Restart operation on child-devices

[didier-wenzek]

Updating tedge-agent and c8y-mapper to support restart operation on child devices

Proposed changes

• use mqtt.topic_root and mqtt.device_topic_id
• use te/device/main///cmd/restart/+ instead of tedge/commands/+/control/restart
• move the command id from the payload to the topic
• publish restart commands as retained messages
• The c8y-mapper has to register child device restart capability
• Add system tests: restarting a child device from c8y

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#2018

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s)
• I ran cargo fmt as mentioned in CODING_GUIDELINES
• I used cargo clippy as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
288	0	3	288	100	1h1m19.047999999s

[codecov]

Codecov Report

Merging #2245 (97a07a0) into main (09b7d30) will decrease coverage by 0.1%.
Report is 1 commits behind head on main.
The diff coverage is 69.6%.

❗ Current head 97a07a0 differs from pull request most recent head b717228. Consider uploading reports for the commit b717228 to get more accurate results

Additional details and impacted files

Files Changed	Coverage Δ
crates/core/c8y_api/src/smartrest/topic.rs	86.2% <0.0%> (-5.6%)	⬇️
crates/core/tedge_agent/src/agent.rs	0.0% <0.0%> (ø)
...ates/core/tedge_agent/src/restart_manager/error.rs	0.0% <ø> (ø)
crates/core/tedge_api/src/topic.rs	97.1% <ø> (+2.6%)	⬆️
crates/extensions/c8y_mapper_ext/src/config.rs	53.5% <0.0%> (-1.4%)	⬇️
crates/extensions/c8y_mapper_ext/src/converter.rs	77.8% <35.2%> (-2.1%)	⬇️
...ates/core/tedge_agent/src/restart_manager/actor.rs	43.1% <38.1%> (-4.4%)	⬇️
...tes/core/tedge_agent/src/restart_manager/config.rs	45.8% <75.0%> (+12.5%)	⬆️
crates/extensions/tedge_log_manager/src/actor.rs	69.2% <75.0%> (+0.2%)	⬆️
...tedge_agent/src/tedge_operation_converter/actor.rs	78.7% <78.5%> (+4.2%)	⬆️
... and 12 more

... and 7 files with indirect coverage changes

[reubenmiller]

@didier-wenzek is the PR in a state where we can add an integration test for the child device as well? Or is there still other work required for the tedge-agent to function on a child device (in the scope of the restart command only)

[albinsuresh]

LGTM. Was a bit surprised to see the sheer amount of files and crates that were touched. It just highlights the amount of fragmentation that we currently have.

I was also surprised to see that no integration tests were updated. But then found out that none exists atm. I'm hoping that it is feasible now, since we have containers in place of real devices.

[albinsuresh]

I just realised that you can have multiple plain impl blocks for the same struct, which are not for any trait implementations and this module already had 3 different impl blocks. Looks fine, but I just don't understand the benefits though. I'm assuming it is for better code organization to isolate different responsibilities into different impl blocks instead of one big fat impl block.

[didier-wenzek]

Indeed, something that needs to be fixed. But in a PR doing only that.

Why are we here? Previously, there was an implementations of a trait used only here. There were also functions which have been promoted to methods. When I introduced these changes, I decided to go that way in order to help the code reviewers by minimizing code shuffling on an already huge refactoring.

Now, this can be cleaned up.

[reubenmiller]

This might be a bit premature, but I did a quick manual test to see if I could trigger a restart operation from Cumulocity on the child device, but

• c8y_Restart operation is not registered on the c8y device managed object
• the operation stays in PENDING status in Cumulocity, but the tedge-agent goes into a restart cycle, where the container continuously keeps restarting

So if this is not the expected behaviour (due to that part not being implemented yet), then I would suggest we wait to add some new integration tests for this new functionality before we merge it.

[didier-wenzek]

So if this is not the expected behaviour (due to that part not being implemented yet), then I would suggest we wait to add some new integration tests for this new functionality before we merge it.

Sure, we must add system tests with the 3 systems (c8y, c8y-mapper and tedge-agent). The integration tests are only checking partial exchanges between c8y-mapper and tedge-agent.

[reubenmiller]

So if this is not the expected behaviour (due to that part not being implemented yet), then I would suggest we wait to add some new integration tests for this new functionality before we merge it.

Sure, we must add system tests with the 3 systems (c8y, c8y-mapper and tedge-agent). The integration tests are only checking partial exchanges between c8y-mapper and tedge-agent.

Then I'll add the system tests on Monday, though we definitely have issues here (as previously posted).

[didier-wenzek]

@didier-wenzek is the PR in a state where we can add an integration test for the child device as well? Or is there still other work required for the tedge-agent to function on a child device (in the scope of the restart command only)

The PR should be in a state where a restart of the child-device should work.

I was also surprised to see that no integration tests were updated. But then found out that none exists atm. I'm hoping that it is feasible now, since we have containers in place of real devices.

There is at least this one for the main device:

https://github.com/thin-edge/thin-edge.io/blob/main/tests/RobotFramework/tests/cumulocity/restart/restart_device.robot

[albinsuresh]

I was also surprised to see that no integration tests were updated. But then found out that none exists atm. I'm hoping that it is feasible now, since we have containers in place of real devices.

There is at least this one for the main device:

https://github.com/thin-edge/thin-edge.io/blob/main/tests/RobotFramework/tests/cumulocity/restart/restart_device.robot

Aah okay, using the Cumulocity APIs instead of triggering commands via te/.../cmd/restart topics. I was searching for a direct test using the tedge/ or te/ topics and that's why I didn't get any results.

[didier-wenzek]

This PR has been rebased on top of #2265

[didier-wenzek]

I confirm something is going wrong :-(

Restart operations are pushed and executed but then the agent start looping while the mapper say to nothing to c8y.

$ tedge mqtt sub te/+/+/+/+/cmd/restart/+
INFO: Connected
[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/vtigzeuw8fXhDPUGFnvXc] {"status":"failed"}
[te/device/main///cmd/restart/WR38g0Q4FsL4I-KdTj3y-] {"status":"failed"}
[te/device/main///cmd/restart/AG0CQgUz7FedAzGS-NLFq] {"status":"init"}

[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/vtigzeuw8fXhDPUGFnvXc] {"status":"failed"}
[te/device/main///cmd/restart/vtigzeuw8fXhDPUGFnvXc] {"status":"failed"}
[te/device/main///cmd/restart/WR38g0Q4FsL4I-KdTj3y-] {"status":"failed"}
[te/device/main///cmd/restart/WR38g0Q4FsL4I-KdTj3y-] {"status":"failed"}
[te/device/main///cmd/restart/AG0CQgUz7FedAzGS-NLFq] {"status":"failed"}
[te/device/main///cmd/restart/AG0CQgUz7FedAzGS-NLFq] {"status":"failed"}
[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/VKF2G1m2xslA-oLkvoy3t] {"status":"failed"}
[te/device/main///cmd/restart/vtigzeuw8fXhDPUGFnvXc] {"status":"failed"}

[didier-wenzek]

To be fixed:

• the agent must ignore commands which are not in the init state
• the mapper should use better cmd_id e.g. c8y-{timestamp}
• the mapper correctly send [c8y/s/us] 502,c8y_Restart,"Restart Failed" but this is ignored by the cloud. Why?
• the mapper must clear successful and failed requests
• the reason for a restart failure is not given
• on restart, the mapper should not create a new restart request (when pending in the cloud and locally)
• it would be helpful to add to each message the name of the service which changed the state

[reubenmiller]

The reason behind the status updates and failure reason not working is because they're being published on the incorrect c8y topic. For child devices it should be c8y/s/us/{child_id}

[reubenmiller]

The PRs looking very close now, I pushed some minor fixes and added some more system tests.

Though only remaining minor change is the following:

• Log entry is misleading when the restart command is killed by a signal. The entry with Restart command has been interrupted by a signal is good, but it is proceeded by an entry with the opposite meaning The restart command has been successfully executed.

  Sep 21 21:30:08 d2dcf7b3095f tedge-agent[189]: 2023-09-21T21:30:08.072623262Z  INFO tedge_agent::restart_manager::actor: Restart command has been interrupted by a signal: Command { std: "/usr/bin/sudo" "/usr/bin/on_shutdown_signal_interrupt.sh", kill_on_drop: false }
  Sep 21 21:30:08 d2dcf7b3095f tedge-agent[189]: 2023-09-21T21:30:08.072724928Z  INFO tedge_agent::restart_manager::actor: The restart command has been successfully executed
  

[albinsuresh]

The code looks fine except for a small issue that I've highlighted around failed state repository updates, that's not handled cleanly(even in the old code). Happy to approve once that's fixed.

[albinsuresh]

What's that case? Getting a message on some tedge/ topic that we've explicitly subscribed to, but still ignoring?

[didier-wenzek]

No this is temporary code. The first part of the method is related to tedge topics, the second part to te topics.

I could have write this differently, but came with this not so nice return to avoid confusing diffs in the PR.

[albinsuresh]

Initially I was wondering why we still need to rely on these files when we have all the info via retained messages. But then realised that we can't get rid of it until software management is also migrated to the topic based capability model and we expose the same topic API mechanism for custom operations as well.

[albinsuresh]

Not an error that you introduced but something that existed in the previous version as well: If update_state_repository returned a Failed status, we shouldn't be proceeding beyond the next line, right? It should have failed fast and return from here.

[didier-wenzek]

Fixed by 97a07a0

[albinsuresh]

Why are we doing this here? To make sure that the restart command that was executed genuinely triggered a device restart which would have translated into a RuntimeRequest::Shutdown request? What if the user intentionally replaced the restart script with something that doesn't really restart the device but does something else? In that case, do we want to mark that operation as failed? From his perspective, the successful execution of the script should have translated to a Success, right?

[albinsuresh]

From his perspective, the successful execution of the script should have translated to a Success, right?

I guess this is the root of the problem. When it's a user-overridden script, we can't always assume that the device would have been restarted, and wait for the agent to reboot and really validate if the restart succeeded and then only send the Successful status. But, purely relying on the exit status is not sufficient for our default restart script either. So, it's like a chicken and egg problem.

If we can always assume that the user-provided scripts must restart the device, then this is fine. That's a very genuine assumption to make, IMO. Else we should expect their custom script to send the successful status update MQTT message as well, at the end of their "non-restarting" logic.

[didier-wenzek]

What if the user intentionally replaced the restart script with something that doesn't really restart the device but does something else?

The user should not be surprised that the restart command fails ;-)

If we can always assume that the user-provided scripts must restart the device, then this is fine.

We can and we do. Even more, we check that this is the case: if the agent doesn't shutdown than restart after a reboot of the device, then command execution is reported as failed.

[didier-wenzek]

• Log entry is misleading when the restart command is killed by a signal.
  The entry with Restart command has been interrupted by a signal is good,
  but it is proceeded by an entry with the opposite meaning The restart command has been successfully executed.

Addressed by 6cb2de6

[reubenmiller]

The requested log message changes were resolved.

Approved