DEV Community: Ashish Barmaiya The latest articles on DEV Community by Ashish Barmaiya (@ashishbarmaiya). https://dev.to/ashishbarmaiya https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3599039%2F8c260876-69bb-46eb-b816-1161303af61c.jpg DEV Community: Ashish Barmaiya https://dev.to/ashishbarmaiya en Surviving Node.js Clusters: Graceful Teardowns, Windows Quirks, and Black-Box Testing Ashish Barmaiya Tue, 07 Apr 2026 01:40:34 +0000 https://dev.to/ashishbarmaiya/surviving-nodejs-clusters-graceful-teardowns-windows-quirks-and-black-box-testing-1aom https://dev.to/ashishbarmaiya/surviving-nodejs-clusters-graceful-teardowns-windows-quirks-and-black-box-testing-1aom <p>When I set out to build <strong>Torus</strong>, a reverse proxy in Node.js, the <code>node:cluster</code> module looked like the perfect solution to my biggest architectural hurdle. Because Node.js is natively single-threaded, this core module is the standard way to achieve multi-core scaling - it lets a single application spawn multiple worker processes that all share the same server port.</p> <p>It solved the problem immediately. But it quietly introduced a serious vulnerability I didn't catch until it was almost too late.</p> <h2> The Trap: Blind Resurrection </h2> <p>After scaffolding the cluster, I wrote the standard <code>if (cluster.isPrimary)</code> block, looped through CPU cores, called <code>cluster.fork()</code>, and attached an <code>exit</code> listener to respawn workers on crash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">cluster</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">exit</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">worker</span><span class="p">,</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">signal</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Worker </span><span class="p">${</span><span class="nx">worker</span><span class="p">.</span><span class="nx">process</span><span class="p">.</span><span class="nx">pid</span><span class="p">}</span><span class="s2"> died. Booting a replacement...`</span><span class="p">);</span> <span class="nx">cluster</span><span class="p">.</span><span class="nf">fork</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>On the surface, this is exactly right. If a worker blows up with an Out-Of-Memory exception or a rogue regex tears down the V8 engine, the Master catches the exit event and spawns a fresh replacement. Capacity heals itself.</p> <p>The problem is that this code is completely blind. It doesn't know <em>why</em> a worker died. It only knows that a process stopped, and its only response is to immediately restart it.</p> <p>This breaks the moment you attempt a routine deployment.</p> <h3> The Kubernetes Tug-of-War </h3> <p>Imagine this code running in a Docker container orchestrated by Kubernetes. You push version 1.1 of your proxy. Kubernetes initiates a rolling update and sends a <code>SIGTERM</code> to your pod: "Finish your active requests and shut down cleanly."</p> <p>Your workers receive the signal, drain their active TCP sockets, and exit with code <code>0</code>.</p> <p>But the millisecond the first worker exits, your Master's <code>.on('exit')</code> listener fires. It doesn't see a coordinated graceful shutdown - it sees a dead process, and it immediately forks a replacement.</p> <p>While Kubernetes is trying to peacefully drain your pod, your Master is frantically spawning new workers to replace the ones shutting down. You're now locked in a fight with your own infrastructure.</p> <p>Eventually Kubernetes runs out of patience, fires a <code>SIGKILL</code>, and brutally terminates the Master along with every zombie worker it just spawned. Any clients that were mid-stream have their TCP connections severed instantly.</p> <p>The "zero-downtime deployment" was a lie.</p> <h2> The Fix: A State-Gated Lifecycle </h2> <p>To fix this, the Master process needs to distinguish between two very different events:</p> <ul> <li><p>An <strong>unexpected crash</strong> (a V8 segfault, an OOM exception) → resurrect immediately</p></li> <li><p>An <strong>intentional shutdown</strong> (a Kubernetes eviction, a <code>SIGTERM</code>) → stand down and let workers die cleanly</p></li> </ul> <p>That requires three things: a <strong>global state lock</strong>, an <strong>IPC broadcast</strong>, and a <strong>lifecycle manager with a hard timeout</strong>.</p> <h3> 1. The Global State Lock </h3> <p>In the Master process, a single boolean flag acts as the guillotine switch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">isShuttingDown</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> </code></pre> </div> <p>The <code>.on('exit')</code> listener is rewritten to check this flag before doing anything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">cluster</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">exit</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">worker</span><span class="p">,</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">signal</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">isShuttingDown</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="s2">`Worker </span><span class="p">${</span><span class="nx">worker</span><span class="p">.</span><span class="nx">process</span><span class="p">.</span><span class="nx">pid</span><span class="p">}</span><span class="s2"> exited cleanly during shutdown.`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">workers</span> <span class="o">||</span> <span class="p">{}).</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">All workers stopped. Master exiting with code 0.</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Worker </span><span class="p">${</span><span class="nx">worker</span><span class="p">.</span><span class="nx">process</span><span class="p">.</span><span class="nx">pid</span><span class="p">}</span><span class="s2"> crashed. Forking a replacement...`</span><span class="p">);</span> <span class="nx">cluster</span><span class="p">.</span><span class="nf">fork</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>If the cluster is shutting down, the Master lets workers die in peace and waits until the pool is empty before exiting cleanly. If the flag is <code>false</code>, a worker crashed unexpectedly and gets resurrected immediately.</p> <h3> 2. The Teardown Broadcast via IPC </h3> <p>When the OS sends <code>SIGTERM</code>, the Master intercepts it, flips the lock, and broadcasts a <code>SHUTDOWN</code> command to every worker over Node's native IPC channel - rather than killing them instantly and dropping active payloads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">initiateClusterTeardown</span> <span class="o">=</span> <span class="p">(</span><span class="nx">signal</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">isShuttingDown</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nx">isShuttingDown</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="nx">signal</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Master received termination signal. Broadcasting shutdown to workers...</span><span class="dl">"</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">id</span> <span class="k">in</span> <span class="nx">cluster</span><span class="p">.</span><span class="nx">workers</span><span class="p">)</span> <span class="p">{</span> <span class="nx">cluster</span><span class="p">.</span><span class="nx">workers</span><span class="p">[</span><span class="nx">id</span><span class="p">]?.</span><span class="nf">send</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHUTDOWN</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGTERM</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">initiateClusterTeardown</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGTERM</span><span class="dl">"</span><span class="p">));</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGINT</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">initiateClusterTeardown</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGINT</span><span class="dl">"</span><span class="p">));</span> </code></pre> </div> <h3> 3. The LifecycleManager and the 10-Second Guillotine </h3> <p>Inside each worker, the <code>SHUTDOWN</code> message is handled by a <code>LifecycleManager</code> singleton - a single object that owns the worker's entire teardown sequence and prevents the race conditions that come from ad-hoc async cleanup code.</p> <p>When it receives the command, it executes a strict sequence:</p> <ol> <li><p><strong>Stop the bleeding</strong> - immediately reject new incoming TCP connections</p></li> <li><p><strong>Destroy idle sockets</strong> - aggressively close idle Keep-Alive connections to free OS file descriptors</p></li> <li><p><strong>Drain active payloads</strong> - wait for in-progress streams to finish naturally</p></li> </ol> <p>Step 3 has a fatal edge case: a slow or malicious client trickling 1 byte per second will keep <code>server.close()</code> waiting indefinitely, hanging the deployment pipeline forever.</p> <p>The LifecycleManager solves this with a hard 10-second timeout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Inside LifecycleManager.executeTeardown()</span> <span class="kd">const</span> <span class="nx">drainPromise</span> <span class="o">=</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="k">this</span><span class="p">.</span><span class="nx">tasks</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">task</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">task</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">err</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">A teardown task failed during shutdown.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}),</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">timeoutPromise</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">_</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">reject</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Shutdown timed out after </span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">SHUTDOWN_TIMEOUT_MS</span><span class="p">}</span><span class="s2">ms`</span><span class="p">));</span> <span class="p">},</span> <span class="k">this</span><span class="p">.</span><span class="nx">SHUTDOWN_TIMEOUT_MS</span><span class="p">).</span><span class="nf">unref</span><span class="p">();</span> <span class="c1">// unref() prevents the timer from keeping the event loop alive</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">race</span><span class="p">([</span><span class="nx">drainPromise</span><span class="p">,</span> <span class="nx">timeoutPromise</span><span class="p">]);</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">All systems cleanly drained. Exiting process gracefully.</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span> <span class="nx">err</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Graceful shutdown aborted. Forcing exit.</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The worker handles the IPC message like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">msg</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span> <span class="o">&amp;&amp;</span> <span class="nx">msg</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">SHUTDOWN</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">Lifecycle</span><span class="p">.</span><span class="nf">executeTeardown</span><span class="p">(</span><span class="dl">"</span><span class="s2">IPC_SHUTDOWN</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>With this in place: if a worker segfaults, it heals in milliseconds. If Kubernetes sends <code>SIGTERM</code>, the proxy drains active connections cleanly, brutally severs any hanging connections after 10 seconds, and exits with code <code>0</code>.</p> <p>The theoretical architecture was solid. Proving it worked was a different problem entirely.</p> <h2> The Testing Nightmare: Why Jest Can't Test This </h2> <p>Standard Jest unit tests are fundamentally incapable of testing a multi-process cluster. Jest runs inside a single Node.js process. Calling <code>cluster.fork()</code> or <code>process.exit()</code> from inside a test will either crash the test runner or leave orphan processes silently eating RAM in the background.</p> <p>To prove Torus could survive a crash and execute a graceful teardown, I abandoned unit testing entirely and built a <strong>black-box integration test</strong>. The test treats the compiled proxy as a hostile external artifact: it boots it, wiretaps its output, attacks it, and evaluates how it responds.</p> <h3> Step 1: Boot the Cluster in Isolation </h3> <p>Using <code>child_process.spawn</code>, the test starts the compiled binary exactly as production would:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">entryPoint</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">"</span><span class="s2">../../dist/index.js</span><span class="dl">"</span><span class="p">);</span> <span class="nx">masterProcess</span> <span class="o">=</span> <span class="nf">spawn</span><span class="p">(</span><span class="dl">"</span><span class="s2">node</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">--env-file=.env</span><span class="dl">"</span><span class="p">,</span> <span class="nx">entryPoint</span><span class="p">],</span> <span class="p">{</span> <span class="na">stdio</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">pipe</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">pipe</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">pipe</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ipc</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>The <code>ipc</code> channel in <code>stdio</code> is important - it's how the test sends commands to the Master later.</p> <h3> Step 2: Wiretap stdout and Assassinate a Worker </h3> <p>Because the proxy runs in an isolated background process, internal variables aren't accessible. Instead, the test intercepts raw stdout. When a worker logs that it's ready, the test extracts its PID and sends it a <code>SIGKILL</code> - bypassing any graceful shutdown handler entirely, simulating a fatal OOM crash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">masterProcess</span><span class="p">.</span><span class="nx">stdout</span><span class="o">!</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">data</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nf">toString</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">targetWorkerPid</span> <span class="o">&amp;&amp;</span> <span class="nx">output</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">listening for Secure HTTPS traffic</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">match</span> <span class="o">=</span> <span class="nx">output</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/Worker</span><span class="se">\s</span><span class="sr">+</span><span class="se">(\d</span><span class="sr">+</span><span class="se">)\s</span><span class="sr">+listening/</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">match</span><span class="p">)</span> <span class="p">{</span> <span class="nx">targetWorkerPid</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">match</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="mi">10</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">kill</span><span class="p">(</span><span class="nx">targetWorkerPid</span><span class="p">,</span> <span class="dl">"</span><span class="s2">SIGKILL</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Instant, uninterceptable death</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">});</span> </code></pre> </div> <p><code>SIGKILL</code> cannot be caught by any signal handler. This is the correct way to simulate catastrophic process death.</p> <h3> Step 3: Verify Resurrection and Trigger Teardown </h3> <p>The test continues monitoring stdout. Once it sees the Master log a resurrection, it locks a boolean and sends a shutdown command via IPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">if </span><span class="p">(</span><span class="nx">targetWorkerPid</span> <span class="o">&amp;&amp;</span> <span class="nx">output</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">crashed. Forking a replacement</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">workerResurrected</span><span class="p">)</span> <span class="p">{</span> <span class="nx">workerResurrected</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">masterProcess</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">TEST_SHUTDOWN</span><span class="dl">"</span> <span class="p">});</span> <span class="p">},</span> <span class="mi">500</span><span class="p">);</span> <span class="c1">// Give the cluster 500ms to stabilize before triggering teardown</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: The Final Verdict </h3> <p>When the last worker exits, the Master closes. The test uses the <code>close</code> event as its final assertion gate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">masterProcess</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">close</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">workerResurrected</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="c1">// Cluster self-healed after crash</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">shutdownInitiated</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="c1">// IPC teardown broadcast worked</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">code</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Master exited cleanly</span> <span class="nf">resolve</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">reject</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>The test was flawless. It spawned the cluster, assassinated the worker, verified the resurrection, and cleanly exited.</p> <p>But notice that <code>TEST_SHUTDOWN</code> command in Step 3? I didn't write it that way originally. Originally, I just told the test to send a standard SIGINT to the Master. But when I ran it, my Windows machine silently choked to death.</p> <h2> The Windows Problem: POSIX Signals Are a Lie </h2> <p>The black-box test spawned the cluster, killed a worker, and watched the Master resurrect it. The final step was to prove the <code>LifecycleManager</code> could execute a zero-downtime graceful shutdown.</p> <p>To simulate a Kubernetes pod eviction or a developer hitting Ctrl+C, the integration test needed to send a termination signal to the Master process.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">masterProcess</span><span class="p">.</span><span class="nf">kill</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGINT</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>I ran the test. It failed instantly.</p> <p>The Master didn't gracefully drain the TCP sockets. It didn't trigger the 10-second timeout. It just died on the spot. The logs went completely silent.</p> <p>On Linux and macOS, sending a termination signal to the Master process works perfectly. <code>SIGINT</code> is a native POSIX signal that politely knocks on the process's door and allows the Node.js event loop to execute its <code>.on('SIGINT')</code> handler.</p> <p>Windows doesn't have native POSIX signals.</p> <p>When a Node.js process programmatically calls <code>.kill()</code> with <code>SIGINT</code> on Windows, the OS can't route it through the event loop. Instead, it bypasses the signal handler entirely and terminates the target process immediately. My Master process wasn't failing to drain its sockets - Windows was killing it before the <code>LifecycleManager</code> could even start.</p> <p>The fix was to bypass the OS signal layer entirely. I added a dedicated IPC backdoor directly in the Master's message handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Testing Backdoor for Windows OS limitations</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">msg</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span> <span class="o">&amp;&amp;</span> <span class="nx">msg</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">TEST_SHUTDOWN</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nf">initiateClusterTeardown</span><span class="p">(</span><span class="dl">"</span><span class="s2">TEST_SHUTDOWN</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>And in the test, <code>.kill("SIGINT")</code> became:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">masterProcess</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">TEST_SHUTDOWN</span><span class="dl">"</span> <span class="p">});</span> <span class="p">},</span> <span class="mi">500</span><span class="p">);</span> </code></pre> </div> <p>This sends a plain JSON payload over the IPC channel - no OS signal routing required. The Master receives it, flips the <code>isShuttingDown</code> flag, broadcasts teardown to the workers, and the LifecycleManager executes the full drain sequence.</p> <h2> The CI/CD Trap: Environment Drift </h2> <p>With the Windows fix in place, the local test suite passed cleanly. I pushed to GitHub and waited for the green checkmark.</p> <p>The pipeline spun for 15 seconds and failed silently.</p> <h3> Diagnosing the Silence </h3> <p>When the black-box test's wiretap never hears the expected log line, it just sits there until Jest's timeout guillotine drops. To find out what was actually happening in the CI runner, I temporarily dumped raw stdout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">masterProcess</span><span class="p">.</span><span class="nx">stdout</span><span class="o">!</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">data</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="c1">// Raw output — for CI diagnostics only</span> <span class="c1">// ...</span> <span class="p">});</span> </code></pre> </div> <p>On the next run, the pipeline printed the truth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ENOENT: no such file or directory, open '/home/runner/work/torus-proxy/certs/key.pem' </code></pre> </div> <h3> Missing Certificates </h3> <p>TLS certificates belong in <code>.gitignore</code>. On my local machine they existed. On GitHub Actions' naked Ubuntu runner, they didn't. Workers hit the TLS configuration block, threw an <code>ENOENT</code>, and died before ever binding to a port.</p> <p>Because the proxy runs as a real detached process, <code>jest.mock('fs')</code> isn't an option - the isolated binary needs real files on disk. The fix was to generate dummy self-signed certificates in the CI pipeline before the test runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate Dummy TLS Certificates</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p certs</span> <span class="s">openssl req -nodes -new -x509 \</span> <span class="s">-keyout certs/key.pem \</span> <span class="s">-out certs/cert.pem \</span> <span class="s">-days 365 \</span> <span class="s">-subj "/CN=localhost"</span> </code></pre> </div> <h3> Missing Environment Variables </h3> <p>The pipeline failed again. This time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: JWT Secret is required to boot JWT Authenticator. </code></pre> </div> <p>The <code>.env</code> file was also gitignored. Rather than writing a fake <code>.env</code> to the runner disk, I injected the dummy secret directly into the <code>spawn</code> environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">envPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nf">cwd</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">.env</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">nodeArgs</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">envPath</span><span class="p">)</span> <span class="p">?</span> <span class="p">[</span><span class="dl">"</span><span class="s2">--env-file=.env</span><span class="dl">"</span><span class="p">,</span> <span class="nx">entryPoint</span><span class="p">]</span> <span class="p">:</span> <span class="p">[</span><span class="nx">entryPoint</span><span class="p">];</span> <span class="nx">masterProcess</span> <span class="o">=</span> <span class="nf">spawn</span><span class="p">(</span><span class="dl">"</span><span class="s2">node</span><span class="dl">"</span><span class="p">,</span> <span class="nx">nodeArgs</span><span class="p">,</span> <span class="p">{</span> <span class="na">stdio</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">pipe</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">pipe</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">pipe</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ipc</span><span class="dl">"</span><span class="p">],</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">,</span> <span class="na">JWT_SECRET</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dummy_test_secret_for_ci_pipeline_only</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>I pushed the final commit. The pipeline generated the certificates, injected the secret, booted the Master, assassinated a worker, watched it resurrect, triggered teardown, drained sockets, and exited with code <code>0</code>.</p> <p>Green checkmark.</p> <h2> Conclusion: Trust Nothing </h2> <p>The standard Node.js cluster tutorials are dangerously incomplete. Blindly resurrecting workers on every <code>exit</code> event creates a system that will fight your deployment pipelines and drop active TCP connections mid-stream.</p> <p>Building something production-grade requires:</p> <ul> <li><p><strong>Deterministic state machines</strong> - not reflexive code that acts without knowing why things happened</p></li> <li><p><strong>Structured teardown sequences</strong> - not ad-hoc async cleanup that races itself</p></li> <li><p><strong>Skepticism about the OS</strong> - signals behave differently across platforms in ways the documentation doesn't always make clear</p></li> <li><p><strong>Black-box integration tests</strong> - not unit tests that mock away the exact failure modes you're trying to protect against</p></li> <li><p><strong>CI environment parity</strong> - assume the runner has nothing your <code>.gitignore</code> excluded</p></li> </ul> <p>The cluster module is powerful. But its standard usage pattern gives you the illusion of resilience, not the real thing.</p> <p>If you'd like to see the full implementation, the source code for Torus Proxy is on <a href="https://github.com/Ashish-Barmaiya/torus-proxy" rel="noopener noreferrer">GitHub</a>.</p> node devops backend testing Why I Ripped stream.pipe() Out of My Node.js API Gateway Ashish Barmaiya Fri, 27 Mar 2026 16:09:13 +0000 https://dev.to/ashishbarmaiya/why-i-ripped-streampipe-out-of-my-nodejs-api-gateway-2ekl https://dev.to/ashishbarmaiya/why-i-ripped-streampipe-out-of-my-nodejs-api-gateway-2ekl <p>When I started building Torus, a multi-core Layer 7 Edge API Gateway from scratch in Node.js, I handled incoming network requests the way I had always seen it done in standard web applications:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">TypeScript</span> <span class="kd">let</span> <span class="nx">body</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">chunk</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">body</span> <span class="o">+=</span> <span class="nx">chunk</span><span class="p">.</span><span class="nf">toString</span><span class="p">();</span> <span class="p">});</span> <span class="nx">req</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">end</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">forwardToBackend</span><span class="p">(</span><span class="nx">body</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>It worked perfectly for lightweight tests. But as I started pushing concurrent loads and larger payloads through the proxy, my server began to choke. CPU usage spiked to 100%, the event loop lagged, and memory consumption grew uncontrollably until the process crashed.</p> <p>I had fallen into a classic architectural trap: I was dragging raw TCP payload bytes directly into the V8 JavaScript engine's memory heap.</p> <p>Because the V8 heap has a strict memory limit, pulling massive payloads into user-space memory forces the Node.js Garbage Collector (GC) to work overtime. The GC halts the single-threaded event loop to clean up the allocated memory, effectively stalling every other active network connection in the proxy.</p> <p>I learned a fundamental rule of proxy engineering the hard way: </p> <blockquote> <p>Proxies shouldn't read data; they should just move it.</p> </blockquote> <p>To build a production-grade gateway, I realized I had to bypass the V8 heap entirely. I needed to keep the data in raw C++ memory blocks and move it to the Operating System level. But as I refactored my routing logic to achieve this, I stumbled into a silent, catastrophic flaw in the standard Node.js stream API that brought my entire test suite to a halt.</p> <h2> The First Evolution: Bypassing V8 with <code>.pipe()</code> </h2> <p>The architectural fix required a fundamental shift in how I viewed the data. I had to stop treating payloads as static variables and start treating them as flowing water.</p> <p>I didn't need to load an entire 50MB file into memory before forwarding it. I only needed to hold a few kilobytes in a temporary buffer, flush it to the destination, and reuse that memory space.</p> <p>In Node.js, this is exactly what the <code>node:stream</code> module and <code>Buffer</code> objects are designed for.</p> <p>A Buffer in Node.js allocates memory outside the V8 JavaScript engine. It utilizes raw C++ memory blocks mapped directly to the OS. By keeping the network chunks as raw Buffers, the payload never enters the JavaScript heap. Because it never enters the heap, the V8 Garbage Collector completely ignores it, leaving the event loop free to handle other connections.</p> <p>To wire this up, I utilized the native <code>.pipe()</code> method to connect the readable client stream to the writable backend stream:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">TypeScript</span> <span class="c1">// Connects the incoming ReadableStream directly to the outgoing WritableStream</span> <span class="nx">clientReq</span><span class="p">.</span><span class="nf">pipe</span><span class="p">(</span><span class="nx">proxyReq</span><span class="p">);</span> </code></pre> </div> <p>This single line of code acts as an OS-level plumbing system. It takes the incoming TCP stream, reads the raw C++ buffers, automatically manages the backpressure (ensuring a fast client doesn't overwhelm a slow backend connection), and pushes the bytes directly out to the routing pool.</p> <p>My CPU usage plummeted. The memory footprint stayed flat, regardless of how large the incoming payloads were. It felt like I had solved the scaling problem entirely.</p> <p>But <code>.pipe()</code> was hiding a massive, silent vulnerability.</p> <h2> The Plot Twist: The Silent Socket Leak </h2> <p>I thought I had engineered the perfect solution. The proxy was fast, the CPU was idle, and the memory footprint stayed completely flat, regardless of payload size.</p> <p>Then I ran my integration test suite.</p> <p>All the assertions passed. I got the green checkmarks. But the terminal just froze. Jest refused to exit, eventually spitting out that infuriating warning: "Jest did not exit one second after the test run has completed."</p> <p>My initial reaction was to treat it like a standard web app bug. I meticulously checked my teardown logic, making sure <code>proxyServer.close()</code> was being called and my Redis clients were fully disconnected. I ran the tests again. It still hung.</p> <p>I had to drop down to the OS level to understand what was actually happening. The Node.js event loop is mathematically programmed to never exit as long as there is an active I/O handle (like a <code>net.Socket</code>) in its queue. Something was keeping a socket alive.</p> <p>The culprit was <code>.pipe().</code></p> <p>When my Jest test fired a dummy request through the proxy and then disconnected, the client-side socket closed gracefully. But I learned a lesson about Node.js streams: <code>.pipe()</code> blindly pushes data; it does not propagate lifecycle events.</p> <p>When the client dropped, <code>.pipe()</code> did not send an error or close event to the destination stream. It left the backend connection completely open. The proxy was sitting there holding a dead connection to the backend, waiting for network bytes that would never arrive.</p> <p>I had built a machine that generated half-open sockets. In a production environment, this would silently exhaust the Operating System's File Descriptors (FDs). Every dropped client connection would permanently lock up an FD until the OS hit its limit and violently crash the Node process with an <code>EMFILE</code> error.</p> <h2> The Fix: stream.pipeline() </h2> <p>The Node.js core maintainers knew <code>.pipe()</code> was dangerously naive for production infrastructure. That is exactly why they introduced <code>stream.pipeline()</code>.</p> <p>Instead of blindly shoving data from one socket to another, <code>.pipeline()</code> acts as a unified state machine that monitors the entire stream chain. It pushes the responsibility of socket teardown back to the Node.js core networking stack where it belongs.</p> <p>If any stream in the pipeline fails, throws an error, or abruptly closes (like a client dropping off with an <code>ECONNRESET</code>), <code>.pipeline()</code> automatically intercepts it. It destroys all other connected streams in that specific chain and bubbles up a single error for you to catch.</p> <p>I removed every instance of <code>.pipe()</code> and the dozens of lines of manual <code>.on('error')</code> spaghetti I had written. Because raw TCP proxying requires bidirectional data flow, I replaced it with two parallel, sequential pipelines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">TypeScript</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nf">pipeline</span><span class="p">(</span><span class="nx">clientSocket</span><span class="p">,</span> <span class="nx">backendSocket</span><span class="p">),</span> <span class="nf">pipeline</span><span class="p">(</span><span class="nx">backendSocket</span><span class="p">,</span> <span class="nx">clientSocket</span><span class="p">)</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// If either side drops, the pipeline throws, and we clean up natively.</span> <span class="nx">clientSocket</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="nx">backendSocket</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>The moment I swapped to this architecture and ran my integration suite, the terminal didn't hang. Jest executed all 18 network tests and exited flawlessly in 2.7 seconds. The event loop was instantly cleared. The silent socket leak was completely eradicated.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fercx9tbcdrgcidzs0u7m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fercx9tbcdrgcidzs0u7m.png" alt="Terminal screenshot showing 18 Jest network tests passing flawlessly in 2.7 seconds."></a></p> <h2> Conclusion: Trust Nothing, Understand Everything </h2> <p>Building a multi-core Edge Gateway from scratch taught me that I cannot blindly trust high-level abstractions.</p> <p><code>stream.pipe()</code> looks elegant in a standard web tutorial, but in the trenches of raw TCP networking, it is a massive liability. If you are building infrastructure that handles thousands of concurrent connections, you must understand the Operating System-level lifecycle of your File Descriptors and your sockets. If you don't, your system will slowly bleed to death under load, and logs won't even tell you why.</p> <p>If you want to see the exact implementation of this bidirectional TCP routing, you can check out the raw source code for <a href="https://github.com/Ashish-Barmaiya/torus-proxy" rel="noopener noreferrer">Torus Proxy on my GitHub</a>.</p> node backend performance systemdesign