Add StartupOptions for time-based retries on startup

[amerjusupovic]

StartupOptions and the Timeout property

This PR adds the new Startup property to AzureAppConfigurationOptions. You can set the Startup.Timeout property equal to a TimeSpan that represents how long the provider should continue retrying the store and replicas passed to the provider before failing.

Example usage:

config.AddAzureAppConfiguration(options =>
{
   // . . .
    options.ConfigureStartupOptions(startupOptions =>
    {
        startupOptions.Timeout = TimeSpan.FromMinutes(5);
    });
});

[avanigupta]

Is this change necessary?

[amerjusupovic]

Referenced it in StartupOptions to try and keep this value consistent for both files, but I could just use a constant there too. Also, not entirely sure about the MaxRetryDelay property being necessary anyway, so open to removing that/replacing it with others.

[avanigupta]

Do we want to support a different MaxRetryDelay for startup vs refresh?
@jimmyca15

[jimmyca15]

I don't see why we would.

[jimmyca15]

Looks like my second comment got swallowed. Although I expect we would use the same time, I don't think this should be shared in that manner. A separate field to reference where needed seems appropriate.

[zhenlan]

                if (_mappedData == null)

Is this only triggered during refresh? If so, it means the startup is already done (though initial configuration load had failed). We shouldn't use the startup logic here, because if anything fails here it will be tried again in the next refresh. #Closed

---

Refers to: src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs:211 in c8ada35. [](commit_id = c8ada35, deletion_comment = False)

[zhenlan]

Can we make this 1s a const? This is the minimum delay between retries. Not sure if we should have a maximal delay and slowly grow the delay between retries. Thoughts?

[avanigupta]

The actual server calls are already retried with some exponential backoff strategy. I dont see why we would need to slow down the overall startup retries.

[avanigupta]

Unless the concern is that this can be misused by customers if they set SDK retries to 0. If SDK is not retrying, we'll keep retrying every 1 second which is not good. So having this second layer of retries with exponential backoff might be good.

[zhenlan]

Imagining there is only one client, we don't want to beat that client in a tight loop.

[jimmyca15]

I think Amer will be reworking this a bit. I agree that we should backoff on the top level. I suggested a flow like below.

public async Task LoadAsync()
{
    var cts = new CancellationTokenSource(_startupOptions.Timeout);

    var errors = new List<Exception>();

    int attempts = 0;

    while (true)
    {
        attempts++;

        IEnumerable<ConfigurationClient> clients = _clientManager.GetClients(ignoreBackoff: true);

        if (await TryInitializeAsync(clients, errors, cts.Token))
        {
            break;
        }

        try
        {
            await Task.Delay(Timespan.FromSeconds(1).Backoff(attempts), cts.Token);
        }
        catch (OperationCanceledException)
        {
            throw new TimeoutException(
                new AggregateException(errors));
        }
    }
}

//
// TryInitializeAsync
// It swallows (returns false for) operation canceled exception
// It swallows failoverable exceptions
// It propagates non-failoverable exceptions
// It fills the 'errors' list with swallowed exceptions

[jimmyca15]

Default timeout of one minute seems a bit low. I'd go with 10 minutes.

[zhenlan]

I'm a bit concerned that we may get complaints like Azure/AppConfiguration#255 all over again if we set the default startup timeout to anything more than a minute.

[jimmyca15]

It doesn't make sense to pass the time and the ignore backoff parameter.

Perhaps a separate method is warranted. GetClients, which returns all clients. #Closed

[zhenlan]

How about GetAllClients() to better differentiate from GetAvailableClients?

[jimmyca15]

pr example usage needs an update.

[jimmyca15]

We shouldn't have a Constants namespace. it's not useful.

[jimmyca15]

Suggested change

	if (exception.InnerExceptions?.Any(e => e is RequestFailedException) ?? false)
	if (exception.InnerExceptions != null &&
	exception.InnerExceptions.Any(e => e is RequestFailedException))

A suggestion, I feel the ?? false is a bit weird to read.

[jimmyca15]

the timespan you are passing to the method has a different value than the one you have checked in the condition.

[jimmyca15]

To avoid the problem, you could cache elapsed in a variable, but I'd recommend an approach like

TimeSpan delay;
if (startupStopwatch.TryGetFixedBackoff(out Timespan backoff))
{
    delay = backoff;
}
else
{
    postFixedWindowAttempts++;

    delay = FailoverConstants.MaxFixedStartupBackoff.CalculateBackoff(
        attempts: postFixedWindowAttempts,
        maxDuration: FailOverConstants.MaxBackoffDuration
    );
}

await Task.Delay(delay, ct);

[zhenlan]

For a ratio of 0.5, do we expect a jitted time of 10s falls in [5, 15]? If so, above implementation is incorrect as it generates the range of [7.5, 12.5]. I hope something like below is easier to understand:

double jitter = ratio * (rand.NextDouble() * 2 - 1);
double interval = timeSpan.TotalMilliseconds * (1 + jitter);
return TimeSpan.FromMilliseconds(interval);

[jimmyca15]

jittering a 10s duration by a ratio of .5 introduces a 5 second (10 x .5) window. So the expectation is [7.5, 12.5]

[zhenlan]

The formula can be updated easily to achieve the desired results, but that's not intuitive to me. The 50% jitter doesn't give me 50% more (or less) than what I had. So if I want 100% more (or less) than what I had, I actually need a 200% jitter. Isn't that weird?

[jimmyca15]

Discussed separately with @zhenlan. Seems more people interpret the ratio here as the delta from the extreme end of the possible duration window to the original duration. In that case, we would benefit to change it.

So jitter(10, .5) yields [5, 15] rather than [7.5, 12.5]

[zhenlan]

Move this into the loop so you get new clients when replica auto discovery is enabled.

[zhenlan]

MinStartupBackoffDuration with comments

[jimmyca15]

Actually, the variable shouldn't even be needed.

[jimmyca15]

The maxBackoffDuration variable shouldn't be needed. The max backoff in this case should always be our 10 min max backoff.

[jimmyca15]

What's the point of the maxDuration parameter then? I don't see it used

[amerjusupovic]

I agree, I missed some things here. Zhenlan suggested just using CalculateBackoffDuration and adjusting that method to use jitter instead of the randomizing it does in the last line. At this point we're using the same backoff duration values, so unless there's a reason refresh is different from startup retries then I think it makes sense.

[jimmyca15]

A single method will be better. That's your suggestion right?

[amerjusupovic]

Right, just one method and removing the CalculateExponentialStartupBackoffDuration method

[jimmyca15]

Perfect, let's do it.

[jimmyca15]

Just update that implementation with this one should be good right?

[jimmyca15]

I really only see a need for this logic in TryGetFixedBackoff, and in that case the default return isn't needed since TryGetFixedBackoff would return false. I recommend moving it in there.

[zhenlan]

I believe @jimmyca15 prefers this to be 0.25.

[zhenlan]

[jimmyca15]

Seems solid, but the multiassignment to innerException threw me off a bit. I think it would help if the assignment to inner exception only happened once because it's really behaving in a branched manner.

I'd suggest

            if (rfe.Status == HttpStatusCodes.TooManyRequests ||
                rfe.Status == (int)HttpStatusCode.RequestTimeout ||
                rfe.Status >= (int)HttpStatusCode.InternalServerError)
            {
                return true;
            }

            Exception innerException;

            if (rfe.InnerException is HttpRequestException hre)
            {
                innerException = hre.InnerException;
            }
            else
            {
                innerException = rfe.InnerException;
            }

            // The InnerException could be SocketException or WebException when an endpoint is invalid and IOException if it's a network issue.
            return innerException is WebException ||
                   innerException is SocketException ||
                   innerException is IOException;