Throttled update rollouts

[bgilbert]

Build a system for gradually rolling out OS updates to Fedora CoreOS machines in a way that can be centrally managed by FCOS developers.

Background: Container Linux

Container Linux updates are rolled out gradually, typically over a 24 to 72 hour period. If a major bug is caught before the rollout is complete, we can suspend the rollout while we investigate.

On CL, rollouts are implemented in CoreUpdate by hashing the machine ID with the new OS version and comparing a few bits against a threshold which increases over time. If a machine automatically checks in but doesn't meet the current threshold, CoreUpdate responds that no update is available. If the user manually initiates an update request, the threshold is ignored and CoreUpdate provides the update.

Major bugs can be caught in two ways. CoreUpdate has a status reporting mechanism, so we can notice if many machines are failing to update. The status reports are not very granular, however, and thus not very debuggable. More commonly, a user reports a problem to coreos/bugs and we manually triage the issue and pause rollout if the problem appears serious.

For each update group (~= channel), CoreUpdate only knows about one target OS version at any given time. This is awkward for several reasons. If a machine running version A is not yet eligible for a new version C currently being rolled out, or if the rollout of C is paused, the machine should still be able to update to the previous version B, but CoreUpdate doesn't know how to do that. In addition, there's no way to require that machines on versions < P first update to P before updating to any version > P. (We call that functionality an "update barrier".) As a result, compatibility hacks for updating from particular old versions have to be carried in the OS forever, since there can be no guarantee that all older machines have updated.

CoreUpdate collects metrics about each machine that checks in: its update channel, its state in the client state machine, what OS version is running, what version was originally installed, the OEM ID (platform) of the machine, and its checkin history. This works okay but gives us an incomplete picture of the installed base: we do not receive any information about machines behind private CoreUpdate servers, behind a third-party update server such as CoreRoller, or which have updates disabled.

Fedora CoreOS

CoreUpdate, update_engine, and the Omaha protocol will not be used in Fedora CoreOS. A successor update protocol, Cincinnati, is being developed for OpenShift, and it appears that we'll be able to adapt it for Fedora CoreOS. I believe this involves:

1. Using the existing Cincinnati wire protocol and server code
2. Writing a graph builder to generate an update graph from FCOS release metadata
3. Writing an update client that queries a Cincinnati policy engine and invokes rpm-ostree

Server requirements

...and nice-to-haves, and reifications of the second-system effect:

• Knows about update streams, versions, etc.
• Updates are rolled out gradually over an administratively-selected period
• Rollouts are automatically paused based on client error reports
• Can be run on-premises
  • Can automatically fetch from an upstream server, or receive updates manually in air-gapped environments
• Supports update barriers
• Supports multiple layered rollouts, or at least a last-known-good base version
• When rollouts are paused, can fall back to offering an appropriate older release
• Provides insight into the client state machine

Client requirements

• Requests an update from the server and passes the resulting image reference to rpm-ostree
• Adequate status reporting, to the server and to the user
• Mechanism for forcing an update that overrides rate limits

Metrics

Metrics should be handled by a separate system. Coupling metrics to the update protocol would provide the same sort of incomplete picture as in CoreUpdate, and in any event Cincinnati is not designed to collect client metrics. This probably means that certain of the features above, such as automatic rollout suspension or insight into the client state machine, will need to be handled outside the update protocol.

cc @crawford for corrections and additional details.

[crawford]

@steveej and I have just started the process of defining how an admin provides a custom policy to the Policy Engine. FCOS will likely need a custom policy to implement channels and rate-limiting. We'll want to take into account your use-case as we finalize the design. Can you provide more specifics around your proposed update policy? It would be helpful to see things like inputs to the policy (e.g. the machine-id, admin-controlled rate limits), external services which must be consulted (e.g. the metrics collection server), and the criteria for offering a particular update payload.

[lucab]

I think for FCOS we can proceed top-to-bottom here, and design/prototype pieces starting from the graph-builder till we reach the update-client (and the reboot manager later on).

Regarding the graph-builder, I have the following points for which I'd like to see some inputs (from @bgilbert and @dustymabe especially):

1. Source schema/format for release metadata (I assume online and air-gapped cases share the same metadata format)
2. Metadata signing and key rotation
3. Metadata storage (random options: a remote bucket, a web directory, a local mount of a remote volume, a list of tags on a docker-registry repo, a list of tags on a git repo, a database)
4. Number of endpoints (possible dimensions for splitting: stream, oem, architecture, region)
5. Related to the answer above, client request parameters (for shared endpoints, to provide client-specific release metadata). Also, should this include a machine-specific ID?
6. Push vs pull based (former: release captain signals the server that a metadata change happened; latter: server periodically polls for metadata changes).
7. Failure mode (if the metadata source is unreachable, should the server provide a stale graph or should it return an error to the client?)

Other assorted comments:

Rollouts are automatically paused based on client error reports

This indeed requires a metrics collector in place, which has to be queried by the policy engine.

Supports update barriers

This can be done either at metadata source (by maintaining a linear chain as the update path, or by explicitly whitelisting/blacklisting all paths) or as a policy rule (by selecting specific edges to cut). The former is static at graph-ingestion time but verbose/cumbersome, the latter is dynamic and likely more flexible but needs to be computed at request-time. Not sure which one we prefer.

Provides insight into the client state machine

For anything outside of "client request parameters" point above, I think this belongs to the "metrics" topic. Do you have specific example of relevant state to be collected which may not be directly in the set of request key parameters?

[dustymabe]

Thanks @bgilbert for writing this up and for the context of how CoreUpdate worked in the past with CL.

I don't have any objections with the proposal and like a lot of what I hear. Update barriers will especially be useful in being able to drop legacy hacks/workarounds.

@crawford
Can you provide more specifics around your proposed update policy?

@bgilbert are we ready to answer this question yet? Should we brainstorm a bit soon in order to be able to provide more data?

[dustymabe]

@lucab
Regarding the graph-builder, I have the following points for which I'd like to see some inputs (from @bgilbert and @dustymabe especially):

1. Source schema/format for release metadata (I assume online and air-gapped cases share the same metadata format)

seems reasonable to me that they would share the same metadata format

2. Metadata signing and key rotation

I think we need to collaborate with fedora infra on this.

3. Metadata storage (random options: a remote bucket, a web directory, a local mount of a remote volume, a list of tags on a docker-registry repo, a list of tags on a git repo, a database)

all possible options. a list of tags on a git repo could be the most transparent way

4. Number of endpoints (possible dimensions for splitting: stream, oem, architecture, region)

I don't have any input on this. I guess it would be nice if we don't have too many options.

5. Related to the answer above, client request parameters (for shared endpoints, to provide client-specific release metadata). Also, should this include a machine-specific ID?

maybe this is part of the discussion about metrics?

6. Push vs pull based (former: release captain signals the server that a metadata change happened; latter: server periodically polls for metadata changes).

No strong opinion, but I think I prefer pull based.

7. Failure mode (if the metadata source is unreachable, should the server provide a stale graph or should it return an error to the client?)

maybe something in between? stale graph if metadata source has been down < 1 day (i.e. intermittent failure) and maybe error if more than that (systemic outage).

[cgwalters]

I am not opposed to any of this - there are some cool advantages - but the whole thing, particularly

Writing an update client that queries a Cincinnati policy engine and invokes rpm-ostree

makes me pause because in layering a totally new thing on top we're partially negating the testing and workflow that exists around ostree/rpm-ostree today.

Typing rpm-ostree upgrade will...error out? We're talking about a new CLI tool/config file to control a new daemon? Or would we teach rpm-ostree upgrade to handle this?

Big picture...it feels like the biggest win would be putting Cincinnati on top of both ostree and rpm-md (i.e. yum/dnf). Then things work more consistently. But that's clearly an even larger endeavor.

[bgilbert]

@cgwalters AIUI Cincinnati is designed to manage a single artifact (or meta-artifact) with a single version number, so I'm not sure how directly it'd map to rpm-md. Unless the version was the Pungi compose ID?

Do you think it'd make sense to support Cincinnati directly in rpm-ostree? I have no idea how relevant our profile of Cincinnati would be to other rpm-ostree-using distros.

The obvious use of rpm-ostree upgrade would be to force an upgrade to the tip of the current ref, bypassing Cincinnati. I'm not sure that that's a reasonable user operation, though. We should certainly provide a way to bypass rate limiting, but that should probably happen via a Cincinnati metadata item, since otherwise we'll bypass update barriers or improperly update EOL versions. So... erroring out might be the best move.

[jlebon]

Yeah, it would be nice indeed if it were possible to keep rpm-ostree as the "front-end" instead of something on top. E.g. rpm-ostree status is pretty nice today for displaying the current state of your OS. And there's all the other verbs too that we could expect users to use (kargs, initramfs, install, db, etc...)

The obvious use of rpm-ostree upgrade would be to force an upgrade to the tip of the current ref, bypassing Cincinnati. I'm not sure that that's a reasonable user operation, though. We should certainly provide a way to bypass rate limiting, but that should probably happen via a Cincinnati metadata item, since otherwise we'll bypass update barriers or improperly update EOL versions.

Re. update barriers, there's a related discussion in upstream libostree: ostreedev/ostree#1228.

If we can get this working in a satisfying way for other libostree users, then we could do something like this:

• disable rpm-ostreed-automatic.service
• a new e.g. cincinnati-client.{timer,service} does the polling etc... and initiates an rpm-ostree deploy $version_returned_by_cincinnati
• a manual rpm-ostree upgrade always forces an update, but it still respects update barriers

That's a big if though.

But then it wouldn't be hard to add some integration between the Cincinnati client and rpm-ostree, e.g. making rpm-ostree status print the last time checked for example, or if the service failed, or if the timer is disabled, etc... (these are all checks we do today for rpm-ostreed-automatic.{service,timer}).

[bgilbert]

a manual rpm-ostree upgrade always forces an update, but it still respects update barriers

I'd be concerned about trying to duplicate the full generality of the Cincinnati graph inside rpm-ostree. Even if we use a well-defined subset of the graph functionality today, it would complicate expanding that subset in the future.

And there's all the other verbs too that we could expect users to use (kargs, initramfs, install, db, etc...)

Hmm. Could it make sense to let the distro configure rpm-ostree upgrade to call out to a hook script instead?

[bgilbert]

#98 discusses stream metadata, which might be one of the sources of truth for the graph builder.