Use exponential backoff for failing migrations

[acardace]

What this PR does / why we need it:

When migrating a VM fails an increasingly exponential backoff will be applied before retrying.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #
https://bugzilla.redhat.com/show_bug.cgi?id=2124528

Special notes for your reviewer:

Release note:

Use exponential backoff for failing migrations

[acardace]

/uncc @maiqueb
/uncc @marceloamaral

[acardace]

/cc @vladikr
/cc @xpivarc
/cc @jean-edouard

[acardace]

Can you guys give a look and share thoughts about the approach/default values etc?

I still have to implement unit and e2e tests.

[larrydewey]

I will take a look at this today.

[jean-edouard]

/retest

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jean-edouard

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jean-edouard]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[enp0s3]

@acardace Hi, PR looks great! I have a few questions, please see below

[enp0s3]

we can have an err return if the c.listMigrationsMatchingVMI(vmi.Namespace, vmi.Name) fails, in that case the error type is not MigrationBackoffReason, we will need to check the returned error type before we generate an event

[xpivarc]

Good catch!

[acardace]

fixed, thank you for spotting that!

[enp0s3]

@xpivarc Hi, you mean to use status.migrtaionState.endTimestamp instead of PhaseTransitionTimestamp?

[enp0s3]

Why wouldn't run it in parallel?

[xpivarc]

We are deleting events. While with some effort we can make this parallel.

[acardace]

I'm just sticking to the existing functions.

[enp0s3]

@acardace Can we address the case of a cancelled migration?

[enp0s3]

+1

[acardace]

@enp0s3 isn't the canceled migration case handled at

kubevirt/pkg/virt-controller/watch/migration.go

Line 1172 in c0e4a6c

if migration.DeletionTimestamp != nil {

?

[acardace]

/retest-required

[enp0s3]

/lgtm
/unhold

@acardace Awesome, thanks for addressing the comments!

[kubevirt-bot]

@acardace: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-e2e-k8s-1.23-operator-nonroot	544e68e	link	true	/test pull-kubevirt-e2e-k8s-1.23-operator-nonroot
pull-kubevirt-e2e-k8s-1.25-sig-network	58ad400	link	false	/test pull-kubevirt-e2e-k8s-1.25-sig-network

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[acardace]

/cherrypick release-0.58

[kubevirt-bot]

@acardace: new pull request created: #8784

In response to this:

/cherrypick release-0.58

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rmohr]

Following the bugzilla discussion, I am curious on why we did not solve the pod accumulation and instead went for a back-off.

Here some thoughts where I would be happy to hear your thought-line:

• I could not identify a maximum back-off, do you rely in the gc for migration objects? Let's suppose the backoff kicked in 65 times (next retry would be in 10 minutes), I resolve a node problem, and for 10 minutes nothing would happen and delay my upgrade work? I would suggest to not rely on the garbage collection and add clear limits.
• What if the migration goes to another node? Would we try it faster?
• It feels slightly out-of-band with the default k8s behaviour. We also don't say: "user A posted now 10 times the same failing VM yaml, let's back-off". I know that maintenance with drains is tough. How fast does it retry? Did you consider it to retry too fast, compared to this back-off and just GCing the pods as insufficient?

[xpivarc]

Stating for others looking into this:

Following the bugzilla discussion, I am curious on why we did not solve the pod accumulation and instead went for a back-off.

Here some thoughts where I would be happy to hear your thought-line:

* I could not identify a maximum back-off, do you rely in the gc for migration objects? Let's suppose the backoff kicked in 65 times (next retry would be in 10 minutes), I resolve a node problem, and for 10 minutes nothing would happen and delay my upgrade work? I would suggest to not rely on the garbage collection and add clear limits.

Maximum backoff is 20 sec * 2 ^ (n-1) where n is const defaultFinalizedMigrationGarbageCollectionBuffer = 5. So we can expose this and make it tunable.

The second part. Right now the backoff would be applied even if you would fix the problem. Here we could only recommend a workaround - remove the last VMIM object.

* What if the migration goes to another node? Would we try it faster?

No. As of now we can't even know if the migration is targeted to another node.

* It feels slightly out-of-band with the default k8s behaviour. We also don't say: "user A posted now 10 times the same failing VM yaml, let's back-off".  I know that maintenance with drains is tough. How fast does it retry? Did you consider it to retry too fast, compared to this back-off and just GCing the pods as insufficient?

Eviction is often retried continuously. We can try to look into suggesting backoff to clients but they could still ignore the suggestion. Even with the pod GC the problem would remain. It seems reasonable to constrain ourselves only to VMIM created by eviction for now and revisit the overall backoff later.

[acardace]

Following the bugzilla discussion, I am curious on why we did not solve the pod accumulation and instead went for a back-off.

Here some thoughts where I would be happy to hear your thought-line:

* I could not identify a maximum back-off, do you rely in the gc for migration objects? Let's suppose the backoff kicked in 65 times (next retry would be in 10 minutes), I resolve a node problem, and for 10 minutes nothing would happen and delay my upgrade work? I would suggest to not rely on the garbage collection and add clear limits.

Yes it probably makes sense to make it explicit in code, the limit as Lubo said is implicit and governed by the migration object GC, it anyway is 320 seconds.

* What if the migration goes to another node? Would we try it faster?

No, but what if it's the source node that has issues? not sure if it makes sense to tweak it like this.

* It feels slightly out-of-band with the default k8s behaviour. We also don't say: "user A posted now 10 times the same failing VM yaml, let's back-off".  I know that maintenance with drains is tough. How fast does it retry? Did you consider it to retry too fast, compared to this back-off and just GCing the pods as insufficient?

[stu-gott]

/cherry-pick release-0.53

[kubevirt-bot]

@stu-gott: #8530 failed to apply on top of branch "release-0.53":

Applying: migration: use exponential backoff for failing migrations
Using index info to reconstruct a base tree...
M	pkg/virt-controller/watch/migration.go
M	pkg/virt-controller/watch/migration_test.go
M	pkg/virt-controller/watch/vmi.go
M	staging/src/kubevirt.io/api/core/v1/types.go
M	tests/migration_test.go
Falling back to patching base and 3-way merge...
Auto-merging tests/migration_test.go
CONFLICT (content): Merge conflict in tests/migration_test.go
Auto-merging staging/src/kubevirt.io/api/core/v1/types.go
Auto-merging pkg/virt-controller/watch/vmi.go
Auto-merging pkg/virt-controller/watch/migration_test.go
CONFLICT (content): Merge conflict in pkg/virt-controller/watch/migration_test.go
Auto-merging pkg/virt-controller/watch/migration.go
CONFLICT (content): Merge conflict in pkg/virt-controller/watch/migration.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 migration: use exponential backoff for failing migrations
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-0.53

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.