Change the router reload supression, and add some more controls

[knobunc]

The main purpose is to change the locking so that a reload doesn't
hold a lock of the router object for the duration of the reload so that updates that happen while the router is reloaded can be processed immediately and batched up and included when the next reload occurs. Before this, if a reload went longer than the reload interval, one event would be processed, and then trigger a new reload. Which would then lock out other event processing. So the router would not make any meaningful progress consuming events, and spend a lot of time and CPU reloading continually.

The router controls are:

• Max Reload Frequency (start-to-start of a reload)
• Gaps between reloads (end-to-start of a reload)
• Bunch events by waiting a little before reload (wait N ms between
  the time the event comes in and when the reload starts)

The commit routine is now changed to have a top and bottom half. The
top half checks to see if a reload is scheduled, and if it is, it
returns immediately. If there's no reload scheduled then it calls the
bottom half and returns.

The bottom half is in charge of determining if it can immediately
reload or if it has to wait. If it must wait, then it works out the
earliest time it can reload and schedules a callback to itself for
that time.

If it determines it can reload, then it runs the reload code
immediately. When the reload is complete, it calls itself again to
make sure there was no other pending reload that had come in while the
reload was running.

[imcsk8]

Code looks ok. The flow is actually a more clear this way.
Are there any suggested ways to test this?

[knobunc]

@imcsk8 Thanks for the review. I plan to add some tests soon.

[knobunc]

@openshift/networking @openshift/sig-networking FYI

[lihongan]

Can we use the controls' default value (RELOAD_INTERVAL=5s, RELOAD_GAP=100ms, RELOAD_EVENT_WAIT=10ms) to verify the bug https://bugzilla.redhat.com/show_bug.cgi?id=1471899 ? If not can you give the recommended value for that scenario of thousands routes?

And my understanding for this commit is: the max reload duration will be limited to 4890ms (5s-100ms-10ms), right ?

[knobunc]

@lihongan those values would work. You could drop RELOAD_INTERVAL to 1s and RELOAD_GAP and RELOAD_EVENT_WAIT to 0ms if you wanted. That might make it easier to reproduce and validate.

The duration is the longest of the times. So if a reload is desired, then it can reload if (and only if):

• The last attempt to reload was more than RELOAD_INTERVAL ago
• The last reload finished more than RELOAD_GAP ago
• The current time is more than RELOAD_EVENT_WAIT than the first message that triggered the reload (since we expect more than one message to come in in a bunch related to a route change)

So, the longest possible reload time is really unknowable. If the time taken to actually perform the haproxy reload is longer than the RELOAD_INTERVAL, it will be the actual reload time + RELOAD_GAP. Otherwise, if the actual reload time is less than RELOAD_INTERVAL - RELOAD_GAP, then it will reload at RELOAD_INTERVAL.

RELOAD_EVENT_WAIT will likely be ignored on a busy system since if you have events coming in all the time that would trigger a reload, then a reload will be requested long before RELOAD_INTERVAL and RELOAD_GAP will allow it. On the other hand, on a system with few route or endpoint changes, then before, the reload would happen immediately as soon as the first event was delivered, and the second event would have to wait for RELOAD_INTERVAL before it took effect, even though it was probably a route or endpoint change related to the first event, and the first event may not be useful without it. So, we now allow the router to hesitate to gather more events before actually triggering the reload.

[dcbw]

Kinda seems like these could be one function that takes the env var name and the default interval as arguments.

[knobunc]

Done

[dcbw]

I'm confused... if hasSynced = true that implies the state is fully synchronized, but then below r.synced can be false? maybe there's a better name.

[knobunc]

If the user tells us we have synced, but our internal state doesn't yet reflect that... update the internal state and emit a message

[dcbw]

What if you just defer r.lock.Unlock() at the top, and then in this block do defer r.commitWorker() so the locking is a bit simpler? The second defer should run after the unlock.

[knobunc]

We can't do it that way because the unlock would be called after the commitWorker because defers are called in reverse order from definition.

[JacobTanenbaum]

nit "commitRunning indicates whether the commitFunc is actively running"

[knobunc]

Thanks

[DirectXMan12]

couple of nits, otherwise good

[DirectXMan12]

these should just be time.Durations too...

[DirectXMan12]

godoc: reloadInterval is the minimum...

[DirectXMan12]

ditto the next few fields

[knobunc]

Done

[DirectXMan12]

you don't need * time.Second here, I believe

[knobunc]

Done

[DirectXMan12]

you should note the reason for the reset here as well ("we reset to give a chance to grab extra changes before a reload, but the maxReloadInterval above prevents us from resetting forever").

[knobunc]

Clarified in a comment.

[knobunc]

/approve

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: knobunc
We suggest the following additional approver: smarterclayton

Assign the PR to them by writing /assign @smarterclayton in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• contrib/completions/OWNERS
• pkg/cmd/OWNERS
• pkg/router/OWNERS [knobunc]
• test/end-to-end/OWNERS [knobunc]
• test/integration/OWNERS [knobunc]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[knobunc]

/assign @smarterclayton

[smarterclayton]

Typos

[smarterclayton]

How often are we really going to tune these? Adding lots of extra tunables comes with a cost - do these really need to be changeable or can they just be proportional to the overall duration?

Every tunable we add is more choices that someone can get wrong. Also, I couldn't understand how the flags are used from the descriptions, which is a problem.

[smarterclayton]

This should be in validate

[knobunc]

Should the other checks in here be in validate too? Or is there some pattern that I don't grok fully.

[smarterclayton]

Oh wow. This is a LOT of variables. This should be abstracted into some sort of separate object that is passed in because the rest of the template router has nothing to do with it.

[smarterclayton]

Please hide this complexity so that it doesn't get entangled with other places.

[smarterclayton]

Wow.

So this is incredibly complicated and really needs to be abstracted into something smaller and more well tested on its own. The original point of the "commit wrapper" was to have a function that you invoke that does the right thing, and then the rest of it is ignored. This has now become entangled with the template router.

Please separate all of this logic out into three pieces - the signal (from the rest of the template router to reload), the rate limiter / tracker (the bit that says when an actual commit should go), and the underlying commit action that controls how fast it happens.

I.e.:

1. router controller signals (changes happened)
2. a rate limiter / commit controller decides whether to pass it on (this code)
3. the underlying commit.

There really cannot be a connection between them, and the code here is too complicated for me to be confident it works.

[smarterclayton]

@liggitt can you help suggest here? i think of this as controller model - several caches:

informer cache -> feeding secondary cache -> controller loop that reads secondary cache and needs to sync up with secondary cache

[knobunc]

I think I have worked out a possible solution.

[liggitt]

does this make the router reply that it is healthy prior to having synced? is that correct? couldn't that cause traffic to be directed to it prior to actually having all the routes set up?

[knobunc]

We already cover that behavior in the router... the haproxy template is passed a synced flag. So it doesn't bind 80/443 until the sync happens, but it does bind the status port for health checks.

[liggitt]

That seems really odd. It reports healthy before it can serve traffic?

[pravisankar]

                  t1                    t2
   StartReload ----------> EndReload -----------> StartNextReload

t1 (time between start and end of reload) is variable as it depends on the number of routes/endpoints and also on cpu load on the router machine. So as routes/endpoints increase or decrease, what ever value we initially set may not be accurate/desired.
t2 (time between end and next start of reload) can be tuned irrespective of the number of routes or cpu load and this allows coalescing bunch of updates on router.
RELOAD_EVENT_WAIT may be unnecessary as RELOAD_GAP implicitly includes this case and also if we have a stream of events continuously then we may not reload for a long time.

I think instead of 3 knobs, just RELOAD_GAP knob will solve most of the reload problems and the current implementation of doing router reload and not blocking other in-memory router updates during this time will help a lot.

[knobunc]

Superseded by #17049