Change-Id: I81051249e5759f23b76515f36dc21e9071c4c86f
7.6 KiB
Event Alarm Timeout
https://blueprints.launchpad.net/aodh/+spec/event-alarm-timeout
This BP adds timeout mechanism for event-alarm. End users can specify a timeout, 0 (no timeout) by default, for each event-alarm. The alarm status becomes 'TIMEOUT' after timeout reached without receiving desired event.
Problem description
After event-alarm were introduced in Liberty, end users or operators could set alarm for desired event and get alarmed when it receive them. But in some circumstances, operator want to know otherwise: when desired event is not received.
For example, "compute.instance.create.end" is the final event sent to message bus to indicate success of instance creation. Not receiving it after a long time is a signal of creation failure, in which operator should be notified. Unfortunately, current event-alarm doesn't support it.
Proposed change
When creating event-alarm, a new parameter 'timeout' is proposed to define a expiry time length, so that alarm gets fired when desired event is not received in expected time. Otherwise, alarm status becomes 'TIMEOUT'.
Currently, 3 states are supported in alarm: 'UNKNOWN', 'ALARM' and 'OK', so a new state 'TIMEOUT' will be added to reflect timeout situation.
For timeout implementation, an 'alarm.timeout.start' notification is sent out by the AODH api process after the event-alarm is created. After receiving it, evaluator asks its timeout thread/process to handle timeout request. In this way, avoid new process in AODH api and make all alarm handling jobs inside evaluator.
Synchronization handling is critical in evaluator, as both evaluators original process and timeout process can change status for same alarm. To avoid complicated lock, timeout process just send a 'alarm.timeout.end' event with related alarm/project id to 'alarm.all' topic, where evaluator original process handle it along with desired event.
Each 'alarm.timeout.*' event should carry enough info in payload, including alarm_id, project_id, timeout, and desired event. These info could be used for evaluation and future partitioning infrastructure.
Each evaluator has only one timeout thread, which gets timeout requests from evaluator into a queue. Small footprint of timeout process is guaranteed, as it always sleeps unless one timeout happens. After wake up, it only does 2 things:
- sends out 'alarm.timeout.end' event
- pick up nearest timeout request and start sleeping for it
The final alarm status depends on the order of events. If 'timeout.end' event comes first, alarm status becomes 'TIMEOUT' and following desired event is ignored. Otherwise, alarm status becomes 'ALARM' and following 'timeout.end' event is ignored. In this way, synchronization is well handled with new 'timeout.end' event and simple logic in evaluator.
After adding timeout, event-alarm state transition changes as following:
- EVENT - desired event arrive
- TIMEOUT - timeout happen
Registered action is only triggered when:
- transition between different states, like UNKNOWN => ALARM
- receiving desired event again at ALARM state if repeat_actions is true
:
+-----------+ +---------+ EVENT
| | | +---------+
| UNKNOWN +------------> TIMEOUT | |
| | TIMEOUT | <---------+
+-----+-----+ +---------+
|
|
| +---------+
| | +---------+
+------------------> ALARM | |
EVENT | <---------+
+-+-----^-+ TIMEOUT
| |
+-----+
EVENT
Also need changes in DB layer to get all the event-alarm with timeout. In following cases, we need restart timeout thread if the alarm has timeout, and previous timeout thread already exit:
- reset the alarm state to 'UNKNOWN'
- enable the alarm via the 'enabled' attribute
Alternatives
There is another BP from Igor to illustrate a different high level design and usage model. Pls. check https://blueprints.launchpad.net/ceilometer/+spec/timeout-event-alarm-evaluator
It adds a new alarm type 'event_timeout' to track sequence of events, like: "compute.instance.create.start", "compute.instance.create.end". So this new alarm includes 2 events: start and end -- only after receiving "start" event, timeout is created for "end" event. It is not as simple and flexible as this BP, which just adds timeout.
To handle the synchronization, an alternative is to lock critical section between evaluator timeout and original thread, so each of them need handle alarm data structure. But it's tricky and bug prone.
Data model impact
None
REST API impact
API needs minor changes to add 'timeout' to 'event_rule'. One simple event-alarm definition is as following:
{"alarm_actions": ["log://"],
"ok_actions": ["log://"],
"alarm_id": null,
"enabled": true,
"name": "alarm01",
"repeat_actions": false,
"state": "insufficient data",
"event_rule": {"query": [{"field": "traits.name",
"type": "string",
"value": "cirros-0.3.4-x86_64-uec-ramdisk",
"op": "eq"}],
"event_type": "image.update",
"timeout": 10},
"type": "event"}
Security impact
None
Pipeline impact
None
Other end user impact
End user need to know a new 'timeout' parameter when create event alarm.
Performance/Scalability Impacts
No obvious performance issue, because of small footprint of timeout thread. No obvious scalability issue, as timeout handling is done in evaluator who will support good partition.
Other deployer impact
None
Developer impact
None
Implementation
Assignee(s)
- Primary assignee:
-
edwin-zhai
Work Items
- Add new parameter 'timeout' for event-alarm creation in aodh-client
- Add new alarm state 'TIMEOUT' for timeout expired alarms
- Add new interface in aodh-client and DB layer to get all event-alarm with timeout
- Modify AODH api's event-alarm creating code to send out 'alarm.timeout.start' notification
- Modify AODH event-alarm evaluator so that:
- spawn a new timeout thread to handle all timeout requests
- timeout thread works in a loop of sleeping for timeout seconds then sending out 'alarm.timeout.end' event
- set related alarm status as 'TIMEOUT' when receive 'alarm.timeout.end' event.
- Add extra action to restart timeout thread when reset alarm state to 'UNKNOWN' or enable the alarm if previous timeout thread already exit
Future lifecycle
To be maintained by edwin-zhai for bug fixing and enhancement.
In future, we need timeout thread disaster-recovery capability, that is, no loss of timeout info when evaluator crash. Need store pending timeout requests in DB, and feed evaluator when restarting.
Dependencies
None
Testing
Add new test case besides current event-alarm test to cover timeout
Documentation Impact
Administrator Guide and Installation Guide in OpenStack Manuals should be updated to describe usage of 'timeout' parameter.
References
Blueprint Timeout mechanism for Event Alarm Evaluator https://blueprints.launchpad.net/ceilometer/+spec/timeout-event-alarm-evaluator