man gnt-cluster: mention ipolicy check

[ganeti-local] / doc / design-autorepair.rst

====================
Instance auto-repair
====================

.. contents:: :depth: 4

This is a design document detailing the implementation of self-repair and
recreation of instances in Ganeti. It also discusses ideas that might be useful
for more future self-repair situations.

Current state and shortcomings
==============================

Ganeti currently doesn't do any sort of self-repair or self-recreate of
instances:

- If a drbd instance is broken (its primary of secondary nodes go
  offline or need to be drained) an admin or an external tool must fail
  it over if necessary, and then trigger a disk replacement.
- If a plain instance is broken (or both nodes of a drbd instance are)
  an admin or an external tool must recreate its disk and reinstall it.

Moreover in an oversubscribed cluster operations mentioned above might
fail for lack of capacity until a node is repaired or a new one added.
In this case an external tool would also need to go through any
"pending-recreate" or "pending-repair" instances and fix them.

Proposed changes
================

We'd like to increase the self-repair capabilities of Ganeti, at least
with regards to instances. In order to do so we plan to add mechanisms
to mark an instance as "due for being repaired" and then the relevant
repair to be performed as soon as it's possible, on the cluster.

The self repair will be written as part of ganeti-watcher or as an extra
watcher component that is called less often.

As the first version we'll only handle the case in which an instance
lives on an offline or drained node. In the future we may add more
self-repair capabilities for errors ganeti can detect.

New attributes (or tags)
------------------------

In order to know when to perform a self-repair operation we need to know
whether they are allowed by the cluster administrator.

This can be implemented as either new attributes or tags. Tags could be
acceptable as they would only be read and interpreted by the self-repair tool
(part of the watcher), and not by the ganeti core opcodes and node rpcs. The
following tags would be needed:

ganeti:watcher:autorepair:<type>
++++++++++++++++++++++++++++++++

(instance/nodegroup/cluster)
Allow repairs to happen on an instance that has the tag, or that lives
in a cluster or nodegroup which does. Types of repair are in order of
perceived risk, lower to higher, and each type includes allowing the
operations in the lower ones:

- ``fix-storage`` allows a disk replacement or another operation that
  fixes the instance backend storage without affecting the instance
  itself. This can for example recover from a broken drbd secondary, but
  risks data loss if something is wrong on the primary but the secondary
  was somehow recoverable.
- ``migrate`` allows an instance migration. This can recover from a
  drained primary, but can cause an instance crash in some cases (bugs).
- ``failover`` allows instance reboot on the secondary. This can recover
  from an offline primary, but the instance will lose its running state.
- ``reinstall`` allows disks to be recreated and an instance to be
  reinstalled. This can recover from primary&secondary both being
  offline, or from an offline primary in the case of non-redundant
  instances. It causes data loss.

Each repair type allows all the operations in the previous types, in the
order above, in order to ensure a repair can be completed fully. As such
a repair of a lower type might not be able to proceed if it detects an
error condition that requires a more risky or drastic solution, but
never vice versa (if a worse solution is allowed then so is a better
one).

If there are multiple ``ganeti:watcher:autorepair:<type>`` tags in an
object (cluster, node group or instance), the least destructive tag
takes precedence. When multiplicity happens across objects, the nearest
tag wins. For example, if in a cluster with two instances, *I1* and
*I2*, *I1* has ``failover``, and the cluster itself has both
``fix-storage`` and ``reinstall``, *I1* will end up with ``failover``
and *I2* with ``fix-storage``.

ganeti:watcher:autorepair:suspend[:<timestamp>]
+++++++++++++++++++++++++++++++++++++++++++++++

(instance/nodegroup/cluster)
If this tag is encountered no autorepair operations will start for the
instance (or for any instance, if present at the cluster or group
level). Any job which already started will be allowed to finish, but
then the autorepair system will not proceed further until this tag is
removed, or the timestamp passes (in which case the tag will be removed
automatically by the watcher).

Note that depending on how this tag is used there might still be race
conditions related to it for an external tool that uses it
programmatically, as no "lock tag" or tag "test-and-set" operation is
present at this time. While this is known we won't solve these race
conditions in the first version.

It might also be useful to easily have an operation that tags all
instances matching a  filter on some charateristic. But again, this
wouldn't be specific to this tag.

If there are multiple
``ganeti:watcher:autorepair:suspend[:<timestamp>]`` tags in an object,
the form without timestamp takes precedence (permanent suspension); or,
if all object tags have a timestamp, the one with the highest timestamp.
When multiplicity happens across objects, the nearest tag wins, as
above. This makes it possible to suspend cluster-enabled repairs with a
single tag in the cluster object; or to suspend them only for a certain
node group or instance. At the same time, it is possible to re-enable
cluster-suspended repairs in a particular instance or group by applying
an enable tag to them.

ganeti:watcher:autorepair:pending:<type>:<id>:<timestamp>:<jobs>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(instance)
If this tag is present a repair of type ``type`` is pending on the
target instance. This means that either jobs are being run, or it's
waiting for resource availability. ``id`` is the unique id identifying
this repair, ``timestamp`` is the time when this tag was first applied
to this instance for this ``id`` (we will "update" the tag by adding a
"new copy" of it and removing the old version as we run more jobs, but
the timestamp will never change for the same repair)

``jobs`` is the list of jobs already run or being run to repair the
instance (separated by a plus sign, *+*). If the instance has just
been put in pending state but no job has run yet, this list is empty.

This tag will be set by ganeti if an equivalent autorepair tag is
present and a a repair is needed, or can be set by an external tool to
request a repair as a "once off".

If multiple instances of this tag are present they will be handled in
order of timestamp.

ganeti:watcher:autorepair:result:<type>:<id>:<timestamp>:<result>:<jobs>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(instance)
If this tag is present a repair of type ``type`` has been performed on
the instance and has been completed by ``timestamp``. The result is
either ``success``, ``failure`` or ``enoperm``, and jobs is a
*+*-separated list of jobs that were executed for this repair.

An ``enoperm`` result is returned when the repair was brought on until
possible, but the repair type doesn't consent to proceed further.

Possible states, and transitions
--------------------------------

At any point an instance can be in one of the following health states:

Healthy
+++++++

The instance lives on only online nodes. The autorepair system will
never touch these instances. Any ``repair:pending`` tags will be removed
and marked ``success`` with no jobs attached to them.

This state can transition to:

- Needs-repair, repair disallowed (node offlined or drained, no
  autorepair tag)
- Needs-repair, autorepair allowed (node offlined or drained, autorepair
  tag present)
- Suspended (a suspend tag is added)

Suspended
+++++++++

Whenever a ``repair:suspend`` tag is added the autorepair code won't
touch the instance until the timestamp on the tag has passed, if
present. The tag will be removed afterwards (and the instance will
transition to its correct state, depending on its health and other
tags).

Note that when an instance is suspended any pending repair is
interrupted, but jobs which were submitted before the suspension are
allowed to finish.

Needs-repair, repair disallowed
+++++++++++++++++++++++++++++++

The instance lives on an offline or drained node, but no autorepair tag
is set, or the autorepair tag set is of a type not powerful enough to
finish the repair. The autorepair system will never touch these
instances, and they can transition to:

- Healthy (manual repair)
- Pending repair (a ``repair:pending`` tag is added)
- Needs-repair, repair allowed always (an autorepair always tag is added)
- Suspended (a suspend tag is added)

Needs-repair, repair allowed always
+++++++++++++++++++++++++++++++++++

A ``repair:pending`` tag is added, and the instance transitions to the
Pending Repair state. The autorepair tag is preserved.

Of course if a ``repair:suspended`` tag is found no pending tag will be
added, and the instance will instead transition to the Suspended state.

Pending repair
++++++++++++++

When an instance is in this stage the following will happen:

If a ``repair:suspended`` tag is found the instance won't be touched and
moved to the Suspended state. Any jobs which were already running will
be left untouched.

If there are still jobs running related to the instance and scheduled by
this repair they will be given more time to run, and the instance will
be checked again later.  The state transitions to itself.

If no jobs are running and the instance is detected to be healthy, the
``repair:result`` tag will be added, and the current active
``repair:pending`` tag will be removed. It will then transition to the
Healthy state if there are no ``repair:pending`` tags, or to the Pending
state otherwise: there, the instance being healthy, those tags will be
resolved without any operation as well (note that this is the same as
transitioning to the Healthy state, where ``repair:pending`` tags would
also be resolved).

If no jobs are running and the instance still has issues:

- if the last job(s) failed it can either be retried a few times, if
  deemed to be safe, or the repair can transition to the Failed state.
  The ``repair:result`` tag will be added, and the active
  ``repair:pending`` tag will be removed (further ``repair:pending``
  tags will not be able to proceed, as explained by the Failed state,
  until the failure state is cleared)
- if the last job(s) succeeded but there are not enough resources to
  proceed, the state will transition to itself and no jobs are
  scheduled. The tag is left untouched (and later checked again). This
  basically just delays any repairs, the current ``pending`` tag stays
  active, and any others are untouched).
- if the last job(s) succeeded but the repair type cannot allow to
  proceed any further the ``repair:result`` tag is added with an
  ``enoperm`` result, and the current ``repair:pending`` tag is removed.
  The instance is now back to "Needs-repair, repair disallowed",
  "Needs-repair, autorepair allowed", or "Pending" if there is already a
  future tag that can repair the instance.
- if the last job(s) succeeded and the repair can continue new job(s)
  can be submitted, and the ``repair:pending`` tag can be updated.

Failed
++++++

If repairing an instance has failed a ``repair:result:failure`` is
added. The presence of this tag is used to detect that an instance is in
this state, and it will not be touched until the failure is investigated
and the tag is removed.

An external tool or person needs to investigate the state of the
instance and remove this tag when he is sure the instance is repaired
and safe to turn back to the normal autorepair system.

(Alternatively we can use the suspended state (indefinitely or
temporarily) to mark the instance as "not touch" when we think a human
needs to look at it. To be decided).

A graph with the possible transitions follows; note that in the graph,
following the implementation, the two ``Needs repair`` states have been
coalesced into one; and the ``Suspended`` state disapears, for it
becames an attribute of the instance object (its auto-repair policy).

.. digraph:: "auto-repair-states"

  node     [shape=circle, style=filled, fillcolor="#BEDEF1",
            width=2, fixedsize=true];
  healthy  [label="Healthy"];
  needsrep [label="Needs repair"];
  pendrep  [label="Pending repair"];
  failed   [label="Failed repair"];
  disabled [label="(no state)", width=1.25];

  {rank=same; needsrep}
  {rank=same; healthy}
  {rank=same; pendrep}
  {rank=same; failed}
  {rank=same; disabled}

  // These nodes are needed to be the "origin" of the "initial state" arrows.
  node [width=.5, label="", style=invis];
  inih;
  inin;
  inip;
  inif;
  inix;

  edge [fontsize=10, fontname="Arial Bold", fontcolor=blue]

  inih -> healthy  [label="No tags or\nresult:success"];
  inip -> pendrep  [label="Tag:\nautorepair:pending"];
  inif -> failed   [label="Tag:\nresult:failure"];
  inix -> disabled [fontcolor=black, label="ArNotEnabled"];

  edge [fontcolor="orange"];

  healthy -> healthy [label="No problems\ndetected"];

  healthy -> needsrep [
             label="Brokeness\ndetected in\nfirst half of\nthe tool run"];

  pendrep -> healthy [
             label="All jobs\ncompleted\nsuccessfully /\ninstance healthy"];

  pendrep -> failed [label="Some job(s)\nfailed"];

  edge [fontcolor="red"];

  needsrep -> pendrep [
              label="Repair\nallowed and\ninitial job(s)\nsubmitted"];

  needsrep -> needsrep [
              label="Repairs suspended\n(no-op) or enabled\nbut not powerful enough\n(result: enoperm)"];

  pendrep -> pendrep [label="More jobs\nsubmitted"];


Repair operation
----------------

Possible repairs are:

- Replace-disks (drbd, if the secondary is down), (or other storage
  specific fixes)
- Migrate (shared storage, rbd, drbd, if the primary is drained)
- Failover (shared storage, rbd, drbd, if the primary is down)
- Recreate disks + reinstall (all nodes down, plain, files or drbd)

Note that more than one of these operations may need to happen before a
full repair is completed (eg. if a drbd primary goes offline first a
failover will happen, then a replce-disks).

The self-repair tool will first take care of all needs-repair instance
that can be brought into ``pending`` state, and transition them as
described above.

Then it will go through any ``repair:pending`` instances and handle them
as described above.

Note that the repair tool MAY "group" instances by performing common
repair jobs for them (eg: node evacuate).

Staging of work
---------------

First version: recreate-disks + reinstall (2.6.1)
Second version: failover and migrate repairs (2.7)
Third version: replace disks repair (2.7 or 2.8)

Future work
===========

One important piece of work will be reporting what the autorepair system
is "thinking" and exporting this in a form that can be read by an
outside user or system. In order to do this we need a better
communication system than embedding this information into tags. This
should be thought in an extensible way that can be used in general for
Ganeti to provide "advisory" information about entities it manages, and
for an external system to "advise" ganeti over what it can do, but in a
less direct manner than submitting individual jobs.

Note that cluster verify checks some errors that are actually instance
specific, (eg. a missing backend disk on a drbd node) or node-specific
(eg. an extra lvm device). If we were to split these into "instance
verify", "node verify" and "cluster verify", then we could easily use
this tool to perform some of those repairs as well.

Finally self-repairs could also be extended to the cluster level, for
example concepts like "N+1 failures", missing master candidates, etc. or
node level for some specific types of errors.

.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: