Improve operation workflow definition

[didier-wenzek]

Proposed changes

Proposal for improvements on how to specify a custom workflow:

• Next step determined by script exit status
• Next step determined by script output
• Using a script to trigger a restart
• New syntax for restart action
• Setting script execution timeout
• Deprecating the owner and next fields

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#2478

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s)
• I ran cargo fmt as mentioned in CODING_GUIDELINES
• I used cargo clippy as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[codecov]

Codecov Report

Merging #2496 (dc06274) into main (2935e42) will increase coverage by 0.0%.
The diff coverage is 73.4%.

Additional details and impacted files

Files	Coverage Δ
crates/core/tedge_api/src/messages.rs	83.4% <0.0%> (ø)
crates/core/tedge_api/src/workflow/error.rs	0.0% <0.0%> (ø)
crates/core/tedge_agent/src/agent.rs	0.0% <0.0%> (ø)
crates/core/tedge_api/src/workflow/supervisor.rs	65.9% <65.9%> (ø)
...tedge_agent/src/tedge_operation_converter/actor.rs	46.8% <0.0%> (-3.6%)	⬇️
crates/core/tedge_api/src/workflow/mod.rs	61.1% <61.1%> (ø)
crates/core/tedge_api/src/workflow/state.rs	77.7% <77.7%> (ø)
crates/core/tedge_api/src/workflow/script.rs	81.9% <81.9%> (ø)
crates/core/tedge_api/src/workflow/toml_config.rs	70.4% <70.4%> (ø)

... and 2 files with indirect coverage changes

[albinsuresh]

The proposed enhancements look good. Here are a few more enhancements that I can think of (a few taken from older PRs, just for the sake of having everything documented at one place):

1. Including the previous state also in the payload when a state transition occurs. This helps in defining generic states like a timeout or failure state that can be used to just report the state from which the failure happened. It would also help in defining any cleanup/rollback logics in those states based on the previous state.
2. Ability to execute custom scripts as part of terminal states: successful and failed: This would enable users to attach any post-workflow cleanup logics to these states, like clearing any temp resources, clearing the command status etc. When combined with the previous-state info, they can be even smarter.

[albinsuresh]

One additional benefit that I see with having this state explicitly is the freedom that the user gets to override the inbuilt waiting-for-restart validation logic as well.

[didier-wenzek]

Yes, this would be nicer. I will give a try to this representation to see the impact on the code.

[albinsuresh]

Despite the redundancy, I really liked the explicitness of the keywords like on_success, on_failure etc, esp since we have added more variants like on_kill, on_timeout etc. The moment you have more than 2 values in that next array, it starts to become unclear.

[didier-wenzek]

So let's go in that direction. Removing the next field from the configuration file.

[albinsuresh]

Suggested change

	timeout_second = 300
	on_timeout = { status = "failed", reason = "timeout" }
	on_timeout = { duration_seconds = 300, status = "failed", reason = "timeout" }

How about merging them so that everything related to timeouts are at one place?

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
369	0	3	369	100	50m10.534s

[didier-wenzek]

1. Including the previous state also in the payload when a state transition occurs. This helps in defining generic states like a timeout or failure state that can be used to just report the state from which the failure happened. It would also help in defining any cleanup/rollback logics in those states based on the previous state.

Why not. Adding an updated-at timestamp might also be useful to control timeouts.

This has to be considered in a larger scope to fix that issue: #2495.

2. Ability to execute custom scripts as part of terminal states: successful and failed: This would enable users to attach any post-workflow cleanup logics to these states, like clearing any temp resources, clearing the command status etc. When combined with the previous-state info, they can be even smarter.

Here, I'm less convinced. Sure we need to fix #2484,
but attaching an action to these states leads to a race condition, as both the agent and the mapper will react on those and the mapper clearing the state once done.

My proposal, is to augment the builtin workflows with intermediate states, e.g. successful-software-update and failed-software-update with default transitions to successful and failed. These default transitions can then be overwritten to include clean-up or rollback logic, as you suggest. The difference is a clear ownership: successful-software-update and failed-software-update are handled by the agent, and successful and failed by the mapper.

[albinsuresh]

The code looks good. A few missing points that I noticed:

1. Documentation of the on_stdout handler
2. Even though the default exit handler feature is mentioned in the timeout handling section, a dedicated section would be nice, highlighting that default handlers can be defined for any exit case.

[albinsuresh]

Not sure if that restriction is really needed. Might come in handy before a long running script is triggered.

[didier-wenzek]

Sure. But this would be more something along what is proposed here: https://github.com/thin-edge/thin-edge.io/pull/2496/files#diff-0bc2ab86d1dc663436d9764c1ee3b48333013f3d52ce410aac0af84705f0bf7cR364

.i.e. to have two states.

["agent-restart"]
background_script = "sudo systemctl restart tedge-agent"
on_exec = "waiting-for-restart"

["waiting-for-restart"]
script = "/some/script.sh checking restart"
on_success = "successful_restart"
on_error =  "failed_restart"
on_timeout = "waiting-for-restart"

[albinsuresh]

I'm guessing you forgot to assert the rest of the states.

[didier-wenzek]

Oops!

[albinsuresh]

Are we making the user list out the expected state values here, just so that it is easier to figure out the entire control flow of a workflow, without having to audit the scripts? Or there are some other benefits as well?

I see that they are unused now. Are we planning to validate that the output of the script is definitely one of the values provided in this list?

[didier-wenzek]

Are we making the user list out the expected state values here, just so that it is easier to figure out the entire control flow of a workflow, without having to audit the scripts? Or there are some other benefits as well?

Being able to compute the list of possible following states when in a given state will be a key to solve #2495.

I see that they are unused now. Are we planning to validate that the output of the script is definitely one of the values provided in this list?

Indeed, not used for now. My former plan was to fail a command when moving to some unexpected state. But to solve the former issue we might have to be more subtle.

[albinsuresh]

Why restrict that overriding rule to non-successful status codes alone? It can be applied for all exit cases, right? If an explicit exist handler is provided in the workflow, for any exit code, including the successful ones, it trumps over the status returned in the output.

[didier-wenzek]

Yes, definitely.

• Currently, even stronger. If the script is non successful its output is ignored.
• But maybe this is not what you have in mind. Do you think consuming the output can also be useful in case of exit code with a specific handler? Somehow these are expected errors.

[didier-wenzek]

After discussion, it appears that things are a bit more subtle:

• the status given in the workflow definition trumps any status value published on stdout (the idea is that sequence of states is statically defined)
• the reason published on stdout trumps the reason provided in the workflow definition (the rational being that an error message is dynamically provided by the running process).
• these rules applies only for the exit codes which are somehow expected .i.e. with a defined on_exit handler.

[albinsuresh]

Commenting out that with_context was intentional?

[didier-wenzek]

I will fix that. Adding a context here is in fact worse: not only there is no context but also the root error is lost and not logged.

As highlighted by @jarhodes314 the main issue is elsewhere: https://github.com/thin-edge/thin-edge.io/pull/2496/files#diff-03553c8b7afdbd134b09403b3f4a3931fee4c368f4a4f8a0c38bfdacbacc5018R330. One needs {err:?} as anyhow only shows the full error message in Debug, not Display.

[albinsuresh]

Suggested change

	on_stdout = ["waiting-for-restart", "successful_restart", "failed_restart"]
	on_stdout = ["successful_restart", "failed_restart"]

Expecting the same state that the workflow is currently in, is highly unlikely, right?

[didier-wenzek]

Removed.

However, not so unlikely even it's surely better to have a blocking wait with a timeout. This is the main issue with restart : one needs a way to detect a restart and this check must be patient (as the restart might be still pending) and robust (as the restart might fail).

[albinsuresh]

Suggested change

	builtin_action = "restart"
	background_script = "sudo systemctl restart tedge-agent"

Since builtin_action is only introduced in the next section, this might be better for continuity.

[didier-wenzek]

The issue is that the former works but not the latter. More precisely, using a background script raises the question on how to detect success and failure.

[albinsuresh]

Suggested change

	```toml
	["device-restart"]
	action = "restart"
	on_exec = "waiting-for-restart"
	on_success = "successful_restart"
	on_error = "failed_restart"
	```
	Alternative proposal:
	```toml
	["device-restart"]
	action = "restart"
	on_exec = "waiting-for-restart"
	["waiting-for-restart"]
	action = "waiting restart"
	on_success = "successful_restart"
	on_error = "failed_restart"
	```
	```toml
	["reboot_required"]
	action = "restart"
	on_exec = "restarting"
	["restarting"]
	action = "waiting restart"
	on_success = "successful_restart"
	on_error = "failed_restart"

Removed the first proposal as we settled with the second one. Also adjusted it to reflect the state names mentioned in the description above.

[didier-wenzek]

Unfortunately, the second is not implemented yet. The main reason being that the "waiting restart" needs more thinking. The failing system test (aka "Trigger native-reboot within workflow (on_error) - missing sudoers entry for reboot"), highlights one of these points: the behavior in case of an error is not clear.

[albinsuresh]

That delegate needs some doc. In the restart example it was the restart keyword. These would be a set of pre-defined keywords like that or it can be any text that represents an eternal process?

[didier-wenzek]

The simplest is to remove that from the doc for now.

Something is wrong / missing / unclear when we combine this with error detection. See 4db304c

[albinsuresh]

Suggested change

	The action for the `"init"` state is a `"proceed"` action, meaning nothing specific is done by the __tedge-agent__
	and that a user can provide its own implementation.
	The action for the `"init"` state is a `"proceed"` action, meaning nothing specific is done by the __tedge-agent__.

The proceed action directly moves the workflow to the on_success state, right? So, I don't see how the user can provide his own implementation while using proceed.

[didier-wenzek]

This can be changed by providing a new workflow definition as done here: https://github.com/thin-edge/thin-edge.io/pull/2496/files#diff-0bc2ab86d1dc663436d9764c1ee3b48333013f3d52ce410aac0af84705f0bf7cR491

[albinsuresh]

Suggested change

	pub fn forceful_timeout(&self) -> Option<Duration> {
	pub fn forceful_timeout_extension(&self) -> Option<Duration> {

[didier-wenzek]

Changed.

But honestly, I don't think a name has to convey all the details of a contract.

[didier-wenzek]

The following commits will be removed:

• 5074b3f
• 03c8aea
• 4db304c
• e5db59d

Indeed, adding an on_error handler along an on_exec handler needs clarification. Indeed, this creates two threads of execution when an error is detected executing the script. This breaks the main assumption of a single thread of execution per command instance.

[albinsuresh]

LGTM

[didier-wenzek]

This PR improves the way an operation workflow can be specified by a user.

• docs: https://github.com/thin-edge/thin-edge.io/blob/main/docs/src/references/agent/operation-workflow.md#user-defined-operation-workflow
• tests: https://github.com/thin-edge/thin-edge.io/tree/main/tests/RobotFramework/tests/tedge_agent/workflows

[gligorisaev]

QA has thoroughly checked the feature and here are the results:

• Test for ticket exists in the test suite.
• QA has tested the function and it's functioning according description.