fix: make GetWorkspacesEligibleForTransition return less false-positives #15429
Conversation
There was a problem hiding this comment.
I'll take another look through as I haven't looked at autostop behavior in a long time and need to wrap my head around it a bit more. I do have concerns there are cases we won't pick up jobs we should or that there are ways to abuse the system.
Let's say I'm a nefarious user and start a bitcoin miner in a tmux of my workspace. Then I hit stop + cancel immediately afterwards. Now my workspace is in a cancelled state, the previous job was stop and I don't think it'll be picked up by any condition here and thus my bitcoin miner remains running in perpetuity. There may be other similar cases and I'm not sure what should happen in these, but I could also be wrong.
PS. Very nice job on reducing the DB load through better filters 👍🏻
| -- If the workspace's template has an inactivity_ttl set | ||
| -- it may be eligible for dormancy. | ||
| -- A workspace may be eligible for dormant stop if the following are true: | ||
| -- * The workspace is not dormant. |
There was a problem hiding this comment.
Who/when marks a workspace as dormant? Is there a chance the workspace can be marked dormant and we never trigger either autostop or dormant stop?
There was a problem hiding this comment.
Autobuild executor does it here:
coder/coderd/autobuild/lifecycle_executor.go
Lines 497 to 506 in 7b33ab0
There was a problem hiding this comment.
Ok, that plus this seems relevant:
coder/coderd/autobuild/lifecycle_executor.go
Lines 421 to 428 in 7b33ab0
As does this:
coder/coderd/autobuild/lifecycle_executor.go
Lines 254 to 264 in 7b33ab0
So one thing that can happen at least in the code-version is that a workspace has remained in a failed stop state for a long time. Then it becomes eligible for dormant stop but since it wasn't a start, we don't try to stop it but mark it as dormant anyway.
Then we'll have a workspace marked dormant that we never attempted to stop.
| templates.time_til_dormant > 0 AND | ||
| workspaces.dormant_at IS NULL | ||
| (@now :: timestamptz) - workspaces.last_used_at > (INTERVAL '1 millisecond' * (templates.time_til_dormant / 1000000)) |
There was a problem hiding this comment.
I realize this is probably already in use elsewhere but not going to lie, it's weird seeing nanos being converted into millis. I know ms is the smallest unit in pg but feels like this isn't super intuitive for humans to understand what's going on here.
Obviously storing ns in the db is the main problem (and we're not fixing that here). But I'd prefer to see the conversion into seconds instead of ms as that feels like a more intuitive unit.
Even the db column for time_til_dormant doesn't have a comment so this is pretty much hidden magic 😄.
Not a blocker, but we should probably do something about this at some point.
There was a problem hiding this comment.
Every day I regret my previous decision 😓
| -- If the user account is suspended, and the workspace is running. | ||
| -- A workspace may be eligible for failed stop if the following are true: | ||
| -- * The template has a failure ttl set. | ||
| -- * The workspace build was a start transition. |
There was a problem hiding this comment.
If we failed to autostop previously, then this limitation will prevent this case from triggering and I think we'll never retry it because of the other cases. Is that as intended?
There was a problem hiding this comment.
This should be the same logic that's done later on? We're not changing any logic here, just front-loading it.
coder/coderd/autobuild/lifecycle_executor.go
Lines 525 to 536 in 7b33ab0
There was a problem hiding this comment.
I didn't look at the original logic, but then I suppose I'm proposing that the original logic doesn't take this into account?
Here, unless the failed build is "start", we'll never try to stop it. The failed build could just as well be a cancelled (or failed) "stop" which has left resources behind.
There was a problem hiding this comment.
That's a good catch. We might want to adjust this behaviour in a separate PR.
EDIT: filed #15477
|
Thanks for also linking the explains. I think adding an index on 
There only exists one tangentially related index: But it's non-trivial to utilize it, so an index targeting that single column is probably the best. |
|
@johnstcn and I spotted, whilst doing some testing yesterday, that we're still returning false-positives in the following scenario:
(
users.status = 'active'::user_status AND
provisioner_jobs.job_status != 'failed'::provisioner_job_status AND
workspace_builds.transition = 'stop'::workspace_transition AND
workspaces.autostart_schedule IS NOT NULL
) What is happening here is that |
There was a problem hiding this comment.
@johnstcn I worry about either going stale now that we have logic duplicated both in code an query. Is there a reason to keep both?
Just thinking out loud but right now the conditions are lost since they're part of the WHERE. But if we moved them to SELECT instead they could be utilized as booleans in the code.
But aside from the duplication, and considering we're tracking additional state handling in #15477, I have no further objections. Feel free to merge.
…ositives (#15594) Relates to #15082 Further to #15429, this reduces the amount of false-positives returned by the 'is eligible for autostart' part of the query. We achieve this by calculating the 'next start at' time of the workspace, storing it in the database, and using it in our `GetWorkspacesEligibleForTransition` query. The prior implementation of the 'is eligible for autostart' query would return _all_ workspaces that at some point in the future _might_ be eligible for autostart. This now ensures we only return workspaces that _should_ be eligible for autostart. We also now pass `currentTick` instead of `t` to the `GetWorkspacesEligibleForTransition` query as otherwise we'll have one round of workspaces that are skipped by `isEligibleForTransition` due to `currentTick` being a truncated version of `t`.
Relates to #15082
The old implementation of
GetWorkspacesEligibleForTransitionreturns many workspaces that are not actually eligible for transition. This new implementation reduces this number significantly (at least on our dogfood instance).For each workspace returned from
GetWorkspacesEligibleForTransition, we make (at minimum) 7 calls to the database. That means for our dogfood instance, we currently make roughly 700 DB calls a minute for workspaces that are not eligible for transition. The new implementation cuts this down to <50DB calls a minute (a reduction of around 90%).Looking at the planning/execution time of the new query, it appears to be either within run-to-run variance or a little quicker.
Before:
https://explain.dalibo.com/plan/95f6e257d8fg51gd
After:
https://explain.dalibo.com/plan/h2cb9hc533cac0c7