Adding a new Deallocator component

[wk8]

This patch adds a new manager/deallocator package.

The deallocator's job is to take over deletion of services and service-level
resources (as of right now, only networks, but e.g. volumes would also fall in
the same category.

The deallocator relies on the reaper correctly deleting tasks for services that
are shutting down, and only when no tasks are left within a service does it
then proceed to delete that service and its resources.

This patch does not yet actually put that new component to use; that will be
done in a future, separate patch, for the sake of easier reviews.

Includes unit tests.

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "wk8/network_rm" [email protected]:wk8/swarmkit.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354530096
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[anshulpundir]

there's no index on the PendingDelete field

can you plz clarify what this means?

[wk8]

I mean that there's no DB index on that field; so listing those which are marked for deletion requires iterating over them all.

[anshulpundir]

cool. maybe clarify then:
there's no index on the PendingDelete field in the store

[anshulpundir]

this may cause problems. Maybe its better to be safe and maybe retry?

[wk8]

I thought about it. Sure, I'm not opposed to re-trying, but that only delays the real problem: what happens after we're retried n times and keep failing? Do we never stop trying (in which case this could be dangerous at another level, namely resource consumption & performance)? Or do we still forget after a while?

[anshulpundir]

provided no other service uses them

How do we check that?

[wk8]

That's what the resourceDeallocator.servicesLocator callback is for

[anshulpundir]

Can you please clarify why we need to do this?

[wk8]

I'm not 100% sure I understand the question correctly, but basically this also boils down to separating the resource-specific code from the core of the deallocator: each resource-specific file defines the API event it cares about, and this is just aggregating all that to feed it to store.ViewAndWatch below.

Please let me know if I misunderstood the question!

[anshulpundir]

I don't think there's any major performance overheads, but I don't know i this is a good pattern. cc @dperny

[wk8]

I also tend to shy away from using reflection when I can, but I couldn't find any other way to achieve what I wanted here, namely: have different callbacks for different event types without hard-coding in this file all the event types and their callback - for the sake of cleanly separating the deallocator itself from the deallocation code for each type of resource.

But then I'd love to be hinted at a better way of doing this :) !

[anshulpundir]

Based on the conversation above, interface{} might be the easiest and simplest way to do this for now. However, I'm not a golang expert, so I would love @dperny and @stevvooe 's opinion here

[anshulpundir]

can we do map[interface{}]resourceDeallocator ? @wk8

[wk8]

I'm not sure I understand the idea of not making it a bit more specific (reflect.Type than just an empty interface) if we can?

[anshulpundir]

Is reflect.Type more specific than interface{} ?

[wk8]

Well yes, it's a well-defined type, as opposed to interface{} which matches anything, akin to C/C++'s void*?

[anshulpundir]

Fair, but do any of those properties of a relfect.Type apply to this use-case?

Here's something I found about generics in golang. https://appliedgo.net/generics/
TLDR the recommendation from this article is to avoid reflection. Maybe use interface{} and type assertions?

[wk8]

Thanks, interesting read.

The main argument against reflection here is performance (type safety is not a concern here, given the very controlled fashion in which it's used). And sure enough, it's slower than a case switch (see below). But at least that allows us to not hardcode in the package's main file the different resource types, and keep each resource cleanly separated from the deallocator's code.

If we wanted to keep that separation of concerns in the code, we could indeed use type assertion in a linked list of resource-specific implementations, but that might grow slow if we add a lot of resources (10+, according to the benchmark below).

A rough benchmark:

package foo

import (
	"reflect"
	"testing"
)

type Foo struct{}
type Bar struct{}

var a = []interface{}{Foo{}, Bar{}}

var foo = reflect.TypeOf(Foo{})
var bar = reflect.TypeOf(Bar{})

func BenchmarkTypeOf(b *testing.B) {
	x, y := 0, 0

	for n := 0; n < b.N; n++ {
		for _, i := range a {
			switch reflect.TypeOf(i) {
			case foo:
				x++
			case bar:
				y++
			}
		}
	}

	assertSuccess(b, x, y)
}

func BenchmarkSwitch(b *testing.B) {
	x, y := 0, 0

	for n := 0; n < b.N; n++ {
		for _, i := range a {
			switch i.(type) {
			case Foo:
				x++
			case Bar:
				y++
			}
		}
	}

	assertSuccess(b, x, y)
}

func BenchmarkTypeAssertion(b *testing.B) {
	x, y := 0, 0

	for n := 0; n < b.N; n++ {
		for _, i := range a {
			if _, isFoo := i.(Foo); isFoo {
				x++
			} else if _, isBar := i.(Bar); isBar {
				y++
			}
		}
	}

	assertSuccess(b, x, y)
}

func assertSuccess(b *testing.B, x, y int) {
	if x != y || x != b.N {
		b.Error("shouldn't happen")
	}
}

yields

BenchmarkTypeOf-8          	100000000	        20.9 ns/op
BenchmarkSwitch-8          	1000000000	         2.89 ns/op
BenchmarkTypeAssertion-8   	2000000000	         1.89 ns/op

so, happy to re-write as a list of type assertions if you want?

[wk8]

(also, we only do a call to reflect.Type when there's an update to a network (or another service-level resource down the line), so the 10 ns price might be okay?)

[dperny]

oh boy

[dperny]

oh lord this is over-engineered.

[wk8]

This is from the recent protoc upgrade from #2750

[anshulpundir]

OK lets rebase?

[wk8]

There's nothing to rebase against. The protoc upgrade change did not change this file, but it should have: regenerating the proto files after the upgrade will included these lines.

[wk8]

(and sure, I could make it a separate PR, but is it really worth it?)

[codecov]

Codecov Report

Merging #2759 into master will increase coverage by 0.08%.
The diff coverage is 77.16%.

@@            Coverage Diff             @@
##           master    #2759      +/-   ##
==========================================
+ Coverage   61.87%   61.95%   +0.08%     
==========================================
  Files         136      137       +1     
  Lines       21926    22047     +121     
==========================================
+ Hits        13566    13660      +94     
- Misses       6896     6912      +16     
- Partials     1464     1475      +11

[dperny]

instead of using reflection and writing a more general API, can we write a less-general API that requires some objects be hard-coded? we have absolute control over what components perform resource deallocation, so we can just bake them in.

[dperny]

I think it's over-engineered. This is what we'd build if we were providing this as a framework or something against arbitrary types, but the types we're actually acting on are constrained to a pretty small set.

[dperny]

why map service IDs to both the service object AND the count? what does keeping a pointer to the service object get us, as opposed to having a map[string]int?

[wk8]

We do need the service itself at deallocation time. Saves a lookup. I guess we could do away with that, but seems like a pretty minor choice either way?

[anshulpundir]

Sorry I didn't pay attention to this comment before, but I agree with @dperny that it is cleaner to just store service id => count.

My suggestion: when designing data structures, its better to have as reasonably strong reason to do it a certain wait rather than it being fine either way. @wk8

[wk8]

@anshulpundir : isn't saving a lookup a strong enough reason?

[anshulpundir]

One extra lookup for each service delete is not that big a overhead. But I guess you could argue either way. I'll let you make the call.

[dperny]

yeah the more that i think about this... we ought to just do

allNetworks, err = store.FindNetworks(readTx, store.All)

and then later on if we add new resources (i.e. volumes), we'll just add more code:

allVolumes, err := store.FindVolumes(readTx, store.All)

This does lead to duplication, but it's much more clear. If we were ever going to have more than a handful of object types that needed to be managed by this, it would be different, but we almost certainly won't.

[dperny]

you want to wrap this in a sync.Once to make calls to Stop idempotent.

[wk8]

I'll do that when I get around to actually using it, right now I'm not clear on this. That's what the comment right before it hints at. But good catch, keeping it in mind :)

[dperny]

lol typedEvent is a way better name than swtich ev := event.(type) { (which is what we have in other places iirc)

[dperny]

i was wondering how you fixed the bug here. i believe you issue an event on notifyEventChan after the setup phase?

a better pattern than doing that would be to add a variable to the deallocator:

type Deallocator struct {
    // other fields elided
    started chan struct{}
}

Then, after the deallocator has started, you do:

close(started)

Finally, instead of passing expectedUpdates, you should just check if the db state is in the state you want.

[wk8]

Honestly not sold on this one. Adds yet another field for no great reason, and checking whether the deallocator actually performed any DB operations is an additional check on top of just checking that the DB is in the state we expect (which we also do).

[dperny]

LGTM now.

[anshulpundir]

It'll probably be helpful to briefly mention how the deallocator uses this flag.

[wk8]

👍

[anshulpundir]

nit: all the => all of the

[wk8]

👍

[anshulpundir]

Is there a period before this sentence?

[wk8]

👍

[anshulpundir]

same as above.

[wk8]

👍

[anshulpundir]

nit: remove 'A' at the beginning?

[wk8]

👍

[anshulpundir]

it has been deemed over-engineered to have a clean generic way

yikes!

[wk8]

Removed "clean" ;) didn't mean this comment that way

[anshulpundir]

implements => implement

[wk8]

👍

[anshulpundir]

Please add a comment.

[wk8]

👍

[anshulpundir]

thx for calling this out!

[anshulpundir]

cool. maybe clarify then:
there's no index on the PendingDelete field in the store

[anshulpundir]

roflol. Perhaps say something less dramatic?

[wk8]

👍

[anshulpundir]

please add a comment on what processService() does

[wk8]

👍

[anshulpundir]

what events are we waiting for?

[wk8]

The ones that were listed as args to store.ViewAndWatch just a few lines above? I'm not sure how to say that without being redundant?

[anshulpundir]

please add a comment.

[wk8]

👍

[anshulpundir]

add a comment on what processNewEvent() returns and how its used.

[wk8]

👍

[anshulpundir]

should this ever be called where the deallocator.eventChan is nil?

[wk8]

Yes. Added comments.

[anshulpundir]

I don't think this is a good idea, especially because deletion can't be reversed. Also, I think its better to have a leaked service object than corruption (tasks running without a service object). What do you think?

[wk8]

The whole point of this patch is to start asynchronously deleting services and their resources. That means that if errors occur when actually deleting, we can't just surface those to the user who requested the deletion in the first place, since their request have long since returned.

That leaves us with just a few options in my opinion:

1. not actually deleting anything when we encounter an error (in which case it would be nice to give the user say a "request ID" they can use to check on the status of a delete they've requested, and also the ability to force a delete after the normal flow has errored out.
2. always do a best-effort deletion; in which case, sure, we can end up aggressively deleting services and resources that might actually still be in use; but then that's the current behaviour anyway, so it's not worse - and the hope then (as now) is that the system eventually self recovers when tasks eventually do shut down anyway
3. a refinement on 2 would be adding exponential retries instead, but that does strike me as over-engineered, given the low impact of an anticipated deletion, together with the very low likelihood of that happening in the 1st place (how often do store operations realistically fail, really? At leadership change?)

[anshulpundir]

I see your point with 2 that this behavior is the same as the previous behavior. Looks good as you have it currently.

[wk8]

👍

[anshulpundir]

add a comment.

[wk8]

👍

[anshulpundir]

How do you handle the return value from this function, failures etc?

[wk8]

See #2759 (comment)

[anshulpundir]

Should errors be at least logged?

[wk8]

Both processNetwork and processService log errors

[anshulpundir]

do errors need to be handled or just ignored?

[wk8]

See #2759 (comment)

[anshulpundir]

Should errors be at least logged?

[wk8]

See #2759 (comment)

[anshulpundir]

add comments for updateFunc. Also do we really need a function object?

[wk8]

We do. This method can be called either with or without an open transaction, depending on whether it's done as part of a service cleanup or not. See how it's used in the if tx == nil ... else just below.

[anshulpundir]

nit: deallocating => deallocate

[wk8]

👍

[anshulpundir]

Please add comments for each of the arguments accepted by the function. e.g. its not obvious what ignoreServiceID does.

[wk8]

👍

[anshulpundir]

plz add a comment. All functions should have comments unless its blatantly obvious.

[wk8]

👍

[anshulpundir]

nit:

When a user requests a deletion

When a user requests a deletion of this network

[anshulpundir]

Sorry I didn't pay attention to this comment before, but I agree with @dperny that it is cleaner to just store service id => count.

My suggestion: when designing data structures, its better to have as reasonably strong reason to do it a certain wait rather than it being fine either way. @wk8

[anshulpundir]

few minor comments. Looks good otherwise!

[anshulpundir]

I see your point with 2 that this behavior is the same as the previous behavior. Looks good as you have it currently.

[anshulpundir]

Should errors be at least logged?

[anshulpundir]

Should errors be at least logged?

[anshulpundir]

Thanks for adding this, but I don't think its obvious to a first time reader. Why is it OK to deallocated the network when the only one using it has ID ignoreServiceID ?