really dangerous for the process, but it's not the good way
|
|
|
for exiting the HAProxy process.
|
|
|
|
|
|
- print(), writes data on stdout. In some cases these writes are blocking, the
|
|
|
best practice is reserving this call for debugging. We must prefer
|
|
|
to use core.log() or TXN.log() for sending messages.
|
|
|
|
|
|
Some HAProxy functions have a blocking behaviour pattern in the Lua code, but
|
|
|
there are compatible with the non blocking design. These functions are:
|
|
|
|
|
|
- All the socket class
|
|
|
- core.sleep()
|
|
|
|
|
|
Responsive design
|
|
|
-----------------
|
|
|
|
|
|
HAProxy must process connections accept, forwarding data and processing timeouts
|
|
|
as soon as possible. The first thing is to believe that a Lua script with a long
|
|
|
execution time should impact the expected responsive behaviour.
|
|
|
|
|
|
It is not the case, the Lua script execution are regularly interrupted, and
|
|
|
HAProxy can process other things. These interruptions are exprimed in number of
|
|
|
Lua instructions. The number of interruptions between two interrupts is
|
|
|
configured with the following "tune" option:
|
|
|
|
|
|
tune.lua.forced-yield <nb>
|
|
|
|
|
|
The default value is 10 000. For determining it, I ran benchmark on my laptop.
|
|
|
I executed a Lua loop between 10 seconds with different values for the
|
|
|
"tune.lua.forced-yield" option, and I noted the results:
|
|
|
|
|
|
configured | Number of
|
|
|
instructions | loops executed
|
|
|
between two | in millions
|
|
|
forced yields |
|
|
|
---------------+---------------
|
|
|
10 | 160
|
|
|
500 | 670
|
|
|
1000 | 680
|
|
|
5000 | 700
|
|
|
7000 | 700
|
|
|
8000 | 700
|
|
|
9000 | 710 <- ceil
|
|
|
10000 | 710
|
|
|
100000 | 710
|
|
|
1000000 | 710
|
|
|
|
|
|
The result showed that from 9000 instructions between two interrupt, we reached
|
|
|
a ceil, so the default parameter is 10 000.
|
|
|
|
|
|
When HAProxy interrupts the Lua processing, we have two states possible:
|
|
|
|
|
|
- Lua is resumable, and it returns control to the HAProxy scheduler,
|
|
|
- Lua is not resumable, and we just check the execution timeout.
|
|
|
|
|
|
The second case occurs if it is required by the HAProxy core. This state is
|
|
|
forced if the Lua is processed in a non resumable HAProxy part, like sample
|
|
|
fetches or converters.
|
|
|
|
|
|
It occurs also if the Lua is non resumable. For example, if some code is
|
|
|
executed through the Lua pcall() function, the execution is not resumable. This
|
|
|
is explained later.
|
|
|
|
|
|
So, the Lua code must be fast and simple when is executed as sample fetches and
|
|
|
converters, it could be slow and complex when is executed as actions and
|
|
|
services.
|
|
|
|
|
|
Execution time
|
|
|
--------------
|
|
|
|
|
|
The Lua execution time is measured and limited. Each group of functions has its
|
|
|
own timeout configured. The time measured is the real Lua execution time, and
|
|
|
not the difference between the end time and the start time. The groups are:
|
|
|
|
|
|
- main code and init are not submitted to the timeout,
|
|
|
- fetches, converters and action have a default timeout of 4s,
|
|
|
- task, by default does not have timeout,
|
|
|
- service have a default timeout of 4s.
|
|
|
|
|
|
The corresponding tune options are:
|
|
|
|
|
|
- tune.lua.session-timeout (fetches, converters and action)
|
|
|
- tune.lua.task-timeout (task)
|
|
|
- tune.lua.service-timeout (services)
|
|
|
|
|
|
The task does not have a timeout because it runs in background along the
|
|
|
HAProxy process life.
|
|
|
|
|
|
For example, if an Lua script is executed during 1.1s and the script executes a
|
|
|
sleep of 1 second, the effective measured running time is 0.1s.
|
|
|
|
|
|
This timeout is useful for preventing infinite loops. During the runtime, it
|
|
|
should be never triggered.
|
|
|
|
|
|
The stack and the coprocess
|
|
|
---------------------------
|
|
|
|
|
|
The Lua execution is organized around a stack. Each Lua action, even out of the
|
|
|
effective execution, affects the stack. HAProxy integration uses one main stack,
|
|
|
which is common for all the process, and a secondary one used as coprocess.
|
|
|
After the initialization, the main stack is no longer used by HAProxy, except
|
|
|
for global storage. The second type of stack is used by all the Lua functions
|
|
|
called from different Lua actions declared in HAProxy. The main stack permits
|
|
|
to store coroutines pointers, and some global variables.
|
|
|
|
|
|
Do you want to see an example of how seems Lua C development around a stack ?
|
|
|
Some examples follows. This first one, is a simple addition:
|
|
|
|
|
|
lua_pushnumber(L, 1)
|
|
|
lua_pushnumber(L, 2)
|
|
|
lua_arith(L, LUA_OPADD)
|
|
|
|
|
|
It's easy, we push 1 on the stack, after, we push 2, and finally, we perform an
|
|
|
addition. The two top entries of the stack are added, popped, and the result is
|
|
|
pushed. It is a classic way with a stack.
|
|
|
|
|
|
Now an example for constructing array and objects. It's a little bit more
|
|
|
complicated. The difficult consist to keep in mind the state of the stack while
|
|
|
we write the code. The goal is to create the entity described below. Note that
|
|
|
the notation "*1" is a metatable reference. The metatable will be explained
|
|
|
later.
|
|
|
|
|
|
name*1 = {
|
|
|
[0] = <userdata>,
|
|
|
}
|
|
|
|
|
|
*1 = {
|
|
|
"__index" = {
|
|
|
"method1" = <function>,
|
|
|
"method2" = <function>
|
|
|
}
|
|
|
"__gc" = <function>
|
|
|
}
|
|
|
|
|
|
Let's go:
|
|
|
|
|
|
lua_newtable() // The "name" table
|
|
|
lua_newtable() // The metatable *1
|
|
|
lua_pushstring("__index")
|
|
|
lua_newtable() // The "__index" table
|
|
|
lua_pushstring("method1")
|
|
|
lua_pushfunction(function)
|
|
|
lua_settable(-3) // -3 is an index in the stack. insert method1
|
|
|
lua_pushstring("method2")
|
|
|
lua_pushfunction(function)
|
|
|
lua_settable(-3) // insert method2
|
|
|
lua_settable(-3) // insert "__index"
|
|
|
lua_pushstring("__gc")
|
|
|
lua_pushfunction(function)
|
|
|
lua_settable() // insert "__gc"
|
|
|
lua_setmetatable(-1) // attach metatable to "name"
|
|
|
lua_pushnumber(0)
|
|
|
lua_pushuserdata(userdata)
|
|
|
lua_settable(-3)
|
|
|
lua_setglobal("name")
|
|
|
|
|
|
So, coding for Lua in C, is not complex, but it needs some mental gymnastic.
|
|
|
|
|
|
The object concept and the HAProxy format
|
|
|
-----------------------------------------
|
|
|
|
|
|
The object seems to be not a native concept. An Lua object is a table. We can
|
|
|
note that the table notation accept three forms:
|
|
|
|
|
|
1. mytable["entry"](mytable, "param")
|
|
|
2. mytable.entry(mytable, "param")
|
|
|
3. mytable:entry("param")
|
|
|
|
|
|
These three notation have the same behaviour pattern: a function is executed
|
|
|
with the table itself as first parameter and string "param" as second parameter
|
|
|
The notation with [] is commonly used for storing data in a hash table, and the
|
|
|
dotted notation is used for objects. The notation with ":" indicates that the
|
|
|
first parameter is the element at the left of the symbol ":".
|
|
|
|
|
|
So, an object is a table and each entry of the table is a variable. A variable
|
|
|
can be a function. These are the first concepts of the object notation in the
|
|
|
Lua, but it is not the end.
|
|
|
|
|
|
With the objects, we usually expect classes and inheritance. This is the role of
|
|
|
the metable. A metable is a table with predefined entries. These entries modify
|
|
|
the default behaviour of the table. The simplest example is the "__index" entry.
|
|
|
If this entry exists, it is called when a value is requested in the table. The
|
|
|
behaviour is the following:
|
|
|
|
|
|
1 - looks in the table if the entry exists, and if it the case, return it
|
|
|
|
|
|
2 - looks if a metatable exists, and if the "__index" entry exists
|
|
|
|
|
|
3 - if "__index" is a function, execute it with the key as parameter, and
|
|
|
returns the result of the function.
|
|
|
|
|
|
4 - if "__index" is a table, looks if the requested entry exists, and if
|
|
|
exists, return it.
|
|
|
|
|
|
5 - if not exists, return to step 2
|
|
|
|
|
|
The behaviour of the point 5 represents the inheritance.
|
|
|
|
|
|
In HAProxy all the provided objects are tables, the entry "[0]" contains private
|
|
|
data, there are often userdata or lightuserdata. The metatable is registered in
|
|
|
the global part of the main Lua stack, and it is called with the case sensitive
|
|
|
class name. A great part of these class must not be used directly because it
|
|
|
requires an initialisation using the HAProxy internal structs.
|
|
|
|
|
|
The HAProxy objects use unified conventions. An Lua object is always a table.
|
|
|
In most cases, an HAProxy Lua object needs some private data. These are always
|
|
|
set in the index [0] of the array. The metatable entry "__tostring" returns the
|
|
|
object name.
|
|
|
|
|
|
The Lua developer can add entries to the HAProxy object. They just work carefully
|
|
|
and prevent to modify the index [0].
|
|
|
|
|
|
Common HAproxy objects are:
|
|
|
|
|
|
- TXN : manipulates the transaction between the client and the server
|
|
|
- Channel : manipulates proxified data between the client and the server
|
|
|
- HTTP : manipulates HTTP between the client and the server
|
|
|
- Map : manipulates HAProxy maps.
|
|
|
- Fetches : access to all HAProxy sample fetches
|
|
|
- Converters : access to all HAProxy sample converters
|
|
|
- AppletTCP : process client request like a TCP server
|
|
|
- AppletHTTP : process client request like an HTTP server
|
|
|
- Socket : establish tcp connection to a server (ipv4/ipv6/socket/ssl/...)
|
|
|
|
|
|
The garbage collector and the memory allocation
|
|
|
-----------------------------------------------
|
|
|
|
|
|
Lua doesn't really have a global memory limit, but HAProxy implements it. This
|
|
|
permits to control the amount of memory dedicated to the Lua processes. It is
|
|
|
specially useful with embedded environments.
|
|
|
|
|
|
When the memory limit is reached, HAProxy refuses to give more memory to the Lua
|
|
|
scripts. The current Lua execution is terminated with an error and HAProxy
|
|
|
continues its processing.
|
|
|
|
|
|
The max amount of memory is configured with the option:
|
|
|
|
|
|
tune.lua.maxmem
|
|
|
|
|
|
As many other script languages, Lua uses a garbage collector for reusing its
|
|
|
memory. The Lua developer can work without memory preoccupation. Usually, the
|
|
|
garbage collector is controlled by the Lua core, but sometimes it will be useful
|
|
|
to run when the user/developer requires. So the garbage collector can be called
|
|
|
from C part or Lua part.
|
|
|
|
|
|
Sometimes, objects using lightuserdata or userdata requires to free some memory
|
|
|
block or close filedescriptor not controlled by the Lua. A dedicated garbage
|
|
|
collection function is provided through the metatable. It is referenced with the
|
|
|
special entry "__gc".
|
|
|
|
|
|
Generally, in HAProxy, the garbage collector does this job without any
|
|
|
intervention. However some objects use a great amount of memory, and we want to
|
|
|
release as quickly as possible. The problem is that only the GC knows if the
|
|
|
object is in use or not. The reason is simple variable containing objects can be
|
|
|
shared between coroutines and the main thread, so an object can be used
|
|
|
everywhere in HAProxy.
|
|
|
|
|
|
The only one example is the HAProxy sockets. These are explained later, just for
|
|
|
understanding the GC issues, a quick overview of the socket follows. The HAProxy
|
|
|
socket uses an internal session and stream, the session uses resources like
|
|
|
memory and file descriptor and in some cases keeps a socket open while it is no
|
|
|
longer used by Lua.
|
|
|
|
|
|
If the HAProxy socket is used, we forcing a garbage collector cycle after the
|
|
|
end of each function using HAProxy socket. The reason is simple: if the socket
|
|
|
is no longer used, we want to close the connection quickly.
|
|
|
|
|
|
A special flag is used in HAProxy indicating that a HAProxy socket is created.
|
|
|
If this flag is set, a full GC cycle is started after each Lua action. This is
|
|
|
not free, we loose about 10% of performances, but it is the only way for closing
|
|
|
sockets quickly.
|
|
|
|
|
|
The yield concept / longjmp issues
|
|
|
----------------------------------
|
|
|
|
|
|
The "yield" is an action which does some Lua processing in pause and give back
|
|
|
the hand to the HAProxy core. This action is do when the Lua needs to wait about
|
|
|
data or other things. The most basically example is the sleep() function. In an
|
|
|
event driven software the code must not process blocking systems call, so the
|
|
|
sleep blocks the software between a lot of time. In HAProxy, an Lua sleep does a
|
|
|
yield, and ask to the scheduler to be woken up in a required sleep time.
|
|
|
Meanwhile, the HAProxy scheduler does other things, like accepting new
|
|
|
connection or forwarding data.
|
|
|
|
|
|
A yield is also executed regularly, after a lot of Lua instructions processed.
|
|
|
This yield permits to control the effective execution time, and also give back
|
|
|
the hand to the HAProxy core. When HAProxy finishes to process the pending jobs,
|
|
|
the Lua execution continues.
|
|
|
|
|
|
This special "yield" uses the Lua "debug" functions. Lua provides a debug method
|
|
|
called "lua_sethook()" which permits to interrupt the execution after some
|
|
|
configured condition and call a function. This condition used in HAProxy is
|
|
|
a number of instructions processed and when a function returns. The function
|
|
|
called controls the effective execution time, and if it is possible to send a
|
|
|
"yield".
|
|
|
|
|
|
The yield system is based on a couple setjmp/longjmp. In brief, the setjmp()
|
|
|
stores a stack state, and the longjmp restores the stack in its state which had
|
|
|
before the last Lua execution.
|
|
|
|
|
|
Lua can immediately stop its execution if an error occurs. This system uses also
|
|
|
the longjmp system. In HAProxy, we try to use this system only for unrecoverable
|
|
|
errors. Maybe some trivial errors target an exception, but we try to remove it.
|
|
|
|
|
|
It seems that Lua uses the longjmp system for having a behaviour like the java
|
|
|
try / catch. We can use the function pcall() to execute some code. The function
|
|
|
pcall() run a setjmp(). So, if any error occurs while the Lua code execution,
|
|
|
the flow immediately returns from the pcall() with an error.
|
|
|
|
|
|
The big issue of this behaviour is that we cannot do a yield. So if some Lua code
|
|
|
executes a library using pcall for catching errors, HAProxy must be wait for the
|
|
|
end of execution without processing any accept or any stream. The cause is the
|
|
|
yield must be jump to the root of execution. The intermediate setjmp() avoids
|
|
|
this behaviour.
|
|
|
|
|
|
|
|
|
HAproxy start Lua execution
|
|
|
+ Lua puts a setjmp()
|
|
|
+ Lua executes code
|
|
|
+ Some code is executed in a pcall()
|
|
|
+ pcall() puts a setjmp()
|
|
|
+ Lua executes code
|
|
|
+ A yield is require for a sleep function
|
|
|
it cannot be jumps to the Lua root execution.
|
|
|
|
|
|
|
|
|
Another issue with the processing of strong errors is the manipulation of the
|
|
|
Lua stack outside of an Lua processing. If one of the functions called occurs a
|
|
|
strong error, the default behaviour is an abort(). It is not acceptable when
|
|
|
HAProxy is in runtime mode. The Lua documentation propose to use another
|
|
|
setjmp/longjmp to avoid the abort(). The goal is to put a setjmp between
|
|
|
manipulating the Lua stack and using an alternative "panic" function which jumps
|
|
|
to the setjmp() in error case.
|
|
|
|
|
|
All of these behaviours are very dangerous for the stability, and the internal
|
|
|
HAProxy code must be modified with many precautions.
|
|
|
|
|
|
For preserving a good behaviour of HAProxy, the yield is mandatory.
|
|
|
Unfortunately, some HAProxy parts are not adapted for resuming an execution
|
|
|
after a yield. These parts are the sample fetches and the sample converters. So,
|
|
|
the Lua code written in these parts of HAProxy must be quickly executed, and can
|
|
|
not do actions which require yield like TCP connection or simple sleep.
|
|
|
|
|
|
HAproxy socket object
|
|
|
---------------------
|
|
|
|
|
|
The HAProxy design is optimized for the data transfers between a client and a
|
|
|
server, and processing the many errors which can occurs during these exchanges.
|
|
|
HAProxy is not designed for having a third connection established to a third
|
|
|
party server.
|
|
|
|
|
|
The solution consist to put the main stream in pause waiting for the end of the
|
|
|
exchanges with the third connection. This is completed by a signal between
|
|
|
internal tasks. The following graph shows the HAProxy Lua socket:
|
|
|
|
|
|
|
|
|
+--------------------+
|
|
|
| Lua processing |
|
|
|
------------------\ | creates socket | ------------------\
|
|
|
incoming request > | and puts the | Outgoing request >
|
|
|
------------------/ | current processing | ------------------/
|
|
|
| in pause waiting |
|
|
|
| for TCP applet |
|
|
|
+-----------------+--+
|
|
|
^ |
|
|
|
| |
|
|
|
| signal | read / write
|
|
|
| | data
|
|
|
| |
|
|
|
+-------------+---------+ v
|
|
|
| HAProxy internal +----------------+
|
|
|
| applet send signals | |
|
|
|
| when data is received | | -------------------\
|
|
|
| or some room is | Attached I/O | Client TCP stream >
|
|
|
| available | Buffers | -------------------/
|
|
|
+--------------------+--+ |
|
|
|
| |
|
|
|
+-------------------+
|
|
|
|
|
|
|
|
|
A more detailed graph is available in the "doc/internals" directory.
|
|
|
|
|
|
The HAProxy Lua socket uses a full HAProxy session / stream for establishing the
|
|
|
connection. This mechanism provides all the facilities and HAProxy features,
|
|
|
like the SSL stack, many socket type, and support for namespaces.
|
|
|
Technically it supports the proxy protocol, but there are no way to enable it.
|
|
|
|
|
|
How compiling HAProxy with Lua
|
|
|
==============================
|
|
|
|
|
|
HAProxy 1.6 requires Lua 5.3. Lua 5.3 offers some features which make easy the
|
|
|
integration. Lua 5.3 is young, and some distros do not distribute it. Luckily,
|
|
|
Lua is a great product because it does not require exotic dependencies, and its
|
|
|
build process is really easy.
|
|
|
|
|
|
The compilation process for linux is easy:
|
|
|
|
|
|
- download the source tarball
|
|
|
wget http://www.lua.org/ftp/lua-5.3.1.tar.gz
|
|
|
|
|
|
- untar it
|
|
|
tar xf lua-5.3.1.tar.gz
|
|
|
|
|
|
- enter the directory
|
|
|
cd lua-5.3.1
|
|
|
|
|
|
- build the library for linux
|
|
|
make linux
|
|
|
|
|
|
- install it:
|
|
|
sudo make INSTALL_TOP=/opt/lua-5.3.1 install
|
|
|
|
|
|
HAProxy builds with your favourite options, plus the following options for
|
|
|
embedding the Lua script language:
|
|
|
|
|
|
- download the source tarball
|
|
|
wget http://www.haproxy.org/download/1.6/src/haproxy-1.6.2.tar.gz
|
|
|
|
|
|
- untar it
|
|
|
tar xf haproxy-1.6.2.tar.gz
|
|
|
|
|
|
- enter the directory
|
|
|
cd haproxy-1.6.2
|
|
|
|
|
|
- build HAProxy:
|
|
|
make TARGET=linux-glibc \
|
|
|
USE_LUA=1 \
|
|
|
LUA_LIB=/opt/lua-5.3.1/lib \
|
|
|
LUA_INC=/opt/lua-5.3.1/include
|
|
|
|
|
|
- install it:
|
|
|
sudo make PREFIX=/opt/haproxy-1.6.2 install
|
|
|
|
|
|
First steps with Lua
|
|
|
====================
|
|
|
|
|
|
Now, it's time to use Lua in HAProxy.
|
|
|
|
|
|
Start point
|
|
|
-----------
|
|
|
|
|
|
The HAProxy global directive "lua-load <file>" allows to load an Lua file. This
|
|
|
is the entry point. This load become during the configuration parsing, and the
|
|
|
Lua file is immediately executed.
|
|
|
|
|
|
All the register_*() functions must be called at this time because they are used
|
|
|
just after the processing of the global section, in the frontend/backend/listen
|
|
|
sections.
|
|
|
|
|
|
The most simple "Hello world !" is the following line a loaded Lua file:
|
|
|
|
|
|
core.Alert("Hello World !");
|
|
|
|
|
|
It displays a log during the HAProxy startup:
|
|
|
|
|
|
[alert] 285/083533 (14465) : Hello World !
|
|
|
|
|
|
Default path and libraries
|
|
|
--------------------------
|
|
|
|
|
|
Lua can embed some libraries. These libraries can be included from different
|
|
|
paths. It seems that Lua doesn't like subdirectories. In the following example,
|
|
|
I try to load a compiled library, so the first line is Lua code, the second line
|
|
|
is an 'strace' extract proving that the library was opened. The next lines are
|
|
|
the associated error.
|
|
|
|
|
|
require("luac/concat")
|
|
|
|
|
|
open("./luac/concat.so", O_RDONLY|O_CLOEXEC) = 4
|
|
|
|
|
|
[ALERT] 293/175822 (22806) : parsing [commonstats.conf:15] : lua runtime
|
|
|
error: error loading module 'luac/concat' from file './luac/concat.so':
|
|
|
./luac/concat.so: undefined symbol: luaopen_luac/concat
|
|
|
|
|
|
Lua tries to load the C symbol 'luaopen_luac/concat'. When Lua tries to open a
|
|
|
library, it tries to execute the function associated to the symbol
|
|
|
"luaopen_<libname>".
|
|
|
|
|
|
The variable "<libname>" is defined using the content of the variable
|
|
|
"package.cpath" and/or "package.path". The default definition of the
|
|
|
"package.cpath" (on my computer is ) variable is:
|
|
|
|
|
|
/usr/local/lib/lua/5.3/?.so;/usr/local/lib/lua/5.3/loadall.so;./?.so
|
|
|
|
|
|
The "<libname>" is the content which replaces the symbol "<?>". In the previous
|
|
|
example, its "luac/concat", and obviously the Lua core try to load the function
|
|
|
associated with the symbol "luaopen_luac/concat".
|
|
|
|
|
|
My conclusion is that Lua doesn't support subdirectories. So, for loading
|
|
|
libraries in subdirectory, it must fill the variable with the name of this
|
|
|
subdirectory. The extension .so must disappear, otherwise Lua try to execute the
|
|
|
function associated with the symbol "luaopen_concat.so". The following syntax is
|
|
|
correct:
|
|
|
|
|
|
package.cpath = package.cpath .. ";./luac/?.so"
|
|
|
require("concat")
|
|
|
|
|
|
First useful example
|
|
|
--------------------
|
|
|
|
|
|
core.register_fetches("my-hash", function(txn, salt)
|
|
|
return txn.sc:sdbm(salt .. txn.sf:req_fhdr("host") .. txn.sf:path() .. txn.sf:src(), 1)
|
|
|
end)
|
|
|
|
|
|
You will see that these 3 lines can generate a lot of explanations :)
|
|
|
|
|
|
Core.register_fetches() is executed during the processing of the global section
|
|
|
by the HAProxy configuration parser. A new sample fetch is declared with name
|
|
|
"my-hash", this name is always prefixed by "lua.". So this new declared
|
|
|
sample fetch will be used calling "lua.my-hash" in the HAProxy configuration
|
|
|
file.
|
|
|
|
|
|
The second parameter is an inline declared anonymous function. Note the closed
|
|
|
parenthesis after the keyword "end" which ends the function. The first parameter
|
|
|
of this anonymous function is "txn". It is an object of class TXN. It provides
|
|
|
access functions. The second parameter is an arbitrary value provided by the
|
|
|
HAProxy configuration file. This parameter is optional, the developer must
|
|
|
check if it is present.
|
|
|
|
|
|
The anonymous function registration is executed when the HAProxy backend or
|
|
|
frontend configuration references the sample fetch "lua.my-hash".
|
|
|
|
|
|
This example can be written with another style, like below:
|
|
|
|
|
|
function my_hash(txn, salt)
|
|
|
return txn.sc:sdbm(salt .. txn.sf:req_fhdr("host") .. txn.sf:path() .. txn.sf:src(), 1)
|
|
|
end
|
|
|
|
|
|
core.register_fetches("my-hash", my_hash)
|
|
|
|
|
|
This second form is clearer, but the first one is compact.
|
|
|
|
|
|
The operator ".." is a string concatenation. If one of the two operands is not a
|
|
|
string, an error occurs and the execution is immediately stopped. This is
|
|
|
important to keep in mind for the following things.
|
|
|
|
|
|
Now I write the example on more than one line. Its an easiest way for commenting
|
|
|
the code:
|
|
|
|
|
|
1. function my_hash(txn, salt)
|
|
|
2. local str = ""
|
|
|
3. str = str .. salt
|
|
|
4. str = str .. txn.sf:req_fhdr("host")
|
|
|
5. str = str .. txn.sf:path()
|
|
|
6. str = str .. txn.sf:src()
|
|
|
7. local result = txn.sc:sdbm(str, 1)
|
|
|
8. return result
|
|
|
9. end
|
|
|
10.
|
|
|
11. core.register_fetches("my-hash", my_hash)
|
|
|
|
|
|
local
|
|
|
~~~~~
|
|
|
|
|
|
The first keyword is "local". This is a really important keyword. You must
|
|
|
understand that the function "my_hash" will be called for each HAProxy request
|
|
|
using the declared sample fetch. So, this function can be executed many times in
|
|
|
parallel.
|
|
|
|
|
|
By default, Lua uses global variables. So in this example, if the variable "str"
|
|
|
is declared without the keyword "local", it will be shared by all the parallel
|
|
|
executions of the function and obviously, the content of the requests will be
|
|
|
shared.
|
|
|
|
|
|
This warning is very important. I tried to write useful Lua code like a rewrite
|
|
|
of the statistics page, and it is very hard thing to declare each variable as
|
|
|
"local".
|
|
|
|
|
|
I guess that this behaviour will be the cause of many troubles on the mailing
|
|
|
list.
|
|
|
|
|
|
str = str ..
|
|
|
~~~~~~~~~~~~
|
|
|
|
|
|
Now a parenthesis about the form "str = str ..". This form allows to do string
|
|
|
concatenations. Remember that Lua uses a garbage collector, so what happens when
|
|
|
we do "str = str .. 'another string'" ?
|
|
|
|
|
|
str = str .. "another string"
|
|
|
^ ^ ^ ^
|
|
|
1 2 3 4
|
|
|
|
|
|
Lua executes first the concatenation operator (3), it allocates memory for the
|
|
|
resulting string and fill this memory with the concatenation of the operands 2
|
|
|
and 4. Next, it frees the variable 1, now the old content of 1 can be garbage
|
|
|
collected. And finally, the new content of 1 is the concatenation.
|
|
|
|
|
|
what the matter ? when we do this operation many times, we consume a lot of
|
|
|
memory, and the string data is duplicated and move many times. So, this practice
|
|
|
is expensive in execution time and memory consumption.
|
|
|
|
|
|
There are easy ways to prevent this behaviour. I guess that a C binding for
|
|
|
concatenation with chunks will be available ASAP (it is already written). I do
|
|
|
some benchmarks. I compare the execution time of 1 000 times, 1 000
|
|
|
concatenation of 10 bytes written in pure Lua and with a C library. The result is
|
|
|
10 times faster in C (1s in Lua, and 0.1s in C).
|
|
|
|
|
|
txn
|
|
|
~~~
|
|
|
|
|
|
txn is an HAProxy object of class TXN. The documentation is available in the
|
|
|
HAProxy Lua API reference. This class allow the access to the native HAProxy
|
|
|
sample fetches and converters. The object txn contains 2 members dedicated to
|
|
|
the sample fetches and 2 members dedicated to the converters.
|
|
|
|
|
|
The sample fetches members are "f" (as sample-Fetch) and "sf" (as String
|
|
|
sample-Fetch). These two members contain exactly the same functions. All the
|
|
|
HAProxy native sample fetches are available, obviously, the Lua registered sample
|
|
|
fetches are not available. Unfortunately, HAProxy sample fetches names are not
|
|
|
compatible with the Lua function names, and they are renamed. The rename
|
|
|
convention is simple, we replace all the '.', '+' and '-' by '_'. The '.' is the
|
|
|
object member separator, and the "-" and "+" is math operator.
|
|
|
|
|
|
Now, that I'm writing this article, I know the Lua better than I wrote the
|
|
|
sample-fetches wrapper. The original HAProxy sample-fetches name should be used
|
|
|
using alternative manner to call an object member, so the sample-fetch
|
|
|
"req.fhdr" (actually renamed req_fhdr") should be used like this:
|
|
|
|
|
|
txn.f["req.fhdr"](txn.f, ...)
|
|
|
|
|
|
However, I think that this form is not elegant.
|
|
|
|
|
|
The "s" collection return a data with a type near to the original returned type.
|
|
|
A string returns an Lua string, an integer returns an Lua integer and an IP
|
|
|
address returns an Lua string. Sometime the data is not or not yet available, in
|
|
|
this case it returns the Lua nil value.
|
|
|
|
|
|
The "sf" collection guarantees that a string will be always returned. If the data
|
|
|
is not available, an empty string is returned. The main usage of these collection
|
|
|
is to concatenate the returned sample-fetches without testing each function.
|
|
|
|
|
|
The parameters of the sample-fetches are according with the HAProxy
|
|
|
documentation.
|
|
|
|
|
|
The converters run exactly with the same manner as the sample fetches. The
|
|
|
only one difference is that the first parameter is the converter entry element.
|
|
|
The "c" collection returns a precise result, and the "sc" collection returns
|
|
|
always a string.
|
|
|
|
|
|
The sample-fetches used in the example function are "txn.sf:req_fhdr()",
|
|
|
"txn.sf:path()" and "txn.sf:src()". The converter is "txn.sc:sdbm()". The same
|
|
|
function with the "s" collection of sample-fetches and the "c" collection of
|
|
|
converter should be written like this:
|
|
|
|
|
|
1. function my_hash(txn, salt)
|
|
|
2. local str = ""
|
|
|
3. str = str .. salt
|
|
|
4. str = str .. tostring(txn.f:req_fhdr("host"))
|
|
|
5. str = str .. tostring(txn.f:path())
|
|
|
6. str = str .. tostring(txn.f:src())
|
|
|
7. local result = tostring(txn.c:sdbm(str, 1))
|
|
|
8. return result
|
|
|
9. end
|
|
|
10.
|
|
|
11. core.register_fetches("my-hash", my_hash)
|
|
|
|
|
|
tostring
|
|
|
~~~~~~~~
|
|
|
|
|
|
The function tostring ensures that its parameter is returned as a string. If the
|
|
|
parameter is a table or a thread or anything that will not have any sense as a
|
|
|
string, a form like the typename followed by a pointer is returned. For example:
|
|
|
|
|
|
t = {}
|
|
|
print(tostring(t))
|
|
|
|
|
|
returns:
|
|
|
|
|
|
table: 0x15facc0
|
|
|
|
|
|
For objects, if the special function __tostring() is registered in the attached
|
|
|
metatable, it will be called with the table itself as first argument. The
|
|
|
HAProxy object returns its own type.
|
|
|
|
|
|
About the converters entry point
|
|
|
--------------------------------
|
|
|
|
|
|
In HAProxy, a converter is a stateless function that takes a data as entry and
|
|
|
returns a transformation of this data as output. In Lua it is exactly the same
|
|
|
behaviour.
|
|
|
|
|
|
So, the registered Lua function doesn't have any special parameters, just a
|
|
|
variable as input which contains the value to convert, and it must return data.
|
|
|
|
|
|
The data required as input by the Lua converter is a string. So HAProxy will
|
|
|
always provide a string as input. If the native sample fetch is not a string it
|
|
|
will be converted in best effort.
|
|
|
|
|
|
The returned value will have anything type, it will be converted as sample of
|
|
|
the near HAProxy type. The conversion rules from Lua variables to HAProxy
|
|
|
samples are:
|
|
|
|
|
|
Lua | HAProxy sample types
|
|
|
-----------+---------------------
|
|
|
"number" | "sint"
|
|
|
"boolean" | "bool"
|
|
|
"string" | "str"
|
|
|
"userdata" | "bool" (false)
|
|
|
"nil" | "bool" (false)
|
|
|
"table" | "bool" (false)
|
|
|
"function" | "bool" (false)
|
|
|
"thread" | "bool" (false)
|
|
|
|
|
|
The function used for registering a converter is:
|
|
|
|
|
|
core.register_converters()
|
|
|
|
|
|
The task entry point
|
|
|
--------------------
|
|
|
|
|
|
The function "core.register_task(fcn)" executes once the function "fcn" when the
|
|
|
scheduler starts. This way is used for executing background task. For example,
|
|
|
you can use this functionality for periodically checking the health of another
|
|
|
service, and giving the result to each proxy needing it.
|
|
|
|
|
|
The task is started once, if you want periodic actions, you can use the
|
|
|
"core.sleep()" or "core.msleep()" for waiting the next runtime.
|
|
|
|
|
|
Storing Lua variable between function in the same session
|
|
|
---------------------------------------------------------
|
|
|
|
|
|
All the functions registered as action or sample fetch can share an Lua context.
|
|
|
This context is a memory zone in the stack. sample fetch and action use the
|
|
|
same stack, so both can access to the context.
|
|
|
|
|
|
The context is accessible via the function get_priv and set_priv provided by an
|
|
|
object of class TXN. The value given to set_priv replaces the current stored
|
|
|
value. This value can be a table, it is useful if a lot of data can be shared.
|
|
|
|
|
|
If the value stored is a table, you can add or remove entries from the table
|
|
|
without storing again the new table. Maybe an example will be clearer:
|
|
|
|
|
|
local t = {}
|
|
|
txn:set_priv(t)
|
|
|
|
|
|
t["entry1"] = "foo"
|
|
|
t["entry2"] = "bar"
|
|
|
|
|
|
-- this will display "foo"
|
|
|
print(txn:get_priv()["entry1"])
|
|
|
|
|
|
HTTP actions
|
|
|
============
|
|
|
|
|
|
... coming soon ...
|
|
|
|
|
|
Lua is fast, but my service require more execution speed
|
|
|
========================================================
|
|
|
|
|
|
We can write C modules for Lua. These modules must run with HAProxy while they
|
|
|
are compliant with the HAProxy Lua version. A simple example is the "concat"
|
|
|
module.
|
|
|
|
|
|
It is very easy to write and compile a C Lua library, however, I don't see
|
|
|
documentation about this process. So the current chapter is a quick howto.
|
|
|
|
|
|
The entry point
|
|
|
---------------
|
|
|
|
|
|
The entry point is called "luaopen_<name>", where <name> is the name of the ".so"
|
|
|
file. An hello world is like this:
|
|
|
|
|
|
#include <stdio.h>
|
|
|
#include <lua.h>
|
|
|
#include <lauxlib.h>
|
|
|
|
|
|
int luaopen_mymod(lua_State *L)
|
|
|
{
|
|
|
printf("Hello world\n");
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
The build
|
|
|
---------
|
|
|
|
|
|
The compilation of the source file requires the Lua "include" directory. The
|
|
|
compilation and the link of the object file requires the -fPIC option. That's
|
|
|
all.
|
|
|
|
|
|
cc -I/opt/lua/include -fPIC -shared -o mymod.so mymod.c
|
|
|
|
|
|
Usage
|
|
|
-----
|
|
|
|
|
|
You can load this module with the following Lua syntax:
|
|
|
|
|
|
require("mymod")
|
|
|
|
|
|
When you start HAProxy, this module just print "Hello world" when it is loaded.
|
|
|
Please, remember that HAProxy doesn't allow blocking method, so if you write a
|
|
|
function doing filesystem access or synchronous network access, all the HAProxy
|
|
|
process will fail.
|
|
|
|