mgr: relax ok-to-stop condition

[xxhdx1985126]

Right now, the "ok-to-stop" condition is relatively rigorous, it allows
stopping an osd only if no PG on it is non-active or degraded. But there
are situations in which people want to concurrently stop multiple osds even if
they share pgs, as long as that wouldn't cause client requests to block.

This commit relax the "ok-to-stop" condition to something like: allow
osd to stop as long as all pgs on it are active AND there are more-than-min_size
pgs that are still up/in AND there are at least one OSD that have no missing
objects.

Signed-off-by: Xuehan Xu xxhdx1985126@gmail.com

Checklist

• References tracker ticket
• Updates documentation if necessary
• Includes tests for new functionality or reproducer for bug

---

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox

[xxhdx1985126]

@dzafman Hi, could you take a look this PR, please? Thanks:-)

[dzafman]

It seems to that if the pg is DEGRADED, then pg_acting == avail_no_missing. So avail_no_missing has no extra information.

[dzafman]

Since !avail_no_missing.size() == (pg_acting.size() == 0), then it has no change whether dangerous_pgs is incremented since 0 should always be < min_size.

[xxhdx1985126]

@dzafman Um...It seems that an OSD can be a member of pg_acting even if it has missing objects, so I think when the pg is DEGRADED, pg_acting may not be the same as avail_no_missing, right? And for the same reason, pg_acting may not be necessarily empty even if no OSD has all objects, and I think that's why we have a concept of "unfound objects". Am I right?:-)

[dzafman]

When a pg is degraded the pg_acting is based on avail_no_missing. If not, pg_acting comes from acting. In any case the size of pg_acting must be >= min_size. Unfound is for objects that aren't stored on any OSD.

Now that think about it, I'm not clear how a pg with pg_acting.size() == min_size wouldn't be dangerous because stopping an OSD could then cause a PG to drop below min_size. Doesn't "available" imply writable.

[dzafman]

As it stands this change should not be merged.

[dzafman]

Since !avail_no_missing.size() == (pg_acting.size() == 0), then it has no change whether dangerous_pgs is incremented since 0 should always be < min_size.

[dzafman]

The description of the goals of this change "AND there are at least one OSD that have no missing
objects.", based on the code should read "OR there are at least one OSD that have no missing
objects." This means that the change would only apply to replicated pools, since erasure coded pools need more than 1 replica to rebuild.

[xxhdx1985126]

The description of the goals of this change "AND there are at least one OSD that have no missing
objects.", based on the code should read "OR there are at least one OSD that have no missing
objects." This means that the change would only apply to replicated pools, since erasure coded pools need more than 1 replica to rebuild.

So I think maybe I should distinguish replicated pools and ec pools, right?

[xxhdx1985126]

@dzafman hi, I've restrict the change to only affect osds of replicated pools, please take a look:-) Thanks.

[dzafman]

should be pi->type != pg_pool_t::TYPE_ERASURE

[dzafman]

I still think you aren't changing anything with this change. If pg_acting.size() == 0 then it will be less than min_size. Remember for degraded avail_no_missing == pg_acting which is also why you don't need the avail_no_missing set.

[xxhdx1985126]

When a pg is degraded the pg_acting is based on avail_no_missing. If not, pg_acting comes from acting. In any case the size of pg_acting must be >= min_size. Unfound is for objects that aren't stored on any OSD.

Yes, but pg_acting.size() >= min_size doesn't necessarily mean avail_no_missing is not empty, as it looks to me that pg_acting comes from acting and avail_no_missing is constructed when PeeringState do "update_calc_stats". What I wanted to express here is that "if after stopping the specified osds would mean that there's no OSD who has all the up-to-date objects of the pg is still up in the cluster, it's not ok to stop even if the pg can go into PG_STATE_ACTIVE".

Now that think about it, I'm not clear how a pg with pg_acting.size() == min_size wouldn't be dangerous because stopping an OSD could then cause a PG to drop below min_size. Doesn't "available" imply writable.

Yes, but if, say, a pool's size is 5 and min_size is 2, the current implementation doesn't allow stopping anymore OSDs, even if currently there's only one OSD is down. Actually, according to our online clusters' "ops" team, cases like this happens. So we think maybe the current ok-to-stop is a little bit rigorous. If we want to avoid pg_acting.size() == min_size, we can modify the code to something like:

if (pg_acting.size() <= pi->min_size)
    ++dangerous_pgs;

Am I right?

I still think you aren't changing anything with this change. If pg_acting.size() == 0 then it will be less than min_size. Remember for degraded avail_no_missing == pg_acting which is also why you don't need the avail_no_missing set.

Um...it looks to me that this is not the case. avail_no_missing may be less than pg_acting.

[xxhdx1985126]

should be pi->type != pg_pool_t::TYPE_ERASURE

Sorry, this must be a typo......will change it.

[dzafman]

Yes, but if, say, a pool's size is 5 and min_size is 2, the current implementation doesn't allow stopping anymore OSDs, even if currently there's only one OSD is down. Actually, according to our online clusters' "ops" team, cases like this happens. So we think maybe the current ok-to-stop is a little bit rigorous. If we want to avoid pg_acting.size() == min_size, we can modify the code to something like:

If there is already an OSD down in your example, then pg_acting might be size 4 which is 4 < 2 (min_size) is NOT dangerous as expected. I don't see why that would or should prevent another OSD from being stopped.

if (pg_acting.size() <= pi->min_size)
    ++dangerous_pgs;

Am I right?

Yes, I'm not sure why the code doesn't already have <=. Of course, that is more stringent.

I still think you aren't changing anything with this change. If pg_acting.size() == 0 then it will be less than min_size. Remember for degraded avail_no_missing == pg_acting which is also why you don't need the avail_no_missing set.

Um...it looks to me that this is not the case. avail_no_missing may be less than pg_acting.

See my other comment. Don't confuse the added local avail_no_missing and q.second.avail_no_missing nor pg_acting and q.second.acting.

[xxhdx1985126]

Yes, but if, say, a pool's size is 5 and min_size is 2, the current implementation doesn't allow stopping anymore OSDs, even if currently there's only one OSD is down. Actually, according to our online clusters' "ops" team, cases like this happens. So we think maybe the current ok-to-stop is a little bit rigorous. If we want to avoid pg_acting.size() == min_size, we can modify the code to something like:

If there is already an OSD down in your example, then pg_acting might be size 4 which is 4 < 2 (min_size) is NOT dangerous as expected. I don't see why that would or should prevent another OSD from being stopped.

Oh, sorry that I made this misunderstanding. What is preventing OSD to stop is not this line, but here

if (pg_acting.size() <= pi->min_size)
    ++dangerous_pgs;

Am I right?

Yes, I'm not sure why the code doesn't already have <=. Of course, that is more stringent.

I still think you aren't changing anything with this change. If pg_acting.size() == 0 then it will be less than min_size. Remember for degraded avail_no_missing == pg_acting which is also why you don't need the avail_no_missing set.

Um...it looks to me that this is not the case. avail_no_missing may be less than pg_acting.

See my other comment. Don't confuse the added local avail_no_missing and q.second.avail_no_missing nor pg_acting and q.second.acting.

Finally, I got your point. Will remove avail_no_missing set:-)

[dzafman]

Here you see that pg_acting AND avail_no_missing is set from q.second.avail_no_missing for degraded PGs. There is no place for a degraded PG that they can diverge.

In summary:
non-degraded pg -> pg_acting from q.second.acting
degraded pg -> pg_acting AND avail_no_missing identically set from q.second.avail_no_missing

[xxhdx1985126]

@dzafman I've just modified the code as suggested, please take a look again at your leisure, thanks:-)

[liewegas]

this changed from < to <=.. was that intentional? I think < is correct...

[dzafman]

If pg_acting.size() == pi->min_size then wouldn't write access be lost of another OSD is stopped? Isn't that the point of ok-to-stop checking?

[liewegas]

pg_acting is the anticipated acting set if the osd(s) are stopped (current acting, minus any of the osds provided as an argument)

[dzafman]

@xxhdx1985126 Change this back to pg_acting.size() < pi->min_size

[xxhdx1985126]

@dzafman Done:-)

[liewegas]

@dzafman, I'm still not sure about this, actually. If a PG is degraded, one or more of the OSDs in the acting set is missing objects. Is that what avail_no_missing is tracking? Which OSDs are missing no objects? Shouldn't we make sure that we have at least one of those in the final acting set? Otherwise, we might still end up with enough acting osds, but may have stopped the OSD(s) that have the only available copy of one or more objects...

[liewegas]

(@xuxuehan I definitely what to fix this! ok-to-stop is currently way too conservative.)

[dzafman]

@dzafman, I'm still not sure about this, actually. If a PG is degraded, one or more of the OSDs in the acting set is missing objects. Is that what avail_no_missing is tracking? Which OSDs are missing no objects? Shouldn't we make sure that we have at least one of those in the final acting set? Otherwise, we might still end up with enough acting osds, but may have stopped the OSD(s) that have the only available copy of one or more objects...

Yes, I assumed that avail_no_missing excludes OSDs with missing objects for that PG. The current code requires at least min_size OSDs with no missing objects for degraded PGs to exist. I don't understand how we can loosen this criteria. I think that this change originally was trying to allow read-only access for replicated pools that had at least 1 OSD with no missing. Writes would block which could not have been the original purpose of ok-to-stop.

[liewegas]

@dzafman, I'm still not sure about this, actually. If a PG is degraded, one or more of the OSDs in the acting set is missing objects. Is that what avail_no_missing is tracking? Which OSDs are missing no objects? Shouldn't we make sure that we have at least one of those in the final acting set? Otherwise, we might still end up with enough acting osds, but may have stopped the OSD(s) that have the only available copy of one or more objects...

Yes, I assumed that avail_no_missing excludes OSDs with missing objects for that PG. The current code requires at least min_size OSDs with no missing objects for degraded PGs to exist. I don't understand how we can loosen this criteria. I think that this change originally was trying to allow read-only access for replicated pools that had at least 1 OSD with no missing. Writes would block which could not have been the original purpose of ok-to-stop.

Oh! I missed that this code was already looking at avail_no_missing. I think this version is right. Thanks!!

[liewegas]

Sigh, I'm still confused...

[liewegas]

Okay, to summarize:

• We build a pg_acting set out of OSDs that are in avail_no_missing (if degraded) or acting, MINUS any of the osds we're trying to stop.
• Before, if the PG was in degraded state, we would always say it was dangerous, regardless of how big pg_acting was
• Now, we still say any degraded erasure coded pool pg is dangerous to touch (because avail_no_missing isn't enough info?). But for replicated pools, we can proceed if the pg_acting set (built with only avail_no_missing OSDs) is >= min_size.
  Right?

[dzafman]

Okay, to summarize:

• We build a pg_acting set out of OSDs that are in avail_no_missing (if degraded) or acting, MINUS any of the osds we're trying to stop.
• Before, if the PG was in degraded state, we would always say it was dangerous, regardless of how big pg_acting was
• Now, we still say any degraded erasure coded pool pg is dangerous to touch (because avail_no_missing isn't enough info?). But for replicated pools, we can proceed if the pg_acting set (built with only avail_no_missing OSDs) is >= min_size.
  Right?

@liewegas YES!!!!! I was confused but that summary makes it very clear.

[dzafman]

I'd like to see a tracker ticker, the commit message with the tracker specified and correction to the commit message which describes something that the final version doesn't do.

[dzafman]

@liewegas Now that you mention it, originally the code allowed 1 OSD to work presumably for read access (which was wrong). That case would only apply to replicated, so I asked for that be checked. Now in the final version, it should work for replicated or erasure coded.

[liewegas]

@liewegas Now that you mention it, originally the code allowed 1 OSD to work presumably for read access (which was wrong). That case would only apply to replicated, so I asked for that be checked. Now in the final version, it should work for replicated or erasure coded.

I opened https://tracker.ceph.com/issues/49392 ... @xuxuehan can you add this to the commit message?

@dzafman are you saying that check for replicated can be dropped? i.e., reduce this section

	  if (!(q.second.state & PG_STATE_ACTIVE) ||
              ((pi->type != pg_pool_t::TYPE_REPLICATED) &&
               (q.second.state & PG_STATE_DEGRADED))) {
	    ++dangerous_pgs;
	    continue;
	  }

to

	  if (!(q.second.state & PG_STATE_ACTIVE) {
	    ++dangerous_pgs;
	    continue;
	  }

?

[dzafman]

@liewegas I made change 9750061 to add degraded handling but didn't remove the PG_STATE_DEGRADED check here. So shouldn't this just read?

if (!(q.second.state & PG_STATE_ACTIVE)) {
	    ++dangerous_pgs;
 	    continue;
 	  }

[liewegas]

yep!

[liewegas]

how does liewegas@mgr-relax-ok-to-stop look?

[dzafman]

how does liewegas@mgr-rel look?

perfect

[dzafman]

@xxhdx1985126 @liewegas Do we have a functional test for this?

[xxhdx1985126]

@dzafman @liewegas Seems that the proposed commit is already inclosed in PR 39455, should I close this PR? :-)

[dzafman]

Now included in #39455