New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
osd: add osd_fast_shutdown option (default true) #31677
Conversation
If we get a SIGINT or SIGTERM or are deleted from the OSDMap, do a fast shutdown by exiting immediately. This has a few important benefits: - We immediately stop responding (binding) to any sockets, which means other OSDs will immediately decide we are down (and dead!). This minimizes IO interruption. - We avoid the complex "clean" shutdown process, which is historically a source of bugs. In reality, the only purpose of the "clean" shutdown is to try to tear down everything in memory so we can do memory leak checking with valgrind. Set this option to false for valgrind QA runs so we can still do that. Not that with the new read leases in octopus, we rely on the default behavior that a ECONNREFUSED is taken to mean that the OSD is fully dead, so that we don't have to wait for any leases to time out. This works in sane environments with normal IP networks, but that behavior could conceivably be a bad idea if there are some weird network shenanigans going on. If osd_fast_fail_on_connection_refused were disabled, then this fast shutdown procedure might be *worse* than the clean shutdown because we would have to wait for the heartbeat timeout. Signed-off-by: Sage Weil <sage@redhat.com>
In my vstart testing this gives me a sub-second IO interruption when killing an OSD. |
Seems like this would expose potential consistency bugs in the objectstore/rocksdb more frequently, so it would be good for master, but not backport without plenty of testing |
Hmm is that fast IO interruption going to scale okay to real clusters, since it's relying on the monitor OSD failure tracking? |
That used to be true. These days (since luminous or kraken maybe?) when we get ECONNREFUSED we infer that the OSD process is really gone and mark it down immediately. |
Stopping the OSD doesn't guarantee that it will be marked down. Signed-off-by: Sage Weil <sage@redhat.com>
8d53cc9
to
30eb7dd
Compare
A kill doesn't induce a mark-down of the OSD with osd_fast_shutdown=true. Signed-off-by: Sage Weil <sage@redhat.com>
30eb7dd
to
3a62d16
Compare
* refs/pull/31677/head: qa/standalone/ceph-helpers.sh: remove osd down check qa/standalone/ceph-helpers.sh: destroy_osd: mark osd down osd: add osd_fast_shutdown option (default true) Reviewed-by: Sébastien Han <seb@redhat.com> Reviewed-by: Josh Durgin <jdurgin@redhat.com> Reviewed-by: Neha Ojha <nojha@redhat.com>
Are we going to backport this? |
Eventually, probably... but not in any hurry |
If we get a SIGINT or SIGTERM or are deleted from the OSDMap, do a fast
shutdown by exiting immediately. This has a few important benefits:
other OSDs will immediately decide we are down (and dead!). This
minimizes IO interruption.
source of bugs.
In reality, the only purpose of the "clean" shutdown is to try to tear down
everything in memory so we can do memory leak checking with valgrind. Set
this option to false for valgrind QA runs so we can still do that.
Not that with the new read leases in octopus, we rely on the default
behavior that a ECONNREFUSED is taken to mean that the OSD is fully dead,
so that we don't have to wait for any leases to time out. This works in
sane environments with normal IP networks, but that behavior could
conceivably be a bad idea if there are some weird network shenanigans
going on. If osd_fast_fail_on_connection_refused were disabled, then this
fast shutdown procedure might be worse than the clean shutdown because
we would have to wait for the heartbeat timeout.
Signed-off-by: Sage Weil sage@redhat.com