MIR-1159: keep ephemeral pools at 1 sandbox and fix lease URL races

[evanphx]

Summary

On garden, the ephemeral preview deploy for mirendev-preview ended up with a sandbox pool of desired_instances: 8 and requests timing out in the browser. Two distinct bugs were involved:

1. Ephemeral pools scaled like normal auto-mode pools. Every saturating burst caused the activator to bump DesiredInstances, ratcheting the pool up under traffic instead of queueing on the single preview sandbox.
2. The activator could return a Lease with an empty URL, and could leave waiters asleep when the URL became available outside of a status transition. Combined with a 50s cap that was too tight for cold image pulls, requests never reached the new sandbox.

Ephemeral pool: cap at 1 instance (commit 28644c7)

• New SandboxPool.ephemeral bool. Set by Launcher.ensurePoolForService whenever the backing AppVersion.EphemeralLabel != "", and for those versions desiredInstances is forced to 1 regardless of the configured concurrency mode.
• findMatchingPool now filters by ephemeral status so a non-ephemeral version cannot inherit an ephemeral pool (or vice versa) and end up with the wrong scaling policy.
• Activator.AcquireLease short-circuits to incrementPool=false for ephemeral pools, and requestPoolCapacity defensively refuses to patch DesiredInstances when Ephemeral && DesiredInstances >= 1.
• On pool reuse for an ephemeral version, any stale DesiredInstances > 1 is clamped back to 1.

Tests cover both the pool-creation path and the activator's refusal to scale.

Activator request routing: fix lease URL races and bump wait budget (commit 4823db8)

• waitForSandbox.checkForSandbox now requires s.url != "" on both the inner scan and the locked double-check, matching the predicate already present in AcquireLease. Previously, a sandbox tracked as RUNNING before its URL had been populated could be returned as a Lease with URL: "", causing httpingress to fail proxying with unsupported protocol scheme "".
• watchSandboxes captures oldURL before updating, and now also fires the notification fan-out when a RUNNING sandbox's URL transitions from empty to non-empty. Without this, waiters that woke on the status flip but saw url="" stayed asleep until the 30s fallback ticker.
• The per-request wait cap goes from 50s to 120s. Default PortWaitTimeout is 15s and a first-time image pull on a cold node can take 30-90s, so 50s was returning ErrPoolTimeout while sandboxes were still booting. Stays comfortably under httpingress' leaseAcquisitionTimeout (2m). The fallback ticker moves from 30s to 60s to keep the same "half-way" semantics.

Test plan

• make lint clean
• make test (iso): 4422 passes, 0 fails
• New unit tests pass:
  • TestCreatePoolForVersionEphemeral
  • TestNonEphemeralPoolUnaffected
  • TestFindMatchingPoolFiltersByEphemeral
  • TestRequestPoolCapacityRefusesEphemeralPool
  • TestRequestPoolCapacityNonEphemeralStillScales
  • TestWaitForSandboxSkipsEmptyURL
  • TestAcquireLeaseSucceedsAfterURLArrives
• Manual e2e on dev cluster:
  • Deploy an ephemeral version, hammer the preview URL, confirm desired_instances stays at 1 and requests succeed.
  • Confirm a non-ephemeral deploy still scales normally.
• On garden: existing pre-fix ephemeral pools keep ephemeral=false until they're recreated. Either let TTL expire them or backfill ephemeral=true on pools whose backing AppVersion.EphemeralLabel != "".

Notes

• Saturated previews will queue on the single sandbox up to the 120s wait budget. This is acceptable for preview environments — predictable resource cost over high concurrency.
• The hasPending race between requestPoolCapacity patching the store and watchSandboxes reflecting the new PENDING sandbox is the underlying reason normal auto-mode pools can also overshoot. The ephemeral guard sidesteps it for previews; addressing it for normal pools is a separate follow-up.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR replaces the single-value DesiredInstances() strategy with a MinInstances()/MaxInstances() capacity model, adds an EphemeralStrategy and NewStrategyForVersion(), applies version-aware strategies across the activator and pool manager, enforces non-empty sandbox URLs before issuing leases (with wait time increased to 120s), caps pool DesiredInstances using strategy.MaxInstances(), uses strategy.MinInstances() when seeding or scaling down pools, and adds tests validating these behaviors.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

components/activator/activator_test.go (1)

2675-2750: ⚡ Quick win

Add an uncached-pool ephemeral regression test.

This test pre-seeds activator.pools[key], so it only validates the cached-state guard. Please add a case where activator.pools is empty and the pool is found via store lookup, to ensure ephemeral pools still refuse increment there.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@components/activator/activator_test.go` around lines 2675 - 2750,
TestRequestPoolCapacityRefusesEphemeralPool only exercises the cached-path
because activator.pools is pre-seeded; add a second subcase where
activator.pools is empty to force a store lookup: create the same ephemeral
SandboxPool in the in-memory server (as already done), clear activator.pools (or
create a fresh localActivator with empty pools), then call
activator.requestPoolCapacity(ctx, testVer, "web") and assert the returned pool
has DesiredInstances == 1, stored entity remains Ephemeral with DesiredInstances
1, and the revision did not change; reference the existing test function name
TestRequestPoolCapacityRefusesEphemeralPool, the activator.requestPoolCapacity
method, the activator.pools map and the verKey used to locate the pool to
implement this additional branch.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@components/activator/activator_test.go`:
- Around line 3001-3003: The test's call to activator.waitForSandbox is using an
unbounded context (ctx) and can hang; wrap the call with a short timeout context
instead by creating a context.WithTimeout (e.g., a few seconds) and passing that
context to waitForSandbox, ensuring you call the returned cancel() via defer to
clean up; update the invocation of activator.waitForSandbox(ctx, testVer, "web",
false) to use the timeout context variable and keep error/lease handling
unchanged.

In `@components/activator/activator.go`:
- Around line 602-611: The ephemeral-pool guard is only applied for the
cached-path (the block checking state.pool.Ephemeral and DesiredInstances) but
not applied in the cache-miss / foundPoolWithRev code path where
DesiredInstances is incremented; update the code path that handles
foundPoolWithRev (the branch that patches/increments DesiredInstances after a
cache miss) to perform the same guard: if pool.Ephemeral &&
pool.DesiredInstances >= 1 then log a debug message (including pool.ID and
service) and return the pool without incrementing or patching, thereby
preventing ephemeral pools from being scaled above 1 via the foundPoolWithRev
path.

---

Nitpick comments:
In `@components/activator/activator_test.go`:
- Around line 2675-2750: TestRequestPoolCapacityRefusesEphemeralPool only
exercises the cached-path because activator.pools is pre-seeded; add a second
subcase where activator.pools is empty to force a store lookup: create the same
ephemeral SandboxPool in the in-memory server (as already done), clear
activator.pools (or create a fresh localActivator with empty pools), then call
activator.requestPoolCapacity(ctx, testVer, "web") and assert the returned pool
has DesiredInstances == 1, stored entity remains Ephemeral with DesiredInstances
1, and the revision did not change; reference the existing test function name
TestRequestPoolCapacityRefusesEphemeralPool, the activator.requestPoolCapacity
method, the activator.pools map and the verKey used to locate the pool to
implement this additional branch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a496ffe-0be8-4480-bef2-5cc414776db1

📥 Commits

Reviewing files that changed from the base of the PR and between 0611dce and 4823db8.

📒 Files selected for processing (6)

• api/compute/compute_v1alpha/schema.gen.go
• api/compute/schema.yml
• components/activator/activator.go
• components/activator/activator_test.go
• controllers/deployment/launcher.go
• controllers/deployment/launcher_test.go

[phinze]

Hi, it's us. You know who and you know what.

The fixes are clean but we think we see a better abstraction here worth chasing. Going to request-changes on the pool.Ephemeral field specifically. The incident pieces themselves (empty-URL predicate, late-URL notification, wait budget bump) look right and should land as-is.

Here's the thread we pulled on: ephemeral is already a really well-localized AppVersion-level concept (ephemeral_label, ephemeral_ttl, ephemeral_expires_at, plus pkg/ephemeral and the GC controller). Every existing site derives ephemeral-ness on demand from the version. The new pool bool would be the first place we copy it onto a sub-entity, with the clamp-on-reuse code in the launcher to keep the copy in sync. CodeRabbit also caught a missed check site in the cache-miss path, which is decent evidence the bool-and-conditionals approach is fragile in the way you'd predict.

The cleaner shape uses an abstraction already in the codebase: route ephemeral through the strategy interface at construction. FixedStrategy{numInstances: 1} covers the "don't scale" semantic for free (its checkCapacity always returns true, so requestPoolCapacity is never reached). The activator changes here mostly disappear, schema stays untouched.

Grabbing the pen on this one. Going to push a commit or two showing what we mean. Hold off from your side while we cook, and we'll be back with another review when they're up.

[phinze]

Hi again from us. Pushed three commits to demonstrate what we meant.

0182906b (floor) routes ephemeral versions through FixedStrategy{1} at strategy construction. Equivalent behavior to what this PR shipped, without the pool.Ephemeral schema field, the three activator guards, the launcher clamp, or the find-matching filter. Strategy gains a NewStrategyForVersion(ver, service, svc) wrapper that does the dispatch in one place.

33412293 (stretch) introduces EphemeralStrategy proper: scale-to-zero capped at 1, with a default 15-minute idle window so browsing a preview tab doesn't churn through cold starts. The cap mechanism becomes MinInstances()/MaxInstances() on the strategy interface, and the activator's >= MaxPoolSize checks now consult strategy.MaxInstances() so the cap is type-driven per pool. The launcher consults strategy.MinInstances() for seed and reuse, so it no longer needs to know anything about ephemeral routing.

5be88ca4 picks up CodeRabbit's suggestion to bound the wait context in TestAcquireLeaseSucceedsAfterURLArrives so a regression fails in 2s rather than hanging for 120s.

A couple of things that came up while we were in here but didn't act on:

• The requestPoolCapacity cache layer has a non-trivial amount of "is the cache stale?" defensive logic. We bumped into exactly the smell that MIR-596 already tracks; out of scope here.
• The bare "web" literal used as the routing-target check in NewStrategyForVersion is one of many sites in the codebase that hardcode that string. Filed MIR-1169 to track sweeping it into a named constant; left bare in our changes to match the surrounding convention.

Take a look when you have a moment. Happy to talk through any of it.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/concurrency/strategy.go`:
- Around line 180-182: EphemeralStrategy.releaseCapacity is a no-op while
ConcurrencyTracker.AcquireLease increments used, so ephemeral sandboxes never
return to Used()==0 and prevent scaling to zero; update
EphemeralStrategy.releaseCapacity to decrement the tracker by the given size
(call the appropriate ConcurrencyTracker release method or subtract from its
used counter), perform a nil check on tracker, and clamp/validate so used never
goes negative; keep the change contained to the
EphemeralStrategy.releaseCapacity implementation so
MinInstances()/ScaleDownDelay() semantics are restored.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 96d06cc4-05f9-430e-b1a3-5221524c0c09

📥 Commits

Reviewing files that changed from the base of the PR and between 5be88ca and e65f091.

📒 Files selected for processing (7)

• components/activator/activator.go
• components/activator/activator_test.go
• controllers/deployment/launcher.go
• controllers/deployment/launcher_test.go
• controllers/sandboxpool/manager.go
• pkg/concurrency/strategy.go
• pkg/concurrency/strategy_test.go

🚧 Files skipped from review as they are similar to previous changes (4)

• pkg/concurrency/strategy_test.go
• controllers/deployment/launcher.go
• controllers/deployment/launcher_test.go
• components/activator/activator.go