enable etcd watch cache for k8s types

[liggitt]

related to #8392

[liggitt]

[test] [extended:core]

[liggitt]

@smarterclayton @timothysc

[timothysc]

imo we can safely up this to 600, b/c we plan to override @ scale today. Smaller installations would be unaffected.

The legacy # of 400 was chosen back in the 1.0 release.

[liggitt]

This is per master

[smarterclayton]

Also, Kube doesn't always do their options "right" so we don't get the tap
on the shoulder in the code where the new options are obviously missing.

On Wed, Apr 6, 2016 at 6:19 PM, Jordan Liggitt [email protected]
wrote:

In
Godeps/_workspace/src/k8s.io/kubernetes/pkg/genericapiserver/server_run_options.go
#8395 (comment):

@@ -46,6 +46,7 @@ func NewServerRunOptions() *ServerRunOptions {
InsecureBindAddress: net.ParseIP("127.0.0.1"),
InsecurePort: 8080,
LongRunningRequestRE: defaultLongRunningRequestRE,

•   MaxRequestsInFlight:  400,
  

This is per master

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/8395/files/714b88b4308eb44f74ead7e66395fd98aa98207c#r58792210

[jeremyeder]

Question out of my ignorance for the process...when we rebase kube into origin, wouldn't these things be included?

[liggitt]

We get the capability for k8s resources, but we drive server startup from our config, not from command line flags. We continually have to verify that new kubernetes options we want are enabled, and new kubernetes options we don't want are not enabled.

[timothysc]

A configdump option seems like it's going from a nice-to-have, to essential... pretty fast.

[liggitt]

Not sure what you mean by "config dump option"

[timothysc]

The main idea was to dump all the values of all the knobs. kubernetes/kubernetes#14916

[liggitt]

Ah. Unfortunately, at the point where the config, defaults, and flags have been transformed into the actual options structs used to run the components, about a third of the fields are no longer serializable values, but are instantiated runtime objects.

[derekwaynecarr]

I am in favor of enabling this change.

[ncdc]

This is probably something we should turn on, considering it's a big performance win in Kube 1.2. My only hesitation is how late in the release cycle we are, but I think we're better off enabling it and keeping an eye out for weird/unexpected issues. And then make supporting the watch cache for origin resources a P0 but maybe not strictly required for 3.2.

[jeremyeder]

@derekwaynecarr thoughts on this being related to web UI scaling issues, as well?

[liggitt]

It's definitely related. Multiple identical watches should not all be hitting the etcd backend with this cache turned on

[ncdc]

Even more reason to enable it, and add support for the Origin resources too

[jeremyeder]

@abhgupta this one should be on your list.

[liggitt]

Totally agree, just a question of risk. I'm 65% in favor of enabling the but we have now (k8s resource watch cache)

[ncdc]

Let's enumerate the possible known risks?

[timothysc]

I'm testing by explicitly setting right now.

[jeremyeder]

I've also asked @rflorenc to re-run his webUI tests with

kubernetesMasterConfig: 
  apiServerArguments:
    watch-cache:
      - "true"

[liggitt]

You need this PR to make the setting effective

[smarterclayton]

Why wouldn't that be enabled? It's on the APIServer struct that we would pass down?

[smarterclayton]

.... we don't use the APIServer object we create anywhere later?

[liggitt]

only to populate the genericapiserver config struct at https://github.com/openshift/origin/pull/8395/files#diff-05523003a782d7b3b61c2608a29dfb39R255

[liggitt]

The main risk is that the watch cache behaves differently than the watch directly against etcd. Looks like one of the test runs failed with this:

FAILURE after 1.311s: test/cmd/admin.sh:364: executing 'oc get user/~ --token="$( oc sa new-token my-sa-name )"' expecting success and text 'system:serviceaccount:.+:my-sa-name': the output content test failed
Standard output from the command:
NAME           UID       FULL NAME   IDENTITIES
system:admin                         
Standard error from the command:
error: unxepected action: token was added after initial creation

which means we got an Added event on a watch started from the resource version of a newly created object. That sounds like different behavior to me.

[smarterclayton]

Just seeing this makes me say this is too risky for 1.2. We'll have to get
a much longer bake time.

On Thu, Apr 7, 2016 at 1:49 PM, Jordan Liggitt [email protected]
wrote:

The main risk is that the watch cache behaves differently than the watch
directly against etcd. Looks like one of the test runs failed with this:

FAILURE after 1.311s: test/cmd/admin.sh:364: executing 'oc get user/~ --token="$( oc sa new-token my-sa-name )"' expecting success and text 'system:serviceaccount:.+:my-sa-name': the output content test failed
Standard output from the command:
NAME UID FULL NAME IDENTITIES
system:admin
Standard error from the command:
error: unxepected action: token was added after initial creation

which means we got an Added event on a watch started from the resource
version of a newly created object. That sounds like different behavior to
me.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8395 (comment)

[timothysc]

Could we default off, and vet for openshift?

[liggitt]

sure

[timothysc]

What is weird to me is storage is configured per-resource, and each resource sets the boundary for it's cache.

[timothysc]

So in digging into the reason for the error it looks like openshift is triggering on implied watch event semantics, where upstream does not.

Upstream tests on the cacher clearly show semantics as
watch.Added then watch.Modified

Where the code in https://github.com/openshift/origin/blob/master/pkg/cmd/cli/sa/newtoken.go#L219 could probably just read as:

case watch.Added, watch.Modified:

@liggitt are there other failures besides this one, that I'm not seeing?

[liggitt]

hadn't dug yet, and that failure blocked later tests from running

[liggitt]

without the cache, watching from resourceVersion N, the first delivered event is the first resourceVersion past N

watching from resource version 325
Got MODIFIED event for resource version 326

with the cache, watching from resourceVerson N, the first delivered event is resourceVersion N.

watching from resource version 311
Got ADDED event for resource version 311

that means the cache is not a transparent change... we'll need to fix that before we can enable it

and that behavior just shipped in 1.2 upstream :(

[smarterclayton]

We definitely need to fix upstream - that's a breaking, non backwards compatible change, and it's horrifying no one noticed.

[liggitt]

opened kubernetes/kubernetes#24004

[liggitt]

updated with upstream watch cache fix, rerunning tests

[jeremyeder]

@liggitt so ... with that should we re-test at this point?

[liggitt]

won't really affect performance numbers, it'll just let our tests and controllers that really care about exact resourceVersion starting points work correctly

[jeremyeder]

ah. ok. thank you.

[smarterclayton]

[test]

On Fri, Apr 8, 2016 at 10:55 AM, OpenShift Bot [email protected]
wrote:

continuous-integration/openshift-jenkins/test NOTFOUND (
https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/2827/)
(Extended Tests: core)

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8395 (comment)

[openshift-bot]

Evaluated for origin test up to 3639830

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/2850/) (Extended Tests: core)

[liggitt]

clean origin test runs. 2 failures in extended tests:

Summarizing 2 Failures:

[Fail] deployments: parallel: test deployment test deployment [It] should run a deployment to completion and then scale to zero
/data/src/github.com/openshift/origin/test/extended/deployments/deployments.go:29

[Fail] Kubectl client Update Demo [It] should scale a replication controller [Conformance]
/data/src/github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/test/e2e/util.go:1469

[smarterclayton]

Those are known flakes

On Apr 8, 2016, at 3:21 PM, Jordan Liggitt [email protected] wrote:

clean origin test runs. 2 failures in extended tests:

Summarizing 2 Failures:

[Fail] deployments: parallel: test deployment test deployment [It] should
run a deployment to completion and then scale to zero
/data/src/
github.com/openshift/origin/test/extended/deployments/deployments.go:29

[Fail] Kubectl client Update Demo [It] should scale a replication
controller [Conformance]
/data/src/
github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/test/e2e/util.go:1469

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8395 (comment)

[timothysc]

Are we in the clear then?

We're fixing the dep issues on the e2es upstream, btw.

[smarterclayton]

Approved Lgtm [merge]

[smarterclayton]

[merge] now that Sams fix is in the queue

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5566/) (Image: devenv-rhel7_3952)

[smarterclayton]

Wonderful:

--- FAIL: TestTryOrdering (0.02s)
    rate_limited_queue_test.go:179: order was wrong: [first third second]
FAIL
coverage: 61.4% of statements

[smarterclayton]

Spawned kubernetes/kubernetes#24125

[merge]

[liggitt]

Not new to this PR

[openshift-bot]

Evaluated for origin merge up to 3639830