modify troubleshooting guide

salonichf5 · salonichf5 · commit f3b103b867ac · 2024-06-14T07:45:52.000-06:00
diff --git a/site/content/how-to/monitoring/troubleshooting.md b/site/content/how-to/monitoring/troubleshooting.md
@@ -65,54 +65,350 @@ LAST SEEN   TYPE      REASON              OBJECT
 5s          Warning   ResourceDeleted     nginxgateway/ngf-config                          NginxGateway configuration was deleted; using defaults
 ```
 
+##### Get shell access to containers
+
+Getting shell access to containers allows developers and operators to view the environment of a running container, see its logs or diagnose any problems. To get shell access to the NGINX container, use `kubectl exec`:
+
+```shell
+kubectl exec -it [-n namespace] <ngf-pod-name> -c nginx /bin/sh
+```
+
 ##### Logs
 
 Logs from the NGINX Gateway Fabric control plane and data plane can contain information that isn't available to status or events. These can include errors in processing or passing traffic.
 
-To see logs for the control plane container:
+1. To see logs for the control plane container:
 
 ```shell
-kubectl -n nginx-gateway logs <ngf-pod-name> -c nginx-gateway
+kubectl [-n namespace] logs <ngf-pod-name> -c nginx-gateway
 ```
 
 To see logs for the data plane container:
 
 ```shell
-kubectl -n nginx-gateway logs <ngf-pod-name> -c nginx
+kubectl [-n namespace] logs <ngf-pod-name> -c nginx
+```
+
+1. To filter out error logs for control plane and data plane containers:
+
+For _nginx-gateway_ container, you can `grep` for the word `error` or change the log level to `error` by following steps in [Modify logging levels](#modify-logging-levels).
+
+```shell
+kubectl [-n namespace] logs <ngf-pod-name> -c nginx-gateway | grep error
+```
+
+For example, an error message when telemetry is not enabled for NGINX Plus installations:
+
+```text
+kubectl logs -n nginx-gateway nginx-gateway-nginx-gateway-fabric-77f8746996-j6z6v | grep error
+Defaulted container "nginx-gateway" out of: nginx-gateway, nginx
+{"level":"error","ts":"2024-06-13T18:22:16Z","logger":"usageReporter","msg":"Usage reporting must be enabled when using NGINX Plus; redeploy with usage reporting enabled","error":"usage reporting not enabled","stacktrace":"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static.createUsageWarningJob.func1\n\tgithub.com/nginxinc/nginx-gateway-fabric/internal/mode/static/manager.go:616\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\tk8s.io/apimachinery@v0.30.1/pkg/util/wait/backoff.go:259\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\tk8s.io/apimachinery@v0.30.1/pkg/util/wait/backoff.go:226\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\tk8s.io/apimachinery@v0.30.1/pkg/util/wait/backoff.go:227\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\tk8s.io/apimachinery@v0.30.1/pkg/util/wait/backoff.go:204\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\tk8s.io/apimachinery@v0.30.1/pkg/util/wait/backoff.go:259\ngithub.com/nginxinc/nginx-gateway-fabric/internal/framework/runnables.(*CronJob).Start\n\tgithub.com/nginxinc/nginx-gateway-fabric/internal/framework/runnables/cronjob.go:53\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\tsigs.k8s.io/controller-runtime@v0.18.4/pkg/manager/runnable_group.go:226"}
+```
+
+For _nginx_ container:
+
+```shell
+kubectl [-n namespace] logs <ngf-pod-name> -c nginx-gateway | grep emerg
 ```
 
+For example, if a variable is too long, NGINX may display such an error message:
+
+```text
+kubectl logs -n nginx-gateway ngf-nginx-gateway-fabric-bb8598998-jwk2m -c nginx | grep emerg
+2024/06/13 20:04:17 [emerg] 27#27: too long parameter, probably missing terminating """ character in /etc/nginx/conf.d/http.conf:78
+```
+
+1. NGINX access logs are files that record all requests processed by the NGINX server. These logs provide detailed information about each request, which can be useful for troubleshooting, and analyzing web traffic.
+To view the access logs, get shell access to your NGINX container using the [steps](#get-shell-access-to-containers). The access logs are located in the file `/var/log/nginx/access.log` in the NGINX container.
+
 You can see logs for a crashed or killed container by adding the `-p` flag to the above commands.
 
+##### If NGINX Gateway Fabric Pod is not running or ready
+
+To understand why NGINX Gateway Fabric Pod has not started running or is not ready, first step is to check the state of the pod to get a detailed information about the current status and events happening in the pod. To do this, use `kubectl describe`:
+
+```shell
+kubectl describe pod <ngf-pod-name> [-n namespace]
+```
+
+The pod description includes details about the image name, tags, current status, and environment variables. Please verify that these details match your setup and cross-check with the events to ensure everything is functioning as expected. For example, the pod below has two containers that are running and the events reflect the same.
+
+```text
+Containers:
+  nginx-gateway:
+    Container ID:  containerd://06c97a9de938b35049b7c63e251418395aef65dd1ff996119362212708b79cab
+    Image:         nginx-gateway-fabric:sa.choudhary
+    Image ID:      docker.io/library/import-2024-06-13@sha256:1460d63bd8a352a6e455884d7ebf51ce9c92c512cb43b13e44a1c3e3e6a08918
+    Ports:         9113/TCP, 8081/TCP
+    Host Ports:    0/TCP, 0/TCP
+    State:          Running
+      Started:      Thu, 13 Jun 2024 11:47:46 -0600
+    Ready:          True
+    Restart Count:  0
+    Readiness:      http-get http://:health/readyz delay=3s timeout=1s period=1s #success=1 #failure=3
+    Environment:
+      POD_IP:          (v1:status.podIP)
+      POD_NAMESPACE:  nginx-gateway (v1:metadata.namespace)
+      POD_NAME:       ngf-nginx-gateway-fabric-66dd665756-zh7d7 (v1:metadata.name)
+  nginx:
+    Container ID:   containerd://c2f3684fd8922e4fac7d5707ab4eb5f49b1f76a48893852c9a812cd6dbaa2f55
+    Image:          nginx-gateway-fabric/nginx:sa.choudhary
+    Image ID:       docker.io/library/import-2024-06-13@sha256:c9a02cb5665c6218373f8f65fc2c730f018d0ca652ae827cc913a7c6e9db6f45
+    Ports:          80/TCP, 443/TCP
+    Host Ports:     0/TCP, 0/TCP
+    State:          Running
+      Started:      Thu, 13 Jun 2024 11:47:46 -0600
+    Ready:          True
+    Restart Count:  0
+    Environment:    <none>
+Events:
+  Type    Reason     Age   From               Message
+  ----    ------     ----  ----               -------
+  Normal  Scheduled  40s   default-scheduler  Successfully assigned nginx-gateway/ngf-nginx-gateway-fabric-66dd665756-zh7d7 to kind-control-plane
+  Normal  Pulled     40s   kubelet            Container image "nginx-gateway-fabric:sa.choudhary" already present on machine
+  Normal  Created    40s   kubelet            Created container nginx-gateway
+  Normal  Started    39s   kubelet            Started container nginx-gateway
+  Normal  Pulled     39s   kubelet            Container image "nginx-gateway-fabric/nginx:sa.choudhary" already present on machine
+  Normal  Created    39s   kubelet            Created container nginx
+  Normal  Started    39s   kubelet            Started container nginx
+```
+
+
+### Modify logging levels
+
+To debug NGINX Gateway Fabric, enable verbose logging by editing the `NginxGateway` configuration. This can be done either before or after deploying NGINX Gateway Fabric.
+
+#### Modify log levels before deploying
+
+1. If using manifests, edit `deploy/manifests/nginx-gateway.yaml` to update the logging level for `nginx-gateway-config`:
+
+```yaml
+apiVersion: gateway.nginx.org/v1alpha1
+kind: NginxGateway
+metadata:
+  name: nginx-gateway-config
+  namespace: nginx-gateway
+  labels:
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/version: "edge"
+spec:
+  logging:
+    level: debug
+```
+
+1. If using helm, add `--set nginxGateway.config.logging.level=<log-level>` to your helm installation command.
+
+#### Modify log levels after deploying
+
+Once you have deployed NGINX Gateway Fabric, you can modify log levels by editing the config for NGINX Gateway as shown below:
+
+```shell
+kubectl [-n namespace] edit nginxgateways ngf-config
+```
+
+```yaml
+apiVersion: gateway.nginx.org/v1alpha1
+kind: NginxGateway
+metadata:
+  annotations:
+    meta.helm.sh/release-name: ngf
+    meta.helm.sh/release-namespace: nginx-gateway
+  creationTimestamp: "2024-06-12T18:35:05Z"
+  generation: 1
+  labels:
+    app.kubernetes.io/instance: ngf
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: nginx-gateway-fabric
+    app.kubernetes.io/version: edge
+    helm.sh/chart: nginx-gateway-fabric-1.3.0
+  name: ngf-config
+  namespace: nginx-gateway
+  resourceVersion: "62293"
+  uid: fa6d6a12-14e1-4168-95d5-595e7f63b270
+spec:
+  logging:
+    level: debug
+```
+
 ### NGINX fails to reload
 
 #### Description
 
+NGINX reload errors can occur for various reasons, including syntax errors in configuration files, permission issues, and more. To determine if NGINX has failed to reload, check logs for your _nginx-gateway_ and _nginx_ containers.
+You will see the following error in the _nginx-gateway_  logs `failed to reload NGINX:` followed by the reason for the failure. Similarly, you will see error logs in the _nginx_ container as `2024/06/12 14:25:11 [emerg] 12345#0: open() "/var/run/nginx.pid" failed (13: Permission denied)`.
+
+To debug why your reload has failed, start with verifying the syntax of your configuration files by opening a shell in the NGINX container following these [steps](#get-shell-access-to-containers) and running `nginx -T`. If there are errors in your configuration file, the reload will fail and specify why it has failed.
+
+### Understanding the generated config
+
+Understanding the NGINX configuration is key for fixing issues because it shows how NGINX handles requests. This helps tweak settings to make sure NGINX behaves the way you want it to for your application. The configuration file is found at /etc/nginx/nginx.conf within your NGINX Container. To understand the usage of NGINX Directives in the configuration file, consult this list of [NGINX Directives](https://nginx.org/en/docs/dirindex.html).
+
+In this section, we will see how the `nginx.conf` gets updated as we configure different services, deployments and routes with NGINX Gateway Fabric. In the configuration file, you'll often find several server blocks, each assigned to specific ports and server names. NGINX selects the appropriate server for a request and evaluates the URI against the location directives within that block. In cases, where no resources are defined, NGINX Gateway Fabric generates a basic configuration with a default server listening on port 80 for all requests and additional blocks to manage errors with status codes 500 or 502.
+
+This is a default `server` block listening on port 80:
+
+```text
+server {
+    listen 80 default_server;
+
+    default_type text/html;
+    return 404;
+}
+```
+
+Once routes with path matches and rules are defined, the nginx.conf is updated accordingly to determine which location block will manage incoming requests. To demonstrate how `nginx.conf` is changed, lets create some resources:
+
+1. A Gateway with single listener on port 80. The hostname specified is `*.example.com`, so all incoming requests matching that wildcard is accepted by this Gateway.
+2. A simple `coffee` application with hostname `cafe.example.com` and referenced to the Gateway we created.
+3. A HTTPRoute to expose `coffee` application outside the cluster using the listener created in step 1. The path and rule matches create different location blocks in `nginx.conf` to redirect requests as needed.
+
+For example, this `coffee` route matches requests with path `/coffee` and type `prefix`. Lets see how the `nginx.conf` is modified.
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee
+    backendRefs:
+    - name: coffee
+      port: 80
+```
+
+The modified `nginx.conf`:
+
+```shell
+server {
+    listen 80 default_server;
+
+    default_type text/html;
+    return 404;
+}
+
+server {
+    listen 80;
+
+    server_name cafe.example.com;
+
+
+    location /coffee/ {
+        proxy_set_header Host "$gw_api_compliant_host";
+        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+        proxy_set_header Upgrade "$http_upgrade";
+        proxy_set_header Connection "$connection_upgrade";
+        proxy_http_version 1.1;
+        proxy_pass http://default_coffee_80$request_uri;
+    }
+
+    location = /coffee {
+        proxy_set_header Host "$gw_api_compliant_host";
+        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+        proxy_set_header Upgrade "$http_upgrade";
+        proxy_set_header Connection "$connection_upgrade";
+        proxy_http_version 1.1;
+        proxy_pass http://default_coffee_80$request_uri;
+    }
+
+    location / {
+        return 404 "";
+    }
+
+}
+upstream default_coffee_80 {
+    random two least_conn;
+    zone default_coffee_80 512k;
+
+    server 10.244.0.13:8080;
+}
+```
+
+Some key things to note here:
+
+1. A new `server` block is created with the hostname of the HTTPRoute. When a request is sent to this hostname, it will be handled by this `server` block.
+2. Within the `server` block, three new `location` blocks are added for *coffee*, each with distinct prefix and exact paths. Requests directed to the *coffee* application with a path prefix `/coffee/hello` will be managed by the first location block, while those with an exact path `/coffee` will be handled by the second location block. Any other requests not recognized by the server block for this hostname will default to the third location block, returning a 404 Not Found status.
+3. Each `location` block has headers and directives that configure the NGINX proxy to forward requests to the `/coffee` path correctly, preserving important client information and ensuring compatibility with the upstream server.
+4. The `upstream` block in the given NGINX configuration defines a group of backend servers and configures how NGINX should load balance requests among them.
+
+Now let's check the behaviour when curl request is sent to the `coffee` application:
+
+Matches location /coffee/ block
+
+```shell
+curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee/hello
+Handling connection for 8080
+Server address: 10.244.0.13:8080
+Server name: coffee-56b44d4c55-hwpkp
+Date: 13/Jun/2024:22:51:52 +0000
+URI: /coffee/hello
+Request ID: 21fc2baad77337065e7cf2cd57e04383
+```
+
+Matches location = /coffee block
+
+```shell
+curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee
+Handling connection for 8080
+Server address: 10.244.0.13:8080
+Server name: coffee-56b44d4c55-hwpkp
+Date: 13/Jun/2024:22:51:40 +0000
+URI: /coffee
+Request ID: 4d8d719e95063303e290ad74ecd7339f
+```
+
+Matches location / block
+
+```shell
+curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/
+Handling connection for 8080
+<html>
+<head><title>404 Not Found</title></head>
+<body>
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx/1.25.4</center>
+</body>
+```
+
+#### Metrics for Troubleshooting
+
+Metrics can be useful to identify performance bottlenecks and pinpoint areas of high resource consumption within NGINX Gateway Fabric. To setup metrics collection, refer to this [guide]({{< relref "prometheus.md" >}}). The metrics dashboard will help you understand problems with the way NGINX Gateway Fabric is setup or potential issues that could show up with time.
+
+For example, metrics `nginx_reloads_total` and `nginx_reload_errors_total` offer valuable insights into the system's stability and reliability. A high `nginx_reloads_total` value indicates frequent updates or configuration changes, while a high `nginx_reload_errors_total` value suggests issues with the configuration or other problems preventing successful reloads. Monitoring these metrics helps identify and resolve configuration errors, ensuring consistent service reliability.
+
+In such situations, it's advisable to review the logs of both NGINX and NGINX Gateway containers for any potential error messages. Additionally, verify the configured resources to ensure they are in a valid state.
+
+### Common Errors
+
+##### Insufficient Privileges errors
+
 Depending on your environment's configuration, the control plane may not have the proper permissions to reload NGINX. The NGINX configuration will not be applied and you will see the following error in the _nginx-gateway_ logs:
 
 `failed to reload NGINX: failed to send the HUP signal to NGINX main: operation not permitted`
 
-#### Resolution
-
-To resolve this issue you will need to set `allowPrivilegeEscalation` to `true`.
+To **resolve** this issue you will need to set `allowPrivilegeEscalation` to `true`.
 
 - If using Helm, you can set the `nginxGateway.securityContext.allowPrivilegeEscalation` value.
 - If using the manifests directly, you can update this field under the `nginx-gateway` container's `securityContext`.
 
-### Usage Reporting errors
-
-#### Description
+##### Usage Reporting errors
 
 If using NGINX Gateway Fabric with NGINX Plus as the data plane, you will see the following error in the _nginx-gateway_ logs if you have not enabled Usage Reporting:
 
 `usage reporting not enabled`
 
-#### Resolution
-
-To resolve this issue, enable Usage Reporting by following the [Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) guide.
+To **resolve** this issue, enable Usage Reporting by following the [Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) guide.
 
-### 413 Request Entity Too Large
-
-#### Description
+##### 413 Request Entity Too Large
 
 If you receive the following error:
 
@@ -133,7 +429,9 @@ Or view the following error message in the NGINX logs:
 ```
 
 The request body exceeds the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
+To **resolve** this, you can configure the `client_max_body_size` using the `ClientSettingsPolicy` API. Read the [Client Settings Policy]({{< relref "how-to/traffic-management/client-settings.md" >}}) documentation for more information.
+
 
-#### Resolution
+### Further Reading
 
-You can configure the `client_max_body_size` using the `ClientSettingsPolicy` API. Read the [Client Settings Policy]({{< relref "how-to/traffic-management/client-settings.md" >}}) documentation for more information.
+You can checkout the [Kubernetes Troubleshooting Guide](https://kubernetes.io/docs/tasks/debug/debug-application/) for further assistance
