[sled-agent] Refactor service management out of StorageManager
#2946
Conversation
…zones, zone_name -> zone_type, config -> ledger
smklein
added
storage
| // pretty tight; we should consider merging them together. | ||
| let storage_manager = | ||
| StorageManager::new(&log, underlay_etherstub.clone()).await; | ||
| let storage_manager = StorageManager::new(&log).await; |
sled-agent/src/services.rs
Outdated
| .join(STORAGE_SERVICES_CONFIG_FILENAME) | ||
| } | ||
|
|
||
| // TODO(ideas): |
sled-agent/src/services.rs
Outdated
| // - ... Writer which *knows the type* to be serialized, so can direct it to the | ||
| // appropriate output path. | ||
| // | ||
| // - TODO: later: Can also make the path writing safer, by... |
There was a problem hiding this comment.
Maybe move this technique out into an issue?
There was a problem hiding this comment.
See: #2972 - I just finished implementing this.
sled-agent/src/services.rs
Outdated
| ); | ||
| } | ||
| self.load_non_storage_services().await?; | ||
| // TODO: These will fail if the disks aren't attached. |
There was a problem hiding this comment.
I'm having a hard time reasoning about when we'd want to retry, since it's unclear to me when a disk would become attached within a retry period. My admittedly, somewhat uninformed, take at this moment is that we shouldn't retry.
I think the distinction between these calls not retrying and NTP retrying is twofold:
- NTP retries even on successful startup, since we are waiting for time sync
- NTP is a barrier to starting other services. If it fails later services will not work.
There was a problem hiding this comment.
This definitely deserves a follow-up bug - it's only relevant in the "cold boot" case, but that does matter!
Here's the deal:
- When we boot the sled agent, it's possible that not all disks have been parsed (e.g., suppose there's a U.2 that's slow to bind a driver).
- When we call this function, we'll read the service ledger from the M.2s, see what services should be started, and try starting them.
- If any of those services...
- ... have datasets in the U.2s
- ... have zone filesystems in the U.2s
- ... then we'd fail to start them.
But that doesn't mean we should never launch the service - if it's in the M.2 service ledger, either RSS or Nexus provisioned that service, so we should keep giving it a shot. "The driver did bind, but it just took a while" and "The U.2 was unplugged, but someone put it back" are both cases where we should be able to launch these services, even if we might initially fail.
If, after a long enough period of time, we determine that we cannot launch that service (if the U.2 is detached, fails, etc), then we'd have an opportunity to do some notification through the fault tolerance system (we either tell Nexus that the service isn't booting, or Nexus notices on its own somehow).
There was a problem hiding this comment.
Filed #2973 , will mention it in this PR
There was a problem hiding this comment.
Mentioned in ed20fff
There was a problem hiding this comment.
Thanks for the explanation. Those justifications make sense to me.
| pub all_svcs_config_path: PathBuf, | ||
| // The path for the ServiceManager to store information about | ||
| // all running services. | ||
| all_svcs_ledger_path: PathBuf, |
There was a problem hiding this comment.
Why the change from config to ledger here?
Also, if we are going to change the names, we may also want to change the constants to refer to LEDGER instead of CONFIG.
There was a problem hiding this comment.
I think I got confused between the following overloaded use of the term "config":
- We use "config" to describe parameters for a variety of modules within the sled agent, to describe tweaks on how they should be executed. For example, the sled agent has a "config", the bootstrap agent has a "config", the storage manager also has a "config".
- totally separately, we're storing the list of services that the sled manages. I had previously called this "config", but I think the name was not-totally-accurate, so I'm updating it to ledger. After all, it's just a ledger of "what am I responsible for running".
RE: the constants, will do!
History
The Sled Agent has historically had two different "managers" responsible for Zones:
ServiceManager, which resided over zones that do not operate on DatasetsStorageManager, which manages disks, but also manages zones which operate on those disksThis separation is even reflected in the sled agent API exposed to Nexus - the Sled Agent exposes:
PUT /servicesPUT /filesystemFor "add a service (within a zone) to this sled" vs "add a dataset (and corresponding zone) to this sled within a particular zpool".
This has been kinda handy for Nexus, since "provision CRDB on this dataset" and "start the CRDB service on that dataset" don't need to be separate operations. Within the Sled Agent, however, it has been a pain-in-the-butt from a perspective of diverging implementations. The
StorageManagerandServiceManagerhave evolved their own mechanisms for storing configs, identifying filesystems on which to place zpools, etc, even though their responsibilities (managing running zones) overlap quite a lot.This PR
This PR migrates the responsibility for "service management" entirely into the
ServiceManager, leaving theStorageManagerresponsible for monitoring disks.In detail, this means:
storage_manager.rsintoservices.rsStorageManagerno longer requires an Etherstub device during constructionServiceZoneRequestcan operate on an optionaldatasetargument/var/oxide/services.tomland/var/oxide/storage-services.tomlfor each group.filesystem_ensure- which previously asked theStorageManagerto format a dataset and also launch a zone - now asks theStorageManagerto format a dataset, and separately asks theServiceManagerto launch a zone.