ws-manager: ensure it can reconcile orphaned PVCs without VolumeSnapshot is created #10531
Comments
|
@jenting we use workspace pod to keep track of PVC. basically we use workspace pod (that have finalizer) to keep track of pvc and ensure clean up is done (convert pvc into volume snapshot). I suspect we need to ensure that if wsman crashes, that it can recover the work if it was in the process of converting pvc into volume snapshot. Another edge case: if we find PVC that is unmounted. Meaning pod was deleted somehow without finalizer running. But that is a tricky case. What if user restarted WS and already has a newer backup? We cannot just convert that orphaned pvc into volume snapshot, as it might override newer snapshot. 🤔 Maybe there is some other edge case then we need to handle. |
Some ideas come to my mind that we need to tackle. Correct me if I'm wrong. The node crashes/reboots (the ws-manager locates) or the ws-manager Pod crashes: during the ws-manager start, the user stops the workspace. Then, there is no corresponding ws-manager to handle the request from the server to create the VolumeSnapshot resource. For the above case, I could only think of having HA ws-manager or the server have a retry mechanism once the ws-manager is unreachable. WDYT? |
|
@kylos101 could you please describe some scenarios that the PVC could be orphaned? Thank you. |
|
Hi @jenting, I defer to @sagor999 on helping build a list of scenarios (and which ones are deemed edge cases). He shared some thoughts, and you did too, perhaps you two can sync up? Another option might be for you to make a brainstorm/picture to 'see' the use cases, or a table of use cases (ranking most likely to least likely). Some considerations for this exercise:
|
That is fine I think. WS pod will be waiting in terminating state until wsman will be available to process it. (at least that is how it should work) |
|
@sagor999 what do you think for when the "cluster" is gone (yikes), but persistent disks remain for the prior PVCs (who's disks are now orphaned, where this is no terminating pod). |
|
that should not happen. It would mean we killed (removed finalizer) from the WS pod without letting it go through finalizer. |
|
@sagor999 wonderful idea, I added as a task in this issue, under Ops, in a new jobs section |
|
Here are the scenarios I have tested so far. Case 1. During the workspace stop, restart the ws-manager Deployment ❌
Case 2. During the ws-manager restart, stop the workspace ❌
After that, I disable the PVC feature flag and re-test cases 1 & 2, and the workspace Pod keeps in a Terminating state. Therefore, it's a bug/behavior even without PVC. (The workspace Pod would be cleaned up after 1 hour). |
|
Some ideas and thoughts on how to fix it. During the workspace Pod in the finalizer loop, we call the APIs to perform backs up. The APIs are
We need to make sure these:
|
|
We should also look to handle the case if GCP is having an outage affecting snapshots. For example, what if we cannot create a snapshot for extended amount of time? Should we keep accumulating workspaces in terminating state while keep on retrying snapshot creation? |
|
Related to #5846 (comment) I feel this issue now is similar to #5846 if we only talk about backing up and restoring the PVC? |
|
@jenting I agree it is similar, but it is not the same. We're talking about the same action being done under two different scenarios:
|
|
I simulate the node being removed in workspace-preview, the corresponding workspace Pod being removed as well, and the orphaned PVC appears. |
|
Since the orphaned PVC appeared if the node be evicated by auto-scaler. Therefore, I'd like to propose Kubernetes controller patten reconcile the PVC, which means to have to persistent_volume_claim_controller to reconcile the PVC, the steps would be
@sagor999 @aledbf, are there any other approaches to take snapshot of orphaned PVC other the Kubernetes controller pattern? |
|
hm. if we take volume snapshot, we also need to tell webapp server about it. and there is also a question of potentially overwriting newer volume snapshot for that workspace (example workspace failed, user opened workspace with previous snapshot and did some changes and closed it, and we try to create volume snapshot out of band here we will overwrite newer data). |
|
you said you removed the node and pvc became orphaned. |
Let me check the webapp server part, thanks. I think workspace failed != orphaned PVC case. So basically, we would not trigger take volume snapshot.
No, the ws-manager is on a different node. |
I am curious then how and why did we lose the pod and did not finish PVC backup process. |
Make sense. I will check the auto-scale scale-down code logic to see if it matches the way I was tested. My testing is a bit hacked, by removing the worker node from workspace-preview |
|
According to the autoscaler doc and the PR, we use the annotation Therefore, the node shouldn't be removed by autoscaler if there is still have workspace Pods running on top of it. Extra doc on how auto-scaler scale down the node |
that is a good test, as I think in this case we still should be able to backup PVC correctly. |
|
The workspace pod in ...
deletionTimestamp: "2022-07-12T06:07:13Z"
finalizers:
- gitpod.io/finalizer
...
containerStatuses:
- containerID: containerd://f9a34830e71beac227d7eb38d527ead553a3bf39a847c29b62d7363dbf4aefde
image: reg.g37a8ca0daf64f13cc37955.workspace-preview.gitpod-io-dev.com:20000/remote/a89526c6-0444-4ea7-a24f-9ff1dba23d98:latest
imageID: reg.g37a8ca0daf64f13cc37955.workspace-preview.gitpod-io-dev.com:20000/remote/a89526c6-0444-4ea7-a24f-9ff1dba23d98@sha256:81d3aa67984a54e1c7b96b3212270096a79ae1b388cde193be7f5e52f1f669bf
lastState: {}
name: workspace
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2022-07-12T06:04:28Z"So, the code does not be executed. No VolumeSnapshot object be created if we enable the PVC feature flag. Manually create the VolumeSnapshot object (Pod is in Terminating state), and the VolumeSnapshot + VolumeSnapshotContect creates successfully. |
|
oh. that is quite interesting state. |
|
Okay, so my next thing is to find a way to make the orphaned PVC happen. |
|
👋 Hey @kylos101 as we discussed, we tried to simulate a scenario where the admin or on-caller accidentally deleted the workspace Pod and removed the finalizer, to see if we can make the orphaned PVC happen. I have tried the below three cases:
For case 2, the orphaned PVC is created however, the VolumeSnapshot is created as well (and is ready to use). I can't think of other cases that the orphaned PVC created however, the VolumeSnapshot does not create. |
|
Regarding scenario 2 (delete pod and remove pod finalizer), it sounds like:
Is that right? |
🎯 Correct! The snapshot is ready to use. |
|
Interesting. So we have a path where we do the right thing...except tell server to set the workspace status to Stopped. 🤔 Does this seem like something that would be doable to intercept/catch/respond to? I ask because, it would be ideal if the Gitpod workspace were in a final state, so that the user could access and use the data. |
Okay, the problem is that we depend on the workspace Pod annotation In the scenario, the workspace pod is forced to remove the finalizer before the volume snapshot is ready to use, so the ws-manager has no way to update/add the annotation We need to think of a way to update the pod status even if the workspace pod is gone, ref code of the ws-manager subscriber
|
|
@jenting given this issue pertains to many different scenarios, and is being discussed for almost 2 months, could you please keep the description of the issue up to date with a summary of the scenarios and conclusions? It will help others not involved in the conversation from the start to contribute 🎈 |
jenting
changed the title
|
Definition: The orphaned PVC means the workspace pod is gone, and the PVC has the user's content but the corresponding VolumeSnapshot object is not created by the ws-manager. Context: The PVC has a finalizer to protect it, and the PVC would be removed only when the corresponding Pod is gone. Scenarios We Tested: We have tested against lots of different scenarios so far to simulate orphaned PVC happens. Sadly, we can't reproduce it. Luckily, we found other issues when we test different scenarios.
Therefore, so far we can't find a way to make orphaned PVC happens (no workspace pod and no VolumeSnapshot object), I think we are okay to close it issue. |
|
@jenting thank you for the detailed breakdown! Given this, I agree, it makes sense to stop on this effort. As such, I will close this issue. |
Is your feature request related to a problem? Please describe
Find a way to make the orphaned PVC happen without the corresponding VolumeSnapshot object.
For example, will the following scenario trigger the orphaned PVC to happen without the corresponding VolumeSnapshot object?
Describe the behaviour you'd like
Describe alternatives you've considered
If we can't find a way to make the orphaned PVC happen, this issue is not needed.
Additional context
The workspace Pod has the finalizer to protect the pod itself. The finalizer is added when the workspace pod enters the Running state.
gitpod/components/ws-manager/pkg/manager/monitor.go
Line 407 in e0579ef
The finalizer is removed either
gitpod/components/ws-manager/pkg/manager/monitor.go
Line 496 in e0579ef
gitpod/components/ws-manager/pkg/manager/monitor.go
Line 506 in e0579ef
The PVC has a finalizer to protect it, the PVC would be removed only when the corresponding Pod is gone.
Therefore, in general, the Pod would be removed first and then the PVC.
So, the orphaned PVC would happen only when the workspace Pod is removed (which means the workspace pod finalizer is removed before the VolumeSnapshot object is created).
The text was updated successfully, but these errors were encountered: