Page MenuHomePhabricator
Create Task
Maniphest T184715

pybal's "can-depool" logic only takes downServers into account
Open, Stalled, HighPublic
Actions

Description

When a server is detected as down, PyBal tries to depool it. Before doing so however, PyBal checks whether the operation can be performed. Every service has a configurable depool-threshold limiting the number of servers that can be depooled. The current "can-depool" logic looks like this:

return len(self.servers) - len(downServers) >= len(self.servers) * self.lvsservice.getDepoolThreshold()

If the above condition is true, the server can be depooled. However, the logic currently only takes servers marked as "down" into account, failing to consider servers administratively disabled.

Let's consider the following scenario:

depool-threshold0.5
total-servers4
down-servers0
disabled-servers2

In the given situation, canDepool currently returns true (4 - 0 >= 4 * 0.5), allowing the depool operation to proceed and leaving the service with only one pooled server. In this scenario we want instead to have a minimum of 2 servers always enabled and pooled. To enforce such constraint, the logic needs to be changed as follows:

return len(self.servers) - len(downServers) - len(disabledServers) >= len(self.servers) * self.lvsservice.getDepoolThreshold()

Details

ProjectBranchLines +/-Subject
operations/debs/pybalmaster+56 -0Ensure that depool threshold is being honored on new/updated configs
operations/debs/pybalmaster+38 -2Don't depool pooledDownServers in refreshPreexistingServer
operations/debs/pybalmaster+81 -8Test Server invariants
operations/debs/pybal1.14+113 -4Use up-and-enabled servers in can-depool logic
operations/debs/pybalmaster+113 -4Use up-and-enabled servers in can-depool logic
Customize query in gerrit

Related Objects

Event Timeline

ema created this task.Jan 11 2018, 1:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 11 2018, 1:18 PM
ema triaged this task as High priority.Jan 11 2018, 1:19 PM
ema added a subscriber: fgiunchedi.
ema edited projects, added PyBal; removed Puppet.Jan 11 2018, 2:03 PM
ema moved this task from Backlog to In Progress on the PyBal board.Jan 11 2018, 3:11 PM
gerritbot added a subscriber: gerritbot.Jan 11 2018, 3:20 PM

Change 403677 had a related patch set uploaded (by Ema; owner: Ema):
[operations/debs/pybal@master] Use pooled-and-up servers in can-depool logic

https://gerrit.wikimedia.org/r/403677

gerritbot added a project: Patch-For-Review.Jan 11 2018, 3:20 PM
Joe added a subscriber: Joe.Jan 12 2018, 10:03 AM

I don't think this is entirely correct.

Pybal has 3 states:

  1. enabled/disabled: the logical state in etcd, so pooled=yes or pooled=no; servers with pooled=inactive are removed from pybal completely
  2. up/down: the state according to pybal's monitoring
  3. pooled/not pooled: the status of the server in the ipvs pool

So the problem is that what we want to achieve is "have at least N% of servers in the pool serving traffic", thus we're interested in the pooled/depooled state, not in the up/down state. So when we want to depool a server, either logically or because of monitoring, we should first check that we have enough pooled servers to be able to depool the current machine.

The problem is tricky to tackle, though, in the case we're depooling logically a server in a pool and one server that went down prevents it from being depooled - will pybal later recheck and depool it? I'm not sure.

ema added a comment.Jan 12 2018, 11:18 AM
In T184715#3896284, @Joe wrote:

pooled/not pooled: the status of the server in the ipvs pool

As we've found out today, pooled is actually defined as enabled and up. This should translate to "pooled in ipvs", but there's no guarantee about that.

ema moved this task from Triage to LoadBalancer on the Traffic board.Jan 15 2018, 10:16 AM
gerritbot added a comment.Jan 17 2018, 2:41 PM

Change 403677 merged by Ema:
[operations/debs/pybal@master] Use up-and-enabled servers in can-depool logic

https://gerrit.wikimedia.org/r/403677

gerritbot added a comment.Jan 17 2018, 2:56 PM

Change 404680 had a related patch set uploaded (by Ema; owner: Ema):
[operations/debs/pybal@1.14] Use up-and-enabled servers in can-depool logic

https://gerrit.wikimedia.org/r/404680

gerritbot added a comment.Jan 17 2018, 2:57 PM

Change 404680 merged by Ema:
[operations/debs/pybal@1.14] Use up-and-enabled servers in can-depool logic

https://gerrit.wikimedia.org/r/404680

Stashbot added a subscriber: Stashbot.Jan 17 2018, 4:52 PM

Mentioned in SAL (#wikimedia-operations) [2018-01-17T16:52:43Z] <ema> upgrade secondary LVSs to pybal 1.13.4 T184715, T184721

Stashbot mentioned this in T184721: Alert instrumentation returning 500 errors.Jan 17 2018, 4:52 PM
Stashbot added a comment.Jan 17 2018, 5:06 PM

Mentioned in SAL (#wikimedia-operations) [2018-01-17T17:06:10Z] <ema> upgrade pybal on primary LVSs to 1.14.3 T184715, T184721

ema closed this task as Resolved.Jan 17 2018, 5:20 PM
ema claimed this task.
238482n375 removed ema as the assignee of this task.Jun 15 2018, 8:03 AM
238482n375 lowered the priority of this task from High to Lowest.
238482n375 moved this task from Next Up to In Code Review on the Analytics-Kanban board.
238482n375 added projects: Analytics-Kanban, acl*security, Wikimedia-VE-Campaigns (S2-2018), Scap (Scap3-Adoption-Phase2), AbuseFilter, Data-release, Hashtags, LabsDB-Auditor, Ladies-That-FOSS-MediaWiki, Language-2018-Apr-June, Language-2018-Jan-Mar, HHVM, HAWelcome.
238482n375 edited subscribers, added: 238482n375; removed: Aklapper.
This comment was removed by Vgutierrez.
Aklapper assigned this task to ema.Jun 15 2018, 1:07 PM
Aklapper raised the priority of this task from Lowest to High.Jun 15 2018, 1:07 PM
Aklapper removed projects: HAWelcome, HHVM, Language-2018-Jan-Mar, Language-2018-Apr-June, Ladies-That-FOSS-MediaWiki, LabsDB-Auditor, Hashtags, Data-release, AbuseFilter, Scap (Scap3-Adoption-Phase2), Wikimedia-VE-Campaigns (S2-2018), acl*security, Analytics-Kanban.
Aklapper edited subscribers, added: Aklapper; removed: 238482n375.
Vgutierrez added a subscriber: Vgutierrez.Jun 26 2018, 9:50 AM
Joe reopened this task as Open.Jun 27 2018, 1:57 PM
mark added a subscriber: mark.Jun 27 2018, 1:58 PM
Joe added a comment.Jun 27 2018, 2:00 PM

Reopened as this is still not fixed, see https://wikitech.wikimedia.org/wiki/Incident_documentation/20180626-LoadBalancers

Vgutierrez added a comment.EditedJul 4 2018, 4:43 PM

the incident described in https://wikitech.wikimedia.org/wiki/Incident_documentation/20180626-LoadBalancers is not related to a bug in the canDepool logic itself, but with the fact that canDepool() is not being checked when a new configuration is received through EtcdConfigurationObserver.

these are the steps done when a new configuration is received by EtcdConfigurationObserver:

  1. EtcdConfigurationObserver calls coordinator.onConfigUpdate() and handles the newConfig to the coordinator
  2. The coordinator merges the config for each existing server, adds new servers and removes the ones that are not present on the newly received configuration. For the existing servers, coordinator.refreshModifiedServers refreshes server.pool value, using server.pool = server.enabled and server.up
  3. After any potential new server are initialized, coordinator._serverInitDone is called.
  4. coordinator._serverInitDone calls coordinator.assignServers to send the new config to IPVS

The bug is inside coordinator.assignServers:

coordinator.assignServers
# Hand over enabled servers to LVSService
self.lvsservice.assignServers(
    set([server for server in self.servers.itervalues() if server.pool]))

assignServers is only sending to LVSService.assignServers the servers that are marked as pooled (enabled and up) in the new configuration. So the depooled servers are going to get removed from IPVS in LVSService.assignServers:

LVSService.asignServers
def assignServers(self, newServers):
        cmdList = (
            [self.ipvsManager.commandAddServer(self.service(), server)
             for server in newServers - self.servers] +
            [self.ipvsManager.commandEditServer(self.service(), server)
             for server in newServers & self.servers] +
            [self.ipvsManager.commandRemoveServer(self.service(), server)
             for server in self.servers - newServers]
        )

the culprit is the third cmd, that gets rid of the servers that aren't present on the newServers parameter. That effectively depools all servers marked as enabled = False in etcd without honoring the canDepool logic

gerritbot added a comment.Jul 5 2018, 1:13 PM

Change 443967 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/pybal@master] Ensure that depool threshold is being honored on new/updated configs

https://gerrit.wikimedia.org/r/443967

mark added a comment.Jul 5 2018, 4:40 PM

Nice work! :)

We should however think through the semantics of these boolean variables. I believe your current patchset violates some of the invariants set in server.py:

  1. P0: pool => enabled /\ ready
  2. P1: up => pool \/ !enabled \/ !ready
  3. P2: pool => up \/ !canDepool

Specifically, once the amount of "up" servers does not meet the threshold, pybal will pick any arbitrary servers to pool that are not both enabled and up, violating P0.

The intention of this ticket seems to be to make sure Pybal always keeps enough servers pooled, whether there are enough enabled servers or not. However the intention of that feature was originally to guard against not enough up servers, while disabled servers would never be pooled under any circumstances. (Rumor has it that it did in the past, but I haven't seen evidence of it yet, and if it did, that may have been a bug.) We may of course decide to change that, but this may cause issues in other places if we don't think it through.

mark added a comment.Jul 11 2018, 12:51 PM

We had a long and interesting discussion about this on IRC.

Summary:

  1. Pybal until now only attempts to guard against its own monitoring decisions, but does not attempt to guard against bad external input (i.e. setting servers as disabled in etcd, in file-based config server lists or k8s).
  2. While we could have Pybal enforce external/etcd disabled thresholds as well, that by itself will not influence behavior of other (deployment) tools like scap without additional modifications there.
  3. Pybal currently has no way to reject a server depooling, other than rather passively choosing not to act on it when certain thresholds are exceeded (e.g. verbosely rejecting the latest etcd config) and/or emitting warnings through monitoring. External tools like conftool could however monitor Pybal's behavior using Pybal's API.
  4. This is somewhat complicated by the fact that we have multiple Pybal instances running, and determining the currently active on is not trivial. Alternatively, all known (configured) Pybal instances could be tracked.

Various mid-to-long-term plans for Pybal and environment were also discussed on IRC.

gerritbot added a comment.Jul 18 2018, 10:29 AM

Change 445207 had a related patch set uploaded (by Mark Bergsma; owner: Mark Bergsma):
[operations/debs/pybal@master] Test Server invariants

https://gerrit.wikimedia.org/r/445207

gerritbot added a comment.Jul 25 2018, 9:49 AM

Change 447769 had a related patch set uploaded (by Mark Bergsma; owner: Mark Bergsma):
[operations/debs/pybal@master] Don't depool pooledDownServers in refreshPreexistingServers

https://gerrit.wikimedia.org/r/447769

gerritbot added a comment.Sep 28 2018, 1:01 PM

Change 445207 merged by jenkins-bot:
[operations/debs/pybal@master] Test Server invariants

https://gerrit.wikimedia.org/r/445207

gerritbot added a comment.Jan 11 2019, 3:47 PM

Change 447769 merged by jenkins-bot:
[operations/debs/pybal@master] Don't depool pooledDownServers in refreshPreexistingServer

https://gerrit.wikimedia.org/r/447769

gerritbot added a comment.Jan 11 2019, 3:52 PM

Change 443967 merged by jenkins-bot:
[operations/debs/pybal@master] Ensure that depool threshold is being honored on new/updated configs

https://gerrit.wikimedia.org/r/443967

Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:42 PM
Aklapper removed a project: Patch-For-Review.Oct 15 2020, 1:12 PM

@ema: All related patches in Gerrit have been merged. Can this task be resolved (via Add Action...Change Status in the dropdown menu), or is there more to do in this task? Asking as you are set as task assignee. Thanks in advance!

Vgutierrez changed the task status from Open to Stalled.Oct 16 2020, 10:41 AM

this hasn't been backported to the 1.15 branch so it's never been deployed in production, I'd keep the task open

BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM
BBlack added a subscriber: BBlack.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

Aklapper removed ema as the assignee of this task.Mar 7 2022, 1:12 PM

Resetting inactive assignee

BBlack moved this task from Backlog to Close or Untag? on the Traffic-Icebox board.Apr 7 2022, 9:11 PM
BCornwall mentioned this in T245060: Pybal should reject a confctl configuration that indicates only one cp-text is pooled.Thu, Mar 16, 6:36 PM
Vgutierrez merged a task: T245060: Pybal should reject a confctl configuration that indicates only one cp-text is pooled.Tue, Mar 21, 9:34 AM
Vgutierrez added subscribers: CDanis, BCornwall, akosiaris.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL