[core] Make KillActor RPC Fault Tolerant

[Sparks0219]

Why are these changes needed?

The issue with the current implementation of core worker HandleKillActor is that it won't send a reply when the RPC completes because the worker is dead. The application code from the GCS doesn't really care since it just logs the response if one is received, a response is only sent if the actor ID of the actor on the worker and in the RPC don't match, and the GCS will just log it and move on with its life.

Hence we can't differentiate in the case of a transient network failure whether there was a network issue, or the actor was successfully killed. What I think is the most straightforward approach is instead of the GCS directly calling core worker KillActor, we have the GCS talk to the raylet instead and call a new RPC KillLocalActor that in turn calls KillActor. Since the raylet that receives KillLocalActor is local to the worker that the actor is on, we're guaranteed to kill it at that point (either through using KillActor, or if it hangs falling back to SIGKILL).

Thus the main intuition is that the GCS now talks to the raylet, and this layer implements retries. Once the raylet receives the KillLocalActor request, it routes this to KillActor. This layer between the raylet and core worker does not have retries enabled because we can assume that RPCs between the local raylet and worker won't fail (same machine). We then check on the status of the worker after a while (5 seconds via kill_worker_timeout_milliseconds) and if it still hasn't been killed then we call DestroyWorker that in turn sends the SIGKILL.

Related issue number

Checks

• I've signed off every commit(by using the -s flag, i.e., git commit -s) in this PR.
• I've run pre-commit jobs to lint the changes in this PR. (pre-commit setup)
• I've included any doc changes needed for https://docs.ray.io/en/master/.
  • I've added any new APIs to the API Reference. For example, if I added a
    method in Tune, I've added it in doc/source/tune/api/ under the
    corresponding .rst file.
• I've made sure the tests are passing. Note that there might be a few flaky tests, see the recent failures at https://flakey-tests.ray.io/
• Testing Strategy
  • Unit tests
  • Release tests
  • This PR is not tested :(

[Sparks0219]

Couple comments about my design/concerns I have:
1.) I decided to keep KillActor rather than have the Raylet use core worker Exit since I think it would get a bit bloated. From what I see they both call into shutdown coordinator, but juggle a different set of params provided by rpc and use this to set various fields for shutdown coordinator. Hence think it would just get messier if I just used Exit for KillLocalActor with not much benefit.
2.) From what I see, KillActor should already be idempotent because of the changes in d63f464 i.e we track if there's an ongoing shutdown request and subsequent ones are noops
3.) In the current behavior of KillActor, we don't really have any mitigations if in graceful shutdown it gets stuck. Hence I added a timer and an async_wait call that does a force kill after a certain amount of time (5s). This is a bit not nice because ideally if we get a DisconnectClient message, we should immediately cancel the timer but I don't think it's too important because the GCS isn't blocked waiting for the response.

What are your thoughts @codope ?

[Sparks0219]

not sure how to do this a bit more elegantly, only possible case where KillActor responds is if we hit this error check at

ray/src/ray/core_worker/core_worker.cc

Line 3964 in 237268b

if (intended_actor_id != worker_context_->GetCurrentActorID()) {

and I want to propagate this error to the callback below if cancellation happens

[dayshah]

imo don't need to propagate back up to the gcs, since it throws it away

[dayshah]

nit but usually cpp getters and setters look like this

Suggested change

	const rpc::Address &GcsActor::GetLocalRayletAddress() const {
	return local_raylet_address_;
	}
	void GcsActor::UpdateLocalRayletAddress(const rpc::Address &address) {
	local_raylet_address_.CopyFrom(address);
	}
	const rpc::Address &GcsActor::LocalRayletAddress() const {
	return local_raylet_address_;
	}
	rpc::Address &GcsActor::LocalRayletAddress() {
	return local_raylet_address_;
	}

[Sparks0219]

Updated the getter, but for the setter should I keep it as is?

[ZacAttack]

Yeah that looks like a typo

[dayshah]

oh not a typo, the "setter" usually just returns a non-const lvalue ref so you can more efficiently make changes however you want to the data member.

An UpdateMember func is bound to changing by replacing rather than modifying in place + extra move constructs or separate rvalue/lvalue overloads, etc. if you want to give flexibility on replacing

[dayshah]

oh wait but at this point why isn't the member public ☠️ it doesn't matter lol

[dayshah]

on actor death in between restarting, there's probably a point where the actor doesn't have a local raylet.
The actor also doesn't have a local raylet at registration time + before creation completion

local_raylet_address should probably be an optional and we shouldn't make the rpc if it's nullopt

[Sparks0219]

ahhh good catch thanks, yup I modified it so that we don't make the rpc if its nullopt.

[dayshah]

i think execute_after does some of this boiler plate for you

Also this is new functionality we're adding to kill actor right? In what cases will the worker survive after it got the kill actor req?

[Sparks0219]

Yea agreed execute_after is a lot cleaner and yup this is new functionality we're adding. I think the issue is that in graceful shutdown we could end up getting stuck, and I don't think KillActor takes this into account. There's multiple places we use KillAsync that sends a SIGTERM (graceful shutdown) then SIGKILL hence I think we should follow the same pattern here.

[dayshah]

imo don't need to propagate back up to the gcs, since it throws it away

[codope]

@Sparks0219 Thanks for the PR and I'm aligned with your design. Few comments:

1.) I decided to keep KillActor rather than have the Raylet use core worker Exit since I think it would get a bit bloated.

Decision to keep KillActor is correct. It provides actor id validation to prevent killing wrong actor after restart. Plus, there is separation between worker lifecycle (Exit) and actor termination (KillActor).

2.) From what I see, KillActor should already be idempotent because of the changes in d63f464

Yes, that commit makes it idempotent at core worker level. ShutdownCoordinator tracks state, subsequent calls are no-op. Your code returns early if worker is nullptr. I suggested to also add worker->IsDead() check below.

In the current behavior of KillActor, we don't really have any mitigations if in graceful shutdown it gets stuck. Hence I added a timer and an async_wait call that does a force kill after a certain amount of time

Good callout! But i noticed that the current changes always log mismatch and report err. Please check my comments below in NodeManager::HandleKillLocalActor.

[edoakes]

how does this fit in with @codope's changes in #57090?

seems we have three separate paths for killing an actor? DestroyActor, KillActor, CleanupwWorkerForActor... there should be only one code path in the GCS for this if possible

[Sparks0219]

Here I renamed it from KillActorOnWorker to CleanupWorkerForActor since I think the latter makes more sense. This method is only used to cleanup workers allocated for actors that the GCS has marked dead or where creation failed, hence KillActorOnWorker didn't make much sense to me.

Think DestroyActor is meant to prevent the killed actor from restarting, while KillActor allows restarting... bad naming and think they probably could be unified by passing a flag to differentiate the restart behavior. Not entirely sure though, what do you think @codope ?

[codope]

yes, we should unify the two

[edoakes]

hm, shouldn't we be retrying here if we get a non-OK status?

at a minimum we should have an ERROR log here

[Sparks0219]

We're already retrying implicitly via the retryable grpc client for status UNAVAILABLE/UNKNOWN, think for the other cases like the actor id mismatch in HandleKillActor we don't want to retry.
Added an ERROR log to report this though

[edoakes]

please add an INFO level log that an actor is being killed (unless it's already logged in the callsite)

[Sparks0219]

Done, sounds good

[edoakes]

it's very unclear what "cleanup means". let's pick a better name and also clarify the exact behavior in the header comment

[Sparks0219]

I renamed it to KillLeasedWorkerForActor and updated the header comments

[cursor]

Bug: Bug

Race condition in HandleKillLocalActor: The replied flag is a std::shared_ptr<bool> but is accessed concurrently from both the timer callback (running on io_service thread) and the KillActor RPC callback (running on a gRPC thread). Additionally, the KillActor callback doesn't set *replied = true after sending an error reply, which could allow the timer to also fire and send a duplicate reply.

The callback checks if (!status.ok() && !*replied) and then calls timer->cancel() and send_reply_callback(), but never sets *replied = true. This creates two problems:

1. Without atomic operations, there's a data race when both callbacks access replied concurrently
2. Even if the callback sends an error reply, the timer could still see *replied == false and send another reply

The fix should be: (a) change replied to std::atomic<bool> or protect it with a mutex, and (b) set *replied = true immediately after checking it in the callback using atomic compare-and-swap or under a lock.

 

[Sparks0219]

1.) KillActorCallback is posted onto the main io_service thread so it's single threaded, there's no race condition
2.) We don't need to set *replied = true when timer->cancel() is triggered since the timer callback is never executed if the timer hasn't fired. If the timer has fired, the timer callback will have already set *replied = true so we'll skip sending the reply.