Instance auto-repair

Created:

2012-Sep-03

Status:

Implemented

Ganeti-Version:

2.8.0

This is a design document detailing the implementation of self-repair and recreation of instances in Ganeti. It also discusses ideas that might be useful for more future self-repair situations.

Current state and shortcomings

Ganeti currently doesn’t do any sort of self-repair or self-recreate of instances:

  • If a drbd instance is broken (its primary of secondary nodes go offline or need to be drained) an admin or an external tool must fail it over if necessary, and then trigger a disk replacement.

  • If a plain instance is broken (or both nodes of a drbd instance are) an admin or an external tool must recreate its disk and reinstall it.

Moreover in an oversubscribed cluster operations mentioned above might fail for lack of capacity until a node is repaired or a new one added. In this case an external tool would also need to go through any “pending-recreate” or “pending-repair” instances and fix them.

Proposed changes

We’d like to increase the self-repair capabilities of Ganeti, at least with regards to instances. In order to do so we plan to add mechanisms to mark an instance as “due for being repaired” and then the relevant repair to be performed as soon as it’s possible, on the cluster.

The self repair will be written as part of ganeti-watcher or as an extra watcher component that is called less often.

As the first version we’ll only handle the case in which an instance lives on an offline or drained node. In the future we may add more self-repair capabilities for errors ganeti can detect.

New attributes (or tags)

In order to know when to perform a self-repair operation we need to know whether they are allowed by the cluster administrator.

This can be implemented as either new attributes or tags. Tags could be acceptable as they would only be read and interpreted by the self-repair tool (part of the watcher), and not by the ganeti core opcodes and node rpcs. The following tags would be needed:

ganeti:watcher:autorepair:<type>

(instance/nodegroup/cluster) Allow repairs to happen on an instance that has the tag, or that lives in a cluster or nodegroup which does. Types of repair are in order of perceived risk, lower to higher, and each type includes allowing the operations in the lower ones:

  • fix-storage allows a disk replacement or another operation that fixes the instance backend storage without affecting the instance itself. This can for example recover from a broken drbd secondary, but risks data loss if something is wrong on the primary but the secondary was somehow recoverable.

  • migrate allows an instance migration. This can recover from a drained primary, but can cause an instance crash in some cases (bugs).

  • failover allows instance reboot on the secondary. This can recover from an offline primary, but the instance will lose its running state.

  • reinstall allows disks to be recreated and an instance to be reinstalled. This can recover from primary&secondary both being offline, or from an offline primary in the case of non-redundant instances. It causes data loss.

Each repair type allows all the operations in the previous types, in the order above, in order to ensure a repair can be completed fully. As such a repair of a lower type might not be able to proceed if it detects an error condition that requires a more risky or drastic solution, but never vice versa (if a worse solution is allowed then so is a better one).

If there are multiple ganeti:watcher:autorepair:<type> tags in an object (cluster, node group or instance), the least destructive tag takes precedence. When multiplicity happens across objects, the nearest tag wins. For example, if in a cluster with two instances, I1 and I2, I1 has failover, and the cluster itself has both fix-storage and reinstall, I1 will end up with failover and I2 with fix-storage.

ganeti:watcher:autorepair:suspend[:<timestamp>]

(instance/nodegroup/cluster) If this tag is encountered no autorepair operations will start for the instance (or for any instance, if present at the cluster or group level). Any job which already started will be allowed to finish, but then the autorepair system will not proceed further until this tag is removed, or the timestamp passes (in which case the tag will be removed automatically by the watcher).

Note that depending on how this tag is used there might still be race conditions related to it for an external tool that uses it programmatically, as no “lock tag” or tag “test-and-set” operation is present at this time. While this is known we won’t solve these race conditions in the first version.

It might also be useful to easily have an operation that tags all instances matching a filter on some characteristic. But again, this wouldn’t be specific to this tag.

If there are multiple ganeti:watcher:autorepair:suspend[:<timestamp>] tags in an object, the form without timestamp takes precedence (permanent suspension); or, if all object tags have a timestamp, the one with the highest timestamp. When multiplicity happens across objects, the nearest tag wins, as above. This makes it possible to suspend cluster-enabled repairs with a single tag in the cluster object; or to suspend them only for a certain node group or instance. At the same time, it is possible to re-enable cluster-suspended repairs in a particular instance or group by applying an enable tag to them.

ganeti:watcher:autorepair:pending:<type>:<id>:<timestamp>:<jobs>

(instance) If this tag is present a repair of type type is pending on the target instance. This means that either jobs are being run, or it’s waiting for resource availability. id is the unique id identifying this repair, timestamp is the time when this tag was first applied to this instance for this id (we will “update” the tag by adding a “new copy” of it and removing the old version as we run more jobs, but the timestamp will never change for the same repair)

jobs is the list of jobs already run or being run to repair the instance (separated by a plus sign, +). If the instance has just been put in pending state but no job has run yet, this list is empty.

This tag will be set by ganeti if an equivalent autorepair tag is present and a a repair is needed, or can be set by an external tool to request a repair as a “once off”.

If multiple instances of this tag are present they will be handled in order of timestamp.

ganeti:watcher:autorepair:result:<type>:<id>:<timestamp>:<result>:<jobs>

(instance) If this tag is present a repair of type type has been performed on the instance and has been completed by timestamp. The result is either success, failure or enoperm, and jobs is a +-separated list of jobs that were executed for this repair.

An enoperm result is returned when the repair was brought on until possible, but the repair type doesn’t consent to proceed further.

Possible states, and transitions

At any point an instance can be in one of the following health states:

Healthy

The instance lives on only online nodes. The autorepair system will never touch these instances. Any repair:pending tags will be removed and marked success with no jobs attached to them.

This state can transition to:

  • Needs-repair, repair disallowed (node offlined or drained, no autorepair tag)

  • Needs-repair, autorepair allowed (node offlined or drained, autorepair tag present)

  • Suspended (a suspend tag is added)

Suspended

Whenever a repair:suspend tag is added the autorepair code won’t touch the instance until the timestamp on the tag has passed, if present. The tag will be removed afterwards (and the instance will transition to its correct state, depending on its health and other tags).

Note that when an instance is suspended any pending repair is interrupted, but jobs which were submitted before the suspension are allowed to finish.

Needs-repair, repair disallowed

The instance lives on an offline or drained node, but no autorepair tag is set, or the autorepair tag set is of a type not powerful enough to finish the repair. The autorepair system will never touch these instances, and they can transition to:

  • Healthy (manual repair)

  • Pending repair (a repair:pending tag is added)

  • Needs-repair, repair allowed always (an autorepair always tag is added)

  • Suspended (a suspend tag is added)

Needs-repair, repair allowed always

A repair:pending tag is added, and the instance transitions to the Pending Repair state. The autorepair tag is preserved.

Of course if a repair:suspended tag is found no pending tag will be added, and the instance will instead transition to the Suspended state.

Pending repair

When an instance is in this stage the following will happen:

If a repair:suspended tag is found the instance won’t be touched and moved to the Suspended state. Any jobs which were already running will be left untouched.

If there are still jobs running related to the instance and scheduled by this repair they will be given more time to run, and the instance will be checked again later. The state transitions to itself.

If no jobs are running and the instance is detected to be healthy, the repair:result tag will be added, and the current active repair:pending tag will be removed. It will then transition to the Healthy state if there are no repair:pending tags, or to the Pending state otherwise: there, the instance being healthy, those tags will be resolved without any operation as well (note that this is the same as transitioning to the Healthy state, where repair:pending tags would also be resolved).

If no jobs are running and the instance still has issues:

  • if the last job(s) failed it can either be retried a few times, if deemed to be safe, or the repair can transition to the Failed state. The repair:result tag will be added, and the active repair:pending tag will be removed (further repair:pending tags will not be able to proceed, as explained by the Failed state, until the failure state is cleared)

  • if the last job(s) succeeded but there are not enough resources to proceed, the state will transition to itself and no jobs are scheduled. The tag is left untouched (and later checked again). This basically just delays any repairs, the current pending tag stays active, and any others are untouched).

  • if the last job(s) succeeded but the repair type cannot allow to proceed any further the repair:result tag is added with an enoperm result, and the current repair:pending tag is removed. The instance is now back to “Needs-repair, repair disallowed”, “Needs-repair, autorepair allowed”, or “Pending” if there is already a future tag that can repair the instance.

  • if the last job(s) succeeded and the repair can continue new job(s) can be submitted, and the repair:pending tag can be updated.

Failed

If repairing an instance has failed a repair:result:failure is added. The presence of this tag is used to detect that an instance is in this state, and it will not be touched until the failure is investigated and the tag is removed.

An external tool or person needs to investigate the state of the instance and remove this tag when he is sure the instance is repaired and safe to turn back to the normal autorepair system.

(Alternatively we can use the suspended state (indefinitely or temporarily) to mark the instance as “not touch” when we think a human needs to look at it. To be decided).

A graph with the possible transitions follows; note that in the graph, following the implementation, the two Needs repair states have been coalesced into one; and the Suspended state disappears, for it becomes an attribute of the instance object (its auto-repair policy).

digraph "auto-repair-states" { node [shape=circle, style=filled, fillcolor="#BEDEF1", width=2, fixedsize=true]; healthy [label="Healthy"]; needsrep [label="Needs repair"]; pendrep [label="Pending repair"]; failed [label="Failed repair"]; disabled [label="(no state)", width=1.25]; {rank=same; needsrep} {rank=same; healthy} {rank=same; pendrep} {rank=same; failed} {rank=same; disabled} // These nodes are needed to be the "origin" of the "initial state" arrows. node [width=.5, label="", style=invis]; inih; inin; inip; inif; inix; edge [fontsize=10, fontname="Arial Bold", fontcolor=blue] inih -> healthy [label="No tags or\nresult:success"]; inip -> pendrep [label="Tag:\nautorepair:pending"]; inif -> failed [label="Tag:\nresult:failure"]; inix -> disabled [fontcolor=black, label="ArNotEnabled"]; edge [fontcolor="orange"]; healthy -> healthy [label="No problems\ndetected"]; healthy -> needsrep [ label="Brokeness\ndetected in\nfirst half of\nthe tool run"]; pendrep -> healthy [ label="All jobs\ncompleted\nsuccessfully /\ninstance healthy"]; pendrep -> failed [label="Some job(s)\nfailed"]; edge [fontcolor="red"]; needsrep -> pendrep [ label="Repair\nallowed and\ninitial job(s)\nsubmitted"]; needsrep -> needsrep [ label="Repairs suspended\n(no-op) or enabled\nbut not powerful enough\n(result: enoperm)"]; pendrep -> pendrep [label="More jobs\nsubmitted"]; }

Repair operation

Possible repairs are:

  • Replace-disks (drbd, if the secondary is down), (or other storage specific fixes)

  • Migrate (shared storage, rbd, drbd, if the primary is drained)

  • Failover (shared storage, rbd, drbd, if the primary is down)

  • Recreate disks + reinstall (all nodes down, plain, files or drbd)

Note that more than one of these operations may need to happen before a full repair is completed (eg. if a drbd primary goes offline first a failover will happen, then a replace-disks).

The self-repair tool will first take care of all needs-repair instance that can be brought into pending state, and transition them as described above.

Then it will go through any repair:pending instances and handle them as described above.

Note that the repair tool MAY “group” instances by performing common repair jobs for them (eg: node evacuate).

Staging of work

First version: recreate-disks + reinstall (2.6.1) Second version: failover and migrate repairs (2.7) Third version: replace disks repair (2.7 or 2.8)

Future work

One important piece of work will be reporting what the autorepair system is “thinking” and exporting this in a form that can be read by an outside user or system. In order to do this we need a better communication system than embedding this information into tags. This should be thought in an extensible way that can be used in general for Ganeti to provide “advisory” information about entities it manages, and for an external system to “advise” ganeti over what it can do, but in a less direct manner than submitting individual jobs.

Note that cluster verify checks some errors that are actually instance specific, (eg. a missing backend disk on a drbd node) or node-specific (eg. an extra lvm device). If we were to split these into “instance verify”, “node verify” and “cluster verify”, then we could easily use this tool to perform some of those repairs as well.

Finally self-repairs could also be extended to the cluster level, for example concepts like “N+1 failures”, missing master candidates, etc. or node level for some specific types of errors.