[core] Introduce pull based health check to GCS.

[fishbone]

Why are these changes needed?

This PR introduced the pull-based health check to GCS. This is to fix the false positive issues when GCS is overloaded and incorrectly marks the healthy node as dead.

The health check service in each ray component is implemented using gRPC built-in services. This PR focus on the client-side health check.

The following features are supported:

• Initial delay when a new node is added. This is for the new node to be able to ramp up.
• Timeout for an RPC: in case of network issues, we introduce timeout, and the request fails to return within timeout is considered a failure.
• If the health check failed X times consecutively, the node will be considered as dead.
• We also introduce the interval that can be configured between two health checks sent.

This client doesn't send two health checks in parallel, so the next one always waits until the first one is finished.

This work has reference to k8s's healthiness probe features.

A feature flag is introduced to turn it on or off and it's turned on in #29536

Related issue number

Checks

• I've signed off every commit(by using the -s flag, i.e., git commit -s) in this PR.
• I've run scripts/format.sh to lint the changes in this PR.
• I've included any doc changes needed for https://docs.ray.io/en/master/.
• I've made sure the tests are passing. Note that there might be a few flaky tests, see the recent failures at https://flakey-tests.ray.io/
• Testing Strategy
  • Unit tests
  • Release tests
  • This PR is not tested :(

[scv119]

would health_checked_nodes_ or simply nodes_ be a better name?

[fishbone]

maybe health_check_contexts_?

[scv119]

failure_threshold -> num_consecutive_failures_threshold?

[fishbone]

I borrow the terminology from k8s (https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes)

Since the whole protocol also has referred a lot from that, I think maybe we should keep it?

(no strong opinion).

[scv119]

Looks very clean! just minor comments.

[fishbone]

mac unit test failed //:gcs_health_check_manager_test
checking

[rkooo567]

@iycheng can you give me one more day. I will try reviewing this by EoD tomorrow in my time zone

[rkooo567]

Consider adding metrics for pull based heartbeat too?

[rkooo567]

could be in other PR

[fishbone]

I could add it in this PR

[fishbone]

@rkooo567 I think we should do a better job to monitor the RPC requests.
The cpp -> python -> opencensus is not a good practice I believe.

I can add gRPC metrics here. But in long term, we should do cpp -> opencensus agent directly.
We can use tools builtin gRPC to do this (https://github.com/grpc/grpc/blob/5f6c357e741207f4af7e3b642a486bdda12c93df/include/grpcpp/opencensus.h#L35)

[rkooo567]

Feel like it is unnecessary? It'd take 30 seconds until the node is marked as dead anyway?

[fishbone]

No. 30s is old protocol. This is the new protocol. So here, if a node is dead, it only need to take 3s to mark the node dead.

[rkooo567]

Why don't we run this in heartbeat_manager_io_service_?

[fishbone]

I'm trying to make it simple. As we know, it doesn't help a lot putting it on a separate thread for this case (we are doing this and seeing issues) since the bottleneck is not there.

I would prefer this way and if it's the bottleneck, tuning it later.

[rkooo567]

Hmm still prefer not to rely on this sort of critical operation on the main thread as I've seen main thread being blocked > 10 seconds pretty often in current GCS

[fishbone]

But that's not the because of the health check right? Think about this, if it's overloaded, it'll check with lower frequency. My theory is that it's not going to make any difference and introducing a thread is not going to fix this issue.

[rkooo567]

maybe we can also have Initialize API? This seems to be a consistent API across modules

[fishbone]

This couples it with the GCS and make the API more complicated. The convention here doesn't make sense.
To make it the same API as the others, this module needs to depend on GCS Init data and also Raylet pool and also needs to know how to construct the address and get the channel. That's overhead for maintenance.
A good practice is to think which way simplify writing the unit test (the less dependence the better).

[rkooo567]

can you add a check at least one of gcs_heartbeat_manager_ or gcs_healthcheck_manager_ must be nullptr?

[rkooo567]

Is there any way to check if this is running inside io_service?

[fishbone]

I don't think it's easy to do.
Also I don't think we should do this. It's totally normal for the callback running on another thread.
As how to make sure it's thread safe that's another story.
I think one practice is to always dispatch in the callback (this component is doing this, check the public api)

[rkooo567]

why do we not include this to existing RPC paths? Like raylet_client.cc. Seems more complicated to have a separate code path like this.

[fishbone]

I think the exiting path is way more complicated than this one. We shouldn't do it just because we are doing it.
Think about this, how to write unit test with this kind of deep coupling.

[rkooo567]

Maybe DEBUG? Feel like this may be too spammy?

[fishbone]

I'm not sure. This should only happen when error happened (scale down won't trigger this). If it got printed a lot maybe it means we should increase the interval?

[rkooo567]

maybe we don't need to post again? Since we are already in the same io service

[fishbone]

Remove the node will make 'this' not valid. So run it in another place after this. I can put some comments there.

[rkooo567]

What's the overhead of this call usually? Is it blocking?

[fishbone]

no overhead.

[fishbone]

@rkooo567 thanks for the review. This PR is not following the convention we are having because it adds complexity there. I'm following the direction making the component only doing its own job. No Raylet/GCS involved. This is good for the maintenance and easier to write test.
I'm also testing the gRPC callback API. In the future if it's good, we probably should just use this instead of the old way. Adding gRPC method is very heavy nowadays, which doesn't make sense.
Let's check in person if you have some concerns and we can figure out what to do with that.
Really appreciate your review here!

[fishbone]

synced offline with Sang and here are the comments need to be cleared by me:

• gRPC callback API is nice, but I am worried it exposes too much low level detail (maybe we need a wrapper) -> we will migrate to this in the future if it’s good.

We'll not change it in this PR. The callback API is new in gRPC and we should evaluate it and later if we decide to go with this one, we'll have some wrapper for this.

• Network timeout 25 -> 60 seconds? or even longer

I'll change it.

• the heartbeat timeout 5 seconds means the raylet should guarantee 5 seconds SLA for heartbeat endpoints when it is alive. Check + should we increase the timeout to like 30 seconds?

I'll change it.

• stub uses num_cpus/2 threads for client & server? we should figure it out

I'll check the gRPC implementation. Good question!

• The doc says gRPC unavailable is transient condition and we should backoff. Is 1 second backoff sufficient?

I'll test this and search around.

[fishbone]

stub uses num_cpus/2 threads for client & server? we should figure it out

The tuning hasn't been implemented grpc/grpc#28642 yet

The alternative cq is a global variable. So each process will only have one (for both client/server):
https://github.com/grpc/grpc/blob/master/src/cpp/common/completion_queue_cc.cc#L124

[fishbone]

@rkooo567 all comments answered. let me know if you have some other concerns. i'll merge once the tests passed tmr.

[rkooo567]

Looking forward the improvement after the protocol change!!