Lava Dispatcher Design¶

Principal changes¶

1. Database isolation - Only the master daemon has a connection to the database. This simplifies the architecture and avoids the use of fault-intolerant database connections to remote workers.
2. Drop use of SSHFS between workers and master - this was awkward to configure and problematic over external connections.
3. Move configuration onto the master - The worker becomes a simple slave which receives all configuration and tasks from the master.

Using strategy classes¶

Strategies are ways of meeting the requirements of the submitted job within the limits of available devices and code support.

If an internal pipeline would need to allow for optional actions, those actions still need to be idempotent. Therefore, the pipeline can include all actions, with each action being responsible for checking whether anything actually needs to be done. The populate function should avoid using conditionals. An explicit select function can be used instead.

Whenever there is a need for a particular job to use a different Action based solely on job parameters or device configuration, that decision should occur in the Strategy selection using classmethod support.

Where a class is used in lots of different strategies, identify whether there is a match between particular strategies always needing particular options within the class. At this point, the class can be split and particular strategies use a specialised class implementing the optional behaviour and calling down to the base class for the rest.

If there is no clear match, for example in testdef.py where any particular job could use a different VCS or URL without actually being a different strategy, a select function is preferable. A select handler allows the pipeline to contain only classes supporting git repositories when only git repositories are in use for that job.

The list of available strategies can be determined in the codebase from the module imports in the strategies.py file for each action type.

This results in more classes but a cleaner (and more predictable) pipeline construction.

Lava test shell scripts¶

The LAVA scripts are a standard addition to a LAVA test and are handled as a single unit. Using idempotent actions, the test script extension can support LMP or MultiNode or other custom requirements without requiring this support to be added to all tests. The extensions are created during the deploy strategy and specific deployments can override the ApplyExtensionAction to unpack the extension tarball alongside the test during the deployment phase and then mount the extension inside the image. The tarball itself remains in the output directory and becomes part of the test records. The checksum of the overlay is added to the test job log.

RuntimeError Exception¶

Runtime errors include:

1. Parser fails to handle device configuration
2. Parser fails to handle submission YAML
3. Parser fails to locate a Strategy class for the Job.
4. Code errors in Action classes cause Pipeline to fail.
5. Errors in YAML cause errors upon pipeline validation.

Each runtime error is a bug in the code - wherever possible, implement a unit test to prevent regressions.

InfrastructureError Exception¶

Infrastructure errors include:

1. Missing dependencies on the dispatcher
2. Device configuration errors

JobError Exception¶

Job errors include:

1. Failed to find the specified URL.
2. Failed in an operation to create the necessary extensions.

TestError Exception¶

Test errors include:

1. Failed to handle a signal generated by the device
2. Failed to parse a test case

Keep the dispatcher dumb¶

There is a temptation to make the dispatcher clever but this only restricts the test writer from doing their own clever tests by hard coding commands into the dispatcher codebase. If the dispatcher needs some information about the test image, that information must be retrieved from the job submission parameters, not by calculating in the dispatcher or running commands inside the test image. Exceptions to this are the metrics already calculated during download, like file size and checksums. Any information about the test image which is permanent within that image, e.g. the partition UUID strings or the network interface list, can be identified by the process creating that image or by a script which is run before the image is compressed and made available for testing. If a test uses a tarball instead of an image, the test must be explicit about the filesystem to use when unpacking that tarball for use in the test as well as the size and location of the partition to use.

LAVA will need to implement some safeguards for tests which still need to deploy any test data to the media hosting the bootloader (e.g. fastboot, SD card or UEFI) in order to avoid overwriting the bootloader itself. Therefore, although SD card partitions remain available for LAVA tests where no other media are supportable by the device, those tests can only use tarballs and pre-defined partitions on the SD card. The filesystem to use on those partitions needs to be specified by the test writer.

Avoid defaults in dispatcher code¶

Constants and defaults are going to need an override somewhere for some device or test, eventually. Code defensively and put constants into the utilities module to support modification. Put defaults into the YAML, not the python code. It is better to have an extra line in the device_type than a string in the python code as this can later be extended to a device or a job submission.

Let the test fail and diagnose later¶

Avoid guessing in LAVA code. If any operation in the dispatcher could go in multiple paths, those paths must be made explicit to the test writer. Report the available data, proceed according to the job definition and diagnose the state of the device afterwards, where appropriate.

Avoid trying to be helpful in the test image. Anticipating an error and trying to code around it is a mistake. Possible solutions include but are not limited to:

• Provide an optional, idempotent, class which only acts if a specific option is passed in the job definition. e.g. AutoLoginAction.
• Provide a diagnostic class which triggers if the expected problem arises. Report on the actual device state and document how to improve the job submission to avoid the problem in future.
• Split the deployment strategy to explicitly code for each possible path.

AutoLogin is a good example of the problem here. For too long, LAVA has made assumptions about the incoming image, requiring hacks like linaro-overlay packages to be added to basic bootstrap images or disabling passwords for the root user. These helpful steps act to make it harder to use unchanged third party images in LAVA tests. AutoLogin is the de facto default for non-Linaro images.

Another example is the assumption in various parts of LAVA that the test image will raise a network interface and repeatedly calling ping on the assumption that the interface will appear, somehow, eventually.

Treat the deployment as a black box¶

LAVA has claimed to do this for a long time but the refactored dispatcher is pushing this further. Do not think of the LAVA scripts as an overlay, the LAVA scripts are extensions. When a test wants an image deployed, the LAVA extensions should be deployed alongside the image and then mounted to create a /lava-$hostname/ directory. Images for testing within LAVA are no longer broken up or redeployed but must be deployed intact. This avoids LAVA needing to know anything about issues like SELinux or specific filesystems but may involve multiple images for systems like Android where data may exist on different physical devices.

Only protect the essential components¶

LAVA has had a tendency to hardcode commands and operations and there are critical areas which must still be protected from changes in the test but these critical areas are restricted to:

1. The dispatcher.
2. Unbricking devices.

Any process which has to run on the dispatcher itself must be fully protected from mistakes within tests. This means that all commands to be executed by the dispatcher are hardcoded into the dispatcher python code with only limited support for overriding parameters or specifying tainted user data.

Tests are prevented from requiring new software to be installed on any dispatcher which is not already a dependency of lava-dispatcher. Issues arising from this need to be resolved using MultiNode.

Until such time as there is a general and reliable method of deploying and testing new bootloaders within LAVA tests, the bootloader / firmware installed by the lab admin is deemed sacrosanct and must not be altered or replaced in a test job. However, bootloaders are generally resilient to errors in the commands, so the commands given to the bootloader remain accessible to test writers.

It is not practical to scan all test definitions for potentially harmful commands. If a test inadvertently corrupts the SD card in such a way that the bootloader is corrupted, that is an issue for the lab admins to take up with the test submitter.

Give the test writer enough rope¶

Within the provisos of Only protect the essential components, the test writer needs to be given enough rope and then let LAVA diagnose issues after the event.

There is no reason to restrict the test writer to using LAVA commands inside the test image - as long as the essential components remain protected.

Examples:

1. KVM devices need to protect the QEMU command line because these commands run on the dispatcher
2. VM devices running on an arndale do not need the command line to be coded within LAVA. There have already been bug reports on this issue.

Diagnostic subclasses report on the state of the device after some kind of error. This reporting can include:

• The presence or absence of expected files (like /dev/disk/by-id/ or /proc/net/pnp).
• Data about running processes or interfaces, e.g. ifconfig

It is a mistake to attempt to calculate data about a test image - instead, require that the information is provided and diagnose the actual information if the attempt to use the specified information fails.

Guidance¶

1. If the command is to run inside a deployment, require that the full command line can be specified by the test writer. Remember: Avoid defaults in dispatcher code. It is recommended to have default commands where appropriate but these defaults need to support overrides in the job submission. This includes using a locally built binary instead of an executable installed in /usr/bin or similar.
2. If the command is run on a dispatcher, require that the binary to be run on the dispatcher is actually installed on the dispatcher. If /usr/bin/git does not exist, this is a validation error. There should be no circumstances where a tool required on the dispatcher cannot be identified during validation of the pipeline.
3. An error from running the command on the dispatcher with user-specified parameters is a JobError.
4. Where it is safe to do so, offer overrides for supportable commandline options.

The codebase itself will help identify how much control is handed over to the test writer. self.run_command() is a dispatcher call and needs to be protected. connection.sendline() is a deployment call and does not need to be protected.

Providing gold standard images¶

Test writers are strongly recommended to only use a known working setup for their job. A set of gold standard jobs has been defined in association with the QA team. These jobs will provide a known baseline for test definition writers, in a similar manner as the existing QA test definitions provide a base for more elaborate testing.

There will be a series of images provided for as many device types as practical, covering the basic deployments. Test definitions will be required to be run against these images before the LAVA team will spend time investigating bugs arising from tests. These images will provide a measure of reassurance around the following issues:

• Kernel fails to load NFS or ramdisk.
• Kernel panics when asked to use secondary media.
• Image containing a different kernel to the gold standard fails to deploy.

The refactoring will provide Diagnostic subclasses which point at these issues and recommend that the test is retried using the standard kernel, dtb, initramfs, rootfs and other components.

The reason to give developers enough rope is precisely so that kernel developers are able to fix issues in the test images before problems show up in the gold standard images. Test writers need to work with the QA team, using the gold standard images.

Device Dictionary¶

The normal admin flow for individual devices will be to make changes to the device dictionary of that device. In time, an editable interface will exist within the admin interface. Initially, changes to the dictionary are made from the command line with details being available in a read-only view in the admin interface.

The device dictionary acts as a set of variables inside the template, in a very similar manner to how Django handles HTML templates. In turn, a device type template will extend a base template.

It is a bug in the template if a missing value causes a broken device configuration to be generated. Values which are not included in the specified template will be ignored.

Once the device dictionary has been populated, the scheduler can be told that the device is a pipeline device in the admin interface.

$ sudo lava-server manage device-dictionary --hostname mypanda --export
{% extends 'panda.jinja2' %}
{% set power_off_command = '/usr/bin/pduclient --daemon tweetypie --hostname pdu --command off --port 08' %}
{% set hard_reset_command = '/usr/bin/pduclient --daemon tweetypie --hostname pdu --command reboot --port 08' %}
{% set connection_list = [‘uart0’] %}
{% set connection_commands = {‘uart0’: ‘telnet dispatcher01 7001’} %}
{% set connection_tags = {‘uart0’: [‘primary’, 'telnet']} %}
{% set power_on_command = '/usr/bin/pduclient --daemon tweetypie --hostname pdu --command on --port 08' %}

$ sudo lava-server manage device-dictionary --hostname mypanda --review

device_type: beaglebone-black
commands:
  connect: telnet localhost 6000
  hard_reset: /usr/bin/pduclient --daemon localhost --hostname pdu --command reboot --port 08
  power_off: /usr/bin/pduclient --daemon localhost --hostname pdu --command off --port 08
  power_on: /usr/bin/pduclient --daemon localhost --hostname pdu --command on --port 08

parameters:
 bootm:
  kernel: '0x80200000'
  ramdisk: '0x81600000'
  dtb: '0x815f0000'
 bootz:
  kernel: '0x81000000'
  ramdisk: '0x82000000'
  dtb: '0x81f00000'

actions:
 deploy:
   # list of deployment methods which this device supports
   methods:
     # - image # not ready yet
     - tftp

 boot:
   # list of boot methods which this device supports.
   methods:
     - u-boot:
         parameters:
           bootloader_prompt: U-Boot
           boot_message: Booting Linux
           send_char: False
           # interrupt: # character needed to interrupt u-boot, single whitespace by default
         # method specific stanza
         oe:
           commands:
           - setenv initrd_high '0xffffffff'
           - setenv fdt_high '0xffffffff'
           - setenv bootcmd 'fatload mmc 0:3 0x80200000 uImage; fatload mmc 0:3 0x815f0000 board.dtb;
             bootm 0x80200000 - 0x815f0000'
           - setenv bootargs 'console=ttyO0,115200n8 root=/dev/mmcblk0p5 rootwait ro'
           - boot
         nfs:
           commands:
           - setenv autoload no
           - setenv initrd_high '0xffffffff'
           - setenv fdt_high '0xffffffff'
           - setenv kernel_addr_r '{KERNEL_ADDR}'
           - setenv initrd_addr_r '{RAMDISK_ADDR}'
           - setenv fdt_addr_r '{DTB_ADDR}'
           - setenv loadkernel 'tftp ${kernel_addr_r} {KERNEL}'
           - setenv loadinitrd 'tftp ${initrd_addr_r} {RAMDISK}; setenv initrd_size ${filesize}'
           - setenv loadfdt 'tftp ${fdt_addr_r} {DTB}'
           # this could be a pycharm bug or a YAML problem with colons. Use : for now.
           # alternatively, construct the nfsroot argument from values.
           - setenv nfsargs 'setenv bootargs console=ttyO0,115200n8 root=/dev/nfs rw nfsroot={SERVER_IP}:{NFSROOTFS},tcp,hard,intr ip=dhcp'
           - setenv bootcmd 'dhcp; setenv serverip {SERVER_IP}; run loadkernel; run loadinitrd; run loadfdt; run nfsargs; {BOOTX}'
           - boot
         ramdisk:
           commands:
           - setenv autoload no
           - setenv initrd_high '0xffffffff'
           - setenv fdt_high '0xffffffff'
           - setenv kernel_addr_r '{KERNEL_ADDR}'
           - setenv initrd_addr_r '{RAMDISK_ADDR}'
           - setenv fdt_addr_r '{DTB_ADDR}'
           - setenv loadkernel 'tftp ${kernel_addr_r} {KERNEL}'
           - setenv loadinitrd 'tftp ${initrd_addr_r} {RAMDISK}; setenv initrd_size ${filesize}'
           - setenv loadfdt 'tftp ${fdt_addr_r} {DTB}'
           - setenv bootargs 'console=ttyO0,115200n8 root=/dev/ram0 ip=dhcp'
           - setenv bootcmd 'dhcp; setenv serverip {SERVER_IP}; run loadkernel; run loadinitrd; run loadfdt; {BOOTX}'
           - boot

$ sudo lava-server manage device-dictionary --hostname mypanda --import mypanda.yaml

Running lava-dispatch directly¶

lava-dispatch only accepts a YAML file for pipeline jobs - the old behaviour of looking up the file based on the device hostname has been dropped. The absolute or relative path to the YAML file must be specified to the --target option. --output-dir must also be specified:

sudo lava-dispatch --target devices/fred.conf panda-ramdisk.yaml --output-dir=/tmp/test