config: do not finish initialization on stream disconnection

[ramaraochavali]

Description: As part of #6151 we ensured that envoy initialization would not finish till a named response comes. I found that when Envoys sends EDS request for a cluster and the management server is disconnected/reconnected, Envoy proceeds with the initialization even if named response is not sent. That is because stream disconnection triggers a onConfigUpdate callback and we call onPreInitComplete when we get onConfigUpdate callback. This PR ensures that we don;'t call onPreInitComplete on stream disconnects.
Risk Level: Low
Testing: Added a case to test this in the the existing test case.
Docs Changes: N/A
Release Notes: N/A

[ramaraochavali]

/retest

[repokitteh-read-only]

🔨 rebuilding ci/circleci: asan (failed build)

🐱

Caused by: a #7427 (comment) was created by @ramaraochavali.

see: more, trace.

[ramaraochavali]

@mattklein123 @htuch Please see if this makes sense

[mattklein123]

IMO this is not safe, since a bad management server can cause Envoy to hang. It seems like maybe you want some kind of feature where you can have some number of retries during init before you give up?

[ramaraochavali]

@mattklein123 But the problem is an accidental network disconnection can wipe out the cluster members. Also I thought initial_fetch_timeout is meant to do that safety handling i.e. when no response comes with in the time, it just moves ahead with the initialization.

But looking at the initial fetch timeout timer callback implementation, unfortunately it is just passing nullptr assuming that onConfigUpdate would move forward with init which would be an issue with this change.

envoy/source/common/config/grpc_mux_subscription_impl.cc

Line 26 in ae02dc6

callbacks_.onConfigUpdateFailed(nullptr);

Should we pass a valid exception like TimeoutException here instead of nullptr - so that initial_fetch_timeout can be used as a safety belt here ?

[mattklein123]

@ramaraochavali my general feeling is that we need to have sane defaults. Personally, I would be in favor of making a default initial fetch timeout if none is specified. Perhaps 15s or so? If we have a default in place, as well as good documentation around this, I would be more inclined to do a change like this. @htuch WDYT?

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[ramaraochavali]

@mattklein123 I agree we should have sane defaults for initial_fetch_timout. There is inconsistency in the initialization behaviour when initial_fetch_timeout is not configured i.e if management server is connected and do not send any response, the initialzation process would wait (for whatever time it takes) and if there is an accidental network disconnection it would just finish the initialization process. So I think it is related but slightly different problem.

However I see your point about having some sane defaults for initial_fetch_timout` so that we are guaranteed not to hang in all cases.

So should I first push another PR to just change the initial_fetch_timeout to have default of 15s?

[mattklein123]

So should I first push another PR to just change the initial_fetch_timeout to have default of 15s?

IMO yes. @htuch any thoughts here?

[htuch]

What is the underlying temporal property we want here? Is it something like "When an Envoy is initialized, it will have the complete state from the management server of all its APIs" or more like "An Envoy is always guaranteed to initialize within a bounded period of time, with a best effort made to obtain the complete set of xDS configuration within that subject to the management server availability"?

Do we want to support both models? Either way, any PR should probably elaborate on the xDS docs and explain what the key properties we're shooting for here.

[ramaraochavali]

I think @mattklein123 is leaning towards ""An Envoy is always guaranteed to initialize within a bounded period of time, with a best effort made to obtain the complete set of xDS configuration within that subject to the management server availability"? which seems reasonable to me. Is that correct @mattklein123 ?

[mattklein123]

Yeah that is my thinking.

[htuch]

That's fair, I think this needs to be documented in the server initialization docs, since this is a key principle we need to respect going forward.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[ramaraochavali]

This is waiting on this PR #7571

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[mattklein123]

Thanks for working on this. At a high level I think this change makes sense, but I would like to work on making the control flow more clear and less hacky. I'm going to also assign @htuch to review as he has worked on this code a lot more. Thank you!

/wait

[mattklein123]

You should be able to allocate an EnvoyException on the stack and pass it into the update failed function.

[mattklein123]

This seems very fragile to me that we are using exceptions in this way to figure out a timeout vs. not, etc. Can you rework this code to make the control flow a lot more obvious? It's possible that you might need to rework how the update failed functions work.

[ramaraochavali]

Agree this is fragile. I did not try to change that because it triggers more changes because of how the update failed functions work today and this existed earlier as well. But it would be good to clean this up. Let me try.

[ramaraochavali]

@mattklein123 @htuch Added ConfigUpdateFailedReason enum and changed the flow. PTAL. envoy-macos pipeline failure is not related to this PR? Can you trigger that build again?

[htuch]

LGTM modulo a comment. This is a nice improvement to the understandability of config update failure!
/wait

[htuch]

Why not use the ConfigUpdateFailureReason here rather than the indirect e == nullptr? This seems to be one of the few places (and motivating example) there is benefit from plumbing this reason in to the subscriber callbacks, but we 're not using it.

[ramaraochavali]

Great Catch @htuch. I meant to change this and forgot. Thanks. Changed now, PTAL.

[mattklein123]

Thanks this is a great improvement. A few small comments and will defer to @htuch for further review.

[mattklein123]

This is a bit of a strange error code to use here, but I understand why you did it. Maybe a small TODO/comment?

[mattklein123]

nit: e != nullptr

[mattklein123]

this default case should not be needed.

[mattklein123]

Can you add a comment here that this might hang init forever if the user has disabled the init timeout? Might be worth a TODO to warn in this case?

[ramaraochavali]

@mattklein123 @htuch addressed the feedback. PTAL.

[htuch]

Thanks!

[ramaraochavali]

@htuch merged master. PTAL

[ramaraochavali]

@htuch @mattklein123 can this be merged now tests have passed, it might get in to master merge issue because of the number of files?