Add instance update and reactivation

[WilboMo]

Issue number:
Addresses #9

Description of changes:
Adds functionality to update drained Bottlerocket instances, reboot updated instances and change state to "ACTIVE" after successful upgrade.

Testing done:
Executed changes against ECS test cluster containing a mix of AL2 instances and 4 Bottlerocket version 1.0.5 hosts with service and non-service tasks present in the cluster:

Output (truncated for brevity):

---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: application/x-amz-json-1.1
Date: Thu, 15 Apr 2021 16:48:30 GMT
Server: Server
X-Amzn-Requestid: c3f71a22-c586-4c1f-b62b-d9724aefd926


-----------------------------------------------------
2021/04/15 09:48:30 {"CloudWatchOutputConfig":{"CloudWatchLogGroupName":"","CloudWatchOutputEnabled":false},"CommandId":"8865c81a-83ae-4c2e-958d-05dc107ef47e","Comment":"","DocumentName":"AWS-RunShellScript","DocumentVersion":"$DEFAULT","ExecutionElapsedTime":"PT0.484S","ExecutionEndDateTime":"2021-04-15T16:48:25.429Z","ExecutionStartDateTime":"2021-04-15T16:48:25.429Z","InstanceId":"i-##########","PluginName":"aws:runShellScript","ResponseCode":0,"StandardErrorContent":"16:48:25 \u001B[0m\u001B[34m[INFO] \u001B[0mRefreshing updates...\n","StandardErrorUrl":"","StandardOutputContent":"{\n  \"active_partition\": {\n    \"image\": {\n      \"arch\": \"x86_64\",\n      \"variant\": \"aws-ecs-1\",\n      \"version\": \"1.0.7\"\n    },\n    \"next_to_boot\": true\n  },\n  \"available_updates\": [\n    \"1.0.7\",\n    \"1.0.6\",\n    \"1.0.5\",\n    \"1.0.4\",\n    \"1.0.3\",\n    \"1.0.2\",\n    \"1.0.1\",\n    \"1.0.0\"\n  ],\n  \"chosen_update\": null,\n  \"most_recent_command\": {\n    \"cmd_status\": \"Success\",\n    \"cmd_type\": \"refresh\",\n    \"exit_status\": 0,\n    \"stderr\": \"\",\n    \"timestamp\": \"2021-04-15T16:48:25.835131261Z\"\n  },\n  \"staging_partition\": null,\n  \"update_state\": \"Idle\"\n}\n","StandardOutputUrl":"","Status":"Success","StatusDetails":"Success"}
2021/04/15 09:48:30 Instance i-########## updated to Bottlerocket 1.0.7

3 Bottlerocket instances running a Service and 1 with no tasks:

BR - 1
$ apiclient update check
04:27:15 [INFO] Refreshing updates...
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.7"
    },

BR - 2
$ apiclient update check
04:27:15 [INFO] Refreshing updates...
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.7"
    },

BR - 3

$ apiclient update check
04:27:59 [INFO] Refreshing updates...
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.7"
    },
 
BR - 4

$ apiclient update check
04:28:31 [INFO] Refreshing updates...
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.7"
    },

The previous, updated, instances were then replaced with 1.0.5 instances and a non-service tasks placed into the cluster, running on BR-1:

BR-1 
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.5"
    },

BR-2
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.8"
    },
    "next_to_boot": true
  },

 BR-3
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.8"
    },

BR-4
{
  "active_partition": {
    "image": {
      "arch": "x86_64",
      "variant": "aws-ecs-1",
      "version": "1.0.7"
    },

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[webern]

Looks good. Some stream of consciousness while reading.

[webern]

The saddest outcome.

[webern]

Not sure why this function is taking an ec2ID and then returning it.

[WilboMo]

The EC2ID goes through some filtering to make sure its eligible for update. So the EC2ID It returns is one thats been vetted and cleared to proceed.

[srgothi92]

But, I don't see ec2ID being used anywhere in the method ? If the function does not return an error doesn't that mean that ec2ID is ready for update ?

[webern]

Is this true? Or does resp.Status only mean that the SSM Command invocation succeeded? (Typo succeessfully)

[WilboMo]

Ah, my mistake. I have another idea that may do the trick.

[webern]

Is checkSsmCommandResult a better name, or will this function eventually check more deeply that the update actually occurred?

[webern]

Maybe getActiveVersions is a better name? Also maybe explain these functions with doc comments.

[webern]

The name is still a little weird. This might read better:

instancesToUpdate, err := up.listInstancesToUpdate(commandID, instances)

[webern]

I think using this empty string to carry some meaning is a little strange. You could use the ok bool pattern instead.

[webern]

_ec2ID: the underscore isn't needed since you are using the variable.

[srgothi92]

But, I don't see ec2ID being used anywhere in the method ? If the function does not return an error doesn't that mean that ec2ID is ready for update ?

[srgothi92]

I am just worried about all these return on err. Do we really like to return if anything failed in between ?
I think we should just:
1 . make sure to mark Instance "Active".
2. continue updating next instance and worry about updating this instance in next program iteration.
Similar things for lot many errors, I think we need to scan all the errors and proceed for non fatal error.

[WilboMo]

Oh, you're right (regarding checkAndDrain's handling of the EC2ID)!

On your notes regarding returning err

1. Is handled by the functions/methods themselves.
2. I like the idea of scanning for fatals, I'll create a new issue to add that in. For now, what about capturing the error output and just printing it to log but not returning an error? This way the information about problems is still provided but it doesn't kill the operation?

[srgothi92]

I'll create a new issue to add that in.

I will do this, because I would not like to rush on how each error is handled. We would have to think of all the cases that can cause an error and then make a decision accordingly. For now happy path works, so we can get this merged and not block on this.

[srgothi92]

Any reason why we are adding checkedEC2ID to a list ? Due this we had to run a loop inside getVersion. We are updating only one instance at a time why do we need a list ?

[WilboMo]

I did this because some functions like sendCommand expect a slice as an argument. This ensures those functions can use the EC2ID we're operating on throughout the process.

[srgothi92]

In that case we can just pass checkedEC2IDAsSlice only to sendCommand and we can directly use ec2ID for getVersion. So that we don't have to unnecessarily run a loop when we know there is only one item.

[srgothi92]

formatting issue ?

[WilboMo]

I'll run format again, but I have it on save now and I did a go fmt before pushing 🤔 .

[srgothi92]

In that case we can just pass checkedEC2IDAsSlice only to sendCommand and we can directly use ec2ID for getVersion. So that we don't have to unnecessarily run a loop when we know there is only one item.

[srgothi92]

Mostly looks good.

[webern]

Suggested change

	// getActiveVersion queries a Bottlerocket instnace to determine the active version in use by the instance.
	// getActiveVersion queries a Bottlerocket instance to determine the active version in use by the instance.

[WilboMo]

Thanks for catching that!

[samuelkarp]

This logic here is a bit weird. Since line 103 constructs a slice with exactly one element, line 104 will always evaluate to true.

Aside from removing the if, it's also not necessary to say "AsSlice" to record the type of the variable in the name.

Suggested change

	ec2IDAsSlice := []string{ec2ID}
	if len(ec2IDAsSlice) != 0 {
	ec2IDs := []string{ec2ID}

[WilboMo]

Thanks. I had considered doing away with the if len(ec2IDAsSlice) for the reasons you pointed out, but was concerned I may not have been thinking of a situation where it would evaluate false and left it for safety. I'll make the suggested change!

[samuelkarp]

There's a pattern here of continue-on-error, which I think is probably not the right pattern. If there are errors in updating, we risk taking out the entire cluster and leaving no remaining capacity.

• What can we do in terms of recovery if an error occurs?
• If no recovery is possible, should we abort entirely?
• If no recovery is possible, how do we notify the cluster administrator that some action needs to be taken, and what that action is?

[WilboMo]

• What can we do in terms of recovery if an error occurs?

I'm not yet sure on what recovery actions we can take for some of these failures. The apiclient update apply -r could be re-attempted on the next pass and it may work just fine. But things like reboot failures or an instance entering a non Ok state may be beyond the scope of what Updater should act on. We could add in logic to attempt restarting it again, describe the instance or take some other action but that would require an escalation in IAM permissions to EC2 that I don't think, off the cuff, is a good idea.

• If no recovery is possible, should we abort entirely?

In my first iteration of this bit I had it returning err rather than logging it so that it would abort the entire operation. However, it was pointed out by another commenter that we wanted it to proceed with the other instances to be updated as one failure doesn't necessarily disqualify the rest and that we could just let Updater try again on the next pass.

However, if they were all to fail taking down an entire cluster would be horrible as you rightly point out. I'll think on this but I think it may be the safest option, until better error handling is added later on, that we abort on a failure to preserve the integrity of the cluster as a whole.

• If no recovery is possible, how do we notify the cluster administrator that some action needs to be taken, and what that action is?

I had debated adding in additional log statements here in tandem with the functions already defined error message reporting to provide more context on the problem. However, I ended up removing that before posting the PR because I was concerned the messages may be too verbose.

Would it better to remove the log messages from their functions and allow them to be defined in main.go when the functions are called and go through the if err != nil checks? This would allow the error message to be tailor made for the operation and give more clear indication to users where things failed and why.

[samuelkarp]

I'm not yet sure on what recovery actions we can take for some of these failures.

Depending on the type of failure, it may be reasonable to put the container instance back to ACTIVE and continue on, or to continue on directly. For example:

• If our call to drain the container instance fails due to something like a permission issue and the instance stays ACTIVE: it's safe to continue forward since no capacity was removed
• If our call to check update status fails: it's safe to undrain the instance and continue forward, unless the undrain fails

However, if they were all to fail taking down an entire cluster would be horrible as you rightly point out. I'll think on this but I think it may be the safest option, until better error handling is added later on, that we abort on a failure to preserve the integrity of the cluster as a whole.

I think it's worth thinking about it this way: any failure which results in a reduction in cluster capacity that cannot be successfully restored (undrained) should probably result in us aborting with a clear error message to the administrator.

Would it better to remove the log messages from their functions and allow them to be defined in main.go when the functions are called and go through the if err != nil checks? This would allow the error message to be tailor made for the operation and give more clear indication to users where things failed and why.

It's definitely worth revisiting the logging that we have before the updater is really ready to be used, but it doesn't have to be in the context of this PR.

In general: it's good to embed context into errors. Newer versions of Go (since 1.13 if I'm remembering correctly) have a native error-wrapping feature that allows you to add context. So you can do something like this:

if err != nil {
	return fmt.Errorf("failed to undrain: %w", err)
}

and then have that error bubble all the way up to the top.

However, it can also be useful to add local logs with additional local context. Structured logging implementations (like logrus) enable contextual fields to be added and automatically included:

myLog := logrus.WithField("cluster", cluster)
// ... omitted ...
if err != nil {
	myLog.WithError(err).Error("failed to undrain")
	return fmt.Errorf("failed to undrain: %w", err)
}

[samuelkarp]

What if len(updateResult) != 0? What should happen then?

[samuelkarp]

It looks like the error is unintentionally ignored here.

Suggested change

	updateResult, _ := u.checkSSMCommandResult(updateStatus, ec2IDAsSlice)
	if err != nil {
	updateResult, err := u.checkSSMCommandResult(updateStatus, ec2IDAsSlice)
	if err != nil {

[samuelkarp]

What should happen if len(updatedVersion) == 0?

[samuelkarp]

It looks like GetCommandInvocation is called twice for the same command ID; once here and once in checkSSMCommandResult. In checkSSMCommandResult, there is further logic applied to map the result into a set of candidates. That looks like a bit of an anti-pattern, since we can instead make a single remote call and have two separate ways of interpreting the results.

There are a couple ways to restructure the code to achieve that, for example:

• Instead of having two calls to GetCommandInvocation, have one single place where that is called and have the raw bytes returned such that they can be unmarshalled in two separate places with different interpretation
• Instead of having two functions that unmarshal the result differently, have a single function that calls GetCommandInvocation, unmarshalls the results into a struct, and then returns that struct. Then you can interpret the struct appropriately in based on your needs.

This would be a bit of refactoring, but is appropriate to do.

[samuelkarp]

nit: there's no additional error message so there's no need for fmt.Errorf

Suggested change

	return fmt.Errorf("%#v", err)
	return err

[samuelkarp]

If sending the command "apiclient update check" fails, getCommandResult will probably also fail. Since we've already returned the instance to "ACTIVE", we can continue here.

Suggested change

	updateStatus, err := u.sendCommand(ec2IDs, "apiclient update check")
	if err != nil {
	log.Printf("%#v", err)
	}
	updateResult, err := u.getCommandResult(updateStatus, ec2ID)
	if err != nil {
	log.Printf("%#v", err)
	}
	updateStatus, err := u.sendCommand(ec2IDs, "apiclient update check")
	if err != nil {
	log.Printf("%#v", err)
	continue
	}
	updateResult, err := u.getCommandResult(updateStatus, ec2ID)
	if err != nil {
	log.Printf("%#v", err)
	continue
	}

[samuelkarp]

It doesn't look like the instanceID parameter is used

Suggested change

	func getActiveVersion(commandOutput []byte, instanceID string) (string, error) {
	func getActiveVersion(commandOutput []byte) (string, error) {

[WilboMo]

Ah, good catch. Thanks!

[samuelkarp]

nit: getUpdateState implies that the function would return some sort of state indicator, but instead it's just returning whether an update is available

Suggested change

	func getUpdateState(commandOutput []byte) bool {
	func isUpdateAvailable(commandOutput []byte) bool {

[samuelkarp]

nit: short flags are present for convenience when typing into a terminal, but when scripting it's more clear to use long flags

Suggested change

	_, err = u.sendCommand(ec2IDs, "apiclient update apply -r")
	_, err = u.sendCommand(ec2IDs, "apiclient update apply --reboot")

[samuelkarp]

This logic enables the following scenario to occur:

• Instance updates
• Update is still available (perhaps because another update's wave is now visible to the instance)
• Log "Instance %s did not update. Manual update advised."
• Read the active version
• Log "Instance %s updated to Bottlerocket: %s"

Or this scenario:

• Instance fails to update
• Update is still available
• Log "Instance %s did not update. Manual update advised."
• Read the active version
• Log "Instance %s updated to Bottlerocket: %s"

In the first case, even though the instance did update the log claims it didn't. In the second case, even though the instance didn't update, the last log line claims it did.

These should probably not happen. Either the instance updated or it didn't; we shouldn't be able to claim both at the same time. There are a couple ways this could be changed:

1. Remove the check for isUpdateAvailable, since the question is really "did the version change". Instead, store the original version and compare to the new version.
2. Adjust the logic such that if a "manual update advised" we skip the second check about the version.
3. Adjust the language in the second change so it doesn't say "updated to" and instead says something more like "Instance %s is running Bottlerocket %s".

[WilboMo]

Thanks for the comment! I think PR #47 will enable option 1 nicely (which I think is the right option long term) as we could cast the version to the struct introduced by @srgothi92 in that pull request and use that to compare with during the update process. I could implement the version check in a different way, but unless I'm mistaken, it would make sense to move it into that struct when its merged anyways.

I considered waiting until that PR was merged and revising my PR off that, but in the interest of moving forward I'm going to implement the second and third options you lay out, add a TODO and open an issue to put the version comparison in a subsequent PR.

[samuelkarp]

It looks like the error is ignored here.

Suggested change

	if err != nil {
	log.Printf("failed to unmarshal command invocation output: %#v", err)
	}
	if err != nil {
	log.Printf("failed to unmarshal command invocation output: %#v", err)
	return "", err
	}

[samuelkarp]

nit: This can be simplified

Suggested change

	switch updateState.UpdateState {
	case "Available":
	return true
	}
	return false
	return updateState.UpdateState == "Available"

[WilboMo]

Thats awesome, thanks for pointing that out. Didn't know that'd return bool.

[WilboMo]

While testing my changes to address @samuelkarp's comments I encountered a scenario where an empty Json would trigger a success result. I added this in to prevent that scenario from giving false positives.

[samuelkarp]

A string result here is very strange. An error is a common mechanism for communicating failure.

Alternately, success and failure can be communicated with a bool (conventionally, an ok variable).

Suggested change

	func isUpdateAvailable(commandOutput []byte) (bool, string) {
	func isUpdateAvailable(commandOutput []byte) (bool, error) {

[WilboMo]

I originally used error but was concerned using it in an elif statement as I had intended would be anti-pattern. I reckon I overthought that a bit as I don't think I even need to use it in an elif for that to work. Thanks for the comment!

[samuelkarp]

nit: this comment is out of date

[samuelkarp]

LGTM, thanks!