Wait until backend storage PVC is ready before starting VMIs

[jean-edouard]

What this PR does

Before this PR:
VMIs can encounter a (non-fatal) error while starting if the PVC is not ready.

After this PR:
VMIs will wait until the PVC is ready and not run into any error.

Fixes #

Why we need it and why it was done in this way

The following tradeoffs were made:

The following alternatives were considered:

Links to places where the discussion took place:

Special notes for your reviewer

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note

NONE

[fossedihelm]

Thank you @jean-edouard! Some comments below! Thanks

[fossedihelm]

Maybe do it inline?

Suggested change

	var backendStoragePending bool
	backendStoragePending, err = backendstorage.IsPVCPending(vmi, c.clientset)
	backendStoragePending, err := backendstorage.IsPVCPending(vmi, c.clientset)

[fossedihelm]

What happens if PVC goes to Lost state?

[jean-edouard]

Maybe do it inline?

'err' redeclared in this block

What happens if PVC goes to Lost state?

Good point, changed to an error in that case

[fossedihelm]

This is used from the vmi controller which has a pvcInformer. How about using it?

[jean-edouard]

Well if the PVC just got created, the informer might not have been updated yet, triggering an error.
In general, it seems like a better idea to get the latest status instead of risking failing the whole sync() on an outdated phase.

[jean-edouard]

Moving to draft since storage tests are failing.

[akalenyu]

Moving to draft since storage tests are failing.

Are you holding off VMI start when pvc.phase == pending? In that case, this is breaking WaitForFirstConsumer based storage
which will only have the PVC bind once a workload exists that consumes it

[jean-edouard]

Moving to draft since storage tests are failing.

Should be fixed now, we had to error out to ensure the VMI gets re-enqueued.

[jean-edouard]

Are you holding off VMI start when pvc.phase == pending?

Yes, but this is limited to the backend storage PVC, which is not a volume of the VMI

In that case, this is breaking WaitForFirstConsumer based storage which will only have the PVC bind once a workload exists that consumes it

I believe this is not a concern for RWX PVCs, is that correct?

[akalenyu]

I believe this is not a concern for RWX PVCs, is that correct?

More often than not, RWX storage backends won't be topology-constrained (accessible from all nodes in the cluster),
but we've witnessed large ceph WFFC setups as well to contradict this.

Yes, but this is limited to the backend storage PVC, which is not a volume of the VMI

Hmm, interesting. How does the backend storage PVC bind today with WFFC storage? Who is mounting it?

/cc @mhenriks

[jean-edouard]

I believe this is not a concern for RWX PVCs, is that correct?

More often than not, RWX storage backends won't be topology-constrained (accessible from all nodes in the cluster), but we've witnessed large ceph WFFC setups as well to contradict this.

Yes, but this is limited to the backend storage PVC, which is not a volume of the VMI

Hmm, interesting. How does the backend storage PVC bind today with WFFC storage? Who is mounting it?

/cc @mhenriks

It's a RWX FS PVC created like that: https://github.com/kubevirt/kubevirt/blob/main/pkg/storage/backend-storage/backend-storage.go#L99-L114
It is mounted inside virt-launcher as volume mounts, see https://github.com/kubevirt/kubevirt/blob/main/pkg/virt-controller/services/rendervolumes.go#L401-L422

By the way, everything works fine today, but on first VM start we sometimes get a failure logged because the PVC wasn't ready (the VM then successfully starts).
What I'm trying to do here is to get rid of that failure.

[mhenriks]

I believe this is not a concern for RWX PVCs, is that correct?

RWX PVCs may be WFFC

[jean-edouard]

I believe this is not a concern for RWX PVCs, is that correct?

RWX PVCs may be WFFC

Good to know, thanks! So I guess we need to check for that and start the "doppleganger" pod if needed.
/hold

[mhenriks]

I believe this is not a concern for RWX PVCs, is that correct?

RWX PVCs may be WFFC

Good to know, thanks! So I guess we need to check for that and start the "doppleganger" pod if needed. /hold

You shouldn't have to do the "doppleganger" for TPM/EFI PVCs. I would simply suggest checking if the PVC is WFFC. If it is WFFC, you can create the pod right away otherwise you can wait for it to be bound

EDIT: maybe you will still get the error you are trying to avoid in the WFFC case but it should be rare and as you said it is non fatal.

doppleganger is probably the only way to avoid the error entirely

[jean-edouard]

I believe this is not a concern for RWX PVCs, is that correct?

RWX PVCs may be WFFC

Good to know, thanks! So I guess we need to check for that and start the "doppleganger" pod if needed. /hold

You shouldn't have to do the "doppleganger" for TPM/EFI PVCs. I would simply suggest checking if the PVC is WFFC. If it is WFFC, you can create the pod right away otherwise you can wait for it to be bound

Ah, so if bound || WFFC then start pod else re-enqueue?

[mhenriks]

I believe this is not a concern for RWX PVCs, is that correct?

RWX PVCs may be WFFC

Good to know, thanks! So I guess we need to check for that and start the "doppleganger" pod if needed. /hold

You shouldn't have to do the "doppleganger" for TPM/EFI PVCs. I would simply suggest checking if the PVC is WFFC. If it is WFFC, you can create the pod right away otherwise you can wait for it to be bound

Ah, so if bound || WFFC then start pod else re-enqueue?

Yes that what I was thinking

[mhenriks]

You can test RWX WFFC in kubevirtci with rook-ceph-block-wffc storageclass

[jean-edouard]

/cc @acardace

[jean-edouard]

/retest

[fossedihelm]

Thanks a lot @jean-edouard! Everything looks good from my side.
Just a very small note :)
/lgtm

[fossedihelm]

nit: s/WaitForFirstCustomer/WaitForFirstConsumer/

[fossedihelm]

nit: s/WaitForFirstCustomer/WaitForFirstConsumer/

[fossedihelm]

Thank You! Great work!
/lgtm

[mhenriks]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mhenriks

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mhenriks]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-commenter-bot]

Required labels detected, running phase 2 presubmits:
/test pull-kubevirt-e2e-windows2016
/test pull-kubevirt-e2e-kind-1.27-vgpu
/test pull-kubevirt-e2e-kind-sriov
/test pull-kubevirt-e2e-k8s-1.29-ipv6-sig-network
/test pull-kubevirt-e2e-k8s-1.27-sig-network
/test pull-kubevirt-e2e-k8s-1.27-sig-storage
/test pull-kubevirt-e2e-k8s-1.27-sig-compute
/test pull-kubevirt-e2e-k8s-1.27-sig-operator
/test pull-kubevirt-e2e-k8s-1.28-sig-network
/test pull-kubevirt-e2e-k8s-1.28-sig-storage
/test pull-kubevirt-e2e-k8s-1.28-sig-compute
/test pull-kubevirt-e2e-k8s-1.28-sig-operator

[kubevirt-bot]

@jean-edouard: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-unit-test-arm64	bba9c9e	link	false	/test pull-kubevirt-unit-test-arm64
pull-kubevirt-conformance-arm64	bba9c9e	link	false	/test pull-kubevirt-conformance-arm64

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[acardace]

/cherrypick release-1.2

[kubevirt-bot]

@acardace: #11373 failed to apply on top of branch "release-1.2":

Applying: Wait until backend storage PVC is ready before starting VMIs
Using index info to reconstruct a base tree...
M	pkg/virt-controller/watch/BUILD.bazel
M	pkg/virt-controller/watch/vmi.go
M	pkg/virt-controller/watch/vmi_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/virt-controller/watch/vmi_test.go
CONFLICT (content): Merge conflict in pkg/virt-controller/watch/vmi_test.go
Auto-merging pkg/virt-controller/watch/vmi.go
Auto-merging pkg/virt-controller/watch/BUILD.bazel
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Wait until backend storage PVC is ready before starting VMIs
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherrypick release-1.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[acardace]

@jean-edouard can you do a manual backport for this?