| ============ |
| HRoller tool |
| ============ |
| |
| .. contents:: :depth: 4 |
| |
| This is a design document detailing the cluster maintenance scheduler, |
| HRoller. |
| |
| |
| Current state and shortcomings |
| ============================== |
| |
| To enable automating cluster-wide reboots a new htool, called HRoller, |
| was added to Ganeti starting from version 2.7. This tool helps |
| parallelizing cluster offline maintenances by calculating which nodes |
| are not both primary and secondary for a DRBD instance, and thus can be |
| rebooted at the same time, when all instances are down. |
| |
| The way this is done is documented in the :manpage:`hroller(1)` manpage. |
| |
| We would now like to perform online maintenance on the cluster by |
| rebooting nodes after evacuating their primary instances (rolling |
| reboots). |
| |
| Proposed changes |
| ================ |
| |
| New options |
| ----------- |
| |
| - HRoller should be able to operate on single nodegroups (-G flag) or |
| select its target node through some other mean (eg. via a tag, or a |
| regexp). (Note that individual node selection is already possible via |
| the -O flag, that makes hroller ignore a node altogether). |
| - HRoller should handle non redundant instances: currently these are |
| ignored but there should be a way to select its behavior between "it's |
| ok to reboot a node when a non-redundant instance is on it" or "skip |
| nodes with non-redundant instances". This will only be selectable |
| globally, and not per instance. |
| - Hroller will make sure to keep any instance which is up in its current |
| state, via live migrations, unless explicitly overridden. The |
| algorithm that will be used calculate the rolling reboot with live |
| migrations is described below, and any override on considering the |
| instance status will only be possible on the whole run, and not |
| per-instance. |
| |
| |
| Calculating rolling maintenances |
| -------------------------------- |
| |
| In order to perform rolling maintenance we need to migrate instances off |
| the nodes before a reboot. How this can be done depends on the |
| instance's disk template and status: |
| |
| Down instances |
| ++++++++++++++ |
| |
| If an instance was shutdown when the maintenance started it will be |
| considered for avoiding contemporary reboot of its primary and secondary |
| nodes, but will *not* be considered as a target for the node evacuation. |
| This allows avoiding needlessly moving its primary around, since it |
| won't suffer a downtime anyway. |
| |
| Note that a node with non-redundant instances will only ever be |
| considered good for rolling-reboot if these are down (or the checking of |
| status is overridden) *and* an explicit option to allow it is set. |
| |
| DRBD |
| ++++ |
| |
| Each node must migrate all instances off to their secondaries, and then |
| can either be rebooted, or the secondaries can be evacuated as well. |
| |
| Since currently doing a ``replace-disks`` on DRBD breaks redundancy, |
| it's not any safer than temporarily rebooting a node with secondaries on |
| them (citation needed). As such we'll implement for now just the |
| "migrate+reboot" mode, and focus later on replace-disks as well. |
| |
| In order to do that we can use the following algorithm: |
| |
| 1) Compute node sets that don't contain both the primary and the |
| secondary of any instance, and also don't contain the primary |
| nodes of two instances that have the same node as secondary. These |
| can be obtained by computing a coloring of the graph with nodes |
| as vertexes and an edge between two nodes, if either condition |
| prevents simultaneous maintenance. (This is the current algorithm of |
| :manpage:`hroller(1)` with the extension that the graph to be colored |
| has additional edges between the primary nodes of two instances sharing |
| their secondary node.) |
| 2) It is then possible to migrate in parallel all nodes in a set |
| created at step 1, and then reboot/perform maintenance on them, and |
| migrate back their original primaries, which allows the computation |
| above to be reused for each following set without N+1 failures |
| being triggered, if none were present before. See below about the |
| actual execution of the maintenance. |
| |
| Non-DRBD |
| ++++++++ |
| |
| All non-DRBD disk templates that can be migrated have no "secondary" |
| concept. As such instances can be migrated to any node (in the same |
| nodegroup). In order to do the job we can either: |
| |
| - Perform migrations on one node at a time, perform the maintenance on |
| that node, and proceed (the node will then be targeted again to host |
| instances automatically, as hail chooses targets for the instances |
| between all nodes in a group. Nodes in different nodegroups can be |
| handled in parallel. |
| - Perform migrations on one node at a time, but without waiting for the |
| first node to come back before proceeding. This allows us to continue, |
| restricting the cluster, until no more capacity in the nodegroup is |
| available, and then having to wait for some nodes to come back so that |
| capacity is available again for the last few nodes. |
| - Pre-Calculate sets of nodes that can be migrated together (probably |
| with a greedy algorithm) and parallelize between them, with the |
| migrate-back approach discussed for DRBD to perform the calculation |
| only once. |
| |
| Note that for non-DRBD disks that still use local storage (eg. RBD and |
| plain) redundancy might break anyway, and nothing except the first |
| algorithm might be safe. This perhaps would be a good reason to consider |
| managing better RBD pools, if those are implemented on top of nodes |
| storage, rather than on dedicated storage machines. |
| |
| Full-Evacuation |
| +++++++++++++++ |
| |
| If full evacuation of the nodes to be rebooted is desired, a simple |
| migration is not enough for the DRBD instances. To keep the number of |
| disk operations small, we restrict moves to ``migrate, replace-secondary``. |
| That is, after migrating instances out of the nodes to be rebooted, |
| replacement secondaries are searched for, for all instances that have |
| their then secondary on one of the rebooted nodes. This is done by a |
| greedy algorithm, refining the initial reboot partition, if necessary. |
| |
| Future work |
| =========== |
| |
| Hroller should become able to execute rolling maintenances, rather than |
| just calculate them. For this to succeed properly one of the following |
| must happen: |
| |
| - HRoller handles rolling maintenances that happen at the same time as |
| unrelated cluster jobs, and thus recalculates the maintenance at each |
| step |
| - HRoller can selectively drain the cluster so it's sure that only the |
| rolling maintenance can be going on |
| |
| DRBD nodes' ``replace-disks``' functionality should be implemented. Note |
| that when we will support a DRBD version that allows multi-secondary |
| this can be done safely, without losing replication at any time, by |
| adding a temporary secondary and only when the sync is finished dropping |
| the previous one. |
| |
| Non-redundant (plain or file) instances should have a way to be moved |
| off as well via plain storage live migration or ``gnt-instance move`` |
| (which requires downtime). |
| |
| If/when RBD pools can be managed inside Ganeti, care can be taken so |
| that the pool is evacuated as well from a node before it's put into |
| maintenance. This is equivalent to evacuating DRBD secondaries. |
| |
| Master failovers during the maintenance should be performed by hroller. |
| This requires RPC/RAPI support for master failover. Hroller should also |
| be modified to better support running on the master itself and |
| continuing on the new master. |
| |
| .. vim: set textwidth=72 : |
| .. Local Variables: |
| .. mode: rst |
| .. fill-column: 72 |
| .. End: |
