Page MenuHomePhabricator

Add a command queue to Drydock to manage lease/resource release
ClosedPublic

Authored by epriestley on Sep 23 2015, 5:35 AM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 17, 8:26 AM
Unknown Object (File)
Tue, Dec 17, 5:45 AM
Unknown Object (File)
Tue, Dec 17, 2:33 AM
Unknown Object (File)
Sun, Dec 15, 4:03 AM
Unknown Object (File)
Thu, Dec 12, 7:15 AM
Unknown Object (File)
Tue, Dec 3, 10:16 AM
Unknown Object (File)
Nov 20 2024, 8:16 PM
Unknown Object (File)
Nov 20 2024, 12:24 PM
Subscribers
None

Details

Summary

Ref T9252. Broadly, Drydock currently races on releasing objects from the "active" state. To reproduce this:

  • Scatter some sleep()s pretty much anywhere in the release code.
  • Release several times from web UI or CLI in quick succession.

Resources or leases will execute some release code twice or otherwise do inconsistent things.

(I didn't chase down a detailed reproduction scenario for this since inspection of the code makes it clear that there are no meaningful locks or mechanisms preventing this.)

Instead, add a Harbormaster-style command queue to resources and leases. When something wants to do a release, it adds a command to the queue and schedules a worker. The workers acquire a lock, then try to consume commands from the queue.

This guarantees that only one process is responsible for writes to active resource/leases.

This is the last major step to giving resources and leases a single writer during all states:

  • Resource, Unsaved: AllocatorWorker
  • Resource, Pending: ResourceWorker (Possible rename to "Allocated?")
  • Resource, Open: This diff, ResourceUpdateWorker. (Likely rename to "Active").
  • Resource, Closed/Broken: Future destruction worker. (Likely rename to "Released" / "Broken"; maybe remove "Broken").
  • Resource, Destroyed: No writes.
  • Lease, Unsaved: Whatever wants the lease.
  • Lease, Pending: AllocatorWorker
  • Lease, Acquired: LeaseWorker
  • Lease, Active: This diff, LeaseUpdateWorker.
  • Lease, Released/Broken: Future destruction worker (Maybe remove "Broken"?)
  • Lease, Expired: No writes. (Likely rename to "Destroyed").

In most phases, we can already guarantee that there is a single writer without doing any extra work. This is more complicated in the "Active" case because the release buttons on the web UI, the release tools on the CLI, the lease requestor itself, the garbage collector, and any other release process cleaning up related objects may try to effect a release. All of these could race one another (and, in many cases, race other processes from other phases because all of these get to act immediately) as this code is currently written. Using a queue here lets us make sure there's only a single writer in this phase.

One thing which is notable is that whatever acquires a lease can not write to it! It is never the writer once it queues the lease for activation. It can not write to any resources, either. And, likewise, Blueprints can not write to resources while acquiring or releasing leases.

We may need to provide a mechinism so that blueprints and/or resource/lease holders get to attach some storage to resources/leases for bookkeeping. For example, a blueprint might need to keep some kind of cache on a resource to help it manage state. But I think we can cross that bridge when we come to it, and nothing else would need to write to this storage so it's technically straightforward to introduce such a mechanism if we need one.

Test Plan
  • Viewed buttons in web UI, checked enabled/disabled states.
  • Clicked the buttons.
  • Saw commands show up in the command queue.
  • Saw some daemon stuff get scheduled.
  • Ran CLI tools, saw commands get consumed and resources/leases release.

Event Timeline

epriestley retitled this revision from to Add a command queue to Drydock to manage lease/resource release.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added reviewers: chad, hach-que.

I think it's fairly likely that we'll never actually have any other commands beyond "release" supported by the queue (I can't really come up with any offhand), but I think having the transparency of when commands were issued (and where they were issued from) justifies it on its own even if we don't.

It's also nice that it works the same way Harbormaster does, at least broadly, so you can understand one system and use that to inform your understanding of the other system, and the UIs are similar.

I could imagine at least three other commands eventually -- some sort of "pause", "update", and "unpause". For example, maybe in the future we check how much disk is available on a host when we allocate a resource for it. This gets cached on the Resource so the allocator can be smart about handing it out. You run out of space, so you pause the resource, detach the disk, attach a new bigger disk, update the resource, then unpause it. This updates the Resource so it has the right amount of disk space and the allocator can work correctly without invalidating existing leases on the resource.

I think there's a fairly low chance we ever build out this particular scenario (it's usually easier to just throw that resource away and bring up a new good one, and operational tools and practices are all moving in this direction), but it or some similar scenario doesn't seem totally implausible to me.

chad edited edge metadata.
This revision is now accepted and ready to land.Sep 23 2015, 6:14 AM
This revision was automatically updated to reflect the committed changes.