Automatic service rollback on failure

[aaronlehmann]

This PR adds support for a "rollback" failure action. When this is selected, the orchestrator will automatically roll back to the previous version of a service if an update hits the failure threshold.

It adds the following options to control the behavior of rollbacks. They are kept separate from the existing --update-* options, since there are situations where the behavior should be different for rollbacks. For example, an administrator may wish to roll out a new version of a service very slowly, but if failure thresholds are exceeded, switch back to the old version quickly. Arguably, we may be able to live with hardcoded defaults for some of these options, but it seemed better to stay consistent with the --update-* options than to introduce arbitrary differences.

• --rollback-delay
• --rollback-failure-action
• --rollback-max-failure-ratio
• --rollback-monitor
• --rollback-parallelism

I'm open to reducing the set of options if desired, but at a minimum we should keep --rollback-delay and --rollback-parallelism.

This PR also switches the manually invoked service update --rollback to work on the server side, instead of being a purely client side operation. This allows manually-initiated rollbacks to respect the new rollback parameters, and it also has the benefits of avoiding some nasty hacks we previously used. The client is version-aware, so it will still use the old method against an older daemon.

Note that --rollback has been changed so that it can't be used in combination with other service update flags. This is a compromise to avoid adding further hacks. While it's unfortunate to be restricting this functionality, it does make the implementation much cleaner.

cc @aluzzardi @dongluochen

[yu8833]

add "|rollback"?
📝

[aaronlehmann]

Fixed, thanks

[aaronlehmann]

Rebased

[dongluochen]

=> Amount of time between rollback iterations,

[dongluochen]

default?

[aaronlehmann]

If the value from GRPC is unrecognized, there is nothing we can really do here. We could return an error, but I think that would be too extreme. This is not changing the old behavior, just reorganizing the code and adding a new case.

[dongluochen]

Is there a reason this PR is mixed with rollback change?

[aaronlehmann]

This was causing problems testing the change. I can break it out to a separate PR if you want.

[dongluochen]

I'm fine if this will be merged soon. This PR might be cherry-picked.

[aboch]

I agree we should not block the shutdown because a failure in the deactivate service binding, unless user is given a command to fix it. I was just looking at it, while I came to know from @dongluochen this was taken care in this PR as a side change.

Given this PR may take some time to go through, I am also thinking it would be good to have a separate PR which can be quickly merged.

[aaronlehmann]

I pulled this part out into #31279

[dongluochen]

(pause|continue|rollback) => (pause|continue)

[aaronlehmann]

My mistake, this was a rebase issue.

[dongluochen]

no rollback on rollback failure.

[aaronlehmann]

My mistake, this was a rebase issue.

[aaronlehmann]

@dongluochen: Addressed your comments, thanks.

[dongluochen]

LGTM

[aluzzardi]

LGTM

[aaronlehmann]

Rebased

[vdemeester]

LGTM 🐯

[yongtang]

Docs change LGTM.

[yongtang]

bash and zsh completion could be done in the follow up PRs.

[yongtang]

I think it might be good to add a simple example section in the docs, and docs/api/version-history.md may need to be updated to reflect the changes in API.

Also, the PR needs a rebase.

[aaronlehmann]

Thanks @yongtang. I've updated the API version history and added some content to service_update.md.

[yongtang]

LGTM. Thanks!

[yongtang]

/cc @albers @sdurrheimer for bash/zsh completion.