[#2760] Improved handling of MQTT adapter shutdown.

[n-deliyski]

Introduced unregister-cmd-consumers method at Command Router API.
That is a batch version of unregister-cmd-consumer.
The API is used only while the adapter is stopping or device is disconnected.

Signed-off-by: Nikolay Deliyski Nikolay.Deliyski@bosch.io

[sonatype-lift]

Severe Vulnerability:

pkg:maven/org.eclipse.hono/hono-client-telemetry-kafka@2.2.0-SNAPSHOT

0 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components

pkg:maven/io.netty/netty-handler@4.1.78.Final

SEVERE Vulnerabilities (1)




Channel Accessible by Non-Endpoint

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE: CWE-300

---

ℹ️ Learn about @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command	Usage
@sonatype-lift ignore	Leave out the above finding from this PR
@sonatype-lift ignoreall	Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool>	Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
_{Click here to add LiftBot to another repo.}

---

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

[sonatype-lift]

Severe Vulnerability:

pkg:maven/org.eclipse.hono/hono-client-telemetry-amqp@2.2.0-SNAPSHOT

0 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components

pkg:maven/io.netty/netty-handler@4.1.78.Final

SEVERE Vulnerabilities (1)




Channel Accessible by Non-Endpoint

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE: CWE-300

---

ℹ️ Learn about @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command	Usage
@sonatype-lift ignore	Leave out the above finding from this PR
@sonatype-lift ignoreall	Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool>	Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
_{Click here to add LiftBot to another repo.}

---

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

[sophokles73]

FMPOV we should put this into a private method returning a primitive boolean so that there is no need to bother if it is null ...

[n-deliyski]

agree, will do.

[sophokles73]

can we rename this to e.g. processUnregisterMultipleCommandConsumers so that it is easier to distinguish from the existing processUnregisterCommandConsumer method? Maybe we should even rename the existing method to processUnregisterSingleCommandConsumer ...

[n-deliyski]

Agree, that having Single and Multiple as part of the name is easier to read.
What about the CommandRouterAction enum? Does it make sense to have the same naming as part of the enum predefined constants?

[sophokles73]

static ?

[sophokles73]

is there a case where this will be false? my understanding of the discussion in #2760 is that we want to completely move the responsibility for sending the connected/disconnected events to the Command Router, or am I mistaken?

[n-deliyski]

As agreed with @calohmn this PR is about the MQTT adapter only. For the moment the other adapters will use false.
Later with other PRs we could adjust the others. But in general I think the direction is to move that responsibility to the Command Router for all adapters. As there is no difference between them on that.

[calohmn]

formatting: span param in new line.

[calohmn]

Since no event gets sent here anymore, the log output a few lines above should be adapted, dropping the skip sending disconnected event part.

[calohmn]

I think a method name releaseCommandConsumer would fit better here. The first param could be changed to contain the CommandConsumer.

[calohmn]

I think the changes in this class should better go into a new CommandConsumer class in the adapter-base package.
This lets us differentiate between CommandConsumers in the adapter classes, needing the added functionality, and other CommandConsumer usages, where only close(SpanContext) is needed.

FMPOV, the close(SpanContext) method in the new class should be removed then, so that always the close method with the sendEvent parameter has to be used, making it more explicit what the behaviour should be.

[n-deliyski]

Do we need to use the same name CommandConsumer for the old and new interface?
There are two CommandConsumerFactory too. For me it is a bit misleading.
What about DeviceCommandConsumer (new) and TenantCommandConsumer (old)?

[calohmn]

A note could be added here, that the default implementation calls the close method.

[calohmn]

connected or disconnected

[calohmn]

If sendEvent is true, the event should also be sent if removeCommandHandlingAdapterInstance failed. Sending should only be skipped if there was a HTTP_PRECON_FAILED error status on removeCommandHandlingAdapterInstance.
See the logic in the old AbstractVertxBasedMqttProtocolAdapter.onCommandSubscriptionRemoved() method.

[n-deliyski]

Right, I have missed that flow. Will fix that.

[calohmn]

typo: consumera

[calohmn]

must not be

[calohmn]

must not be

[calohmn]

-1 isn't defined as an impossible timer id value. Therefore, I think it's better to use a Boolean and assign null here.

[n-deliyski]

ok, I will adapt.

[calohmn]

Is it really needed to create a CommandRouterDeviceInfo copy here?

[n-deliyski]

Good catch, not needed, it seems a left not cleared code.

[calohmn]

Currently, count is always set to pendingConsumersToClose.size() here, making the parameter look superfluous.

Just looking at the code of this method, it also should better be made obvious that pendingConsumersToClose.remove(0) below can't produce an IndexOutOfBoundsException.

[n-deliyski]

I will improve.
At least the first call should use batchSize instead of pendingConsumersToClose.size() as first parameter.

[calohmn]

How about cancelling an existing timer here? Otherwise that timer execution could cause a unregisterCommandConsumers request with only a few items, being sent ahead of batchMaxTimeout.

[n-deliyski]

It makes sense, will adapt.

[calohmn]

Time unit should be mentioned here.

[sophokles73]

The API is used only while the adapter is stopping or device is disconnected.

So, let's say we have 10.000 devices connected to an MQTT adapter instance and we want to shut it down. How many unregister-cmd-consumers requests do you envision the adapter to send, i.e. how many devices per request can we unregister? How long is this supposed to take? It looks like in the CommandRouterImpl we would still unregister the consumers one-by-one from the Infinispan cache, or am I mistaken? I am not convinced that doing all of this during shutdown of the adapter will be very practical.

[calohmn]

One of the original ideas was to fully skip the removeCommandConsumer invocations on adapter shutdown, as if there had been a hard kill of the container. But, for previously subscribed MQTT/AMQP devices that don't reconnect to another adapter instance, there should better still be disconnected events being sent.

I think, to further improve on this "adapter-shutdown with 10.000 subscribed devices" case, we could let the adapter send maybe just one or two big batch unregisterCommandConsumers requests to the command router. The command router could acknowledge (i.e. send the disposition update for) these requests immediately. For the actual processing of such batch requests, the command router could first wait a certain time (e.g. 5s). The assumption would be, that devices reconnect during that time. When doing the actual unregisterCommandConsumers processing, cache entry removal and sending of disconnected event could be skipped if the cache entry was updated with a new adapter instance in between.

[sophokles73]

One of the original ideas was to fully skip the removeCommandConsumer invocations on adapter shutdown, as if there had been a hard kill of the container. But, for previously subscribed MQTT/AMQP devices that don't reconnect to another adapter instance, there should better still be disconnected events being sent.

We seem to agree that we need to make sure that whatever mechanism we devise, it works for both the graceful shutdown of an adapter as well as the crashing of an adapter. FMPOV this means that the mechanism can not require the adapter to unregister the command consumer for all connected devices before stopping/crashing, or am I mistaken?

[calohmn]

We seem to agree that we need to make sure that whatever mechanism we devise, it works for both the graceful shutdown of an adapter as well as the crashing of an adapter.

Not necessarily, FMPOV. I think we have to consider the implications of letting the tasks here be done without any trigger from the adapter itself. The trigger would have to come from the KubernetesBasedAdapterInstanceStatusService instead. That service can detect pods having gone offline, but only after a considerable delay to prevent false positives (see #3379). That delay could be higher than the what we want the disconnected event sending delay to be.

Thinking further about such an approach:
After the Command Router has detected via the status server that the adapter was shutdown, it has to find out which command subscriptions (devices) were involved with that adapter, in order to get the devices for which to send disconnected events.
That information could come from the Infinispan cache. But there, the adapter instance is the cache entry value, meaning a traversal over all keys would be needed. We would need an alternative approach, letting each Command Router instance only work with its local command subscription entries and corresponding device IDs. EDIT: This doesn't work, see last paragraph below. But that's ok since the above KubernetesBasedAdapterInstanceStatusService would trigger the actions on all Command Router instances anyway.

All in all, I think that this approach could work, but there is the downside of having the delay imposed by the KubernetesBasedAdapterInstanceStatusService in detecting the offline adapter pod.

Therefore, I think it would be ok to optimize for the usual scenario, that the adapter has a second or two on shutdown to do some requests.

We could however further reduce the work done by the adapter on shutdown.
Instead of big unregisterCommandConsumers batch requests to one Command Router instance, we could let the adapter only send a message to the messaging network, sending a new type of Hono-internal notification (like the Device Registry Notifications) that the adapter instance is now offline.

Each Command Router adapter instance could receive such a notification and use it as a faster and more reliable alternative to the KubernetesBasedAdapterInstanceStatusService information about an offline adapter.

With the trigger from the new kind of adapter notification event or from the KubernetesBasedAdapterInstanceStatusService, each Command Router instance could do the same kind of work then, going over it's local command subscriptions for the dead adapter instance ID and doing cache entry removal and sending disconnected events if needed.

EDIT:
Letting the Command Router use its local command subscriptions to get the relevant device IDs for an obsolete adapter doesn't actually work. There is no such local information in case of a newly restarted Command Router instance.
Therefore the above approach using the KubernetesBasedAdapterInstanceStatusService and trying to send disconnected events for all adapter-related devices (without information from the adapter and without traversing all cache-keys) doesn't seem feasible.

[n-deliyski]

The functionality will be implemented in #3422.