Extend watch queue with a timeout and size limit

[alexmavr]

This PR extends the watch package with the following items:

• A new Queue-like sink called the LimitQueue. This is near-identical to the implementation of a Queue from https://github.com/docker/go-events/blob/master/queue.go with the difference that the queue has an upper size limit. When that limit is reached, a channel is closed and it's up to the user to determine the desired behavior from there
• A sink wrapper called the TimeoutSink which wraps another sink with a timeout. If the timeout is reached, the wrapped sink is closed and an error is returned to the writer.
• A ChannelSinkGenerator interface which can be used to configure the sink-chain that watch.Queue creates for each watcher.
• Support for contexts on watch.Queue
• A new set of constructors that tie these concepts together, such as NewTimeoutLimitQueue, or the more genericNewQueueWithOpts. Edit: Feature replaced with a functional options constructor

To avoid disruption on existing users, the existing NewQueue constructor will return the previous configuration of sinks.

Unit test times:

ok  	github.com/docker/swarmkit/watch	1.005s
ok  	github.com/docker/swarmkit/watch/queue	0.093s

cc @aaronlehmann @nishanttotla

Signed-off-by: Alex Mavrogiannis alex.mavrogiannis@docker.com

[aaronlehmann]

The vendoring error is something weird that came up through colliding merges that both vendored different things. We fixed it earlier today on master, so if you rebase, it should resolve that problem.

I'm uncertain whether watch/queue and the new sinks belong in swarmkit, because they aren't even used by swarmkit. Possibly go-events is a better home? I'll do a review pass anyway though.

[aaronlehmann]

This seems to be unused. If it's meant for external users, it seems like a strange function to expose.

[aaronlehmann]

How about queue closed due to size limit?

[aaronlehmann]

Lowercase timeout in the message

[aaronlehmann]

I'd suggest using time.NewTimer explicitly here instead of time.After, so that the timer can be stopped in the common case that the write succeeds before the timer fires. There's no functional difference, but it's a little more optimal from a resource management perspective.

[aaronlehmann]

To me this is begging for functional arguments: https://dave.cheney.net/2014/10/17/functional-options-for-friendly-apis

[aaronlehmann]

grpc has a variant of Dial which takes a context that they call DialContext, so WatchContext?

[stevvooe]

I think we could have something like this in go-events.

We may want to back this with a buffered channel, depending on whether or not runtime does lazy allocation for buffered channel.

[aaronlehmann]

I'd rather avoid an extra goroutine for every watch. This will be a large number for swarmkit, and it's already quite hard to read stack dumps. Either it should be opt-in with a special variant of CallbackWatch, or we should just return the extra channels and let the caller implement this select if it wants to.

[stevvooe]

What happens when it is no longer full?

Typically, "full" and "empty" act pretty racy for concurrent queues. When would this be used?

If we want to act on full, might want a clamping function.

[alexmavr]

The channel is closed when a Write causes the queue to reach its limit. The queue can stop being full afterwards, and this channel is not meant as a mechanism for viewing the current full-ness state of the queue.

The main use case for this is to notify that least one Event has been dropped, and then it's up to the listener to determine if any action should be taken.

In the case of docker events, all API server implementations can receive a /events?since parameter to backfill past events, and the events stream is expected to be reliable in some versions of the CLI (1.13 to 17.03). Therefore, when a slow listener fills up its queue it's preferred to close their event stream entirely and have them re-establish it with an appropriate since parameter, rather than silently dropping events.

[stevvooe]

Couldn't this be handled with a callback on each dropped message? This seems very fragile.

[alexmavr]

Rebased off of master and added a commit which addresses all review comments until this point.

[aaronlehmann]

"some event-based systems"?

[aaronlehmann]

Looks like this test will leak a goroutine; is ch.C ever closed? If not, can you add another channel for this goroutine to select on so it will terminate when the test is finished?

[aaronlehmann]

Why is this in a separate goroutine?

[aaronlehmann]

or when?

[aaronlehmann]

I guess you don't want to change the signature of NewQueue, so how about a panic here instead?

[aaronlehmann]

Hmm, I know I suggested this, but looking at the code I'm not sure there's any reason it can't be supported. It would just inhibit the optimization of returning ch.C (which is fine). Am I missing anything?

[stevvooe]

@alexmavr Any plans to PR this to go-events? This really belongs there as a primitive.

[alexmavr]

@stevvooe go-events is definitely the right location for this package or a subset of it. We were hoping to discuss such a migration as followup step in order to facilitate dependent bugfix work such as docker-archive/classicswarm#2747

[aaronlehmann]

Let's instead define functions like

func WithTimeout(timeout time.Duration) func(*Queue) error
func WithLimit(limit uint64) func(*Queue) error
func WithCloseOutChan(closeOutChan bool) func(*Queue) error

Then you can create a queue with something like:

NewQueue(WithTimeout(30*time.Second), WithCloseOutChan(true))

It's a bit more flexible that way.

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "watch-extensions" git@github.com:alexmavr/swarmkit.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842353884240
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[codecov]

Codecov Report

Merging #2285 into master will increase coverage by 0.08%.
The diff coverage is 92.5%.

@@            Coverage Diff             @@
##           master    #2285      +/-   ##
==========================================
+ Coverage   60.96%   61.04%   +0.08%     
==========================================
  Files         126      128       +2     
  Lines       20391    20531     +140     
==========================================
+ Hits        12431    12534     +103     
- Misses       6589     6632      +43     
+ Partials     1371     1365       -6

[stevvooe]

@stevvooe go-events is definitely the right location for this package or a subset of it. We were hoping to discuss such a migration as followup step in order to facilitate dependent bugfix work such as docker-archive/classicswarm#2747

So, the bounded queue model makes a lot of sense in go-events and I think we can do it with less code (maybe). I understand the time pressure, but I think if we are making a commitment to quality, we should try to land this in the right place, rather than defer to later. Once it is tested and in the code base, there will be little incentive to move it over.

[aaronlehmann]

minor: errClose := sink.Close() instead of predeclaring

[aaronlehmann]

Minor: defer close(doneChan) right after the channel is created.

[stevvooe]

I'm not sure how much time you have to make this work, but if you can instrument the entrance and exit of a regular queue, you can avoid having to replicate all of this logic.

[stevvooe]

I think we can do a callback here. That would avoid spilling the internal channel manipulation outside of the internals.

Make sure to release the locks, then return ErrQueueFull. That will allow writer and out of band notification. It also doesn't poison the queue.

[alexmavr]

I agree that a callback would be a better pattern here. Let's do it this way for the go-events followup

[stevvooe]

@aaronlehmann Did we not remove this error message?

[aaronlehmann]

It's suppressed by a wrapper sink in swarmkit. Discussion here: docker/go-events#11

[aaronlehmann]

just do mutex sync.Mutex; then it doesn't need to be initialized.

[aaronlehmann]

That's cool; I didn't know about this feature.

[aaronlehmann]

Comment is outdated

[aaronlehmann]

I think the race detector will consider this a data race. If we make it a channel that gets closed, it avoids the problem. I'd kind of like to unify this goroutine with the select below anyway. How about something like this:

timeoutTimer := time.NewTimer(time.Minute)
defer timeoutTimer.Stop()

selectLoop:
for {
        select {
        case <-eventsClosed:
                break selectLoop
        case <-time.After(writerSleepDuration):
                q.Publish("new event")
        case <-timeoutTimer.C:
                require.Fail("Timeout exceeded")
        }
}

[alexmavr]

That's a great way to restructure this, thanks for the insight.

[stevvooe]

Didn't look into details, but sync.Once may help in certain areas...

[aaronlehmann]

Do you have to take the lock here to make the race detector happy?

[alexmavr]

Addressed final comments and squashed

[stevvooe]

LGTM

[aaronlehmann]

LGTM