Page MenuHomePhabricator
Create Task
Maniphest T349823

[Event Platform] Gracefully handle pod termination in eventgate Helm chart
Closed, ResolvedPublic
Actions

Description

When restarting eventgate-main using helmfile -e ENV_NAME --state-values-set roll_restart=1 sync it seems that many client requests are failing during the process, i.e. I've seen a spike of 5k mw jobs failing with T249745 (Could not enqueue jobs) during the restart procedure.

Watching the pods during that procedure I had the impression that many pods were restarted at once.

Failing some requests during a rolling restart is probably to be expected but more than 5000k does not seem normal?

In discussion below, it was noted that this was solved for MW as part of T331609: Gracefully handle pod termination in mw-on-k8s. We should do the same for the eventgate Helm chart.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
eventgate chart - set default cpu limits to 1operations/deployment-chartsmaster+2 -2
eventgate-main - set prestop_sleep and terminiation timeoutsoperations/deployment-chartsmaster+7 -1
wgEventServices - add docs about timeout settingsoperations/mediawiki-configmaster+5 -0
eventgate chart - graceful restart policy with relative timeout/prestop_sleep valuesoperations/deployment-chartsmaster+38 -1
Customize query in gerrit

Related Objects

Event Timeline

dcausse created this task.Oct 26 2023, 2:23 PM
Restricted Application added a project: Data-Engineering. · View Herald TranscriptOct 26 2023, 2:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
dcausse added a comment.Oct 26 2023, 2:26 PM

image.png (825×1 px, 124 KB)

Joe subscribed.Oct 26 2023, 3:05 PM

The problem can also be that we have one component in front of the service (envoyproxy) that gets terminated immediately, while terminating the application on the backend takes more time, so connections are truncated immediately. We just added a pause before terminating envoy in mediawiki for example to overcome this problem.

But also - why are we not retrying to enqueue jobs if it fails? We should probably add a retry on 5xx to the mesh component calling eventgate-main.

Ottomata added a comment.EditedOct 27 2023, 1:30 PM

This will be a problem not just for jobs, but for all events sent by EventBus.

Is there a way we could force envoyproxy to wait until other containers are shut down?

Also, this seems like it will be a problem for many services, not just EventGate, no? It's just acute in EventGate because it means messages are lost. Ideally k8s wouldn't shut down a pod until it has finished processing any in flight messages (or after some timeout), right? Is there some way to remove ingress while the pod shuts down, so it won't receive any new requests?

Ottomata added subscribers: lbowmaker, gmodena, tchin and 2 others.Oct 27 2023, 1:34 PM
JMeybohm subscribed.Oct 27 2023, 1:47 PM
In T349823#9287341, @Ottomata wrote:

Is there some way to remove ingress while the pod shuts down, so it won't receive any new requests?

This happens by default, see https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination But ofc. there is no way for k8s to know if a process is still serving in flight requests, so that needs to be handled by the processes themselves. See T331609: Gracefully handle pod termination in mw-on-k8s / https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/928791 for what has been implemented for mediawiki on k8s.

Ottomata added a comment.Oct 27 2023, 2:10 PM

Ah, great. Okay so IIUC, we should

  • upgrade relevant vendor templates in eventgate chart,
  • Add support for main_app.prestop_sleep to eventgate chart container as done for MW here
  • Add support for terminationGracePeriodSeconds on eventgate chart container as done for MW here
  • Set terminationGracePeriodSeconds, mesh.prestop_sleep and main_app.prestop_sleep in the chart's default values.yaml file. And possibly override if needed in helmfiles.

@JMeybohm does that sound right?

Ottomata renamed this task from A rolling restart of eventgate-main seems to cause many client failures to [Event Platform] Gracefully handle pod termination in eventgate Helm chart.Oct 27 2023, 2:11 PM
Ottomata updated the task description. (Show Details)
JMeybohm added a comment.Oct 27 2023, 2:17 PM
In T349823#9287469, @Ottomata wrote:

@JMeybohm does that sound right?

Yes. Although this will still not make envoy actively drain connections. As you can see from the task this is not what we went with in the end.

In T349823#9284544, @Joe wrote:

But also - why are we not retrying to enqueue jobs if it fails? We should probably add a retry on 5xx to the mesh component calling eventgate-main.

Regardless of the the above, this is still a valid question I'd say.

Ottomata added a comment.Oct 27 2023, 6:26 PM

Regardless of the the above, this is still a valid question I'd say.

Indeed!

Although this will still not make envoy actively drain connections

Right, but, if we make this longer than the request timeout, I think the behavior should suffice?

Ottomata added a comment.Oct 28 2023, 2:19 PM

Looks like relevant vendor templates are being upgraded in https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/959181

Thank you!

Ottomata mentioned this in T349919: Apply common settings to publish events from Lift Wing staging to EventGate.Oct 30 2023, 1:32 PM
JMeybohm added a comment.Nov 1 2023, 3:28 PM
In T349823#9288286, @Ottomata wrote:

Although this will still not make envoy actively drain connections

Right, but, if we make this longer than the request timeout, I think the behavior should suffice?

Yes

Ottomata mentioned this in T346136: Outlink returns 500 when EventGate returns 503 Service Unavailable.Nov 2 2023, 7:03 PM
Ottomata added a comment.Nov 2 2023, 9:09 PM

But also - why are we not retrying to enqueue jobs if it fails? We should probably add a retry on 5xx to the mesh component calling eventgate-main.

@Joe, past you did this already? :)

Ottomata added a comment.Nov 2 2023, 9:10 PM

envoy proxy request timeout to eventgate-main is currently 61 seconds though, and EventBus MW PHP sets request timeout to 62 seconds in CommonSettings.php.

Ottomata added a comment.EditedNov 2 2023, 9:20 PM

Also q: per_try_timeout: "20s" is set on eventgate-main services_proxy, but I don't see this key being used anywhere in the helm charts. I see it mentioned in several helmfile fixtures, but nowhere in the mesh configuration. Should we remove this?

JMeybohm added a comment.Nov 3 2023, 8:19 AM
In T349823#9303470, @Ottomata wrote:

Also q: per_try_timeout: "20s" is set on eventgate-main services_proxy, but I don't see this key being used anywhere in the helm charts. I see it mentioned in several helmfile fixtures, but nowhere in the mesh configuration. Should we remove this?

No. We loop over the retry_policy hash in https://gerrit.wikimedia.org/r/plugins/gitiles/operations/deployment-charts/+/refs/heads/master/modules/mesh/configuration_1.4.3.tpl#370

Ottomata added a comment.Nov 6 2023, 2:14 PM

Ah, got it. It is an envoy setting.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-retrypolicy-per-try-timeout

TY

gerritbot added a comment.Nov 6 2023, 2:44 PM

Change 971963 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/deployment-charts@master] eventgate chart - graceful restart policy with relative timeout/prestop_sleep values

https://gerrit.wikimedia.org/r/971963

gerritbot added a project: Patch-For-Review.Nov 6 2023, 2:44 PM
Ottomata edited projects, added Data Engineering and Event Platform Team (Sprint 4); removed Data Engineering and Event Platform Team.Nov 6 2023, 3:10 PM
gerritbot added a comment.Nov 6 2023, 4:23 PM

Change 971963 merged by jenkins-bot:

[operations/deployment-charts@master] eventgate chart - graceful restart policy with relative timeout/prestop_sleep values

https://gerrit.wikimedia.org/r/971963

gerritbot added a comment.Nov 6 2023, 4:26 PM

Change 971986 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/mediawiki-config@master] wgEventServices - add docs about timeout settings

https://gerrit.wikimedia.org/r/971986

gerritbot added a comment.Nov 6 2023, 4:28 PM

Change 971986 merged by jenkins-bot:

[operations/mediawiki-config@master] wgEventServices - add docs about timeout settings

https://gerrit.wikimedia.org/r/971986

Maintenance_bot removed a project: Patch-For-Review.Nov 6 2023, 4:30 PM
gerritbot added a comment.Nov 6 2023, 4:33 PM

Change 971989 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/deployment-charts@master] eventgate-main - set prestop_sleep and terminiation timeouts

https://gerrit.wikimedia.org/r/971989

gerritbot added a project: Patch-For-Review.Nov 6 2023, 4:33 PM
gerritbot added a comment.Nov 6 2023, 4:37 PM

Change 971989 merged by jenkins-bot:

[operations/deployment-charts@master] eventgate-main - set prestop_sleep and terminiation timeouts

https://gerrit.wikimedia.org/r/971989

Stashbot mentioned this in T300033: Use cert-manager for service-proxy certificate creation.Nov 6 2023, 4:41 PM

Mentioned in SAL (#wikimedia-operations) [2023-11-06T16:41:11Z] <ottomata> beginning deployments of eventgate clusters: mesh and cert chart updates, as well as sleep timeout values for graceful envoy+eventgate container termination - T349823 T300033 T346638

Stashbot mentioned this in T346638: Rename the envoy's uses_ingress option to sets_sni .Nov 6 2023, 4:41 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 6 2023, 5:10 PM
gerritbot added a comment.Nov 6 2023, 5:37 PM

Change 972000 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/deployment-charts@master] eventgate chart - set default cpu limits to 1

https://gerrit.wikimedia.org/r/972000

gerritbot added a project: Patch-For-Review.Nov 6 2023, 5:37 PM
gerritbot added a comment.Nov 6 2023, 5:40 PM

Change 972000 merged by jenkins-bot:

[operations/deployment-charts@master] eventgate chart - set default cpu limits to 1

https://gerrit.wikimedia.org/r/972000

Maintenance_bot removed a project: Patch-For-Review.Nov 6 2023, 6:10 PM
Ottomata added a comment.Nov 6 2023, 9:49 PM

Okay, I just applied the prestop_sleep settings to all eventgates. eventgate-main sleeps the longest, a little over 1 minute.

I don't think we have enough evidence yet to call this a huge success, but[[ https://logstash.wikimedia.org/goto/97c528b5b468c1e86f5e285ee4937eb1 | I did not see any JobQueue related failures ]] during my deployment.

Ottomata claimed this task.Nov 6 2023, 9:54 PM
Ottomata moved this task from Next Up to Ready to Deploy on the Data Engineering and Event Platform Team (Sprint 4) board.
Ottomata added a comment.Nov 7 2023, 5:15 PM

Did another eventgate-main deployment just now. I don't see any flood of delivery failures.

Ottomata mentioned this in T249745: Could not enqueue jobs: "Unable to deliver all events: 503: Service Unavailable".Nov 7 2023, 5:17 PM
Ottomata moved this task from Ready to Deploy to Done on the Data Engineering and Event Platform Team (Sprint 4) board.
lbowmaker moved this task from Incoming (new tickets) to Event Platform Maintenance (current quarter) on the Data-Engineering board.Nov 10 2023, 1:43 PM
lbowmaker closed this task as Resolved.Nov 10 2023, 1:49 PM
Krinkle mentioned this in T375174: "PHP Warning: API call failed to get remote JsonConfig" due to HTTP 503.Apr 30 2025, 6:15 PM
Krinkle mentioned this in T350717: Math image replaced with "Math extension cannot connect to Restbase." due to "upstream connect error or disconnect/reset before headers".Apr 30 2025, 6:56 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits