[JIRA] (JENKINS-55512) Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

[jimklimov@gmail.com (JIRA)]

Jim Klimov created an issue

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs) Issue Type: Improvement Assignee: Unassigned Components: core Created: 2019-01-10 12:31 Environment: from ages ago up till current Jenkins 2,156 Priority: Minor Reporter: Jim Klimov Jenkins supports "safe" behavior to shut down or restart itself, which seems to be used in plugin updater, thinBackup plugin, operations that can be requested via Jenkins URL (and a link from Jenkins Manage interface), to name a few use-cases. This mode waits for currently running jobs to complete and disallows new jobs to progress from scheduled to running. The assumption is that the current jobs will complete, the server will be quiet and can be administratively restarted with no severe interruption to its users. This is problematic however when there are complex jobs, such as MultiPhase or entangled pipelines, where one wrapper job calls as its payload over time a number of other jobs that implement certain tests or other operations. When the safe shutdown mode is enabled, these child jobs can not be started, and the parent job stalls indefinitely waiting for their result, and the Jenkins master is left dysfunctional (not restarted for e.g. upgrade overnight, and not running any new builds). The expected operational result would be that the currently running wrapper jobs AND any children (and their children) that can get spawned would be allowed to start and awaited to complete (boils down to "completion of all running jobs" as before), after which the safe restart/shutdown normally takes place. I believe this could be done with some simple check of the build cause in the code which disallows execution of scheduled builds when the safe shutdown is enabled, to allow building of jobs triggered by a job, but would disallow builds triggered by SCM changes, Polling, Indexing, manually triggered (or maybe that one with an option to go through nonetheless?) etc. Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated an issue

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

Change By: Jim Klimov Priority: Minor Major

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated an issue

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

Change By: Jim Klimov Component/s: safe-restart Component/s: saferestart-plugin Component/s: core

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated an issue

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

Change By: Jim Klimov Component/s: core

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated an issue

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs) Change By: Jim Klimov

Jenkins supports "safe" behavior to shut down or restart itself, which seems to be used in plugin updater, thinBackup plugin (doing just a quietDown part of this) , operations that can be requested via Jenkins URL (and a link from Jenkins Manage interface), to name a few use-cases.

This mode waits for currently running jobs to complete and disallows new jobs to progress from scheduled to running. The assumption is that the current jobs will complete, the server will be quiet and can be administratively restarted with no severe interruption to its users. This is problematic however when there are complex jobs, such as MultiPhase or entangled pipelines, where one wrapper job calls as its payload over time a number of other jobs that implement certain tests or other operations. When the safe shutdown mode is enabled, these child jobs can not be started, and the parent job stalls indefinitely waiting for their result, and the Jenkins master is left dysfunctional (not restarted for e.g. upgrade overnight, and not running any new builds). The expected operational result would be that the currently running wrapper jobs AND any children (and their children) that can get spawned would be allowed to start and awaited to complete (boils down to "completion of all running jobs" as before), after which the safe restart/shutdown normally takes place. I believe this could be done with some simple check of the build cause in the code which disallows execution of scheduled builds when the safe shutdown is enabled, to allow building of jobs triggered by a job, but would disallow builds triggered by SCM changes, Polling, Indexing, manually triggered (or maybe that one with an option to go through nonetheless?) etc.

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated an issue

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs) Change By: Jim Klimov

Jenkins supports "safe" behavior to shut down (safeExit) or restart (safeRestart) itself, which seems to be used in plugin updater, thinBackup plugin (doing just a quietDown part of this), operations that can be requested via Jenkins URL (and a link from Jenkins Manage interface), to name a few use-cases.

This mode waits for currently running jobs to complete and disallows new jobs to progress from scheduled to running. The assumption is that the current jobs will complete, the server will be quiet and can be administratively restarted with no severe interruption to its users. This is problematic however when there are complex jobs, such as MultiPhase or entangled pipelines, where one wrapper job calls as its payload over time a number of other jobs that implement certain tests or other operations. When the safe shutdown mode is enabled, these child jobs can not be started, and the parent job stalls indefinitely waiting for their result, and the Jenkins master is left dysfunctional (not restarted for e.g. upgrade overnight, and not running any new builds). The expected operational result would be that the currently running wrapper jobs AND any children (and their children) that can get spawned would be allowed to start and awaited to complete (boils down to "completion of all running jobs" as before), after which the safe restart/shutdown normally takes place. I believe this could be done with some simple check of the build cause in the code which disallows execution of scheduled builds when the safe shutdown is enabled, to allow building of jobs triggered by a job, but would disallow builds triggered by SCM changes, Polling, Indexing, manually triggered (or maybe that one with an option to go through nonetheless?) etc.

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated an issue

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs) Change By: Jim Klimov

Jenkins supports "safe" behavior to shut down (safeExit) or restart (safeRestart) itself, which seems to be used in plugin updater, thinBackup plugin (doing just a quietDown part of this), operations that can be requested via Jenkins URL (and a link from Jenkins Manage interface), to name a few use-cases.

This mode waits for currently running jobs to complete and disallows new jobs to progress from scheduled to running. The assumption is that the current jobs will complete, the server will be quiet and can be administratively restarted with no severe interruption to its users. Documented in more detail at https://support.cloudbees.com/hc/en-us/articles/216118748-How-to-Start-Stop-or-Restart-your-Instance- for example.

This is problematic however when there are complex jobs, such as MultiPhase or entangled pipelines, where one wrapper job calls as its payload over time a number of other jobs that implement certain tests or other operations. When the safe shutdown mode is enabled, these child jobs can not be started, and the parent job stalls indefinitely waiting for their result, and the Jenkins master is left dysfunctional (not restarted for e.g. upgrade overnight, and not running any new builds). The expected operational result would be that the currently running wrapper jobs AND any children (and their children) that can get spawned would be allowed to start and awaited to complete (boils down to "completion of all running jobs" as before), after which the safe restart/shutdown normally takes place. I believe this could be done with some simple check of the build cause in the code which disallows execution of scheduled builds when the safe shutdown is enabled, to allow building of jobs triggered by a job, but would disallow builds triggered by SCM changes, Polling, Indexing, manually triggered (or maybe that one with an option to go through nonetheless?) etc.

Add Comment

[jimklimov@gmail.com (JIRA)]

I believe this could be done with some simple check of the build cause in the code which disallows execution of scheduled builds when the safe shutdown is enabled, to allow building of jobs triggered by a job, but would disallow builds triggered by SCM changes, Polling, Indexing, manually triggered (or maybe that one with an option to go through nonetheless?) etc. This seems like the place (or good starting point): https://github.com/jenkinsci/jenkins/blob/d5eeefd7beb8a00910f8d579ef14124a8be1914c/core/src/main/java/hudson/model/Queue.java#L1786

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov commented on JENKINS-55512

Re: Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs) Proposed PR https://github.com/jenkinsci/jenkins/pull/3840 to address this.

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov started work on JENKINS-55512

Change By: Jim Klimov Status: Open In Progress

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov assigned an issue to Jim Klimov

Jenkins / JENKINS-55512

Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

Change By: Jim Klimov Assignee: Jim Klimov

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated JENKINS-55512

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

Change By: Jim Klimov Status: In Progress Review

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov updated JENKINS-55512

Jenkins / JENKINS-55512 Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

Change By: Jim Klimov Status: In Review Progress

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov commented on JENKINS-55512

Re: Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs) Upon discussion with Daniel Beck the initial approach I took was not fully proper, at least not for upstreaming the change, as it would unilaterally change behavior for all child jobs, and this might not be applicable for some pipelines that can be (or not be) restartable, and certainly not intended for triggering of downstream jobs (rather than sub-jobs in focus of this issue) that have the same UpstreamCause – such jobs are independent and can wait in the blocked queue until the Jenkins master is safely restarted. This would also not be easily extensible to add behaviors (e.g. the idea about sysadmin forcing some job even though the server is shutting down). The better suggestion was to make use of Actions, which are an attachable piece of metadata, e.g. to inherit some new nonBlockingJobAction (name is arbitrary), consider its presence when making Queue.java decisions, and attach it to jobs scheduled in the plugins like the Freestyle, MultiPhase build and Pipeline (Workflow) build steps in case the current job would wait for completion of that new child job (async children can also wait until restart of the master, right?). For additional features, such as an administrative enforcement to run some job even if the server is quieting down, an extension point should be defined in the jenkins-core and then new plugins can be made to take advantage of that based on their purpose, logic and configurability. Effectively, the code in Queue.java would ask all currently loaded implementations of the extension point whether this Queue.Item (and/or Queue.Task) CAN be executed despite the pending shutdown, aka "is not blocked by the pending shutdown", with probably some tri-state outcome (permitted, blocked, no_opinion), with the current implementation being the fallback for a definitive result unless there is some certain verdict earlier. https://jenkins.io/doc/developer/extensibility/ https://wiki.jenkins-ci.org/display/JENKINS/AnnotationExtension https://wiki.jenkins-ci.org/display/JENKINS/Defining+a+new+extension+point PS: Hope I got and relayed it right

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-55512

Re: Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

Looks about right. The main problem seems to be that isBlockedByShutdown takes a Task argument (corresponds to Job), so this would need to be deprecated and replaced in favor of something taking a Queue.Item (precursor to Run/Build). This way, queue items/builds of a job can have different shutdown blocking characteristics. Outline of plan: Replace isBlockedByShutdown with this new implementation. Create NonBlockedQueueItemAction and check for its presence in the new isBlockedByShutdown Actually add these new actions to queue items where it makes sense: pipeline-build-step plugin or parameterized-trigger could add it to scheduleBuild2 if they wait for the result to prevent deadlocking. Alternatively, any plugin could contribute the action via Queue.QueueDecisionHandler and allow manual admin overrides and similar.

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-55512

Re: Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

The other alternative was to add a new extension point specifically for this (perhaps similar to QueueTaskDispatcher?), and have it be implemented in plugins. The problem there might be that we need tri-state Allow/Deny/Don't Care for proper 'fallthrough' to the default implementation. Or perhaps not, unsure. This is a different approach form my previous comment's, and is what Jim's last paragraph partially refers to.

Add Comment

[jimklimov@gmail.com (JIRA)]

Jim Klimov commented on JENKINS-55512

Re: Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

See also https://github.com/jenkinsci/jenkins/pull/3920

Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[jimklimov@gmail.com (JIRA)]

Jim Klimov commented on JENKINS-55512

Re: Safe shutdown/restart should not block completion of complex jobs (that spawn child jobs)

For some more alternative approaches, as I recently dug in some other plugins, I wondered if a solution could come from a cannibalized (and adapted by a non-Java developer) copy of `lockable-resources-plugin`? It already has ways to block startup of jobs (waiting for "this resource" which has no instances available) after all, so it seems feasible to just replace the logic from locked resources processing by what I originally proposed for jobs/builds/causes relationships, and allow or block the builds. In fact, it would be less work to make this behavior optional and used only by specific jobs rather than server-wide, because the lockable resource abilities are something one configures in a job (and it would be some effort to find and rip out the relevant bits, going this way).

Add Comment