ExecutionHook API Design

[xing-yang]

This PR proposes ExecutionHook API design.

[xing-yang]

@jingxu97 @saad-ali

[resouer]

What's the relationship with the existing container lifecycle hook and why need to introduce a new one?

[xing-yang]

The lifecycle hook is called immediately after a container is created or immediately before a container is terminated. The proposed execution hook is not tied to the start or termination time of the container. Instead it is called before/after taking a snapshot while the container is still running. So we can't use the lifecycle hook. I'll add some clarification to the spec.

[resouer]

Thanks for explanation!

While as we are introducing a new hook in vanilla container struct, it will be better if there're more general use cases/user stories instead of vol snapshot only.

[xing-yang]

Other than Lifecycle hook, there is also Liveness Probe and Readiness Probe hooks in Container to check the health of a container. So it seems that the existing hooks all have a specific purpose? It is possible that a user may want to do some preparation work before an action and then do some post-processing after an action. I am just not sure what those actions are, other than snapshotting. Alternatively we can make this a more general-purpose pre-action and post-action hook.

[resouer]

Yeah, I am thinking there're probably more general purposes, and it deserves some thinking/writing and would be great to be included in the user stories part as well. I am not against adding hooks for specific purpose of course, but then I would suggest to name it as sth more specific like VolSnapshotHook instead of ExecutionHook.

What we are trying to avoid is, we have a ExecutionHook which sounds like a general purpose hook, but oops, we are telling users that it can only be used for prep snapshot from design doc, code and all the way to user doc.

[xing-yang]

Sure. Let me discuss with Jing about this.

[xing-yang]

See updated spec.

[justaugustus]

Please remove any references to NEXT_KEP_NUMBER and rename the KEP to just be the draft date and KEP title.
KEP numbers will be obsolete once #703 merges.

[xing-yang]

@justaugustus @resouer Addressed your comments. PTAL. Thanks.

[justaugustus]

Thanks @xing-yang!

[gnufied]

We should add more examples of what these hooks can do.

[xing-yang]

Clarified in the updated spec.

[humblec]

Is this correct url kubernetes/kubernetes#177 ?

[xing-yang]

Oh, this is wrong. It should be 177 under enhancements: #177

[humblec]

@xing-yang What happens if the container get a terminate event while executionhook is in progress ? whats the recovery path for execution hook ?

[xing-yang]

If container is terminated and quiesce is in the middle of running it, we should get an error from stdout. We will fail snapshotting in this case.
If container is terminated and unquiesce is in the middle of running it, then unquiesce should automatically happen in this case.

[jingxu97]

if container terminate means container is no long running, both quiesce/unquiesce commands will not be executed and it will fail, executionHook should report the errors in the status

[thockin]

To be crystal clear, this is along the lines of a feature I want, but it is a tricky feature, and I think this just scratches the surface at the hard parts.

kubernetes/kubernetes#24957 for history

[thockin]

I presume that this is not SPECIFIC to snapshotting, but a more general mechanism? That's what the name implies.

[resouer]

Just left same review comment here #705 (comment)

@xing-yang I think we can actually "borrow" some narratives from #705 (comment), which is really great thread.

[xing-yang]

@resouer @thockin Yes. If we make this a more general mechanism, we need to provide more use cases in addition to snapshotting.

[xing-yang]

Comments addressed in the updated spec.

[thockin]

Under what conditions will it retry? Just timeout? Or will it retry if it fails?

[xing-yang]

Removed "NumRetries". Now "TimeoutSeconds" will be the total duration of trying to run the hook, whether retries happen or not.

[thockin]

Is this aggregate (across all retries) or per attempt? Naming is weird to me.

[xing-yang]

Changed to "TimeoutSeconds". This will be the total duration of trying to run the hook, regardless of retries.

[thockin]

First the name - this is very hard to spell. In fact this doc gets it wrong as often as not. Can we adopt simpler naming? Pause/Resume or something that is meaningful but less difficult?

[thockin]

As a point to discuss - why do we want this as a specific hook? Assuming we do this at all, would we rather a general "notification" or "imperative" API or N specific hooks?

An advantage of being specific is that we can make specific sub-resources that we can ACL specifically.

An advantage of being generic is that we don't have to keep solving this in almost-identical ways.

@liggitt @lavalamp @deads2k

[xing-yang]

Please see the updated spec. Introduced a generic ExecutionHook but also added a type to indicate it is for "Freeze"/"Thaw". Support for new types can be added later.

[thockin]

We need to talk about delivery and define the guarantees.

Who delivers this? The controller or kubelet?

If the storage controller: How is it authenticated (e.g. it can't be arbitrarily open to anyone)? How do they actually trigger an exec?

If the kubelet: How do we tell kubelet to go do it? What is the trigger from the storage controller?

What guarantees do we make about delivery? Do we guarantee it gets delivered at all? Do we guarantee it gets delivered exactly once? Do we guarantee it gets delivered at least once?

How does the controller know it is done? Does the app indicate somehow that it is complete, or is this expected to be synchronous?

How do we access-control this?

We need to have answers to all these (and more, I am sure) and they need to be documented. See kubernetes/kubernetes#24957 for more exploration of this idea.

[xing-yang]

Sure. We need to provide a lot more details in the spec. Will take a look of kubernetes/kubernetes#24957 for ideas.

[kow3ns]

queiscing an application in order to achieve application consistent snapshots using block level snapshots is tricky. The general outline of what you probably want to do looks like this

1. Call the queisce hook to flush any memory and/or WALs to the filesystem, sync the filesystem storage media, freeze the file system, and block and application level writes.
2. Take the block level snapshot.
3. Call unqueisce to unfreeze the filesystem and allow application level writes.

I think the lifecycle of all the operations is tied.

The hook in (1) needs to return success or failure. If it fails the system should not do (2). If (1) succeeds, without respect to (2), the system must do (3). If (1) succeeds, again without respect to (2), and (3) fails, you've probably broken the application, and you need a way to deal with it. If (2) fails at any point in time, you still need to do (3).

I think it follows that (1) needs to be implemented as idempotent with at least once delivery guarantees. If you do (2) without (1) you are at best crash consistent (and probably not even that).

(3) needs to be idempotent as well.

I think you need to describe how the system will function in more detail in order to motivate the API addition and for people to consider the API in the context of its proposed implementation.

[xing-yang]

Addressed comments in the updated spec.

[bgrant0607]

cc @kow3ns since I requested thinking about lifecycle hooks more holistically

kubernetes/community#1171 (comment)

[lavalamp]

Did you consider adding new entries to the already existing "lifecycle" section of the container spec?

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#lifecycle-v1-core

They do extremely similar things.

[xing-yang]

That's a good point. We have not considered this. Will look into it.

[xing-yang]

Discussed with Jing about this. We added Alternatives which would include the new ExecutionHook directly inside "Lifecycle". Please take a look. Thanks.

[lavalamp]

Type doesn't seem necessary. Will a given item need multiple freeze hooks and multiple thaw hooks?

[lavalamp]

I was expecting

Freeze *Handler
Thaw *Handler

[lavalamp]

If you don't have a list of these, this isn't necessary.

[lavalamp]

This can potentially be solved with documentation.

[lavalamp]

You can also embed, e.g.

type NamedHandler struct {
  Name string
  Handler
}

[thockin]

I don't have time to get on this right now, but I do want to have a look, so please give me a ping when it's baked and I will try to make time

[jingxu97]

There's been a lot of chatter on this. Is it ready for another pass from me?

@lavalamp Yes, I think so :)
We have been simplifying the API quite a bit so that at least for alpha version, we are trying to achieve a minimum set of APIs (CRD without modifying core API) for user to trigger user command in a group pod/containers and be able to update/watch the status of the execution.

[liyinan926]

/lgtm

[saad-ali]

Overall this looks good. Much cleaner then original proposal and sufficient (to me) for an alpha implementation. Left a few comments for cleanup.

For beta we will need kubelet executing these instead of a standalone controller, some mechanism (e.g. PodSecurityContext or pod fields) to white-list "allowed" actions, etc. but that is understood, this is to get an alpha kick the tires implementation out.

[saad-ali]

In the comments we should clarify the guarantees around this (e.g. if controller loses its state, counter restarts so maybe say that controller will retry for at least this long, before stopping).

[xing-yang]

Added comments to clarify.

[saad-ali]

Also explain that once an action is started, controller has no way to stop it even if ActionTimeoutSeconds is exceeded. This simply controls if retry happens or not.

[xing-yang]

Added explanation.

[saad-ali]

Should also define the retry policy somewhere: what happens if ActionTimeoutSeconds is not specified (i.e. it retries until object is deleted). And is there any exponential backoff policy or is it just back to back retries on failures?

[xing-yang]

Added comments about retry policy.

[saad-ali]

Let's remove this since it is not strictly necessary (and a little confusing). We can reintroduce in the future if necessary).

[thockin]

From a non-code comment:

Let's talk about names. Looking forward to it being in Pod, I would propose "actions" or "notifications". You seem to like action, I am ok with that for now.

Since we want to keep the declarative request for action, I propose to rename ExecutionHook -> PodAction

Since we want to move the definition of the action itself into Pod, the name matters less. Rename HookAction -> PodActionTemplate or PodActionDefinition or something like that?

[thockin]

naming: I would call this field pods or target

[thockin]

naming: rename to names or pods. e.g. with the above it would be:

target:
    pods:
      - myapp-1234
      - myapp-5678

[thockin]

This qualifies as a union under emerging conventions and should have a discriminator field, e.g. type to indicate either "Pods" or "Selector".

@apelisse this is the second KEP I reviewed today that I have said this to. :)

[thockin]

I think this can just be called Selector and be a simple selector. Container Name should be in the action. If the action were defined in Pod, it would be under a container, so it belongs on the other side of this relationship.

[thockin]

I'm proposing to rename ExecutionHook to PodAction or Action and that (long-term) this be embedded into Pod.

[thockin]

"latest" is somewhat meaningless. How about saying "only one" result will be logged

[jingxu97]

I think what we mean here is that if controller retries, it will update the result which will overwrite the old result updated before.

[thockin]

As above, container name should go here.

[thockin]

to revisit a comment, this will replicate PodName if there are multiple containers in the pod. Is it worth structuring as

{
    podName: pod-1234
    containers:
        - name: app
          timestamp: 12345678
          success: true
        - name: sidecar
          success: false

?

[thockin]

OK. I expect it to come back.

[thockin]

Most of my comments are naming or API related, and this is not an API review. As such, I think the idea is OK and will approve the KEP. Please consider this feedback as you get the API pinned down, and let's do an thorough API review before you get too far into impl.

This maybe a good topic for sig-arch once we can show that it works well.

Thanks!

/lgtm
/approve

[saad-ali]

/approve

[saad-ali]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: j-griffith, liyinan926, saad-ali, thockin, xing-yang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-storage/OWNERS [saad-ali]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[krmayankk]

is this a webhook or an executable hook ?

[jingxu97]

it is execution hook

[pablochacin]

I have a problem with the utilization of the term "hook" in this context. In general, a hook is used "to alter or augment the behaviour of a software system by intercepting function calls or messages or events passed between components" (adapted from Wikipedia entry). Hooks are related to specific events or actions, not are intended to be arbitrarily called as I understand from the proposal.

I understand the proposed mechanism facilitates implementing hooks for other components, as described in the example, but said mechanism is not, IMHO, a hook.

[jingxu97]

But do you have issues of using ExecutionHook as API name? What we want to say here is to propose a set of APIs to allow users trigger commands inside their containers

[krmayankk]

why is the hookAction a different object ? What do we loose if we combined the hookaction inside ExecutionHook ?