[DPE-4307] HA process interrupt tests #114
Conversation
juditnovak
force-pushed
the
DPE-4307/HA_process_interrupt
branch
2 times, most recently
from
f453c0a to
f519b99
Compare
juditnovak
changed the title
juditnovak
force-pushed
the
DPE-4307/HA_process_interrupt
branch
from
7c2e78f to
7cd0176
Compare
| return bool(self.dashboards.services[self.SNAP_APP_SERVICE]["active"]) and bool( | ||
| self.dashboards.services[self.SNAP_EXPORTER_SERVICE]["active"] | ||
| ) | ||
| return bool(self.dashboards.services[self.SNAP_APP_SERVICE]["active"]) |
There was a problem hiding this comment.
We had an ugly bug here. (@phvalguima is my witness :-) )
Reminder: OSD is a service that doesn't even come up (at all!) except in perfect conditions.
Meaning functional connection to Opensearch, etc. No, we do NOT even have a Status Page.
All we get is
The Prometheus Exproter process is very similar. It can't come up as long as there is no functional OSD available. It's failing right after re-start otherwise.
Now this resulted in an ugly, flaky behavior whenever OSD was considered active on a snap level -- yet the service was not running (for example: due to missing Opensearch connection). Meaning that the first part of the condition above was True -- while the 2nd part was True/False ... depending on the moment.
Debugging underlying data structures (representing snap service state):
The conclusion is this: we shouldn't check Prometheus Exporter state here.
One proposal could be to do it in a separate check. (I can propose a solution even in parallel on a separte branch. If we want to address the matter, it would be much nicer in a separate task.).
In my opinion, as long as we are not providing similar safety measures on Openserach (where monitoring is a WAY more crucial), it may be best to keep comlexity low and trus automatic snap restarts to cover Prometheus Exporter failures.
There was a problem hiding this comment.
@juditnovak yes, I think we need to break the concepts: alive() here means the main service is up and running.
juditnovak
force-pushed
the
DPE-4307/HA_process_interrupt
branch
5 times, most recently
from
20f8758 to
b597fb7
Compare
There was a problem hiding this comment.
There is a potential loop here:
The reconcile method may end calling for a restart
And, in the _restart, we end up calling reconcile again before the actual restart.
A charm leader in a deployment with no lock assigned would end up in a continuous loop where the charm calls:
reconcile() > detects unit is down > calls acquire_lock() > which emits a relation_changed > assigns itself the lock > calls the _restart > re-calls the reconcile and restarts the loop
My recommendation is to restart the workload right away on _restart method.
juditnovak
force-pushed
the
DPE-4307/HA_process_interrupt
branch
2 times, most recently
from
6b3e1ca to
83de696
Compare
juditnovak
force-pushed
the
DPE-4307/HA_process_interrupt
branch
from
83de696 to
9dc892b
Compare
juditnovak
force-pushed
the
DPE-4307/HA_process_interrupt
branch
from
cedd2a6 to
1322a51
Compare
|
@phvalguima You are right. Restart attempt on service down is removed from |
| clear_status(self.unit, [MSG_STARTING, MSG_STARTING_SERVER]) | ||
| self.on.update_status.emit() |
There was a problem hiding this comment.
Avoid a loop here, as described on: #114 (review)
There is no point in speeding up an update-status, it will happen anyways. In this case, it is better to leave some time between this _restart call and the next update-status for the system to settle.
There was a problem hiding this comment.
Looking at this code again, may be worthy to structure it instead as follows:
start_time = time.time()
unit_healthy, _ = self.health_manager.unit_healthy()
while not unit_healthy and time.time() - start_time < SERVICE_AVAILABLE_TIMEOUT:
time.sleep(5)
unit_healthy, _ = self.health_manager.unit_healthy()
if unit_healthy:
# We clean the status and finish
clear_status(self.unit, [MSG_STARTING, MSG_STARTING_SERVER])
else:
# this call will potentially retrigger a restart
self.on.update_status.emit()
There was a problem hiding this comment.
FYI, the proposal above reintroduces the risk of continuous restart loop if the unit is failing because of some other problem...
This change unites 2 tasks:
SIGSTOPto thenodeprocess) was not handled by the charm.update-statusupdate-statusas soon as the process (i.e. snap level) was considered up.Service unavailablestatus.