RSDK-9591 - Kill all lingering module process before exiting #4657
Conversation
viambot
added
the
safe to test
| @@ -280,6 +283,9 @@ func (s *robotServer) serveWeb(ctx context.Context, cfg *config.Config) (err err | |||
| case <-doneServing: | |||
There was a problem hiding this comment.
While we're here, I'd recommend removing this whole case <-doneServing stuff (and incidentally the select statement) and move straight to the killing/logging.
There was a problem hiding this comment.
why is that? I thought the justification above for the code as it is makes sense
There was a problem hiding this comment.
Ug -- it does. But it's a self-inflicted mess. I'll make a change after this goes in.
web/server/entrypoint.go
Outdated
| @@ -280,6 +283,9 @@ func (s *robotServer) serveWeb(ctx context.Context, cfg *config.Config) (err err | |||
| case <-doneServing: | |||
| return true | |||
| default: | |||
| if myRobot != nil { | |||
There was a problem hiding this comment.
If myRobot can be nil here -- this is a data race.
There was a problem hiding this comment.
would that be an issue? I can see that myRobot could have started some processes but not yet returned, but I don't know if we can protect against that completely.
There was a problem hiding this comment.
Same remark as the other cases
There was a problem hiding this comment.
added some locking around this
robot/impl/local_robot.go
Outdated
| // Kill will attempt to kill any processes on the system started by the robot as quickly as possible. | ||
| // This operation is not clean and will not wait for completion. | ||
| func (r *localRobot) Kill() { | ||
| if r.manager != nil { |
There was a problem hiding this comment.
Can we justify this isn't a data race?
There was a problem hiding this comment.
r.manager could be nil if startup fails/hangs, but yes, it could also be a data race.
There was a problem hiding this comment.
We talked offline -- I agree that the a mutex doesn't fix the "logical" race where we may observe the manager is nil a moment before it gets assigned.
But TSAN/Go's data race detection will notice this. Strictly speaking if one has two threads reading and writing a variable/memory address at the same time:
X initialized to 0
| Writer | Reader |
|--------------+--------|
| Write(X = 1) | Read X |
While our program may be OK with the reader seeing 0 or the reader seeing 1, it's not necessarily the case that for all architectures the Reader can only see 0 or 1.
There was a problem hiding this comment.
looking at this again, this isn't a data race - there's no chance for Kill() to be called before r.manager is assigned (Kill() can only be called if robot exists, and robot only exists if r.manager is assigned)
There was a problem hiding this comment.
Great -- much prefer to be able to assume members are non-nil.
| @@ -280,6 +283,9 @@ func (s *robotServer) serveWeb(ctx context.Context, cfg *config.Config) (err err | |||
| case <-doneServing: | |||
There was a problem hiding this comment.
Ug -- it does. But it's a self-inflicted mess. I'll make a change after this goes in.
robot/impl/local_robot.go
Outdated
| // Kill will attempt to kill any processes on the system started by the robot as quickly as possible. | ||
| // This operation is not clean and will not wait for completion. | ||
| func (r *localRobot) Kill() { | ||
| if r.manager != nil { |
There was a problem hiding this comment.
We talked offline -- I agree that the a mutex doesn't fix the "logical" race where we may observe the manager is nil a moment before it gets assigned.
But TSAN/Go's data race detection will notice this. Strictly speaking if one has two threads reading and writing a variable/memory address at the same time:
X initialized to 0
| Writer | Reader |
|--------------+--------|
| Write(X = 1) | Read X |
While our program may be OK with the reader seeing 0 or the reader seeing 1, it's not necessarily the case that for all architectures the Reader can only see 0 or 1.
robot/impl/resource_manager.go
Outdated
| // TODO: Kill processes in processManager as well. | ||
|
|
||
| // moduleManager may be nil in tests | ||
| if manager.moduleManager != nil { |
There was a problem hiding this comment.
I suspect this can be a data race as well?
There was a problem hiding this comment.
yep! added some locking around this
web/server/entrypoint.go
Outdated
| @@ -280,6 +283,9 @@ func (s *robotServer) serveWeb(ctx context.Context, cfg *config.Config) (err err | |||
| case <-doneServing: | |||
| return true | |||
| default: | |||
| if myRobot != nil { | |||
There was a problem hiding this comment.
Same remark as the other cases
web/server/entrypoint.go
Outdated
| @@ -261,6 +262,8 @@ func (s *robotServer) serveWeb(ctx context.Context, cfg *config.Config) (err err | |||
| forceShutdown := make(chan struct{}) | |||
| defer func() { <-forceShutdown }() | |||
|
|
|||
| var myRobot robot.LocalRobot | |||
|
|
|||
| utils.PanicCapturingGo(func() { | |||
There was a problem hiding this comment.
Would be awesome if this force shutdown goroutine was its own method/function as we've been doing for our various unnamed async lambdas.
There was a problem hiding this comment.
I agree, but would like to defer that work to https://viam.atlassian.net/browse/RSDK-9708. There's a bit of refactoring that has to be done (it'd look pretty ugly unless we add some vars to the server object), and I'd rather do it separately
viambot
added
safe to test
| // Kill will attempt to kill any processes on the system started by the robot as quickly as possible. | ||
| // This operation is not clean and will not wait for completion. | ||
| func (r *localRobot) Kill() { | ||
| r.manager.Kill() |
There was a problem hiding this comment.
It feels a little awkward that localRobot.Kill only calls kill on the resource manager.
And the resource manager only calls kill on the mod manager.
And localRobot already has a handle on the modmanager. So why doesn't it call kill directly? Or just have the part that's about to do the log.Fatal/os.Exit call kill on the modmanager?
There was a problem hiding this comment.
keeping the abstractions I think is better in the long run - the resource manager will eventually call kill on the process manager.
the part that's about to do log.Fatal doesn't have a handle to the modmanager, since it only has access to the LocalRobot interface.
There was a problem hiding this comment.
keeping the abstractions I think is better in the long run
If I'm adding some plumbing from local robot -> modmanager, when should I use localRobot.modmanager directly and when should I add additional plumbing through localRobot.manager?
There was a problem hiding this comment.
FWIW, I'm fine with leaving this as-is. The above is me just coming to the realization that there's some abstraction that I didn't know existed.
There was a problem hiding this comment.
localRobot.modmanager
I'm not aware of an existing localRobot.modmanager field? Or are you suggesting adding one?
There was a problem hiding this comment.
I think @dgottlieb is asking whether he should use localRobot.manager.modmanager.
To @dgottlieb's question, I don't have a good answer. I feel like localRobot and resource manager are already a bit mangled, and I think adding the plumbing will end up making the unmangling slightly more manageable if we ever decide to do it
viambot
added
safe to test
viambot
added
safe to test
viambot
added
safe to test
|
this is ready for full review! added 2 small-ish tests that test the expected behavior. hopefully they pass on CI or I might just skip them (ran into a lot of issues with the manage goroutine not returning from its Wait() in the goutils tests) |
web/server/entrypoint.go
Outdated
| if robot != nil { | ||
| robot.Kill() | ||
| } | ||
| theRobotLock.Unlock() |
There was a problem hiding this comment.
I believe this is accidental? Unless Kill is funny, this looks like a double unlock.
viambot
added
safe to test
| mgr.Kill() | ||
|
|
||
| testutils.WaitForAssertion(t, func(tb testing.TB) { | ||
| test.That(tb, logs.FilterMessageSnippet("Killing module").Len(), |
There was a problem hiding this comment.
not the most robust test, but using the Status() method didn't work
There was a problem hiding this comment.
Using the
Status()method didn't work.
Any idea why? Still reported being alive?
There was a problem hiding this comment.
err is returning nil, so I assume so. Maybe a quirk of how it works on CI, because the test with Status() worked fine locally
module/modmanager/manager.go
Outdated
| @@ -211,6 +211,21 @@ func (mgr *Manager) Close(ctx context.Context) error { | |||
| return err | |||
| } | |||
|
|
|||
| // Kill kills module processes. This is best effort as we do not | |||
There was a problem hiding this comment.
Kill kills modules processes.
Per my nits on the other PR, we're technically killing module process groups here. Could we make sure that's at least clear in documentation here and wherever else we're calling managedProcess.Kill and describing what we're doing? The group vs. process thing led to some initial (and perhaps continued) confusion for me, so, while this looks pretty good code-wise, I'd love to not be confused looking back at this stuff.
| mgr.Kill() | ||
|
|
||
| testutils.WaitForAssertion(t, func(tb testing.TB) { | ||
| test.That(tb, logs.FilterMessageSnippet("Killing module").Len(), |
There was a problem hiding this comment.
Using the
Status()method didn't work.
Any idea why? Still reported being alive?
| // Kill will attempt to kill any processes on the system started by the robot as quickly as possible. | ||
| // This operation is not clean and will not wait for completion. | ||
| func (r *localRobot) Kill() { | ||
| r.manager.Kill() |
There was a problem hiding this comment.
localRobot.modmanager
I'm not aware of an existing localRobot.modmanager field? Or are you suggesting adding one?
| func TestKill(t *testing.T) { | ||
| // this test will not pass in CI as the managed process's manage goroutine | ||
| // will not return from Wait() and thus fail the goroutine leak detection. | ||
| t.Skip() |
There was a problem hiding this comment.
I appreciate that this test exists, but is it even meaningful to have it around? A t.Skip with no TODO to unskip feels wrong to me. Or were you meaning to remove this t.Skip?
There was a problem hiding this comment.
it's meaningful to be able to run locally, but added a ticket as well https://viam.atlassian.net/browse/RSDK-9722
robot/impl/resource_manager.go
Outdated
| @@ -50,6 +51,8 @@ type resourceManager struct { | |||
| resources *resource.Graph | |||
| processManager pexec.ProcessManager | |||
| processConfigs map[string]pexec.ProcessConfig | |||
| // modManagerLock controls access to the moduleManager | |||
There was a problem hiding this comment.
[nit] Can we just elaborate a bit on comment explaining that a Kill from local robot may try to access the module manager concurrently with resource manager accesses?
viambot
added
safe to test
This is part two of two PRs that will hopefully help with shutting down all module processes before viam-server exits. Part one is here
Before doing this, I looked into assigning module processes to the same process group as the viam server and just kill the process group. However, we already have each module and process assign to unique process groups, and we use that property to kill each modules and processes separately if necessary. Changing that behavior would be risky, so did not pursue that path further.
We could kill each process in mod manager directly using the exposed unixpid, but figured we could just do it within each managed process, that way we get support in windows as well. It does mean I added Kill() in a few interfaces, but it will hopefully be extensible in case anything else may need killing.
The idea behind this is for a Kill() call to propagate from the viam-server at the end of 90s, and we should not block on anything if possible. The Kill() does not care about the resource graph, only that we kill processes/module processes spawned by the server. I did not do the killing in parallel, since the calls will not block. I can see things racing with Close(), but I think the mitigation would be to make sure that kill/close is idempotent and will not panic if overlapping. This Kill() call does happen in the same goroutine that eventually calls log.Fatal, is that good enough for now or should we create a different goroutine so that we can guarantee that the viam-server exits by the 90s mark?
Ideas for testing? I've tested on a python module and observed that the module process does get killed, and would be good to test on setups where this is happening.