Async Healthcheck

[DimitarPetrov]

Motivation

Currently SM healthcheck works synchronously (calls all dependant components synchronously every time a call to /v1/health comes). This is not optimal and introduces unnecessary load both on SM and the dependencies.

Using https://github.com/InVisionApp/go-health healthchecks can happen asynchronously from the API call. We could remember the results of the last few executions so that we can return 500 on /v1/health only if the pg health indicator has failed 3-4 times in a row. This way we can avoid micro outages (e.g. if we couldnt reach the db for 5min straight, then we report status 500) otherwise we report 200 OK with body that mentions that db is down. This way hopefully we avoid microoutages reports caused by other components. We can leverage logic from the dependency in 1. that would help implement this

Approach

Each indicator could be configured separately in application.yml. The properties which could be configured are if the indicator is fatal or not, which says if the health of this indicator will affect the overall health. Failures treshold which is how much times in a row an indicator must report down until the component is considered down. And last is the interval time between each check for the component.

Example structure is:

...
health:
  indicators:
    storage:
      fatal: true
      failures_treshold: 3
      interval: 30
...

Positive response sample

{
  "details": {
    "ping": {
      "check_time": "2019-06-25T09:44:23.270103+03:00",
      "fatal": true,
      "first_failure_at": "0001-01-01T00:00:00Z",
      "name": "ping",
      "num_failures": 0,
      "status": "UP"
    },
    "storage": {
      "check_time": "2019-06-25T09:44:23.270114+03:00",
      "fatal": true,
      "first_failure_at": "0001-01-01T00:00:00Z",
      "name": "storage",
      "num_failures": 0,
      "status": "UP"
    }
  },
  "status": "UP"
}

Negative response sample (Treshold not exceeded and overall status is UP)

{
  "details": {
    "ping": {
      "check_time": "2019-06-25T09:46:23.272538+03:00",
      "fatal": true,
      "first_failure_at": "0001-01-01T00:00:00Z",
      "name": "ping",
      "num_failures": 0,
      "status": "UP"
    },
    "storage": {
      "check_time": "2019-06-25T09:46:23.274558+03:00",
      "error": "dial tcp [::1]:5432: connect: connection refused",
      "fatal": true,
      "first_failure_at": "2019-06-25T09:46:23.274626+03:00",
      "name": "storage",
      "num_failures": 1,
      "status": "DOWN"
    }
  },
  "status": "UP"
}

I made a PR in the library to make some of the fields in response optional since some of them are most of the time zero values like first_failure_at and num_failures when the component is UP, but still no response.
InVisionApp/go-health#64

[coveralls]

Coverage decreased (-0.4%) to 89.377% when pulling 06295e6 on async-health into e9af4a3 on master.

[dpanayotov]

I'm not entirely sure we need a new dependency that will span through all components just for its <100 rows of async collection of healths. Let's discuss this.

[KirilKabakchiev]

If we use more than the 100 lines of async collection of healths its worth using it - otherwise not. If we decide to use it we should make sure the pkg package does not expose any imports to this library (e.g. its internal implementation detail of the sm framework)

My idea was apart from the async collection of healths to also configure the library logging to use our logger so that we get health logging.

Also the library stores health failure timestamps and consecutive number of failures and other details which we could look at and decide if we want to enrich our health response with these extra details.
and some predefined healthcheckers such as Reachable, HTTP and SQLDB - but those are not a big deal.

[dpanayotov]

somewhere you should listen for ctx.Done() and call healthz.Stop()

[dpanayotov]

inline

[dpanayotov]

This works just because the storage implementation is hardcoded in sm.New to use postgres.Storage. Assuming it is not, this should be reverted.

[dpanayotov]

change this to time.Duration and add mapstructure. if time.Duration adjust the description

[dpanayotov]

I suppose this should be something larger. Like 30s/60s at least?

[dpanayotov]

I can't decide if it would be better to change our statuses from UP and Down to OK and Failed to avoid this.

[dpanayotov]

log.C(c)

[dpanayotov]

description should be time between...

[dpanayotov]

add tests for these

[dpanayotov]

now that these are not used, we might remove our health.Health altogether because it seems unnecessary conversion from one type to another

[dpanayotov]

health.ContiguousFailures > failureTreshold introduces behavior, which I'm not sure we want for all health indicators.
If the storage is down when healthcheck call comes, you might get a response with body that says failed, but you'll get status 200 OK. This will happen if the time between the detection of storage down and the call is less than failureThreshold * interval.
Assuming we configure interval=60s and /v1/monitor/health is called every 5 minutes - on the 4th minute the storage fails and now on the health call we get 200 OK but with failure response. Assuming there is a storage outage for 4 minutes (1 minute before the next health call) then the next health call will report UP again. However, the service has not been operational for 4 minutes and all storage operations were failing.

Does it make sense to have the health configuration be a map[string]Settings where each health indicator can be separately configured with failureThreshold and interval? Then we might configure the storage healthcheck to report down even after 1 failure.

[KirilKabakchiev]

its not a good idea (for projects with vendor folders) for pkg methods that will be used in other modules to expect input or return output that requires the caller of this to also import this dependency. this may complicate dependency management for any other project (proxy for example) - ideally creating a controller should require only imports from github.com/Peripli/service-manager

[KirilKabakchiev]

this should probably be configurable per HealthIndicator as the library allows - the way you implemented it limits us to having to use the same interval for all indicators which might be ok if the indicator didnt specify its own value

[KirilKabakchiev]

not a good practice to skip errors - even if its tests - normally you should handle the err by doing Expect(err).ShouldNot(HaveOccured()) - otherwise in case someone changed the logic in NewStorageHealthIndicator and the err occurred and was ignored here troubleshooting the failing test would be harder

[KirilKabakchiev]

The State also includes details such as

    CheckTime Time "json:\"check_time\""
    ContiguousFailures int64 "json:\"num_failures\""
    TimeOfFirstFailure Time "json:\"first_failure_at\""

It would be useful to have these in the json response for each of the indicators

[KirilKabakchiev]

The library allows registering IStatusListener that gets called back when the health status changes. We could register one so that we can log health status changes - rough example here https://github.com/InVisionApp/go-health/tree/master/examples/status-listener

Since Recovered can also log the times failures happened before recovery this could be useful information in logs

[KirilKabakchiev]

if err := ..; err != nil { ... }

[KirilKabakchiev]

if err := ..; err != nil { ... }

[KirilKabakchiev]

do you include the name in the details ? it would probably make sense to know what status comes from what indicator

[KirilKabakchiev]

coverage has dropped with 0.4% which seems a bit too much - could you have a look at new missed lines and see if they can be covered with meaningful tests?

[KirilKabakchiev]

Maybe something like // Gracefully stop health checks or no comment ?

[dpanayotov]

This seems like a hidden extra step that needs to be performed. What do you think about hiding the indicators and add a func (Registry) AddHealthIndicator(Inidicator) that configures it?

[dpanayotov]

log.C(smb.ctx).Panic()

[dpanayotov]

pass only the minimum that is required. you don't need the whole indicators slice.

[dpanayotov]

Panic(err)

[KirilKabakchiev]

storage.NewHealthIndicator (do not repeat storage)

[KirilKabakchiev]

not sure if its necessary to copy the settings over in the registry as the cfg is acessible in most places anyway?

[KirilKabakchiev]

I dont think its necessary to let the indicators know about these settings - Indicator can have .State() and .Name() and no other interfaced methods and the first touchpoint between the settings and the actual indicator will be when calling healthz.AddCheck

[KirilKabakchiev]

file order - constructors that return concrete types (typically) go right before the struct they return (readability)

[KirilKabakchiev]

what does a fatal = false with failureTreshold = 5 indicator mean ? Meaning do we need both or does having both just bring confusion

[KirilKabakchiev]

should it be >= or > (if threshold is the maximum allowed failures, the = should be removed)

[KirilKabakchiev]

you dont really use i so put _ instead. Also rename state to overrallState and v to state

[KirilKabakchiev]

You could wrap the access to the HealthIndicators in a register method that also adds defaultsettings for this indicator if they are missing and "completes" any incomplete settings for the indicator that is being registered - this will help get rid of the Configurable interface

[KirilKabakchiev]

I would suggest tey to get rid of this interface. - thereare some ideas in the other comments

[KirilKabakchiev]

NewController is a public api that will be used in other projects- so you have two options - go for a stable api (pass settings and know that when new settings are added the controller public api wont change) or pass minimal and risk having to refactor a public api afterwards. Both approaches are acceptable.

[KirilKabakchiev]

you should probably also handle partcially configured settings that are present in the map - meaning "complete" them with default values

[KirilKabakchiev]

Discussed and it seems that now partically configured indicator will result in confiuration validation error - which is also ok

[dpanayotov]

this is implementation specific in the storage package. Move this to postgres package or rename this to SQLHealthIndicator / PostgresHealthIndicator.