Scheduler update_aggregates race causes incorrect aggregate information

Could you please tell us which Nova version is corresponding to the Ubuntu package 1:2015.1.2-0ubuntu2~cloud0 ?

Also, could you please tell us if another request coming in would get the accurate number of hosts within the Aggregate ? In general, you don't need to restart the scheduler service, because updates are RPC'd (fanout) to the scheduler which should get the update anyway.

It's nova version 2015.1.2

All requests to create a VM are scheduled using the wrong aggregate members until nova-scheduler is restarted.

My understanding is that the scheduler only receives an update via RPC when an aggregate's members change. Therefore if no further changes are made it will continue to use the incorrect aggregate members.

@James Dennis (jtmes)
I believe your understanding on #2 is correct.

The root cause for this issue is that the aggregate's operation sequence on DB may not exactly as same as on scheduler.

for example:
operation on DB:
1. add host
2. del host

however, on scheduler, if the operation's sequence reversed as:
1. del host
2. add host

it will case the DB/scheduler outer-sync.

propose solution:
pass DB operation timestamp to scheduler, set it as scheduler update timestamp, if the timestamps of a new update is older than scheduler update timestamp, drop this update.

Timestamps do have the benefit of being simple to implement, but also have some flaws:

1. Relying on the standard system clock means they aren't monotonic, i.e. if the clock is adjusted backwards no updates may be accepted by nova-scheduler
2. If you have nova-api running on two different hosts it requires the hosts times to be synchronized or updates could be lost
3. Very unlikely with microsecond precision but two updates could have the same identifier.

While more complex, and requiring a database change, an integer that is updated by nova-api in the database, and sent every time with the scheduler message would avoid the above problems. The use of the database would guarantee monotonic increase for every update, and also the durability of the value across nova-api restarts. Without durability some notification to nova-scheduler that it needs to reset its expected sequence number would be needed.

It would probably make sense to make this sequence number larger in scope than just host aggregation changes so that it can be reused for other future scheduler messages.

your considering make lots of sense, and they are common issues in distributed system,
OpenStack use timestamp update method all over the codes like:
https://github.com/openstack/nova/blob/master/nova/scheduler/host_manager.py#L185
for your considering:
#1, synchronized timing is a basic assumption in distributed system like OS, even it make system prone to going wrong.
#2, timestamp is from DB operation, as long as mutli nova-api service operate to same single DB, this won't be a problem.
#3, very helpful heads up, the logic will be updating cache as long as DB timestamps = cache timestamps.

Is it correct that the example use of a timestamp is for a message that will only be sent by one agent, i.e. the nova-compute instance? If so then I don't think it is a comparable scenario.

#1 I agree that typically synchronized timing is expected, but I wouldn't expect timing to be used as the basis of versioning data that can be updated at high frequency as it can be non-deterministic due to clock jitter etc.
#2 I missed the detail of a DB-derived timestamp, which means there is a "master lock". I have not tested this but use of MariaDB Galera Cluster might return the timestamp of whatever node executes the query?

I am not familiar with the nova code; if the use of timestamps is prevalent in this scenario then this particular bug is unlikely to be severe enough to warrant a change in approach.

Fix proposed to branch: master
Review: https://review.openstack.org/289207

Change abandoned by Michael Still (<email address hidden>) on branch: master
Review: https://review.openstack.org/289207
Reason: This patch is quite old, so I am abandoning it to keep the review queue manageable. Feel free to restore the change if you're still interested in working on it.

There are no currently open reviews on this bug, changing
the status back to the previous state and unassigning. If
there are active reviews related to this bug, please include
links in comments.

Is there anybody else concerned about this question?

Maybe we can try to synchronize add_host_to_aggregate and remove_host_from_aggregate.

I believe this is the same bug here: https://bugs.launchpad.net/nova/+bug/1947813

and related to this one? https://bugs.launchpad.net/nova/+bug/1699054

Steps to reproduce with devstack, on devstack master commit 9be4ceeaa10f6ed92291e77ec52794acfb67c147

The `AggregateInstanceExtraSpecsFilter` is only added to trigger a log message and/or scheduling failures from the stale aggregate info, extra debug logging in _update_aggregates will show the inconsistent state even without the added filter.

### Adding logging to the host_manager helps to see what's going on:

```
diff --git a/nova/scheduler/host_manager.py b/nova/scheduler/host_manager.py
index 8cb775a923..c9894c79fa 100644
--- a/nova/scheduler/host_manager.py
+++ b/nova/scheduler/host_manager.py
@@ -392,6 +392,8 @@ class HostManager(object):

     def _update_aggregate(self, aggregate):
         self.aggs_by_id[aggregate.id] = aggregate
+
+ LOG.debug(f"update for {aggregate.id} called with {aggregate.hosts}")
         for host in aggregate.hosts:
             self.host_aggregates_map[host].add(aggregate.id)
         # Refreshing the mapping dict to remove all hosts that are no longer
```

### Local.conf:

```
[[local|localrc]]
ADMIN_PASSWORD=secret
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD

VIRT_DRIVER=fake
NUMBER_FAKE_NOVA_COMPUTE=10

[[post-config|$NOVA_CONF]]

# just addition of AggregateInstanceExtraSpecsFilter to exercise the issue
[filter_scheduler]
enabled_filters = ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,SameHostFilter,DifferentHostFilter,AggregateInstanceExtraSpecsFilter
```

### aggregate and flavor setup for AggregateInstanceExtraSpecsFilter

```
openstack aggregate create test_agg
openstack aggregate set --property "test=true" test_agg

openstack flavor create --ram 512 --disk 1 --vcpus 1 test_flavor
openstack flavor set --property "aggregate_instance_extra_specs:test=true" test_flavor
```

### add hosts to aggregate in parallel
It is not guaranteed to trigger the issue, so several attempts may be needed.
Looking at the debug logs from host manager will show if the last applied RPC has an incomplete list of hosts in the aggregate.
The issue seems easier to trigger the more closely spaced in time the requests are, such as doing it via openstacksdk and reusing the session and avoiding the python startup time.

```
openstack hypervisor list -c "Hypervisor Hostname" -f value \
| xargs -I {} -P 10 -n 1 \
 openstack aggregate add host test_agg -c hosts -f value {}
```

This will show responses like the following:
```
['devstack8']
['devstack8', 'devstack1']
['devstack8', 'devstack1', 'devstack2']
['devstack8', 'devstack3']
['devstack8', 'devstack1', 'devstack7']
['devstack8', 'devstack4']
['devstack8', 'devstack6']
['devstack8', 'devstack1', 'devstack3', 'devstack4', 'devstack10']
['devstack8', 'devstack1', 'devstack3', 'devstack4', 'devstack2', 'devstack6', 'devstack9']
['devstack8', 'devstack1', 'devstack3', 'devstack4', 'devstack2', 'devstack6', 'devstack5']
```

At this point, viewing the aggregate info directly does show the correct memebership
```
$ openstack aggregate show test_agg --max-width=80
+-------------------+----------------------------------------------------------+
| Field...

setting this to medium severity

there is an existing race in how the cache is updated.
the workaround is to periodically restart the scheduled to clear the cache.

this looks like it affects all stable releases of OpenStack.
however its unlikely but not impossible that a fix for this can be backported.

given the above I'm marking this as medium as there is a relatively simple workaround even if the detection of the
isuee is not trivial.