Add container events to pod

[zeari]

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1496179

Container events were previously unhandled. They belong to their parent pod.
needs to be merged with:
ManageIQ/manageiq-providers-kubernetes#181
ManageIQ/manageiq-content#225

@cben @moolitayer @enoodle Please review
cc @simon3z @bazulay

@miq-bot add_label bug, providers/containers, automate

[zeari]

@agrare @Ladas @cben @gmcculloug
I cant quite tell if we need to take care of event reconnection or not: #16497

I successfully tested this locally but im not sure in production we will get the same results:

1. A failure event comes in for a brand new pod with container that has an unresolavable image name.
   • after this change the event should show up as" Pod Container Failed"
2. We didnt collect that pod through refresh
3. the event triggers a refresh so we get the new pod, the correct policy action occurs.

Can we expect the same results with a large openshift env? does the refresh triggered by the event ALWAYS happen before the policy actions?
does refreshing after each pod event even make sense? 😕

[zeari]

Looking into it and i still see occasionaly

evm.log:[----] W, [2017-12-03T17:13:18.139644 #8150:8e7114]  WARN -- : MIQ(EmsEvent#parse_policy_parameters) Unable to find target [container_group], skipping policy evaluation

so maybe the event fires several times. oc get events on the provider side yields a few:

13m        14m         3         goodbye-openshift                   Pod       spec.containers{goodbye-openshift}   Normal    BackOff                    kubelet, ocp-compute01.10.35.48.187.xip.io   Back-off pulling image "openshift/hello-openshiftaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
13m        14m         3         goodbye-openshift                   Pod       spec.containers{goodbye-openshift}   Warning   Failed                     kubelet, ocp-compute01.10.35.48.187.xip.io   Error: ImagePullBackOff

Looks to me like we do need to reconnect targetless events on refresh as per #16497

[Ladas]

@zeari

1. missing image for Container will cause missing STI, then a lot of code can explode Make sure Container has always the right STI type manageiq-providers-kubernetes#177

2,3) So even with refresh + reconnect, the refresh is async so the policy will probably be executed before the refresh happens, so it will not have the container/pod associated.

In bigger env it's expected that any event tied to creating of entity will not have the refreshed entity in time (processing of refresh takes much more time than processing of the policy)

The policy or the state machine invoking the policy should have an async waiting loop (code that will check Pod/Container is in our DB and send Automate :retry if not). Then of course we will need the post refresh event reconnect, so the association is filled.

---

In h-release, we will be creating the Pod/Container with the event(no reconnect should be needed) and it will be targeted refresh based on the event, so it will be much quicker. We will still need the waiting loop though, to make sure the policy has the record and all the record's attributes needed for the processing.

[cben]

❤️ the names with "Pod" at the beginning, this is presently the only way for user to know which events belong in which policies

[zeari]

@Ladas

My plan was to call handle a second time on each ems_event I managed to reconnect after refresh: #16497 (comment)

So the flow would be:

1. event comes in for a pod that not in the db
2. unable to find target message appears
3. next refresh gets the pod
4. after refresh, the event reconnects and handle is called on the events we reconnected

Do you think its a good intermediate solution?

EDIT: this is also a good approach for alerts

[cben]

@Ladas, Do you mean we should delay policy until we have both container spec AND status? Current criteria for both normal policy execution and proposed reconnect is pod existing which only guarantees spec.

[Ladas]

@cben yeah I think we need a waiting step in the event handle (async wait), waiting for entity to be in the DB. This might apply for more events, not just events upon creation, since the refresh can take a long time.

@zeari what you you mean by the :handle, calling the Event handle again after the reconnect?

@agrare I wonder, what is the way we solve this usually? Was the refresh_new_target the way? Was it sync, I know the current refresh_sync is blocking, so that is not an option. The async waiting step sounds like the best option.

[zeari]

@zeari what you you mean by the :handle, calling the Event handle again after the reconnect?

@Ladas yes

[Ladas]

@zeari not sure what would be the correct way to process that, we would have to send the Event again, to invoke the handle. We should not be calling handle directly from the refresh worker.

[zeari]

@zeari not sure what would be the correct way to process that, we would have to send the Event again, to invoke the handle. We should not be calling handle directly from the refresh worker.

@gmcculloug Do you know the downsides to calling handle again on an event after the first time yielded Unable to Find Target? (expecting that this time the event will have a target)

[lfu]

@zeari The only downside that I can think of with raising the event the second time is that refresh would be called again.

[lfu]

LGTM 👍

[cben]

Continuing the event reconnect discussion on #16497. This PR LGTM 👍

[moolitayer]

LGTM 👍

[zeari]

@lfu @gmcculloug
Can we go forward with this PR and ManageIQ/manageiq-content#225 ?

[zeari]

@miq-bot add_label gaprindashvili/yes

[zeari]

@miq-bot add_label fine/yes

[agrare]

@agrare I wonder, what is the way we solve this usually? Was the refresh_new_target the way

For VMs we raise a creation_event during post_refresh which is what people usually attach their policy events to (so @gmcculloug tells me). Can we do this for containers/container_groups as well? Looks like we already have a creation_event on container_images.

[cben]

Yes, there is separate BZ to add such creation events for pods etc. These are nice because they're guaranteed to already have inventory.

But discussion here (moved to #16497) was about processing "real" external events that arrive before inventory.

[Ladas]

@agrare as @cben says, it the world of long refresh and fast events, any event can have the target missing

so it can be:

• pod_1_created_event
• refresh(started+finished)
• pod_1_created_policy
• pod_1_any_other_event_policy -> ( 🎉 yaay, target is in the DB)

or:

• pod_1_created_event
• refresh (started)
• pod_1_any_other_event_policy -> (this goes 💥 , since the target is not in the DB yet)
• refresh (finished)
• pod_1_created_policy

[agrare]

So my biggest issue with just running the event handler again is if a customer adds some action which isn't idempotent in addition to triggering the policy event it could break their workflows.

This is a pretty fundamental change in how event handlers are run and we cannot say for certain that this won't cause regressions for customers.

Today if a customer puts a policy event on a native VmCreatedEvent from VMware it isn' guaranteed that the target is in the DB so this is no different, which is why we have the synthesized events when a VM is created in the DB.

[cben]

@lfu @gmcculloug @agrare so, can we go forward with this PR, ManageIQ/manageiq-content#225, and ManageIQ/manageiq-providers-kubernetes#181?
I think all 3 got positive reviews, it's just we got into a discussion about reconnecting & re-processing events — which these 3 PR do not do.

[lfu]

Sounds good to me.

[Ladas]

@cben I would probably wait with ManageIQ/manageiq-content#225 ? Since that might cause a lot of failures with missing targets? Unless we solve the 'wait for target to be in the DB' somehow.

[agrare]

@zeari @cben can you explain a bit better why you want to switch all of these from being associated with the container to being associated with the pod? It isn't clear to me why this would help.

My plan was to call handle a second time
Do you think its a good intermediate solution?

Right now I'm 👎 on this unless @gmcculloug tells me I'm way off base on this and there's nothing to worry about 😄. This is a big change and we can't just spring this on customers with custom automate methods that might not behave well when run multiple times.

If we were waiting to execute the policy until the item was in the DB maybe, but that won't handle if the container will never be in the DB

[zeari]

@agrare Well there isnt code to associate those events with Container in the first place: https://github.com/manageiq/manageiq/blob/master/app/models/ems_event.rb#L140

While there was some pre-work to have them attached to Container here
in the current state, container events arent handled just as the BZ says.
Having those events target the pod fixes the issue as well as makes sense because:

1. Users are likely to attach policies to pods
2. containers are an inseparable part of their pods(on the openshift side) so the events target the pod anyway.
3. @cben Come up with a Added missing routes. #3?

[zeari]

on customers with custom automate methods that might not behave well when run multiple times.

I dont think these events currently working for any customer as they were never associated correctly with containers 😅

[cben]

These MiqEvents weren't even defined. We're not switching them, we're adding them to pods. If you mean why not add Container Policies and target them there - no deep reasons, we discussed this back and forth, @simon3z and @bazulay decided on pods.

On Dec 17, 2017 12:37 PM, "Ari Zellner" ***@***.***> wrote: > on customers with custom automate methods that might not behave well when run multiple times. I dont think these events currently work for any customer 😅

EDIT: Also, can we please separate discussion of calling .handle twice? That's a separate PR, it's an orthogonal goal to make *all* node/pod/container events robust. Unless I'm missing some way it affects this PR?

[zeari]

EDIT: Also, can we please separate discussion of calling .handle twice? That's a separate PR, it's an orthogonal goal to make all node/pod/container events robust. Unless I'm missing some way it affects this PR?

I think we are over the discussion. Its not a viable solution and i closed the other PR.

[zeari]

@agrare
I removed the containers prefixes in the containers specific events
Changed pod_containercreated to just pod_created

[zeari]

@agrare I think we should at least keep the labels more indicative: Pod Container Created

[miq-bot]

Checked commits zeari/manageiq@81db841~...99bbac4 with ruby 2.3.3, rubocop 0.47.1, haml-lint 0.20.0, and yamllint 1.10.0
0 files checked, 0 offenses detected
Everything looks fine. 🍰

[agrare]

👍 LGTM

[simaishi]

Gaprindashvili backport details:

$ git log -1
commit a9d71962b5e148c43fdb540a7d992ccdd1f032c4
Author: Adam Grare <agrare@redhat.com>
Date:   Thu Dec 21 08:43:48 2017 -0500

    Merge pull request #16583 from zeari/container_events_to_pod
    
    Add container events to pod
    (cherry picked from commit 8e2bfac33e7e335d07e07ca72b7f63769028527d)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1530651

[simaishi]

Fine backport details:

$ git log -1
commit fd945e735def672519fa40f48fc1ef909ae3a462
Author: Adam Grare <agrare@redhat.com>
Date:   Thu Dec 21 08:43:48 2017 -0500

    Merge pull request #16583 from zeari/container_events_to_pod
    
    Add container events to pod
    (cherry picked from commit 8e2bfac33e7e335d07e07ca72b7f63769028527d)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1530653