Node upgrades: basic mechanism #6082
Comments
mbforbes
added
priority/important-soon
mbforbes
added
the
sig/cluster-lifecycle
|
I thought salt was supposed to drive things to a specified end-state. Ideally, each salt stanza is idempotent, such that running it from e.g. base containerVM results in the same state as re-running it a second time on its previous output? If so, would it also be reasonable to audit those salt blocks and make sure they can also take outputs from previous versions of the salt config and drive the node to the same state as running against bare container VM? Would that be more robust than an "unsalt" config? That would be something like:
I wonder if we really wanted to bet on salt, would we make each stanza also responsible for stopping any relevant server before it twiddles the config if there's a change? Might be too prone to race conditions, though, so pausing the various servers might also be easier. |
|
I realize I may have misunderstand: does "stop running binaries" mean e.g. kubelet, or do you mean all containers as well? Also, if the kernel version is changing, will need a reboot in there somewhere...? |
|
This sounds much much harder than just destroying and re-creating the machine from scratch. Idempotency in machine setup is a minefield none have yet crossed. There are so many gotchas, and it won't work at all if you happen to hit an inconsistent intermediate state, if a machine hangs, etc. There are a lot of ways it can break. Given that kubernetes is designed primarily for virtualized environments... What's the advantage of trying to use already set up machines instead of just chucking them and getting new ones? |
|
Basically, I'm arguing that fast machine setup is a far easier problem than idempotent machine setup. |
|
We wanted to start with the "throw each node away" plan, but as pointed out At the limit, though, we believe that people aren't going to want to deal
|
|
Aaahh, thanks for the explanation. That makes some sense. It would certainly be nice if you can get it to work... it's just that it working 98% would be very very bad. |
|
@alex-mohr: Salt is only as state aware as the stanza files dictate. The biggest problem is that this is very brittle. If you do something like add a file in version X and forget to add a file.delete for it in version Y, but it's no longer applicable and yet still has a systemic effect, you just failed. So now you have to figure out how to test that, etc. This is why I was talking about crazy things like ephemeral boot disks. But let me finish #6070 so we stop talking about generalities. |
|
After a couple days of implementation, we discussed this path yesterday, and it turns out this actually isn't what we want to build. The following matrix has rows of "what we're going to upgrade" and columns of "how:"
(This issue is the one in the bottom-left.) The problem is that because we will have set version tuples (#4855), doing a kernel/OS upgrade with There are also the problems that @multilinear pointed out (and heavily discussed in #3333) about leftover node state. #6099 won't entirely avoid this either, but given we'll only be upgrading kukbe-* binaries, the considerations will be smaller in scope. I'm closing this issue now as it's a non-priority, and moving work over to #6099 (as #6088 is still blocked by #6087). |
See issue #6079 as the roll-up for node upgrades, including the specification of the minimum requirement that this issue will fulfill, as well as improvements that will come after.
This is the worklist item for a minimum viable node upgrade mechanism for 1.0.
Plan:
Outline:
Provisioning a new node is blocked on allowing new nodes to dynamically join a running cluster (#6087). In the mean time, the mechanism will do an in-place upgrade, blowing away as much as is necessary.
The text was updated successfully, but these errors were encountered: