implement (re)store of proxy's state

[dvoytik]

Introduce the high availability feature of cc-proxy by implementing
store/restore of proxy's state to/from disk. This feature depends
on the ability of shim to reconnect to cc-proxy if connection is lost.

Fixes #4.

Signed-off-by: Dmitry Voytik dmitry.voytik@huawei.com

[sboeuf]

@dvoytik sorry but we are kind of rushing those days because we have some milestones to reach. And unfortunately, what you implemented is not in the scope of our P1 issues right now, that's why the slow reviews.
But don't think we don't appreciate your contribution, and I wanted to let you know that it will take some time to review both clearcontainers/shim#54 and #107 because they introduce core changes to the shim and proxy.
BTW, did you try some real/functional use cases where you have both the shim and the proxy patched with your patches, in order to make sure it works well ? Those tests should be added to the github.com/clearcontainers/tests repo, so that we run them on every PR.

[dvoytik]

Hi @sboeuf,
No problem, I understand this. Please take your time, I don't hurry.
I tested manually both patches. It works well except that hyperstart has it's own internal time-out (around 5-7 seconds) and if proxy doesn't recover quick enough then hyperstart can hang. I didn't invest much time in debugging hyperstart because it is being replaced with agent. My plan is to wait until agent is stabilised and check if the same problem happens.
I plan to submit a functional test case to tests repo later, but without merging these patches I'm not sure if it makes sense to do it before.

[coveralls]

Coverage decreased (-0.3%) to 73.933% when pulling 7a2f972 on dvoytik:store_restore_state into d7a4dd8 on clearcontainers:master.

[jodh-intel]

Shouldn't this be tokens []Token? Also, what if vm == nil?

[dvoytik]

Unfortunately proxy.allocateTokens() returns []string. I'd like to avoid writing a conversion loop from []string to []Token in registerVM() and revert conversion loop in storeVMState().

[jodh-intel]

Gotcha.

[jodh-intel]

Again, tokens []Token?

[jodh-intel]

What if proxy and vm are nil?

[dvoytik]

I'll add checks.

[jodh-intel]

Missing checks on params. Also, this is a very long function - I think it must be close the the cyclomatic complexity limit so I'd consider refactoring it into smaller chunks.

[dvoytik]

Ok, will do.

[jodh-intel]

Can you move this to the top of the file? Its value should also be passed in from Makefile so that at the top it's something like:

// XXX: set by build
var storeStateDir string

[dvoytik]

Got it. Will do. Should it be set up to "/var/lib/clear-containers/proxy/" in Makefile?

[jodh-intel]

Well, it should probably be set to $PKGLIBDIR/proxy/ (feel free to steal that chunk of code from the runtime's Makefile ;)

[jodh-intel]

Something to consider: what happens when we change the proxy state file format? The 3 main approaches are:

• Don't handle it and just error if the on-disk state doesn't match what the proxy expects.
• Add a version field to vmStateOnDisk to allow the proxy to determine how to deal with a different format state file.
• Make the code "sniff" the state file data and see which fields it contains and their types to determine how to handle such state file differences (the "autoconf approach" ;)

Clearly, here, there is only 1 possible on-disk format, but I think it would be worth thinking about this and documenting the strategy for how we plan to handle any changes to vmStateOnDisk.

[dvoytik]

IMHO adding a version field to the format would be easiest way to handle this kind of issues.

[jodh-intel]

Typo that could be fixed now I've spotted it ;-) "rigth" => "right".

[dvoytik]

Thanks, will do.

[jodh-intel]

This take a new lock. I don't know if there is an issue here in that the state could change between the call to Unlock() and the call to storeState()?

[dvoytik]

Here proxy.vms hash-map is protected. I regularly run code with -race parameter to see if data races appear.

[jodh-intel]

Not a major problem, but in the runtime for new code we've started creating a assert variable to avoid having to hass the testing.T each time:

assert := assert.New(t)
  :
  :
assert.Equal(rig.proxy.restoreState(), false)

[dvoytik]

Got it. Thanks. Will do.

[jodh-intel]

Can you add some new tests where the restore fails due to an invalid state file (zero size, invalid contents (non-json, pure text (hello world or something ;-)))

[dvoytik]

Sure, will do.

[jodh-intel]

Hi @dvoytik - thanks for raising this! It looks good. I've done a first-pass review and given some suggestions. There are 2 other areas to mention:

• Tests

  Thanks for adding a new test. However, this is a relatively big change and although you've added a new test, the coverage level has dropped. Ideally, it would be going up ;-)

• Locking code

  I think the locking calls will need a more thorough review.

[dvoytik]

@jodh-intel, thank you for the review!
It seems like today I won't have enough time to address all comments thoroughly, and during next two weeks I'm on a vacation without access to a proper internet connection. If you don't mind, I'm going to respond to the comments and rework the PR after September, 18th.

[jodh-intel]

Hi @dvoytik - no problem! And enjoy your holiday! 😎

[dvoytik]

@jodh-intel, thanks! 😃

[jodh-intel]

Hi @dvoytik - hope you had a good holiday. Are you still planning to update this branch? Let me know if there is anything I can do to help.

[dvoytik]

@jodh-intel, thanks! Sorry, for delaying on the PR. I'll rework it and address the comments today after my main job. Unfortunately for the time being I can finish this only in my spare time :(

[jodh-intel]

Hi @dvoytik - understood. I'm happy to help with this if you are tied up with other things.

[dvoytik]

HI @jodh-intel, thank you! I feel responsibility to finish this anyway, so I'm going to work on the PR today evening. Sorry again for delaying this.

[dvoytik]

Hi @jodh-intel, I've update the PR. Could you please take a look at it again?

[jodh-intel]

Well, it should probably be set to $PKGLIBDIR/proxy/ (feel free to steal that chunk of code from the runtime's Makefile ;)

[jodh-intel]

Ah - sorry, yes I see now.

[jodh-intel]

This is a pretty significant feature which I think justifies moving all the state handling code into a state.go.

[dvoytik]

Ok, I'll do it.

[jodh-intel]

Gotcha.

[jodh-intel]

Do you need to assert that token != "" here? AllocateTokenAs() will handle it I see, but it's not an expected scenario I think?

[dvoytik]

Good catch! Thanks!

[jodh-intel]

• Can you add a check for containerID == "".
• Can you add the containerID to the log message to aid debugging?

[dvoytik]

Will do, thanks.

[jodh-intel]

We can't deal with the scenario where proxyState.Version > Version as that implies the state is from a newer version of the proxy than is running (forced downgrade), but I think we do need to handle the scenario where proxyState.Version <= Version as the running proxy should be able to handle the state of all previous versions.

I'm still not 100% convinced that a version field is the right approach: even if we have one, the code will still need to sanity-check all the state values read off disk to ensure:

• they are of the correct type.
• they have a "reasonable" value.

However, it doesn't hurt to include a version.

[jodh-intel]

It would be great if you could convert all the new log messages on this PR to use the structured logging approach. For example, this one could become:

proxyLog.WithFields(logrus.Fields{
  "container": regVM.ContainerID,
  "control-channel": regVM.CtlSerial,
  "io-channel": regVM.IoSerial,
  "console": regVM.Console,
}).Info("restoring state")

[dvoytik]

Ok, will do.

[jodh-intel]

This is the storing the protocol version. We need a separate version to describe the state file version as that might need to change more frequently.

[dvoytik]

Ok. I'll rework this part.

[jodh-intel]

Can you add tests for all the functions added? (This might necessitate splitting them into smaller functions to make them more easily testable).

[dvoytik]

Ok, I'll try :)

[jodh-intel]

Hi @dvoytik - thank you again raising this PR. It's a very significant new feature and because of its sensitivity, I'm afraid my pedantic knob is up to 11 😄

A couple of general points not already mentioned in the review:

• Can you space the code out a little so that there are blank lines between logical blocks / if tests, etc. That will make it a lot easier to read.

• I like the simplicity of the current approach but I do feel it would be better to have all functions return a bool or an error and allow the higher-levels to determine whether the error should be fatal or not. That also makes writing tests much easier as there is something concrete to check.

• I think we should document how the proxy handles full and partial failure to restore state. It may be that we want to add a --error-on-failure-to-restore-type option for example for some users. The default should probably be to log as much as possible and continue to startup, but that might not be desirable in some environments.

As I've said before, I'm more than happy to help out with any of this. This is a big feature so if we can find a way to logically sub-divide the work, just ping me so we can work together on this.

[dvoytik]

Hi @jodh-intel, thank you again for reviewing the PR! No problems with a pedantic attitude at all! Actually I value this a lot, especially when it's reasonable.

All your points are valid, I agree. I'll rework the PR with your comments in mind.

If you don't mind I'll try to finish this PR. It's just going to take a little longer because for the time being I can only work on this at evenings.

IMHO, --error-on-failure-to-restore make sense to implement as a separate PR.

[jodh-intel]

Thanks @dvoytik! ;)

[dvoytik]

The PR has been updated.

[jodh-intel]

Thanks @dvoytik - reviewing and testing with clearcontainers/shim#54 ...

[jodh-intel]

Cute! 😄

[jodh-intel]

I'm not wholly clear on this. Should the token be removed if findSessionByToken() fails below?

[dvoytik]

Practically if vm.findSessionByToken(token) fails here then the vm object, which owns tokens, is being released later by delVMAndState, thus tokens are being also released.
But maybe I should release them here with such code:

			vm.Lock()
			for token := range vm.tokenToSession {
				_ = vm.freeTokenUnlocked(token)
				delete(vm.tokenToSession, token)
			}
			vm.Unlock()

Slightly more complicated code but more future-proof?

[jodh-intel]

Yes, I think that looks good. What do you think @sboeuf?

[sboeuf]

Yes fine with me.

[jodh-intel]

This is looking very nice.

@sboeuf, @amshinde - could you take a look please?

[sboeuf]

@jodh-intel sure I'll take a look

[jodh-intel]

I think for clarity this should be called something like restoreAllState() because it is not doing the opposite job to storeState():

• storeState(): only stores proxy state.
• restoreState(): restores both proxy state and state of all VMs.

(alternatively, you could split the VM restore code in restoreState() into a separate function I guess).

[dvoytik]

OK, I'll rename it.

[jodh-intel]

Missing blank line above the if (here and in various other places).

[dvoytik]

Oops :) I'll fix these, thanks!

[jodh-intel]

I'd put the err on this line as it looks a bit odd down there on its own (same comment for a few other occurrences).

[dvoytik]

Thanks, I'll fix these.

[jodh-intel]

Yes, I think that looks good. What do you think @sboeuf?

[sboeuf]

Sorry I could not review that, but I'll do that tomorrow first thing! And I know I am gonna spend some time since that's a pretty huge PR

[sboeuf]

@dvoytik thanks for this huge PR. I have several comments, but I have also one concern (unless I am missing something). From my understanding, you basically STORE during RegisterVM() and RESTORE during UnregisterVM(). The issue is that you're not covering all cases here. You will miss all the tokens/sessionID created during a pod lifecycle. For instance, after the VM has been started and that we have stored all the info, if we create new containers/processes, new tokens/sessionIDs are gonna be generated by the proxy. Am I missing something or this is something expected ? Cause that means that we are not covering a lot of crashing cases otherwise.
@sameo could you please also take a look since this is a significant PR/feature.

[sboeuf]

$(LOCALSTATEDIR)/run/clear-containers/proxy/ would be more appropriate since we're gonna store some data generated at runtime.

[dvoytik]

Yep, I agree. I'll change this. Thanks.

[sboeuf]

I guess you could fix the other variables as they don't need to be upper case since they don't need to be exported.

[dvoytik]

I'd like not to mix other refactoring in one patch if you don't mind. But if you insist, I could write a separate patch and make it as a part of this PR though.

[sboeuf]

I think we should make the difference between the three cases: clean start / restoration succeeded / restoration failed. IMO, that's the caller responsibility to decide what to do with the different output combinations.

func (proxy *proxy) restoreAllState() (bool, error) {

Or we could have one function to detect if we are in a clean start case by checking if we have something in .../run/clear-containers/proxy/..., and another function for the actual restoration.

[sboeuf]

BTW, you should not define methods belonging to the proxy object outside of proxy.go.

[dvoytik]

I'll rework this function.

[sboeuf]

Not clear enough. See my comment about restoreAllState() function.

[dvoytik]

OK, thanks. I'll rework this.

[sboeuf]

Using path/filepath package is usually clearer/cleaner when creating/modifying a path.

filepath.Join(storeStateDir, "vm_" + id + ".json")

[dvoytik]

Thank you for the hint! I'll rework this function as you suggested.

[sboeuf]

This is very generic, it should go into log.go or utils.go, but I don't think it should stay here.

[dvoytik]

I'm OK to move it to a distinct file, but maybe it'd be better to do this as a separate refactoring PR? If you insist I can rework this as a part of my PR.

[sboeuf]

You should not define methods belonging to the proxy object outside of proxy.go.

[dvoytik]

I'll change this.

[sboeuf]

Yes fine with me.

[sboeuf]

Please use the format

if err := ...; err != nil {

[dvoytik]

No problem, as you wish ;)

[sboeuf]

Actually, I think you should define a storeState() and fetchState() methods both for vm and proxy. That way, it would be more consistent with the overall naming of those new functions that you're introducing.

[dvoytik]

Originally the code was in proxy.go but @jodh-intel asked me to move it out to a separate file. If I define the methods on vm and proxy then I have to move them to proxy.go and vm.go back according to what you ask :)

[dvoytik]

Hi @sboeuf, thank you for the review!

From my understanding, you basically STORE during RegisterVM() and RESTORE during UnregisterVM().

No, restoring is done only when proxy starts and detects a stored state on disk. During unregisterVM() we call delVMAndState(), which in turn updates proxy's state and deletes the requested vm's state on disk.

The issue is that you're not covering all cases here. You will miss all the tokens/sessionID created during a pod lifecycle. For instance, after the VM has been started and that we have stored all the info, if we create new containers/processes, new tokens/sessionIDs are gonna be generated by the proxy. Am I missing something or this is something expected ? Cause that means that we are not covering a lot of crashing cases otherwise.

Tokens are stored in a state. Please see vmStateOnDisk.Tokens.

[sboeuf]

No, restoring is done only when proxy starts and detects a stored state on disk. During unregisterVM() we call delVMAndState(), which in turn updates proxy's state and deletes the requested vm's state on disk.

Yes sorry I used wrong explanation, but basically you're saving things only at the RegisterVM() time, and you restore when the proxy get restarted and it goes through init().

Tokens are stored in a state. Please see vmStateOnDisk.Tokens.

Yes sure, but you're doing the STORE only when the VM is registered. And according to a full pod lifecycle, you're gonna miss almost everything. I mean that you're only be able to RESTORE the very first configuration that you saved when the VM has been created... Lots of containers and process could be pending at the time the proxy had crashed, and you would miss all of that. I think that you need to store in lot more places in the code. Does that make sense ?

[dvoytik]

Yes sure, but you're doing the STORE only when the VM is registered. And according to a full pod lifecycle, you're gonna miss almost everything. I mean that you're only be able to RESTORE the very first configuration that you saved when the VM has been created... Lots of containers and process could be pending at the time the proxy had crashed, and you would miss all of that. I think that you need to store in lot more places in the code. Does that makes sense ?

Oops, actually you are right! I've just checked again all API methods and totally forgot about attachVM(). Originally in my previous versions it was there and somehow disappeared :) I remember I was testing attaching manually and it worked.
If you can find other places where I've missed storing/updating something please let me know. Thanks!

[dvoytik]

@sboeuf, thank you for the review again!
I've updated the PR.

[jodh-intel]

@sboeuf - ping.

[devimc]

Hi All
I think the best way to avoid restoring proxy's state is a redesign in the way we connect cc-shims and the container, we can hot plug virtio serial ports and associate them directly with cc-shim when a new container/workload is created, cc-proxy will be only used to negotiate with the agent (create, stop, delete containers, etc). That mean 1 serial port to control the container (CTL) and N serial ports to communicate cc-shim and workload (TTY)

Currently:

cc-shim <->  cc-proxy <-> TTY serial port <-> cc-agent <-> workload

With a redesign:

cc-shim <-> TTY N serial port <-> cc-agent <-> workload

in that way containers will not be affected if the cc-proxy dies since part of the logic of the cc-proxy will be moved to cc-agent

[sboeuf]

@devimc that could work, sure. But the drawback of such a solution is that we would get a larger attack surface because you would create as much serial ports as we have processes.

[sboeuf]

@jodh-intel @dvoytik I'll look into this today

[sboeuf]

I have noticed that you're missing to save all the container IDs (the one you can find into ioSession structure). We make a difference between the containerID in the vm structure which means the podID and the containerID in the ioSession structure which means a containerID. There is one session per container and one VM per pod.
I think that you need to figure out a way to save the containers related to each pod/vm, otherwise we could not be able to perform proper action like killing the container process after the proxy restarted.
Take a look here: https://github.com/clearcontainers/proxy/blob/master/vm.go#L363 and here: https://github.com/clearcontainers/proxy/blob/master/vm.go#L572-L581

[sboeuf]

@dvoytik have you made the change here ?

[sboeuf]

According to your logic, if there's no VM, we should not have a state file, I am fine with that, but this means you should return nil after you properly removed the file, right ?

[dvoytik]

Good catch! Thank you. I'll add here return nil.

[sboeuf]

You don't need to allocate dynamically the size of the buffer. Calling into append() will do that for you.

[dvoytik]

Yeah, I know that. It looks like a premature optimization, but on the other hand does it really hurt?

[sboeuf]

Well I don't consider this as an optimization since you could directly remove this line.

[dvoytik]

If you insist, I'll remove this line, no problem. My intention was to avoid re-allocations on each append operation.

[sboeuf]

Does not need dynamic allocation since you're using append right after.

[sboeuf]

Same here.

[dvoytik]

@sboeuf, thank you again for the review.
You are right about ioSession. I'll take a look how to store/restore this state in coming days.

[sboeuf]

@dvoytik no problem ! Let me know when you have something ready.

[dvoytik]

Hi @sboeuf, could you please take a look?