subservers: fail LiT startup when integrated sub-server boot fails #1183
Conversation
Summary of ChangesHello @ffranr, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the reliability of the LiT startup sequence by elevating the status of integrated sub-servers to critical. Previously, LiT could continue operating even if some of its integrated sub-servers failed to launch. Now, any failure in an integrated sub-server's boot process will cause LiT itself to cease its startup, ensuring that the system only reaches an operational state when all essential integrated components are functioning correctly. This change provides a more robust and predictable initialization experience. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request modifies the startup logic to treat integrated sub-server startup failures as fatal. The changes correctly propagate errors from StartIntegratedServers up to the main start function, causing LiT to fail on startup as intended. The documentation has also been updated to reflect this new behavior. The implementation is sound, but I have one suggestion to improve the consistency of error handling.
ffranr
force-pushed
the
wip/fail-startup-on-subserver-err
branch
from
57ee325 to
86e8ec5
Compare
There was a problem hiding this comment.
Thanks for this @ffranr 🙏!
In addition to the feedback I've commented below, this new behaviour definitely needs itest coverage.
I think we actually started working on this at the same time, and I have local branch with draft code implementing this + itest coverage. If you want to, i can clean that up and push it so that you can cherry-pick that to make it more simple for you. Let me know if that'd be helpful :).
|
@ffranr, remember to re-request review from reviewers when ready |
ellemouton
left a comment
ellemouton
left a comment
There was a problem hiding this comment.
havent actually looked at the diff here yet, just want to make a note in case: we should just make sure that the daemon still runs & ie, that the status server still gets served
ffranr
force-pushed
the
wip/fail-startup-on-subserver-err
branch
4 times, most recently
from
1772099 to
0091958
Compare
* Treat integrated sub-servers as fatal to startup and return an error if any fail to start. * Propagate integrated sub-server startup errors to LiT so it stops launching and records the failure status. * Update docs to reflect integrated sub-servers are now critical to startup.
- Ensure critical integrated sub-servers initialize first. - Introduce alphabetical sorting for consistent order across startup runs.
- Introduce tests for critical and non-critical sub-server startup behavior. - Ensure failures in critical servers stop startup, while non-critical failures are tolerated.
ffranr
force-pushed
the
wip/fail-startup-on-subserver-err
branch
from
0091958 to
381d0b1
Compare
| if criticalIntegratedSubServers.Contains(ss.Name()) { | ||
| return fmt.Errorf("%s: %v", ss.Name(), err) | ||
| } | ||
|
|
There was a problem hiding this comment.
but i think this then will result in complete shutdown which i dont think we want? we want the status server to remain running.
ViktorT-11
left a comment
ViktorT-11
left a comment
There was a problem hiding this comment.
Thanks for the updates 🚀! Leaving some additional feedback in addition to @ellemouton's feedback.
|
|
||
| // testCriticalTapStartupFailure ensures LiT exits quickly when a critical | ||
| // integrated sub-server (tapd) fails to start during boot. | ||
| func testCriticalTapStartupFailure(ctx context.Context, net *NetworkHarness, |
There was a problem hiding this comment.
Thanks for this 🙏! Similar to the unit tests, we should also have an itest which covers a startup when a non-critical sub-server errors during startup.
| if err != nil { | ||
| s.statusServer.SetErrored(ss.Name(), err.Error()) | ||
|
|
||
| if criticalIntegratedSubServers.Contains(ss.Name()) { |
There was a problem hiding this comment.
Thanks 🙏!
Note that the commit message is outdated and does not cover the "criticalIntegratedSubServers" part.
| if client, err := g.basicLNDClient(); err == nil { | ||
| stopCtx, cancel := context.WithTimeout( | ||
| ctx, 5*time.Second, | ||
| ) | ||
| defer cancel() | ||
|
|
||
| _, err := client.StopDaemon( | ||
| stopCtx, &lnrpc.StopRequest{}, | ||
| ) | ||
| if err != nil { | ||
| log.Warnf("Error stopping lnd after failed "+ | ||
| "start: %v", err) | ||
| } | ||
| } |
There was a problem hiding this comment.
This will now attempt to shutdown lnd for all types of startup errors, not just the "critical sub-server" error.
I'm not sure that this is exactly what we want, for 2 main reasons:
- This will apply in
remotemode as well, and attempt to shutdown the remotelndnode for anylitdrelated startup error. - Even in integrated mode, it's not certain that we've gotten to executing the code that sets
basicLNDClientwheng.starterrors, despite having startedlnd. Meaning thatlndwill not be shutdown in that scenario. That leads to a quite unpredictable behaviour, wherelndwill sometimes be shutdown wheng.starterrors, and sometimes not.
I therefore think we should only execute this if we specifically error during the startup of a critical litd sub-server, to keep the behaviour predictable, and not effect remote lnd nodes. You may want to guard the shutdown request and require that litd is not running with a "remote" lnd node, even though the current critical sub-server startup error logic cannot occur when lnd is in remote mode.
| err) | ||
| } | ||
|
|
||
| return startErr |
There was a problem hiding this comment.
Similar to what @ellemouton has already commented, this will now shutdown litd before the shutdownInterceptor.ShutdownChannel() has been triggered, which we would like to avoid.
| if err := g.shutdownSubServers(); err != nil { | ||
| log.Errorf("Error shutting down after failed start: %v", | ||
| err) | ||
| } |
There was a problem hiding this comment.
We should only do this after the shutdownInterceptor.ShutdownChannel() has been triggered, similar to the current logic below :)
Closes #1181