fix: agent leaves interrupted operations in non-final state

[didier-wenzek]

Proposed changes

• Reproduce tedge-agent can leave an operation in a non-final state if the service is restarted #3149
• Correctly emit over MQTT the state of commands interrupted by a restart.

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

Reproduce #3149

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s)
• I ran cargo fmt as mentioned in CODING_GUIDELINES
• I used cargo clippy as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
529	0	2	529	100	1h34m39.170237s

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
.../core/tedge_agent/src/operation_workflows/actor.rs	0.00%	3 Missing ⚠️

Additional details and impacted files

📢 Thoughts on this report? Let us know!

[didier-wenzek]

The test "Update tedge version from base to current using Cumulocity" failed for unrelated reasons. Not obviously flaky though:

$ invoke flake-finder --test-name "Update tedge version from base to current using Cumulocity" --iterations 10 --outputdir output_ff --clean
------------------------------
Overall: PASSED
Results: 10 iterations, 10 passed, 0 failed
Elapsed time: 0:10:42.849008

[albinsuresh]

Should we limit this republishing only for commands in their terminal state? If not, there's the risk of the even the intermediate command states like scheduled or executing getting resent, risking duplicate execution of the same logic by any external component listening on them.

[reubenmiller]

Though there isn't any official contract that says these messages will only be published exactly once. But generally such listeners are not doing control (as control logic should be in the workflow itself), so triggering twice on a status change should not be a problem.

[reubenmiller]

Just using qos 1 is enough to receive a duplicate message (without publishing the status change twice).

[didier-wenzek]

Should we limit this republishing only for commands in their terminal state?

This would introduce the same issue on intermediate states (.e.g the "executing" state being never published).

If not, there's the risk of the even the intermediate command states like scheduled or executing getting resent, risking duplicate execution of the same logic by any external component listening on them.

The agent protects itself from reacting to messages of which it is the publisher.

Other components, such as the mappers, should be prepared to receive a status twice.

Just using qos 1 is enough to receive a duplicate message (without publishing the status change twice).

It's also enough to restart, the messages being retained. If the c8y mapper stop after sending an EXECUTING 501 message and restart before the command is successful, a second EXECUTING 501 will be sent.

[albinsuresh]

Just using qos 1 is enough to receive a duplicate message (without publishing the status change twice).

I have always assumed that users would send critical messages like commands only with QoS 2, as they might expect once-and-only-once execution for such things. But yeah, if the users are already expected to be resilient to duplicate delivery, esp since most cloud platforms don't support QoS 2 either, I guess this is okay.

[albinsuresh]

LGTM