VM CrashLoop Detection and Exponential Backoff

[davidvossel]

CrashLoop detection

A VM crashloop is being defined as a VM with runStrategy = Always|RerunOnFailure with VMIs that continually fail to reach vmi.Status.Phase == Running... Meaning a VM's VMI continually gets scheduled and fails before ever successfully launching the qemu process.

During such an event, the VM crashloop detection will begin to exponentially back off re-launching new VMIs to replace the failed VMIs. Once a VM's VMI reaches the "running" phase (or the VM is manually stopped) the crashloop tracking will be reset.

Implementation

Crashloop detection is tracked by a new field on the VM status call StartFailure which tracks the number of concurrent start failures as well as tracking when the next start can be retried after a failure.

When a crashloop occurs, users receive feedback that their VM is in a crash loop via the VM.Status.PrintableStatus being set to "CrashLoop"

Changes in existing behavior

Users can now call virctl stop my-vm for VMs with runStrategy Always|RerunOnFailure even when an active VMI is not present. This allows someone to "stop" a VM which is in a crash loop. Without this change in logic, a user wouldn't be able to use virtclt stop during a crash loop because the virt-api subresource endpoint always expects an active VMI in order to stop.

Testing

Unit test coverage exists for all new and altered functionality

New functional tests exist to invoke a crashloop, verify exponential backoff occurs, and verify crash loops recover as expected once a VM's vmi eventually hits a running phase.

related to: https://bugzilla.redhat.com/show_bug.cgi?id=1973852

Release note:

VM CrashLoop detection and Exponential Backoff

[zcahana]

Hi @davidvossel, this looks like a very useful addition!
I've included several minor comments inline.

And another general comment:
Currently, the crash loop detection only considers VMIs that never reached the Running phase. However, "Running" VMIs too might end up in some crash loop scenario, in which the guest is launched successfully but quickly fails (boot error, misconfigured liveness probe, ...). Would it make sense to extend it to detect such scenarios too?

[zcahana]

I'm wondering whether there's some existing VM/VMI configuration we could use that will cause virt-launcher to crash (i.e., without needing an explicit virt-launcher flag/VMI annotation). Maybe very low resource requests that won't allow the qemu process to proceed?

On the other hand, I'd expect that if there's such a known configuration, then we should reject it during validation and/or fix virt-launcher.

[davidvossel]

yeah, i'm not aware of a reliable method that will immediately fail.

[zcahana]

Should we add the randomized offset only after capping at maxDelay? Otherwise we might end up with multiple failing VMs all stuck at maxDelay. Alternatively, if we want to be strict over maxDelay, we can subtract a randomized offset.

[davidvossel]

Otherwise we might end up with multiple failing VMs all stuck at maxDelay

we're adding jitter to the backoff which causes multiple VMs stuck in crash loops not get retried at the same time. by the time max delay is hit, all VMs which are stuck in a crash loop will at least offset from one another due to the randomization leadign up to the max delay

[zcahana]

nit: can extract this for loop into a wasVMIRunning(vmi) bool or wasVMIInRunningPhase(vmi) bool and use it both here and in vmiFailedEarly().

[davidvossel]

+1 fixed

[zcahana]

nit: I'm a bit confused by this function name. Should it be called getStartFailureBackoffTimeLeft?

[davidvossel]

fixed

[zcahana]

These two lines are redundant.

[davidvossel]

yup, good catch, fixed

[zcahana]

Would it be better to have this const defined as 300 * time.Second

[davidvossel]

I like working with ints here, i think the issue is i didn't specify that this variable is in seconds.

I renamed this to defaultMaxCrashLoopBackoffDelaySeconds

[zcahana]

Here too, would it be better to return a time.Duration?

[davidvossel]

since all the calculations are dealing with seconds represented as ints, i'd rather keep it that way.

[zcahana]

Good catch here!
There's a corner case in which an ownerless VMI is created a crashes, after which a VM is created and adopts the VMI. In this case, the adoption logic should add the VirtualMachineControllerFinalizer too.

[zcahana]

For consistency with pods, should this be "CrashLoopBackOff"?

[davidvossel]

yup, fixed

[davidvossel]

Currently, the crash loop detection only considers VMIs that never reached the Running phase. However, "Running" VMIs too might end up in some crash loop scenario, in which the guest is launched successfully but quickly fails (boot error, misconfigured liveness probe, ...). Would it make sense to extend it to detect such scenarios too?

it's possible we can extend this backoff behavior to failing liveness probes. I feel better about the liveness probe situation as it is now because it at least involves some timeout period before the VMI will get rescheduled. That wasn't the case for VMIs that hit some critical error that prevented the qemu process from ever launching successfully (which is represented by Phase: Running)

[zcahana]

I feel better about the liveness probe situation as it is now because it at least involves some timeout period before the VMI will get rescheduled

I see your point. I think the main benefit of the CrashLoop detection for Running VMs is the fact that this now gets reported to the user, which otherwise would only see Stopped --> Starting --> Running cycle.

[rmohr]

Can we also re-evaluate the need for this timeout when the pod hits the running phase? I am not sure we should still keep it. Maybe we should just keep running and wait.

[davidvossel]

@zcahana Thanks for the review. I think I've addressed all your feedback

@rmohr I added jitter to the virt-launcher qemu timeout. The timeout is now a randomized range between 4 and 6 minutes

[zcahana]

@zcahana Thanks for the review. I think I've addressed all your feedback

Thanks David.
/lgtm

[zcahana]

This makes me think whether it can happen in a real cluster (i.e., the finalizer is removed because the VMI controller incorrectly determines that there's no owner VM). Would it be safer if hasOwnerVM() would attempt to read the VM from the API server, instead of from the local cache?

[davidvossel]

the VM controller and VMI controller share the same VM informer. There has to be a VM in the informer cache for the VM controller to create the VMI.

I do need to add a vmInfomer.HasSynced() at the vmi controller startup though to prevent the VMI controller from starting until the VM informer is up to date.

[zcahana]

I see your point, so basically this can only happen at the test since the VM and VMI are fed to the informers "in parallel".
Anyway, looking at the code, you've already added a vmInformer.HasSynced() to the VMI controller's Run() method, so it's good to go.

[davidvossel]

I do need to add a vmInfomer.HasSynced() at the vmi controller startup though to prevent the VMI controller from starting until the VM informer is up to date.

ah, i already did that, never mind

[zcahana]

/lgtm

[davidvossel]

/retest

[zcahana]

/lgtm

Will need an approver too.

[davidvossel]

Will need an approver too.

/cc @rmohr

[rmohr]

@davidvossel can you explain a little bit in the PR description why a finalizer is now needed?

[rmohr]

This sounds like something which I would want to see as a warning event.

[rmohr]

I think you mentioned that you want this to avoid issues if the VMI disappears. For me that means that this can still happen (since nothing blocks one from removing finalizers).

It is ok for me to have the finalizer if we have to clean up things. Is that the case? Otherwise I would prefer not to add a finalizer.

[rmohr]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rmohr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rmohr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zcahana]

I realize this is merged for quite some time, but resurrecting this following a unit tests failure I saw on the CI (this).
Looking closely at this test, I reckon that:

• In table entries 1 and 3, expected is always 0, so nothing is actually being asserted (if expected > 0 { ... }).
• In entry 2, if test execution happens >30 seconds after the evaluation of the entry, it's bound to fail, and otherwise silently pass without any assertion being made.

Actually, I'm not entirely sure what the purpose of this specific test. Also, given the logic of calculateStartBackoffTime() is quite simple and is anyway covered by the larger testcases in the Context("crashloop backoff tests"), do you think we could just remove it?

@davidvossel WDYT?

[zcahana]

#6203