Content management: managing state

[enykeev]

Problems:

• Action runners run code that appear to be on the disk at the moment of the run.
• We don't have a story on how entry point code ends up on the disk for the remote runner.
• We assuming that multiple users would never edit the same pack at the same time.
• We have no way of knowing what was the state of filesystem at the moment of execution and have no guarantees that the action did that it supposed to do.
• Our dependency management story to this point revolves around failing if the current version of the pack doesn't match the required one

My proposal is to give every component its own state and the ability to mutate it between a shared set of states. As far as implementation goes, git fits the bill perfectly and we already picked it to be at the core of our pack management solution.

What we're now calling /opt/stackstorm/packs should be replaced with a set of bare git repositories. This repositories should accept pushes from the user and be programmatically pulled by pack management module (it might be an st2api or a designated component) during pack update. Bare in this case means that repo doesn't have a working copy, it doesn't have a current state, no one can edit it manually and there is no problem with stashing it to switch to other state.

Instead, every component should have its own /opt/stackstorm/packs which he himself (or pack management component of choice) should have to keep up to date with the main repository.

ActionRunner would be able to checkout the particular git hash for every execution he's about to run given us an ability to define a particular version of the code we want to run. It would allow us to do dependency management per execution and it would also allow multiple users run different versions of the same pack on the same machine. The repo should be fetched asynchronously and the cost of checking out a new hash is relatively low. We would still have a problem with potential venv and system dependencies mismatch, though. First can be solved by having a set of virutalenvs addressed by the hash of requirements.txt. The second one most likely would require us to run ActionRunners inside the containers and manage this containers inside st2. Neither of the two is covered by this proposal.

Sensors are very much alike to ActionRunners in their requirements to the code, but they are restarting way less frequently and may start duplicating the events if more than one instance is running at a time. In case of sensors, the version we want to run should be defined upfront and their management is completely up to the user.

Rules, Aliases and Triggers are similar to Sensors in the sense that it is impossible to predict how multiple instances would react in a certain situations. Defining a version of the code during registration (or switching between versions with API call) would at least give us an insight into the state of the system at any given moment and would allow us to build collaboration tool of some kind that would allow multiple users to work on the same instance without interference.

As far as the registration goes, we would need to figure out how we're going to approach having multiple versions of the meta. We can either load every version of the meta to the db, load only the one considered master at the given moment and load specific ones from the disk or pretty much everything in between. I don't see how we can decide that without profiling.

Another part of having core repository bare is that it allows us to expose it through the API or SSH for users to push their versions of the packs they've been working on on their own machines. User would not need to login to st2 instance anymore to edit the pack. And thanks to ActionRunner state, user should be able to run a specific version of the action he just uploaded.

Giving every ActionRunner its own state also solves the problem of code distribution in HA environment. As soon at new code has been pushed, all the runners would get a request to fetch it from the core repo. The process of synchronizing the data may create some delays on executions waiting for the particular version of the code to arrive, but having to consistency to what being executed by the node seems miles worse to me.

If we decide that we want to conserve disk space, we need to came up with synchronization mechanics. We can register rules and triggers from the same storage providing we do it serially. We may not be able to avoid races for multiple action runners reading the same storage.

One of the requirement was so that st2 should still be able to work as it is working right now without all this fancy new stuff. Potentially, we can just point all the individual stagings to the same folder and check for the config flag to pass all the synchronization routines. Personally, it seems to me that the "old way" of using st2 should not stick for long considering that we would absolutely not being able to backport all the new features to the old single state approach.

There is still a ton of tiny details such as how new pluggable runners fit the picture, how configs should be distributed, permission control, connectivity implications and such. But in the broad strokes:

• switch from using files to working with repositories in package management (clone, fetch)
• every component should have its own staging or a way of synchronizing access to a common staging
• ActionRunner should be able to run a specific version of the code defined in work order
• decide how we going to approach registering multiple versions of meta for st2api and st2reactor to get a proper set of parameters for the work order
• expose core repository through API or SSH for user to push his code to st2 instance

The task could (and probably should be) further broken apart on a smaller steps, though we need to keep in mind and try not to expose our user to the changes in their workflow too often as they may easily became fatigued.

[emedvedev]

TL;DR: an installed pack, instead of being a bunch of files, becomes a git repo. Action runners check out the necessary revision every time an action is launched, users push changes to the repo instead of editing files, and if there's a dependency on another pack, you can specify a version/revision that will be checked out. Sync issues go away, version conflicts go away, HA pack deployment is solved.

This is a very radical proposal, but I like its potential. If we can agree on this approach, iron out the kinks, and come up with a plan/roadmap, it just might be the solution to most problems we currently have with content management.

[Kami]

In general I do like the git idea and in high level it's very similar to what I proposed in the past (git repos on disk, some kind of hook which pulls on update, etc.).

I do think every component having it's own copy of packs and checking out a specific revision when an action is executed is also the ideal end scenario (easy to audit, ensure which version ran, etc.).

Having said that, is it possible to scope it down a bit and make it simpler for v1 - perhaps only one global repo (/opt/stackstorm/packs) per server, but all of the git stuff still applies. I think this would solve a lot of problems which get introduced if we want version per component and it would also be a good prototype to try out.

[Kami]

And for actual deployment of new content to all the servers, we could also dog food and leverage StackStorm by leveraging git sensor and rules and implementing some changes which are a good idea in any case:

• Runner capabilities and affinity - allow user to specify "capability" / tags / similar which need to be met by the runner where execution will run. In short, this basically allows user to select server on which execution will run (something which has been requested and debated in the past).
• User needs to run action runner process on each server. That's not a bad idea, and by leveraging affinity, we would dedicate one action runner on each server just for managing and syncing the content - this way there would be no contention and this runner would never be overloaded so we could guarantee sync in some reasonable time frame (in the end it's still a distributed and eventually consistent system though)

[emedvedev]

leveraging git sensor and rules

IIRC @enykeev's idea is to checkout the action when the execution's been requested (with caching, of course). So we don't even need a sensor, but this is going to add some occasional delay, so need to measure carefully here.

[enykeev]

Yes, I personally don't see how we can use git sensor here as the change proposed in supposed to work on the lower level and the requirement for the system to have an active git sensor for runners to work at all will make our life a living hell.

For affinity, I do like an idea on paper and I have to admit it was probably the best part of Taskflow design back in the days when I evaluated how we can merge them with Mistral. But I'm having a hard time to came up with use cases that would justify the amount of redesign required for that. And I'm absolutely positive it is going to be the pain on the scale we've never encountered before. Surely, I'd rather not mix it with this proposal. I'd rather us not even mention it in this thread ;)

As for the scoping it down, there is several places we can cut it, but for now I see very little benefits for us to having only part of the solution and we surely have to do more work at the end. In general, I agree, it would be nice not to do it all at once and DZ shares the notion too. I'll spend some more time trying to figure out HOW.

[enykeev]

Since we decided that it's time to go for a stage two of pack management, here's the steps I see:

- Downplay the runner meta

Runners do not have any other use in the system outside of their parameters being merged\overriden by action parameters during execution.

On practice, changes to runners happen so rarely, there's little to no point to merge the parameters JIT. Instead, in my opinion, it should happen once on action registration. The properties inherited from the runner should then be marked as such and filtered on the API layer if needed.

This way, components other than the one registering the actions doesn't need to know of runners existance at all.

We still may have a problem with different versions of the runners installed on different st2action nodes, but at the very least, we don't have to worry about st2api and the rest of the nodes anymore.

- Add command and notification exchanges for pack management

Right now, we use execution exchange for pack management commands which requires us to have pack management actions - a chicken\egg problem.

Pack management capabilities should be integrated into runners themselves so that every pack (even core) could have been installed without any dark magic required.

We should also stop assuming workers have shared access to the FS and pack files are simply magically appear on disk where the worker expects them to be. For each distributed node there should be a worker that actually goes and pulls pack data, creates venvs and so forth. We can make the command queue (one that will contain a command to install\remove a pack) a fanout and then add some form of a lock to prevent other workers on the same node from installing the same pack again (which is costly and can introduce an unexpected behaviour).

Notification exchange is a back channel for workers to report on their progress on installing the pack. If we use a fanout exhange, command and notification exchanges could be the same. st2stream should listen to this exchange and translate the messages to the clients.

- Extend action ref with version part

User should be able to define a particular version of the action he wants to run (ex. core.local:dead34beef...) as git ref. Worker should check out the particular reference before running the action.

It is important to remember that actions may vary in their behavior quite widely between versions. In some cases, they may have a different set of parameters or different defaults. In others, they will depend on different versions of venv. Sometimes, there may not even be the action in the version requested.

The task could be split onto multiple parts:

1. allow git ref as a part of action ref and raise an error when requested ref doesn't match the one checked out on the worker
2. check out proper reference, but raise an error when meta or venv is different
3. require pack reference to be registered before being executed, create new venv for every git reference
4. create new venv only when requirements.txt changes. Use file has as a key and only install new venv if it wasn't previously installed for this key.

- Add dependencies section to pack.yml

User should be able to define dependencies on the pack level. After that, each mention of the action inside the pack that doesn't specify the version, should default to the version defined in dependencies.

All dependent version of the packs should be installed during pack installation. Additionally, it would have been great to go through all the workflows to ensure we also installed all the packs where user did mention the pack version in the reference, but it might not be feasable. As a middle ground, we can either (A) allow defining multiple dependent versions for a single pack (implying AND logic as "required both version A and version B") and treat first of them as default one or (B) having a separate list of additional pack dependencies for the purpose of speeding up the runtime.

Option A would look something like that:

...
dependencies:
    core: 1.1.0
    linux:
        - 1.0.0 # <- this is the version `linux.mv` will resolve to
        - 0.9.8
        - 0.8.0
...

Option B might look like that:

dependencies:
    core: 1.1.0
    linux: 1.0.0
alternativeDependencies:
    - linux: 0.9.8
    - linux: 0.8.0

- Rules, sensors, aliases

For now, I'd rather us avoid introducing versioning anywhere else. For one, I didn't hear anyone asking for it. The challenges seem obvious to me, the solutions on the other hand are not.

- System dependencies

At some point in time, we should make it available for user to also define a set of system-wide dependencies that should be present for pack to install\run. I don't think st2 should manage system dependecies, but it could (and probably should) warn user in case pack's system dependencies do not match what's installed on their system.

This mechanism could also be used to define a version of st2 itself that is required to run the pack.

[enykeev]

Ok, 1k words time:

1. is how our pack installation works today. Even though there is a certain benefit in dogfooding ourselves by using primitives we build internally, this approach limits us in a number of ways, especially when it comes to docker\HA.

2. is how I think it should look. Pack management should became an integral part of st2action worker and the command to install a pack should come through separate fanout exchange to all the workers currently live. Workers need then report back with their progress so the UI could be properly updated.

3. is how pack registration looks now. It happens completely outside the st2. This limits our control over registration process and prevents us from implementing features like live updates of action list or reacting on new content via rules.

4. is one of the ways we can relatively cheaply implement a proper flow for pack registration with the same separation of responsibilities as with pack installation. As with pack install, registration command should go through separate fanout exchange.

5. is the preferred, but costly way of implementing content registration. It doesn't have a particular benefit at the moment, but it paves the way to the future when st2action won't have any access to DB and instead is either going to expect all the data it might need during the execution to arrive with initial request or have a way to request additional data via MQ.

[Kami]

Thanks for the write up.

I think we are getting closes to a consensus :)

I also agree that 4 is a reasonable and incremental way to solve this problem. Instead of inventing a new special queue and pipeline for this, I think it would be great if we could utilize existing primitives and executions.

This way same functionality (execute on all action runners or execute on action runners having tag "windows for example - thing runner affinity which has been requested in the past) can be re-used for other use cases and we improve existing pipelines and primitives.

It's also worth noting that even though operations should be and are idempotent multiple action runners can run on the same host so we will need some filtering based of the action runner metadata (e.g. host attribute in the action runner host / process metadata) to ensure it only runs once per host.

[enykeev]

This way same functionality (execute on all action runners or execute on action runners having tag "windows for example - thing runner affinity which has been requested in the past) can be re-used for other use cases and we improve existing pipelines and primitives.

If I understand you correctly, you're talking about the same thing I call "job board", the way for st2actionrunner to pick and choose which executions he's capable of executing. It could be based on an abstract tag, a runner type of the execution or on some other property like a number of executions that are currently running on the node.

While I see a benefit of this approach, I also see it as a task entirely separate of pack management. And the one that could have became much simpler if we first figured out\documented the internal MQ communication protocol. Because right now it's a mess.

Also, using the same channel and existing primitives doesn't address my concern regarding the need for packs pack to be present for any pack to be installed. Something I consider a fundamental chicken\egg problem that prevents us from moving pack management forward and causes problems on the docker side.

It's also worth noting that even though operations should be and are idempotent multiple action runners can run on the same host so we will need some filtering based of the action runner metadata (e.g. host attribute in the action runner host / process metadata) to ensure it only runs once per host.

I wonder if instead of trying to figure out whether the particular node needs to run the installation process we instead come up with a type of idempotence that allows every node to run the command, but only the first call per node would actually do the work and the rest will just pause\silently finish.

[Kami]

If I understand you correctly, you're talking about the same thing I call "job board", the way for st2actionrunner to pick and choose which executions he's capable of executing. It could be based on an abstract tag, a runner type of the execution or on some other property like a number of executions that are currently running on the node.

Thanks correct.

Also, using the same channel and existing primitives doesn't address my concern regarding the need for packs pack to be present for any pack to be installed. Something I consider a fundamental chicken\egg problem that prevents us from moving pack management forward and causes problems on the docker side.

Also, using the same channel and existing primitives doesn't address my concern regarding the need for packs pack to be present for any pack to be installed. Something I consider a fundamental chicken\egg problem that prevents us from moving pack management forward and causes problems on the docker side.

I guess I still don't understand this problem - I still view it as installation / distribution problem.

Can you please elaborate on the docker problem? Is it an issue with needing a DB connection to register content and this initial packs pack?

I wonder if instead of trying to figure out whether the particular node needs to run the installation process we instead come up with a type of idempotence that allows every node to run the command, but only the first call per node would actually do the work and the rest will just pause\silently finish.

I would like to keep it simple, yeah. I think the simplest way to do it would be using UID for every node or similar which is unique and based on the host. Then we dispatch a task based on that UID (how to do the routing is TBD - we may or may not want to use RabbitMQ routing primitives).

And if needed (in addition or separately) we can also do locking based on that UID - simply use fan out queue where every action runner gets a message and first one which obtains the lock wins and performs the operation and others result in no-op.

[enykeev]

I still view it as installation / distribution problem

What it changes?

• It is a problem.
• It makes docker side harder to impossible.
• It is pack management related.
• We have a solution for it.

If we are considering pack management to be inalienable part of st2, it's time for us to make it so.

Keeping pack management functionality a pack requires us to always ship st2 with that pack and with the runners required to run that pack.

If you need to have a pack to install a pack, then you need to have two mechanics of how packs end up inside the system. You can not simply say st2 pack install packs.

I'm saying that for the sake of clarity and control, there should be only one way for pack to be installed - via API. Which by itself means that pack installation functionality should be integrated inside one of st2 components. We agreed that this component should be st2actions worker because it is the one that is going to lately run the pack content it had just installed.

I think the simplest way to do it would be using UID for every node or similar which is unique and based on the host.

Still seem too complicated for me. Our pack is a git repo. Can't we just say "hey, if the repo is is already fetching, don't do anything". Same with venv, "if some other process already installing the dependencies, don't sweat". We store all this stuff on the disk. Can't we just use fs-based locking primitives for that?

[enykeev]

I think the simplest way to do it would be using UID for every node or similar which is unique and based on the host.

Still seem too complicated for me. Our pack is a git repo. Can't we just say "hey, if the repo is is already fetching, don't do anything". Same with venv, "if some other process already installing the dependencies, don't sweat". We store all this stuff on the disk. Can't we just use fs-based locking primitives for that?

Actually, I've spend some more time reading the git docs and I don't think that we even can share the same git repo between two runners. You see, we're expecting workers to be able to check out the particular version of the pack they are about to execute. If two workers would try to check out different versions of the same pack at about the same time, one of them may end up with not exactly what he had asked for due to race. To avoid the race, each worker should have its own git repo.

Another option is to keep git repo bare, but then we'll need to find a way to read a file from bare repo without checking it out into working copy (bare repo has no working copy, it's just the .git folder). I was unable to find it yet and given that we'll have to teach every runner we have to look for imports in git repo instead of file system, the task becomes simply too costly. Way more expensive than the amount of disk space the pack is going to take on the disk.

[enykeev]

I also wonder what would be a performance penalty of using something like gitfs (FUSE fs from git repo). It is a long shot, but might be the one worth exploring.

[arm4b]

Right now, we use execution exchange for pack management commands which requires us to have pack management actions - a chicken\egg problem.
Pack management capabilities should be integrated into runners themselves so that every pack (even core) could have been installed without any dark magic required.

👍
From the installation/packaging perspective this will make the system more reliable. +100 having core components built-in and available ready-to-use without explicit registration command, on app start/init. This way, user has "ready-to-use" system right after installing a StackStorm deb/rpm.

It's a nonsense to run so much post-install bootstrap to have minimal StackStorm functionality and it bite us many times in different ways since it's error-prone, non-intuitive and fragile by nature, - ideally is to have those dependencies bundled into core.

Honestly, I believe that using st2 actions (which are pluggable) for st2 pack install (which is a core cmd) was an easy & fast hack, obviously adding difficulties in other sides, including installation/distribution.

---

Adding to that, I believe that core pack actions should be part of the core platform itself as well or at least available/bootstrapped/ready on app init/startup (more hacky).
The easy rule to follow: If we force user to run some additional post command (st2ctl reload) for making core StackStorm functionality available, - we're doing it wrong.
See StackStorm/st2#3942 (comment) explanation.

[arm4b]

• Add dependencies section to pack.yml

[...]

dependencies:
   core: 1.1.0
   linux:
       - 1.0.0 # <- this is the version `linux.mv` will resolve to
       - 0.9.8
       - 0.8.0
...

or

dependencies:
   core: 1.1.0
   linux: 1.0.0
alternativeDependencies:
   - linux: 0.9.8
   - linux: 0.8.0

Pack dependencies and pack dependencies pinning is good, but does it make sense to avoid re-inventing the wheel in specifying many versions/intervals now and make it really rich in some future iteration?

Having just the same syntax (single-version/branch pinning) as we already do in CLI:

st2 pack install \
  github \
  servicenow=v2.3.5 \
  ansible=devel \
  https://external_pack_in_git/ \

would look consistent with single-version pinning in pack.yml:

dependencies:
  github
  servicenow: v2.3.5
  ansible: devel
  https://external_pack_in_git/

When we'll be ready, we can add syntax similar to any existing pack manager allowing us to do more advanced pack requirements like <=, >=, etc and that will affect both 2 places: dependencies of pack.yml and CLI.

---

BTW, by adding dependencies to pack.yml we're getting somewhere similar to npm package.json (considering json <> yaml compat).