Initial basic bootstrap-checkpoint support

[timothysc]

What this PR does / why we need it:
Adds initial support for Pod checkpointing to allow for controlled recovery of the control plane during self host failure conditions.

fixes #49236
xref kubernetes/enhancements#378

Special notes for your reviewer:

Proposal is here: https://docs.google.com/document/d/1hhrCa_nv0Sg4O_zJYOnelE8a5ClieyewEsQM6c7-5-o/edit?ts=5988fba8#

1. Controlled tests work, but I have not tested the self hosted api-server recovery, that requires validation and logs. /cc @luxas
2. In adding hooks for checkpoint manager much of the tests around basicpodmanager appears to be stub'd. This has become an anti-pattern in the code and should be avoided.
3. I need a node-e2e to ensure consistency of behavior.

Release note:

Add basic bootstrap checkpointing support to the kubelet for control plane recovery

/cc @kubernetes/sig-cluster-lifecycle-misc @kubernetes/sig-node-pr-reviews

[timothysc]

I will rebase post review and conversation. I will also post the design proposal writeup from https://docs.google.com/document/d/1hhrCa_nv0Sg4O_zJYOnelE8a5ClieyewEsQM6c7-5-o/edit?ts=5988fba8# today.

[luxas]

Did a quick initial pass.
As we said earlier, the naming of this feature will be crucial to not cause unneeded confusion.

I didn't see anything that'd remove the Static Pod once the pivot is done; WIP, right?
Also I didn't review the overall flow in detail, but am starting the conversation with these basic comments.

[luxas]

--experimental-BOOTSTRAPPING-checkpoint-path 😉?
We talked about scoping this down a lot and being clear about the functionality at this time.

[timothysc]

@yujuhong ?

[yujuhong]

I'm ok with @smarterclayton's suggestion for the flag experimental-pod-preservation-path

[timothysc]

I'm changing to --bootstrap-checkpoint-path per: ' https://github.com/kubernetes/community/pull/1241/files '

Putting 'experimental' or 'alpha' into names has been known to cause issues during promotion and we've moved to updating descriptions and documentation. The name change should suffice.

[luxas]

alpha.node.kubernetes.io/bootstrapping-checkpointing?
node.alpha.kubernetes.io/bootstrapping-checkpointing?

I guess that when this gets graduated we'll use an alpha/beta/whatever field using the grand new proposal we have for that, right?

[timothysc]

Nope alpha has been removed from the naming conventions per api-machinery folks.

[luxas]

Cool! That's a great step forwards 👍

[timothysc]

I'm keeping the annotation name the same for the purpose of potential re-use. The documentation update will call out the details and limitations.

[luxas]

error?

[luxas]

BootstrappingCheckpointPath?

[luxas]

comment

[luxas]

use "k8s.io/kubernetes/pkg/volume/util".LoadPodFromFile(filename string) for this instead?

[timothysc]

Ohh hey, that is handy, I'll update.

[timothysc]

Fixed.

[luxas]

nit: checkAnnotations will check whether the bootstrapping checkpointing annotation is set on the pod object

[luxas]

This makes something like var _ Manager = &fileCheckPointManager{} not needed, right?

[timothysc]

Yeah, and it's consistent with the rest of the Kubelet.

[luxas]

Not implemented yet, right?
Should we consider adding this to the comment once we actually add this feature?

[timothysc]

I'll nix the configmaps bit there.

[timothysc]

Fixed.

[rphillips]

nit. spacing

[timothysc]

@yujuhong - I'm pending on your feedback before I rebase and address other comments.

/cc @roberthbailey

[timothysc]

/cc @liggitt - Did you have opinions on the startup ordering. This is a PoC and comments are solicited.

[liggitt]

won't this make the kubelet kill any currently running containers not in the checkpointed list?

[timothysc]

nope, it only seeds the cache which will need to run through the checks.

[liggitt]

are you sure? this will add the ApiserverSource to the sourcesReady list before we've actually gotten a full list from the API server. That allows AllReady() to return true, which allows housekeeping to run HandlePodCleanups() prior to us knowing what we should be running from the API server. Won't that delete running containers?

[yujuhong]

@liggitt is right. Kubelet assumes the first update from a source includes the complete list of pods. Once all sources are ready, GC will kick in to delete containers that do not belong to a known pod.

Wiring this so that kubelet considers the source is not ready is required.

[smarterclayton]

Can we rename the flag and pr so it's clear that this isn't actually checkpointing (as discussed on the meeting)? I haven't seen a checkpointing design, I've seen something much more limited with no design consideration given to the long term problems.

[liggitt]

this means that removing the checkpoint annotation from a pod will never clean it up (here or in DeletePod)

[timothysc]

Good point, I'll create a UID cache so updates that remove cause a checkpoint delete.

[timothysc]

Fixed.

[timothysc]

Can we rename the flag and pr so it's clear that this isn't actually checkpointing (as discussed on the meeting)?

Gotta name?

I haven't seen a checkpointing design, I've seen something much more limited with no design consideration given to the long term problems.

Per the meeting, it was explicitly stated we would defer future use of such facilities would require their own proposals, but I'll distill the 2 docs down into concise language stating it explicitly and push today.

[smarterclayton]

Maybe experimental-pod-preservation-path for the flag and call it Pod Preservation or Kubelet Pod Memory or something that implies recall without the more precise term.

[yujuhong]

There are some tricky cases to consider for implementation. Will need to think about it more...

[yujuhong]

Why is this needed in this PR?

[timothysc]

Removed

[yujuhong]

@liggitt is right. Kubelet assumes the first update from a source includes the complete list of pods. Once all sources are ready, GC will kick in to delete containers that do not belong to a known pod.

Wiring this so that kubelet considers the source is not ready is required.

[yujuhong]

What's the expected behavior if this happens? kubelet simply won't restore the pod at startup?

[timothysc]

Yes, at some point intervention will be required, and given this is for bootstrapping this is ok.

[yujuhong]

Another problem is that if the pod gets deleted from the apiserver while kubelet is down, you would NOT receive a DELETE event from pkg/kubelet/config/apiserver.go through the regular channel because the cache in the pkg/kubelet/config would be cold. That means you will keep the pods restored from the checkpoint forever.

That's one of the reasons why I suggested also looking into storing the checkpoints there (pkg/kubelet/config).

[timothysc]

Fixed following your example.

[yujuhong]

ioutil.WriteFile doesn't call f.Sync(). You'll likely end up with corrupted files, which we may not be able to detect due to the lack of checksum?

[yujuhong]

Also, is the write atomic? Do we need to write to a temp file and move it here?

[xiang90]

yes. we need to write a temp file, fsync it and rename.

[timothysc]

Fixed, using safefile instead.

[yujuhong]

I'm ok with @smarterclayton's suggestion for the flag experimental-pod-preservation-path

[timothysc]

/test pull-kubernetes-unit

[yujuhong]

The PR mostly looks good.

Besides the basic checkpoint write/restore testing (which should be a node e2e test suite), I'd like to see testing for the following cases:

1. Update the pods in the apiserver while kubelet is down. Ensure kubelet restores the pods from the checkpoints, AND gets the updates from the apiserver correctly (i.e., eventually gets the updated pods).
2. Delete the pods from the apiserver while kubelet is down. Ensure kubelet properly deletes pods (and the checkpoints).
3. Change annotation of a pod and observe checkpoints are handled properly.

As we agreed in our last meeting, manual testing is fine for these corner cases for now. Eventually, it'd be nice to have some test coverage in our CI.

[yujuhong]

s/json:"checkpointPath/json:"bootstrapCheckpointPath

[timothysc]

Fixed.

[yujuhong]

Spoke to @mtaufen offline. He has removed all Alpha features from the kubeletconfig, unless they are feature-gated.
To make it consistent with other fields, the suggestion is either

1. Remove this from the configuration, but keep it as a flag, or
2. Feature gate this properly.

[yujuhong]

BTW, removing this from the configuration may make node e2e testing harder, just FYI.

[mtaufen]

Yup, and just to add some context:

1. Removing it from the configuration for now doesn't prevent you from adding it back later, once you're more confident in the stability of your API and behavior (e.g. no longer an alpha feature).
2. If you do want an alpha feature in the API, these are the guidelines regarding feature gating it properly: https://github.com/kubernetes/community/blob/master/contributors/devel/api_changes.md#alpha-field-in-existing-api-version

[timothysc]

He has removed all Alpha features from the kubeletconfig, unless they are feature-gated.

@yujuhong This is patently untrue.

NodeLabels, VolumePluginDir, CPUManagerPolicy, LockFilePath are all alpha labeled features that exist in the kubeletconfig. The usage of componentconfig is also alpha, from what I've seen.

[timothysc]

I can do whatever, but your statement doesn't reconcile with what is there.

[mtaufen]

@timothysc CPUManagerPolicy is feature gated, which is why it remains.
NodeLabels, VolumePluginDir, and LockFilePath were all moved from KubeletConfiguration to KubeletFlags in #55562, because they are alpha but lack feature gates.
This is in preparation for moving KubeletConfiguration to beta.
Please feature gate your field if you want to leave it in KubeletConfiguration or otherwise move it to KubeletFlags.
If you have more questions, feel free to ping me on Slack.

[timothysc]

Fixed, following #55562 as reference.

[yujuhong]

Suggestion: add a comment to indicate that this is just for precaution; current implementation do/should not run multiple checkpoint managers.

[yujuhong]

+1 for making it a constant.

[yujuhong]

nit: I'd prefer %s too since it's more clear.

[yujuhong]

Don't think you need to Stat first.

	if err := os.Remove(podPath); !os.IsNotExist(err) {
         return err
    }
    return nil

[timothysc]

fixed.

[yujuhong]

Why changing this? I'm not familiar with the codecs, so just a question.

[timothysc]

In testing that f(n) it was a bug.

[yujuhong]

Add a comment warning that this must happen before creating the apiserver source below, or the checkpoint would override the source of truth (apiserver).

[timothysc]

Fixed.

[yujuhong]

Remove the original (now duplicated) comment below (line 1880)

[timothysc]

Fixed.

[yujuhong]

IIUC, every update of a regular pod without the checkpoint annotation will trigger a deletion, which either calls os.Stat or os.Remove. That doesn't seem good. If you plan to optimize that in the future, please add a TODO.

[timothysc]

The stat precedes any delete, and again this is an opt-in behavior on master nodes for control plane bootstrapping, not general purpose checkpointing, but I can add a TODO to optimize if more generally used.

[timothysc]

I updated below.

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Current

@luxas @timothysc @yujuhong

Note: If this pull request is not resolved or labeled as priority/critical-urgent by Wed, Nov 22 it will be moved out of the v1.9 milestone.

Pull Request Labels

• sig/cluster-lifecycle sig/node: Pull Request will be escalated to these SIGs if needed.
• priority/important-soon: Escalate to the pull request owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
• kind/feature: New functionality.

Help

• Additional instructions
• Commands for setting labels

[timothysc]

/test pull-kubernetes-e2e-gce-device-plugin-gpu

[yujuhong]

Would this possibly contain temporary files written by safefile.WriteFile? Could you check and ignore them?

[yujuhong]

I think the code would print an warning, but it's quite annoying. Okay for an alpha feature though, as long as those temporary files are properly ignored. Please do check if that's the case.

[yujuhong]

Looks good overall. Look forward to seeing the followup test PRs.

[yujuhong]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: timothysc, yujuhong
We suggest the following additional approver: thockin

Assign the PR to them by writing /assign @thockin in a comment when ready.

Associated issue: 49236

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 55812, 55752, 55447, 55848, 50984). If you want to cherry-pick this change to another branch, please follow the instructions here.

[aoxn]

Is that mean that i have to power up the right machine which has apiserver.pod on to survive cluster power failure? I cant bring up my failed cluster back after power up the right node. Am i right? @timothysc

[luxas]

@spacexnice Please discuss that in an issue or on Slack. Thanks