[core] Add release test to simulate network transient error via ip tables

[Sparks0219]

Description

Briefly describe what this PR accomplishes and why it's needed.

To simulate transient network errors we were initially going to use AWS FIS testing but there's a couple problems:
1.) The minimum timeout is 60 seconds causing node death. We weren't able to determine whether we could fix this by tuning ray_config env variables or whether this was due to some mechanism in Anyscale. It would probably take a decent amount of time to figure out + coordination with infra so decided to try the IP table route first
2.) The FIS experiment will introduce cross AZ transient network errors across all clusters in staging

Hence we instead explored an approach of ssh-ing into each node and modifying the IP tables to drop all ingoing/outgoing traffic except intra-node traffic to simulate cross AZ fault tolerance. It actually wasn't so bad to implement, and it works pretty well. You can tune the timeout to what you want and it only affects the nodes in your cluster hence avoids the cons of both listed above. Adding the script into prod since I think it could be helpful for future chaos testing.

[gemini-code-assist]

Code Review

This pull request introduces a new script to simulate transient network failures across availability zones by manipulating iptables on Ray nodes. This is a useful tool for testing fault tolerance.

My review focuses on improving the robustness and maintainability of the script. The main points are:

• The iptables commands should be made idempotent by using a custom chain to avoid potential issues with leftover rules.
• The script should use public Ray APIs instead of internal ones to ensure it doesn't break with future Ray updates.
• The default concurrency for SSH connections is very high and could be lowered to prevent resource exhaustion.

Overall, the script is well-structured and the approach is sound. The suggested changes will make it more reliable and easier to maintain.

[gemini-code-assist]

The current implementation of iptables_cmd is not idempotent. If the script is run twice on the same node without the first run completing its cleanup, it will add a second set of rules. The cleanup phase will only remove one set, potentially leaving DROP rules in place and causing a permanent network partition.

A more robust approach is to use a dedicated iptables chain. This makes the operation atomic and idempotent, as you can flush and delete the chain at the start and end of the script.

def iptables_cmd(self_ip: str) -> str:
    return f"""\
nohup setsid bash -lc '
  CHAIN_NAME="RAY_NETWORK_BLACKOUT"
  # Clean up previous runs if any, ignoring errors if chain/rules don't exist
  sudo iptables -w -D INPUT -j $CHAIN_NAME 2>/dev/null || true
  sudo iptables -w -D OUTPUT -j $CHAIN_NAME 2>/dev/null || true
  sudo iptables -w -F $CHAIN_NAME 2>/dev/null || true
  sudo iptables -w -X $CHAIN_NAME 2>/dev/null || true

  # Create a new chain
  sudo iptables -w -N $CHAIN_NAME
  # Rules for allowed traffic
  sudo iptables -w -A $CHAIN_NAME -p tcp --dport 22 -j ACCEPT
  sudo iptables -w -A $CHAIN_NAME -p tcp --sport 22 -j ACCEPT
  sudo iptables -w -A $CHAIN_NAME -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  sudo iptables -w -A $CHAIN_NAME -s {self_ip} -d {self_ip} -j ACCEPT
  # Drop everything else in this chain
  sudo iptables -w -A $CHAIN_NAME -j DROP

  # Insert the chain at the top of INPUT and OUTPUT
  sudo iptables -w -I INPUT 1 -j $CHAIN_NAME
  sudo iptables -w -I OUTPUT 1 -j $CHAIN_NAME

  sleep {SECONDS}

  # Cleanup
  sudo iptables -w -D INPUT -j $CHAIN_NAME
  sudo iptables -w -D OUTPUT -j $CHAIN_NAME
  sudo iptables -w -F $CHAIN_NAME
  sudo iptables -w -X $CHAIN_NAME
' &>/dev/null &
"""

[dayshah]

didn't the other ai want chains too...

[Sparks0219]

I tried this and something is breaking 💀

[gemini-code-assist]

A value of 500 for PARALLEL is quite high and may cause issues. A ThreadPoolExecutor with 500 worker threads can consume a significant amount of memory (for thread stacks) on the machine running the script. Additionally, opening 500 concurrent SSH sessions might hit system limits (like file descriptors or MaxStartups on the SSH server). It would be safer to use a more conservative number, or make it configurable based on the environment. For example, a value closer to the number of CPU cores or a number like 32 or 64 is often a safer default.

[dayshah]

this is amazing 🤩

[dayshah]

why 500? If you just need to keep all active at the same time just launch and join threads?

[Sparks0219]

This is just to limit the number of max concurrent ssh connections. Should only be a problem for like super large clusters.

[dayshah]

didn't the other ai want chains too...

[dayshah]

can you add a release test to run this with the 250 node data job

[Sparks0219]

can you add a release test to run this with the 250 node data job

working on that right now, should get something up by EOD

[Sparks0219]

@dayshah Main change was I modified the ip table script to take in the map_benchmark data release test as a parameter.
Ideally I want the ip table script to be used with any future release test, so it periodically runs the iptable blackout as a separate thread. Wasn't really sure where to put the ip table script though, stuck it in the release test directory since I think it should be only used there?

[dayshah]

i can feel the vibes from the code lol 👀

[dayshah]

I'm a little worried anyscale will say the job succeeded even if it actually failed since the actual job is this wrapper script. Can you test with it failing to make sure it actually says the release test failed if it does fail

[Sparks0219]

weirdly enough running the map_benchmark.py on anyscale workspace by itself (so not even through the wrapper script) and triggering a failure doesn't mark the job as Failed. However via the release test anyscale_job_wrapper.py, it seems like it's being reported correctly... 🤷

[dayshah]

in the past when you found the check failure was it 5 second or 10 second injection?

[Sparks0219]

I actually just ran into the check failure in the lease dependency thingy again using 5 seconds since my image wasn't nightly. Can try bumping it up though

[Sparks0219]

i can feel the vibes from the code lol 👀

Bro I vibed so hard on this that I should be called VibeCoder 😎

[dayshah]

🚢

Just to confirm when the data script fails buildkite says it failed right

[dayshah]

do you need all of these? Maybe just the gcs connect one?

[Sparks0219]

I think I needed to adjust these when I went to 15 seconds for the timeout, probably good to leave in so people in the future know what env variables they need to tune?

[Sparks0219]

Just to confirm when the data script fails buildkite says it failed right

Yup, when I forgot to add the RAY_gcs_rpc_server_connect_timeout_s the test failed and it showed an error. https://console.anyscale-staging.com/cld_vy7xqacrvddvbuy95auinvuqmt/prj_xqmpk8ps6civt438u1hp5pi88g/jobs/prodjob_n783fmtyqs6zlhlvbcstdevqpp?job-logs-section-tabs=application_logs&job-tab=overview