reincarnate instances with SagaUnwound VMMs
#6638
Comments
|
cc @gjcolombo, I'd love your take on the cooldown period bit. |
|
Honestly, we may even want to re-queue |
|
@gjcolombo pointed out that I'm wrong about omicron/nexus/db-queries/src/db/datastore/instance.rs Lines 157 to 163 in 165ddc2 I believe that, at the time, we did that because when |
|
A couple things come to mind here. One is that I don't think the start saga (currently) guarantees that all transitions to
As you pointed out just above, today SagaUnwound maps to the Stopped state; if we're going to do this, we'll either need to map this state to Failed or introduce some other way of conveying whether a Stopped instance is eligible to be automatically restarted or not. (I would prefer the former, along with allowing requests to stop a Failed instance, which should just move the instance from Failed to Stopped so that it will no longer be auto-started.) This is editorializing a bit, but in general, I think trying to reason about the user's intended instance state in the control plane is somewhat perilous, since a running guest can shut down and move its own instance to Stopped, and we don't ever really know whether that was intended or not (did the user do it on purpose? did the guest crash and halt itself? is some other malicious guest actor shutting the guest down without crashing it?). |
|
Yeah, I agree that, at least for now, we should apply the cooldown regardless of whether an instance is |
Currently, instances whose active VMM is `SagaUnwound` appear externally as `Stopped`. We decided to report them as `Stopped` because start sagas are permitted to run for instances with `SagaUnwound` active VMMs, and --- at the time when the `SagaUnwound` VMM state was introduced, `Failed` instances could not be started. However, #6455 added the ability to restart `Failed` instances, and #6652 will permit them to be stopped. Therefore, we should recast instances with `SagaUnwound` active VMMs as `Failed`: they weren't asked politely to stop; instead, we attempted to start them and something went wrong...which sounds like `Failed` to me. This becomes more important in light of #6638: if we will attempt automatically restart such instances, they should definitely appear to be `Failed`. The distinction between `Failed` and `Stopped` becomes that `Failed` means "this thing isn't running, but it's supposed to be; we may try to fix that for you if permitted to do so", while `Stopped` means "this thing isn't running and that's fine, because you asked for it to no longer be running". Thus, this commit changes `SagaUnwound` VMMs to appear `Failed` externally.
When an
instance-startsaga unwinds, any VMM it created transitions to theSagaUnwoundstate. This causes the instance's effective state to appear asFailedin the external API. PR #6503 added functionality to Nexus to automatically restart instances that are in theFailedstate ("instance reincarnation"). However, this code will not automatically restart instances whose instance-start sagas have unwound, because such instances are not actually in theFailedstate from Nexus' perspective.We should be automatically restarting instances whose start sagas have failed. From the user's perspective, the purpose of instance reincarnation is "if I say that I would like this instance to be running, the system should make sure it is running" --- it doesn't really matter if the reason it's not running is because it couldn't be started, or because it was running and then something happened to it. Furthermore, it seems not great to say "instances in the
Failedstate will be automatically restarted" and then have some class of instances which appear to be in theFailedstate in the UI but aren't actually automatically restarted. Therefore, we should add code to the instance-reincarnation RPW to reincarnate instances withSagaUnwoundVMMs.I don't really think it makes sense for the auto-restart cooldown period to apply to
SagaUnwoundinstances even if they have failed previously. The purpose of the cooldown period is to prevent "repeat offenders" that fail repeatedly from compromising overall availability, especially when those instances fail in ways that effect other instances on the same sled. However, if an instance's start saga fails, it was never actually running,1 so the failure was not due to a problem with the instance. Therefore, I think the cooldown period need not apply here. We may want to consider a separate cooldown period between start failures, to prevent an instance that, for some reason, consistently fail to be started (i.e. due to requesting an allocation of virtual resources which aren't actually available) from constantly being restarted in a hot loop...Footnotes
The last action in the
instance-startsaga is to send a request to the sled-agent, and thus Propolis, to tell it to start trying to boot the instance. If the instance boots and then crashes, that will go through the normalcpapi_instances_put->process_instance_updatepath that transitions the VMM toFailedrather than putting it inSagaUnwound. ↩The text was updated successfully, but these errors were encountered: