OWLS-89106 - Potential fix for pod startup issue in GBU CNE environment after node drain/repave operation

[ankedia]

OWLS-89106 - In GBU CNE environment with a large k8s cluster, some pods are not started after a node drain operation. The event notifications are not generated for pod delete/start and fiber gets stuck in a suspended state due to this. This change will interrupt the fiber in the WaitForPodReady step after a timeout interval (2 min) and execute a make-right domain operation.

The WaitForJobReady step logic is not changed because the introspector job for the JRF domain is not fully idempotent. We also don't store the state of job pods in DomainPresenceInfo. Hence it doesn't need to be refreshed with an explicit relisting in case of a missed watch event.

This PR also contains a change to ItParameterizedDomain.testMultiClustersRollingRestart as that test performs extra validation using domain events. With this change, the DomainProcessingCompleted event may not always be generated in time during the test validation. We cover domain events testing in ItKubernetesEvents and this extra validation is not necessary.

The integration test run is clean with current set of changes - https://build.weblogick8s.org:8443/job/weblogic-kubernetes-operator-kind-new/5310/

[doxiao]

I am not sure if it is always correct for all cases to use the existing MakeRightDomainOperation object. For example, if the original object has an EventData, we may not know if the event has been generated already or not in the previous attempt.

[ankedia]

Thanks, Dongbo. That's a good point. In the latest integration test run, I'm seeing some new failures in ItKubernetesEvent and ItPodsRestart related to event generation. It looks like these failures are intermittent and timing-dependent. I'm not sure if I can create a new MakeRightDomainOperation object in this step. I'll continue looking into this tomorrow.

[rjeberhard]

@doxiao, I'm not sure but I wouldn't be surprised if there are some bug in our flow. The intended design is that the operator could die at any code point and have a new operator start and have to recover. Therefore, it's a bug if any of our code paths depend on in-memory state. Since updating the Domain status and generated Events is not transactional then there may be some gaps that are impossible to close, but we should for instance be able to start a rolling, have the operator die, be restarted, and then have the new operator complete the roll and properly generate the rolling completed event. I see these timeouts as being analogous. If a wait timesout and the make-right loop goes back to the "top" then it ought to complete similarly.

[doxiao]

Ryan, I agree with you that the operator's processing flow should not depend on in-memory states. We could review the flow to make sure that is the case. But the issue here is a little different, I think - we are reusing a DomainMakeRightOperation object to do a new execution. I don't think the operator does this prior to this PR. EventData is just one piece of the data in the MakeRightDomainOperation object. We are probably better off creating a new MakeRightDomainOperation; the new code here already overrides some of the data in the existing object prior to calling execute().

[rjeberhard]

I'm not quite sure what you are proposing. What Anil and I originally discussed was to, on timeout, cancel the current fiber and start a new fiber for a new make-right operation. He found that he could instead take the current Fiber back to the top step using this pattern. That sounds reasonable. Is there just some other state in the current make right operation and/or Fiber that he needs to clear.

[doxiao]

My suggestion is to create a new MakeRightDomainOperation passing in the new DomainPresenceInfo, instead of reusing the current make right domain operation. This suggestion does not change the logic/spirit of the current changes. I discussed with Anil offline, and found out that apparently he had problem in creating a new make right domain operation instance within PodWatcher's static context. We could add a static method somewhere for this. For example, we could refactor the Main class a little and add a static factory method there for PodWatcher to use to create a new make right domain operation instance. What I like about using a new instance is that the code here would have full control of what it needs to do. Alternatively, we could have a clear() method on MakeRightDomainOperation to start clean if we know for sure there is no other fiber running using this make right domain operation instance. Then we have to keep the clear() method up-to-date when we add new variables into it in the future. I personally prefers the first option.

[ankedia]

I have implemented the clear() method on MakeRightDomainOperation to reset its state before executing the new make-right operation in MakeRightDomainStep. Thanks.

[rjeberhard]

Here you reread the domain, but don't we also need to reread the pod and/or other services?

[ankedia]

I was following the approach in handleModifiedDomain where we call the make-right domain with just the domain object received in the watch event.

  private void handleModifiedDomain(Domain domain) {
    LOGGER.fine(MessageKeys.WATCH_DOMAIN, domain.getDomainUid());
    createMakeRightOperation(new DomainPresenceInfo(domain))
        .interrupt()
        .withEventData(EventItem.DOMAIN_CHANGED, null)
        .execute();
  }

[doxiao]

we probably need to call removeCallback here.

[ankedia]

I made the change to remove callback here.

[doxiao]

I don't understand why we need to check callback.didResume here. How would the operator get here again if the callback has been resumed already?

[ankedia]

The check callback.didResume is to avoid the race condition. We do the periodic listing of the introspector job to check if it's ready and also dispatch the callback when the watch event is received. In this scenario, the watch event notifications are flowing. After the intro job completed watch notification is received, the callback is removed and the fiber is resumed. After this, the intro job gets deleted but the child fiber that's listing the job periodically to check for readiness doesn't see the job as ready since it got deleted. Hence the child fiber never finishes and times out. The above check will terminate the child fiber after intro job has been deleted.

[doxiao]

If I understand it correctly, check for didResume (didResumeFiber now) is only needed for the job case. If so, we need to remove the check in the pod code path,

[ankedia]

The didResumeFiber will return true only when the fiber is resumed and the resource should be ready at that time. I think there's no harm in keeping the check as that should avoid any potential race condition in pod case as well.

[ankedia]

The integration tests are passing with current set of changes - https://build.weblogick8s.org:8443/job/weblogic-kubernetes-operator-kind-new/5310/

[doxiao]

Do we need to reset the recheckCount here?

[ankedia]

I moved the recheckCount variable from DomainPresenceInfo to the Callback object since we create a separate callback instance for each resource. The WaitForReady step registers a new Callback instance in the resumeWhenReady method and the previous callback will be removed once the fiber is resumed. With this approach, there's no need to reset the recheckCount since previous callback instance will be garbage collected once the resource is ready.

[doxiao]

Looks good to me.

We need to add unit test cases to cover the timeout code path.

[ankedia]

Looks good to me.

We need to add unit test cases to cover the timeout code path.

Added new unit test whenPodCreatedAndNotReadyAfterTimeout_executeMakeRightDomain in PodWatcherTest to cover the timeout code path in 1c3b6a0. The integration test run is clean after this change - https://build.weblogick8s.org:8443/job/weblogic-kubernetes-operator-kind-new/5349/

[doxiao]

The "next" parameter is not used.

[doxiao]

LGTM