Use subreaper to kill unowned subprocesses in raylet.

[rynewang]

Currently when user code spawns subprocess (from core worker), we don't have a good way to track them. We do best effort to kill direct child procs on core worker exit (#33976), but if a worker crashed (e.g. sigkill'd), or there are grandchild processes those processes leak. They may still hold valuable resources e.g. GPU memory.

This patches adds a feature to kill any recursive children from a core worker on its death. It's gated by a flag RAY_kill_child_processes_on_worker_exit_with_raylet_subreaper default disabled.

Once enabled:

• raylet as Linux subreaper.
• raylet tracks "known subprocesses" it spawned.
• raylet auto-kills unknown children every 10s.
• core worker as Linux subreaper, no auto-kills.

so that

• if a core worker is running, a (grand)child dies -> all other (grand)children keeps running
• if a core worker dies -> all (grand)children killed by raylet.

To avoid zombies, sets core worker to auto reap zombies by ignoring SIGCHLD. The raylet already reaps zombies, but now it also removes the dead children in the "known subprocesses".

Added a linux only unit test, and a doc page.

Fixes #42861, #26118

[rynewang]

removeOwnedChild needs a redo. Now we call it in ProcessFD dtor. However there are times we deallocate ProcessFD and does not track the process anymore, yet we don't want to kill it immediately either, e.g. when you spawn a one time util script. So we really need to track exit of those processes, i.e. in sigchld handler.

while (waitpid(&pid)) {
if pid in children {
    children.remove(pid)
  }
}

[cadedaniel]

is it possible for the reference to be invalid during shutdown

[cadedaniel]

what does this case mean?

[rkooo567]

+1. Can you comment here? Also it is no-op if it is an error. Is this the legit behavior?

[cadedaniel]

seems we should check for EINVAL to fail loudly.

[cadedaniel]

Does this replace existing raylet-side process cleanup in MacOS / when the new code path is disabled on linux? I am not familiar with the double forking stuff in Ray but if it's meant to replace it then will need to think a bit to make sure edge cases are handled

[cadedaniel]

You need a signal block between process creation and adding it to the owned set. Otherwise there is a race where the process dies before it is added to the owned set. I'll leave to you whether this is something that should be fixed now or not.

[cadedaniel]

(maybe boost magic solves this for you)

[cadedaniel]

seems the constructor is public, what happens if someone creates a process using another mechanism? tricky

[cadedaniel]

why do we need the notion of ownership at all? seems this will only run for dead child procs which need to be reaped anyways

[rkooo567]

I will review this by today!

[rkooo567]

Current status: it is not working yet. Waiting for it to work

[rynewang]

Updated, now the subreaper test works. i.e. if the worker is dead, its subprocesses are sigkilled.

[rynewang]

Note:

1. we may not want a hard sigkill at first. We can do something like "sigterm, after 5s then sigkill".
2. I am wondering how waterproof is this approach. If we spawn a one time command (bash start_something.sh) which spawns a tool, will it be killed? Maybe we can bring back the "decouple" arg and only care about the "coupled" processes, i.e. workers.

[rkooo567]

In general, it lgtm. But I feel like we don't need SigchldHandlerPlain for this PR? I think it is the best we only handle killing unowned children in this PR, and replace stdin read -> wait on child procs in another PR. wait on child procs will also improve observabiilty.

we may not want a hard sigkill at first. We can do something like "sigterm, after 5s then sigkill".

SGTM

I am wondering how waterproof is this approach. If we spawn a one time command (bash start_something.sh) which spawns a tool, will it be killed? Maybe we can bring back the "decouple" arg and only care about the "coupled" processes, i.e. workers.

Do we ever do this from raylet though? Besides, agreed to keep decouple here.

[rkooo567]

I think this makes sense

[rkooo567]

What's going to happen to this behavior?>

  // Ignore SIGCHLD signals. If we don't do this, then worker processes will
  // become zombies instead of dying gracefully.

[rkooo567]

also do you have any guess when this happens? This seems like an old behavior (when workers don't fate share with raylet)?

[rynewang]

we added it in subreaper.cc when the flag was disabled https://github.com/ray-project/ray/pull/42992/files#diff-b0a94cc61107f7633adfcda0a86e9472617b35b4931b182fab82785e0d4a81ebR138

[rkooo567]

can you explain me what this argument was for?

[rkooo567]

nit, but just use absl::MutexLock lock(&mutex_);? (we use this for locks)

[rkooo567]

Consider RAY_LOG(FATAL) here?

[rkooo567]

Is it possible for owned children (the workers), we just handle it in the same way as before? I think it is probably unnecessary change for this PR?

[rkooo567]

how slow is this?

[rynewang]

1 file read per process in the current linux. so not very fast. Fortunately we are not blocking anything here.

[rkooo567]

maybe this should just exit here and we shouldn't even start this function if it is not linux

[rkooo567]

why do we need a lock btw? is it happening in a different thread?

[rynewang]

if 1 thread is spawning a child process, while another thread is gathering this owned children list.

[rkooo567]

Use WARNING here. ERROR will be printed to the user driver.

[rkooo567]

btw to be more clear about feedback (not 100% sure if it is possible);

• Keep everything (decouple or how we track child process' health) as it is.
• Ignore sigchld from owned children
• Only handle sigchld from unonwned children and sigkill.
• We can remove owned children pid when a worker is killed (there must be some sort of hook here)
• Make sure things are logged properly with pid with INFO.
• The behavior should be clearly specified from core doc.
• Probably we can remove parent core worker killing child workers and convert it to this mechanism?

Some other comments;

• Do you think we need a way to exclude subprocesses from being killed? E.g., if an actor start a new job (.sh file) and exits, is there a way to not kill it? My guess is it is probably not a requirement given we already kill child procs and no one complained (meaning no regression)
• I wonder if we want to do this for subprocesses started from agent.py. Maybe it is okay (because agent.py fate share with raylet).

[rkooo567]

Btw, can we accelerate the progress of this PR as the branch cut is coming? We'd like to merge this by this week to meet 2/29

[rkooo567]

please remove the label when it is ready to review again! I will take a look asap

[rynewang]

Only failure is a linkcheck which is in rllib, not relevant. Should be ok now.

[jjyao]

What we provide is more like a last resort. We should mention that ideally child processes should catch the death of the parent and self-exit so this feature doesn't need to be turned on.

[rynewang]

Since I reversed the default sigchld handler in core worker to reap-all-dead, users need to toggle it back to really do the signal handling. See the new ⚠️ Caution section.

[jjyao]

Oh, I mean not the signal handle on the parent side but on the child side: https://stackoverflow.com/questions/284325/how-to-make-child-process-die-after-parent-exits.

[rynewang]

Understood. Added Note in the last section in the intro.

[jjyao]

What's the plan to turn this on by default and remove the other one?

[rkooo567]

I think we should never remove the flag as the behavior is kind of inconsistent with pure python

[rkooo567]

maybe better way is to allow this per task/actor eventually (if there's a request)

[jjyao]

I mean removing the other RAY_kill_child_processes_on_worker_exit flag and the related code since we don't need two cleanup mechanisms.

[jjyao]

Is it more of an issue if the core work is long live since otherwise they will be killed by raylet.

[rkooo567]

yes, long running driver for example

[rynewang]

I can reverse the default on core worker: it defaults to reap all zombies, and if users want to call waitpid they can set the signal handler to default (no waiting).

[rkooo567]

Generally LGTM!

PR description still relevant? can you update it?

[rkooo567]

e.g. double forked, it will not be killed by this mechanism.

I don't think people can understand this. Either remove it or add more details?

[rynewang]

changed to "grandchild processes" which should be more understandable.

[rkooo567]

Let's improve this a bit.

When you spawns child processes from Ray workers, you are responsible for managing the lifetime of child processes. However, it is not always possible, especially when worker crashes and child processes are spawned from libraries (torch dataloader).

To avoid leak...

[rynewang]

done

[rkooo567]

is this tested? can you add a test?

[rynewang]

added.

[rkooo567]

so it is the default behavior now right? Can you add info here?

[rkooo567]

We should not mention "core worker". It should be just "worker"

[rynewang]

renamed all core worker to the worker

[rkooo567]

Can you add a test where adding signal can reap grandchildren?

[rynewang]

no need, reversed to core worker to default-reap all children.

[rkooo567]

got it! please make sure you added a test case for reap. (and document how to diable automatic reap)

[rkooo567]

is this necessary? no better API from asio that does this automatically?

[rynewang]

Not any I know of. I did a quick search in github and did not find a good one

[rkooo567]

this should be non-blocking right? (since proc should have already dead)

[rynewang]

Non-blocking, yes. It's controlled by the WNOHANG. If there's no child dead already, it returns -1

[rkooo567]

should we just return here? what kind of error can happen?

[rynewang]

The only error is "signal set cancelled" as boost::asio::error::operation_aborted but we won't ever cancel it.

https://www.boost.org/doc/libs/1_84_0/doc/html/boost_asio/reference/basic_signal_set/async_wait.html

It does not hurt to waitpid anyway.

[rkooo567]

can you comment in code? Also comment in the waitpid that it is non blocking (so reader can know although it is due to abort, it is okay)

[rynewang]

added comments for the error and WNOHANG.

[rkooo567]

Q: Is this automatically optimized by compiler?

[rynewang]

I think it can do guaranteed copy elision but not 100% sure

[rkooo567]

we don't need a lock when we create a child proc?

pid_t pid = create_child_fn();
absl::MutexLock lock(&m_);
children_.insert(pid);

[rynewang]

We don't want the creation of a pid (in procfs) happen when we are reading the procfs for pids, I assume

[rynewang]

e.g. if 2 racing threads:

1. create process
   a. then add pid to the known list
2. kill unknown children

If the order is 1 -> 2 -> a, the new process is killed which is not what we want. We have to make 1 and a be atomic on the list.

[fishbone]

Why call the create child fn inside the AddKnownChild function? It should be cleaner if the creation and adding is decoupled. Like, in the caller:

child = create()
tracker.addknownchild(child)

[rynewang]

see the race condition I gave: if a killing happens between create() and addknownchild it may kill the newborn child process.

[fishbone]

When kill_child_processes_on_worker_exit_with_raylet_subreaper is set, why do we still need to set the core worker ? The raylet should just work as the reaper I think?

[rynewang]

See https://github.com/ray-project/ray/pull/42992/files#diff-f6c49babcc6278c29b15f311f28011254c7e7d20a0ff06b03a1ac17a6fe352bbR103

tldr: if a child of core worker spawns a grandchild and dies, the grandchild is reparented to the nearest subreaper. But we don't want it to be killed (since the core worker is still alive), so we set the core worker as a subreaper as well to avoid it be noticed and killed by raylet.

[fishbone]

Hmm, let me know if I understand it wrong:

• if the core worker is dead => the grand child reparented to the raylet
• if the raylet is dead => the core worker is still alive => later it'll kill itself => before it exits, it'll kill all the children?

[rynewang]

it handles this case:

raylet -> core worker -> A -> B

then

A exited, we don't want to kill B.

Now, B is reparented to core worker who does NOT kill B, so it's good. If we don't do that, B'd be reparented to raylet and be killed, which is what we don't want

[fishbone]

Thanks!

[fishbone]

Why do we pass the lambda to the function instead of just move the lambda to the function body?

[rynewang]

This is to ensure the KnownChildrenTracker only cares about the lock on the hash set, and it separates from the children finding code.

[fishbone]

Hmm, I doubt the separation making things simpler, but I'm fine with it.

[fishbone]

This probably is not an issue. Maybe we can put the linux into the SetThisProcessAsSubreaper.

For the platform specific code, the lower level we put it, the better.

[fishbone]

Overall it looks good.

Question is that, should we just turn it on by default? At least let raylet be the reaper?

The lifecycle of subprocess now becomes complicated, in different cases, the behavior is different.

IMO, if we just turned it on by default for most cases, and let the user know this might be better. Some special flag in remote options to turn it off for corner cases.

[rkooo567]

@fishbone we will turn it on by default. It is off because it is merged in the last minute and a bit of breaking change.

[rkooo567]

LGTM if tests pass. Let's make sure the core worker reaping grand children is the default behavior

[rkooo567]

also before merge, let's make sure to run mac test/window test/release test

[jjyao]

I'll merge this for now. @angelinalg could you still review the doc related changes and we will address comments in the follow up PR.