[batch] Support deployment mode as a Terra on Azure app

[daniel-goldstein]

First draft of a helm chart for packaging up Hail Batch as a Terra on Azure App. This will likely need numerous bug fixes as we set up a proper testing strategy, but the rough shape of everything should be pretty stable.

[daniel-goldstein]

I don't love what I've had to do with the deploy config stuff. That's in my opinion the most finicky part of this (has already broken multiple times) and it's mostly our fault, because we overload the namespace parameter with both identifying the namespace in Kubernetes and signifying whether the environment is prod or not. All I want really is to change the domain to a domain and path prefix, and not have the namespace have such an impact on routing. Like what if namespace didn't affect routing, but if the deploy config only gave a domain with no path e.g. hail.is, we use subdomains so batch.hail.is, but if we provided a domain with a path prefix like internal.hail.is/dgoldste, we make the batch root internal.hail.is/dgoldste/batch?

Alternative: Actually have and use a base_path in the deploy config. This would be used in dev and terra environments.

[danking]

Pretty straightforward review! Still letting it all sink in, so some of my comments might be naive; tell me if they are!

[danking]

Is this a version for the chart?

[daniel-goldstein]

Yes, updating hail batch in terra basically just requires a PR to Leonardo that updates the chart version they use. We could just use the pip version across the board, but haven't given that much thought.

[danking]

I like pip version. The fewer distinct versions we have to deal with the better.

[danking]

unused perhaps?

[daniel-goldstein]

This is a class variable that is used by worker.py. It probably is inconsequential in terra but I copied this value from the Azure worker API.

[danking]

say more?

[daniel-goldstein]

Lost track of this in all the LoC in this change. In the WSM API there's a state field in the response of the following enum [ BROKEN, CREATING, DELETING, READY, UPDATING ]. I'm hoping, but am not certain, that we can at least map READY to our notion of ready. Interestingly, this functionality doesn't seem entirely necessary, as a VM is marked ready regardless when it comes online and contacts the driver.

[danking]

Hmm. Is the TODO suggesting that we assert the state field is READY in the response?

addressed

[danking]

I'll do a more thorough review tomorrow; today has too many meetings sadly.

[danking]

I'm thinking refresh sooner, but I admit my thinking is still hazy here.

It almost feels like our retry logic needs to be URL-aware. What if we're 11 minutes from expiration and we're streaming a big-ish file. We make some requests to get the first couple chunks, then we do some processing, then a network hiccups and we retry from the start. It feels very reasonable to exceed the 11 minutes.

Of course, the same problem can happen in normally authenticated code, but, at least for aiogoogle, every independent call to request will check for authentication validity. Here, once we've resolved the URL, we've locked in our credentials until we successfully complete all interactions with this object. I wonder if the right place for this functionality is much deeper, at the level of AzureSession/AzureCredentials. We'd have to change the interface for credentials so that it has access to the URL though.

[danking]

dismiss when the signed URL fiddliness is ready for another look

[daniel-goldstein]

@danking , I'm a bit stuck on how to proceed with the credential refreshing. Here's the layout of the problem:

1. In normal Azure, we accept user-provided SAS tokens. Since they are user-provided, we have no way of obtaining new ones and the onus is on the user to obtain a SAS token for however long they expect to need to use it.
2. This current design in Terra is to not make the user have to do that, because that seems annoying, and for terra-controlled ABS containers we have an endpoint we can hit to get a SAS token. Ok, but now we need to update our Azure FS infrastructure to refresh a credential if it expires. But, we use the azure client lib and don't control all http requests. For example, for AzureStorageFS.open, we call downloader.readall() if we want to load the whole file into memory. I went spelunking through their source and looks like readall mostly wraps a sequence of range reads, but regardless if we were to use that method we would have to catch credential expiration errors, reset credentials on the blob client and retry hoping that we didn't break any invariants -- I don't want to do that as I wouldn't trust a stream that encountered a non-transient error like that. It could be that getting rid of downloader.readall is the only thing we have to worry about, but it makes me uneasy not having control of the http requests we're making to ABS.

Do you see a solution other than raking through our aioazure.fs and making sure that we only use "quick" methods and possibly retrying 401s? It just seems to me like we're going against the grain and even though it feels user-hostile the intention of SAS tokens are to have users own credential expiration.

[daniel-goldstein]

Stepping back a little bit, there might be a reasonable (if unsatisfying) middle ground. Presumably the operations most at risk are long streams that we always do in chunks anyway, and in that case we can create new downloaders on AzureReadableStream.read if the SAS token expires. That would probably solve most of these problems.

x

[danking]

boop

done and passing!

[danking]

some thoughts, haven't gone through everything yet

[danking]

Do you know what happens to the disk when the VM dies? Who cleans up the disk?

[daniel-goldstein]

We've decided to remove the data disk from this PR and only accept VMs with a local ssd.

[danking]

Hmm. Is the TODO suggesting that we assert the state field is READY in the response?

[danking]

This is a bit of a bike shed but also a bit of a principled stance against UUID.

---

I'm a bit generally skeptical of UUIDs. They encode a 128-bit number using 32+4 = 36 ASCII characters or 288 bits. They also waste 6 of the 128 bits on deterministic version information.

What's the arguments for/against uuid4 versus, say, a 64-bit random integer or even a 128-bit random integer, if we want a very low chance of collision?

For 64 bits the chance of collision with 100,000 draws is 1 in 10^-10 [1]. But even if we just base64.b64encode(secrets.token_bytes(16)) that's a full 128 bits of randomness encoded in 192 bits of base64 characters.

[1] https://www.wolframalpha.com/input?i=1+-+Pochhammer%5Bn-%28k-1%29%2Ck%5D%2Fn%5Ek+where+n+is+2%5E64+and+k+is+100000 Pochhammer is necessary because of the huge numbers involved. Pochhammer[x-(y-1), y] is x!/(x-y)!.

[daniel-goldstein]

This is fair, I was simply going by the recommendation in the WSM API docs. I don't have a big preference, happy to change it to base64.b64encode(secrets.token_bytes(16))

[danking]

Shouldn't disk creation failure be more traumatic?

[daniel-goldstein]

Turns out this is how the other cloud drivers operate when they can't create an instance. We're going to keep this as is but this should be scrutinized more broadly to consider whether we should immediately remove the instance when it fails to be created.

[daniel-goldstein]

Hmm. Is the TODO suggesting that we assert the state field is READY in the response?

I handled the other states and removed the TODO

addressed

[danking]

One nit, but this seems broadly right to me!

[danking]

WIP'ed in case you want to add the last shq