Connectivity diagnostic with VC/ESXi from appliance

[vburenin]

INFO[2016-11-17T09:21:25-08:00] Waiting for IP information
INFO[2016-11-17T09:21:31-08:00] Waiting for major appliance components to launch

INFO[2016-11-17T09:21:31-08:00] Checking connectivity with the target vCenter/ESXi
INFO[2016-11-17T09:21:31-08:00] VC/ESXi API Ping Test: https://10.0.1.152 is reacheable and responds to ICMP ping request
INFO[2016-11-17T09:21:31-08:00] VC/ESXi API Test: https://10.0.1.152 API responds as expected

INFO[2016-11-17T09:21:34-08:00] Initialization of appliance successful
INFO[2016-11-17T09:21:34-08:00]
INFO[2016-11-17T09:21:34-08:00] VCH Admin Portal:
INFO[2016-11-17T09:21:34-08:00] https://10.0.1.156:2378
INFO[2016-11-17T09:21:34-08:00]
INFO[2016-11-17T09:21:34-08:00] Published ports can be reached at:
INFO[2016-11-17T09:21:34-08:00] 10.0.1.156
INFO[2016-11-17T09:21:34-08:00]
INFO[2016-11-17T09:21:34-08:00] Docker environment variables:
INFO[2016-11-17T09:21:34-08:00] DOCKER_HOST=10.0.1.156:2375
INFO[2016-11-17T09:21:34-08:00]
INFO[2016-11-17T09:21:34-08:00] Environment saved in vic-docker/vic-docker.env
INFO[2016-11-17T09:21:34-08:00]
INFO[2016-11-17T09:21:34-08:00] Connect to docker:
INFO[2016-11-17T09:21:34-08:00] docker -H 10.0.1.156:2375 info
INFO[2016-11-17T09:21:34-08:00] Installer completed successfully

INFO[2016-11-17T09:19:08-08:00] Waiting for IP information
INFO[2016-11-17T09:19:13-08:00] Waiting for major appliance components to launch
INFO[2016-11-17T09:19:13-08:00] Checking connectivity with the target vCenter/ESXi
ERRO[2016-11-17T09:19:14-08:00] VC/ESXi API Ping Test: https://brokenesx is unknown host name
INFO[2016-11-17T09:19:14-08:00] Collecting ha-host hostd.log
ERRO[2016-11-17T09:19:14-08:00] --------------------
ERRO[2016-11-17T09:19:14-08:00] vic-machine-linux failed: Access to VC/ESXi failed a ping test

Fixes #3066

[cgtexmex]

It would be nice if the error message vic-machine-linux failed: Access to VC/ESXi failed a ping test indicated that the issue is between the appliance and vc/ESXi and not some where else...potentially even listing the source and target.

[vburenin]

@cgtexmex Good point! I would really appreciate if people could take a look at error texts to rephrase them in a more human friendly way.

[caglar10ur]

This is not portable, there is no guarantee that ping binary will be there to use. Also parsing a command output is show stopper for me. Please consider using golang.org/x/net/icmp. Eg; bonneville-appliance (internal reference) https://enatai-git.eng.vmware.com/bonneville/bonneville-appliance/blob/master/setup.go#L74

[vburenin]

@caglar10ur golang.org/x/net/icmp is a new vendored dependency. I can create an issue to ICMP when vendor is unlocked.

[vburenin]

@caglar10ur #3219

it a hard piece for this PR. Here is a new one specifically for your request: #3219

[fdawg4l]

Where is this defined?

[fdawg4l]

If Semaphore is a buffered channel where the channel size is the value of the semaphore, then waiting just turns into value - len(semaphor).

[fdawg4l]

Also using a buffered channel means you don't need mu.

[vburenin]

oh, it's accidentally sneaked in. I will remove this file.

[caglar10ur]

using icmp pkg produces way less code than this diag pkg (and much easier to wortk with IMHO) so I'm still not sure why we prefer that. From that link above

// PrivilegedPing sends a ipv4.ICMPTypeEcho message to the given IP and returns true if it responds with a ipv4.ICMPTypeEchoReply
// Terminates if an error occurs
func PrivilegedPing(ip net.IP, seq int) bool {
    c, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
    if err != nil {
        GuestRPCErrorf("Unable to listen: %s", err)
        os.Exit(ERR)
    }
    defer c.Close()

    // craft the icmp message
    wm := icmp.Message{
        Type: ipv4.ICMPTypeEcho,
        Code: 0,
        Body: &icmp.Echo{
            ID:   os.Getpid() & 0xffff,
            Seq:  1 << uint(seq),
            Data: []byte("KNOCK-IF-YOU-CAN-HEAR-ME"),
        },
    }

    // marshal it to write buffer
    wb, err := wm.Marshal(nil)
    if err != nil {
        GuestRPCErrorf("Unable to marshall the icmp message: %s", err)
        os.Exit(ERR)
    }

    dst := &net.IPAddr{IP: ip}
    // write it to wire
    if n, err := c.WriteTo(wb, dst); err != nil {
        GuestRPCErrorf("Unable to write: %s", err)
        os.Exit(ERR)
    } else if n != len(wb) {
        GuestRPCErrorf("Unable to write: got %v; want %v", n, len(wb))
        os.Exit(ERR)
    }

    // create read buffer
    rb := make([]byte, 1500)

    // Set read deadling to 3 sec.
    if err := c.SetReadDeadline(time.Now().Add(3 * time.Second)); err != nil {
        GuestRPCErrorf("Unable to set deadline: %s", err)
        os.Exit(ERR)
    }

    // read it from wire to read buffer
    n, _, err := c.ReadFrom(rb)
    if err != nil {
        GuestRPCErrorf("Unable to read: %s", err)
        os.Exit(ERR)
    }

    // parse the icmp message
    rm, err := icmp.ParseMessage(iana.ProtocolICMP, rb[:n])
    if err != nil {
        GuestRPCErrorf("Unable to parse: %s", err)
        os.Exit(ERR)
    }

    // type assert to see whether we have a response
    switch rm.Type {
    case ipv4.ICMPTypeEchoReply:
        return true
    default:
        return false
    }
}

but I'm fine with this if others are OK with it so I'll let them to decide

[vburenin]

@caglar10ur it is just PING for IPv4. I will need to take care about name resolution, IPv6, etc. I agreed that this needs to be done, but not today. Issue has been filed, so I will take care about this after this PR for the next release.

[caglar10ur]

we don't support anything other than ipv4 at this time and we have net.LookupAddr for name resolution, just saying...

[hmahmood]

s/exist/exit

[hmahmood]

I don't think we need to log that we're running a ping test. We could just report that we can't reach the VCH if the ping test fails.

[vburenin]

well, I am on the other side about it ;)

[hmahmood]

I am not sure we need such detailed information about the ping output. How about just the output and exit code from the command, and the client can figure out what went wrong? In our case, we just need to know if the exit code != 0 to report bad connectivity.

[vburenin]

Giving more detailed diagnostics is better I think.

[vburenin]

@caglar10ur This code example is not the good one. It doesn't take into account so many things: It doesn't check reponse ID, doesn't check sequence, doesn't track sequences that are being sent and received, it doesn't take into account possible intermitent delays and that packets may be delivered in different order, etc. I am working on my own code for this - but it is already a large one. Definitely not for this PR.

net.LookupAddr -> net.LookupIP

[hickeng]

This message is unclear:
Checking VCH connectivity with vSphere target

[hickeng]

Don't put a ping test in here - there are plenty of people who will be blocking ICMP packets.
The only thing we care about is whether the endpointVM can talk to vSphere API - just the HEAD request will suffice.

Ping is solely for diagnostics in the failure case.

[vburenin]

No ICMP responses is totally ok test result. It is not in the fatal category, it will be just logged on warning level saying ping is not working.

[hickeng]

@vburenin
This issue is about providing a means to determine:
a. can the target be resolved?
b. can we get an HTTP response from the target?

Additional diagnostics to aid in troubleshooting don't belong in vic-machine but in vic-admin.
If we wish to be able to report health status via vic-machine in general, that's a completely different PR.

I'd much prefer we add a structured mechanism to allow the components to report status, rather than add narrow checks like this into vic-machine. Done properly this can be leveraged to report health via vSphere alerts and in vic-admine as well as in all the other vic-machine operations.
Until we have a structured mechanism my request are:

1. drop/icebox this PR in it's current form
2. modify components to update the vchconfig "status" field for the session with an appropriate (concise) error message if connection to vsphere fails (and potentially other fatal paths), and another message e.g. "initialization successful", when the portlayer is fully up
3. modify ensureApplianceInitializes to recognize the success message and wait for that in vic-machine, reporting and error and existing if an unexpected status is found.

This allows for reporting a MUCH broader range of errors, with the errors determined by inline product code rather than sideline diagnostics. This status can also be checked by vic-machine ls and vic-machine inspect to provide a quick gauge of health.

[hickeng]

This should be under pkg/vsphere - it's specifically checking the vsphere API

[hickeng]

This is likely to fail intermittently as it's in a race with the childReaper.

[vburenin]

@hickeng hm. Any suggestion on that?

[vburenin]

@hickeng I reduced scope of vSphere API test to focus purely on responses from client.Get
The rest will can do next time.

[hmahmood]

Is it possible to actually check for errno's here instead of comparing error strings?

[vburenin]

Nope. I wish it was the case.

[hmahmood]

lgtm

[andrewtchin]

lgtm