update inFlight cache to avoid race condition on volume operation

[AndyXiangLi]

Is this a bug fix or adding new feature?
Fixes #918
What is this PR about? / Why do we need it?
Per spec, there is no more than one call “in-flight” per volume at a given time.
Add another layer of protection on the driver to make sure apis are idempotent.
What testing is done?
e2e test on k8s 1.19

[coveralls]

Coverage increased (+0.5%) to 79.496% when pulling 383299e on AndyXiangLi:create-volume-idempotent into 454fdb4 on kubernetes-sigs:master.

[AndyXiangLi]

As we only support single writer mode now, I would say it is ok to just use volumeId as key here. However, I don't see any harm if we using combination of volumeId&nodeId, If customer is trying to attach same volume to different node now, this request will be reject in other steps. Advise?

[AndyXiangLi]

I removed this block in ControllerPublishVolume and ControllerUnpublishVolume, e2e test is failing because of this. I think we need to dig deeper into the publish/unpublish volume scenario. It's not related to the issue though, how about we implement this in a separate PR?

[wongma7]

which test? I agree, let's leave ControllerPublish/Attach for another PR, it's more complicated for sure

[wongma7]

the spec says: This operation MUST be idempotent. If the volume corresponding to the volume_id has already been published at the node corresponding to the node_id, and is compatible with the specified volume_capability and readonly flag, the Plugin MUST reply 0 OK.

So you are right, we should use volume_id and node_id.

If the attacher requests the same volume_id and different node_id (and volume is not multiattach, which we don't support yet anyway) the request will fail/get rejected anyway, I agree that's fine.

[AndyXiangLi]

Failed test: https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_aws-ebs-csi-driver/924/pull-aws-ebs-csi-driver-e2e-single-az/1402061105047539712

[wongma7]

it seems like detach just took too long? or somehow the lock/inflight didn't get released, although the code is simple so I don't know how that would be possible.

 I0608 00:51:24.912672       1 cloud.go:594] Waiting for volume "vol-059485ebcfd5f7282" state: actual=detaching, desired=detached
I0608 00:51:26.006673       1 cloud.go:594] Waiting for volume "vol-059485ebcfd5f7282" state: actual=detaching, desired=detached
I0608 00:51:27.918180       1 cloud.go:594] Waiting for volume "vol-059485ebcfd5f7282" state: actual=detaching, desired=detached
W0608 00:53:00.254490       1 cloud.go:535] Ignoring error from describe volume for volume "vol-0944244f08b5badd0"; will retry: "RequestCanceled: request context canceled\ncaused by: context deadline exceeded"
E0608 00:53:28.688453       1 driver.go:119] GRPC error: rpc error: code = Aborted desc = ControllerUnpublishVolume for Volume vol-0944244f08b5badd0 and Node i-071ebf53811520106 is already in progress
E0608 00:54:18.254315       1 driver.go:119] GRPC error: rpc error: code = Aborted desc = ControllerUnpublishVolume for Volume vol-0944244f08b5badd0 and Node i-071ebf53811520106 is already in progress 

[wongma7]

I wonder if it's possible for attach/detach to deadlock since in kubernetes world it's quite common/possible to have 1 replica Terminating on one Node and its vol trying to detach at the same time as 1 replica Pending on another Node and its vol trying to attach. This would mean we would need to index by ControllerPublish+volume_id+node_id or ontrollerUnpublish+volume_id+node_id

[wongma7]

what if we move this all the way to beginning of the func, even before validating the request?

Also I noticed it's inconsistent how some functions index * with volumeID but others with request...I think they should all use request?

[AndyXiangLi]

When I look into the spec, it is saying there is no more than one call “in-flight” per volume at a given time. I was struggled to determine using volumeId or whole req. If we use req, we are able to guarantee no more than one request per operation for one volume, but some case like deleteVolume & createSnapshot on same VolumeId will be allowed. Just wondering should we care about these use cases, otherwise use whole request make sense to me..

[wongma7]

let's consult the spec and think about it rigorously for each operation, I am scared of races :D

CreateVolume: We should use name: https://github.com/container-storage-interface/spec/blob/master/spec.md#controller-service-rpc
DeleteVolume: We should use volume_id: https://github.com/container-storage-interface/spec/blob/master/spec.md#deletevolume
CreateSnapshot: We should use name: https://github.com/container-storage-interface/spec/blob/master/spec.md#createsnapshot
DeleteSnapshot: We should use snapshot_id: https://github.com/container-storage-interface/spec/blob/master/spec.md#deletesnapshot

obviously, for createvolume and createsnapshot, you don't know the ID yet, so you can't use it as an idempotency token, that's why the spec requires name.

[wongma7]

for ControllerUnpublish, we get stuck in this loop

aws-ebs-csi-driver/pkg/cloud/cloud.go

Line 499 in 2b61230

func (c *cloud) WaitForAttachmentState(ctx context.Context, volumeID, expectedState string, expectedInstance string, expectedDevice string, alreadyAssigned bool) (*ec2.VolumeAttachment, error) {

. the context gets cancelled after just 15 seconds by external-attacher https://github.com/kubernetes-csi/external-attacher/blob/e9f6477657cf1616e63405a9ad29aaf99ebfad70/pkg/controller/csi_handler.go#L574 https://github.com/kubernetes-csi/external-attacher/blob/e9f6477657cf1616e63405a9ad29aaf99ebfad70/cmd/csi-attacher/main.go#L59 but DescribeVolumesWithContext keeps getting retried with the cancelled context

aws-ebs-csi-driver/pkg/cloud/cloud.go

Line 805 in 2b61230

response, err := c.ec2.DescribeVolumesWithContext(ctx, request)

I think the fix is to check ctx.Err() with every loop iteration, if it has been cancelled we should exit the loop. External-attacher will then call ControllerUnpublish again and start another loop

[wongma7]

The alternative is to increase external-attacher context timeout to be much higher, like 45 minutes

aws-ebs-csi-driver/pkg/cloud/cloud.go

Line 500 in 2b61230

// Most attach/detach operations on AWS finish within 1-4 seconds.

In that case, our own retry logic will dictate the frequency we call DescribeVolumes instead of external-attacher.

[AndyXiangLi]

/test pull-aws-ebs-csi-driver-external-test

[wongma7]

don't think we need the && to check of the err is canceled. if there's any err, exit

[wongma7]

/lgtm
/approve
tyvm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AndyXiangLi, wongma7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [AndyXiangLi,wongma7]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ialidzhikov]

Thank you @AndyXiangLi and @wongma7 ! Is it possible to backport the fix to the affected versions that are still maintained/patched?

[ialidzhikov]

/kind bug

[ialidzhikov]

ping @AndyXiangLi @wongma7

[wongma7]

yes we can do a 1.1.1, if not today then next week. There is also an xfs bugfix that I think deserves release

[ialidzhikov]

yes we can do a 1.1.1, if not today then next week. There is also an xfs bugfix that I think deserves release

@wongma7 @AndyXiangLi , is there any update wrt to v1.1.1? We are still looking forward to it :)