Artifact GC still acting up for failed Workflows

[static-moonlight]

I still have problems with the artifact GC with Argo Workflows 3.5.5.

1. I have defined a shared artifact repository in the workflow controller config map (it's basically a MinIO running as a service in the Kubernetes cluster):

   # [...]
   artifactRepository:
     archiveLogs: true
     s3:
       bucket: argo-artifacts
       endpoint: s3.storage:9999
       insecure: true
       accessKeySecret:
         name: artifact-repository
         key: USERNAME
       secretKeySecret:
         name: artifact-repository
         key: PASSWORD
   # [...]

2. In the workflow deployments I have a secret named artifact-repository
3. In the workflow template I have enabled artifact GC

   # [...]
   artifactGC:
     serviceAccountName: [...]
     strategy: OnWorkflowDeletion
   # [...]

This is working fine, as long as there are no errors. I can see artifacts being created and automatically removed in that bucket (for successful workflows).

4. If a workflow failed, I see the following error (in the UI):
   "Artifact garbage collection failed"
5. If a workflow failed, I can see the following message in the workflow details:
   "ArtifactGCError: Artifact Garbage Collection failed for strategy [...], pod OnWorkflowDeletion exited with non-zero exit code: check pod logs for more information".
   The way how this reads is that the GC failed, because the workflow failed?!
   (BTW: I think this error message is messed up as well: "[...] failed for strategy {pod-name}, pod {strategy} [...]". I think the placeholders are wrong)
6. In the logs of an [...]-artgc-[...] container I found this:

   # [...]
   time="[...]" level=info msg="S3 Delete artifact: key: [...]/[...]/ARTIFACT.tgz"
   time="[...]" level=info msg="Creating minio client using static credentials" endpoint="s3.storage:9999"
   time="[...]" level=info msg="Deleting object from s3" bucket=argo-artifacts endpoint="s3.storage:9999" key=[...]/[...]/ARTIFACT.tgz
   Error: You need to configure artifact storage. More information on how to do this can be found in the docs: https://argo-workflows.readthedocs.io/en/release-3.5/configure-artifact-repository/
   You need to configure artifact storage. More information on how to do this can be found in the docs: https://argo-workflows.readthedocs.io/en/release-3.5/configure-artifact-repository/
   

   This container knows exactly what to do. It has the artifact key, the bucked and an address. And then if somehow fails?!

So, in conclusion: the artifact GC failed, for an unknown reason. The [...]-artgc-[...] container doesn't log anything specific, but it tells me to configure an artifact storage, which I already did (see point 1), and doesn't log any errors whatsoever. And remember: the artifact repository works absolutely fine for successful workflows. Which means: the S3 service and bucket are accessible, the credentials are correct, the required S3 permissions are working as well.

So what is the problem here? What am I missing? Why is the GC somehow not working for failed workflows?

[agilgur5]

I haven't used or worked on Artifact GC, but can try to help

The way how this reads is that the GC failed, because the workflow failed?!

No, I'm reading that as the Artifact GC Pod failed and so the Workflow has not been cleaned up properly and so has that message on it. That's also why it didn't finish deleting (as it failed to clean up), if I'm understanding correctly, as you don't have forceFinalizerRemoval enabled.

(BTW: I think this error message is messed up as well: "[...] failed for strategy {pod-name}, pod {strategy} [...]". I think the placeholders are wrong)

I think you are correct -- would you like to submit a PR to fix that?

So, in conclusion: the artifact GC failed, for an unknown reason. The [...]-artgc-[...] container doesn't log anything specific, but it tells me to configure an artifact storage, which I already did (see point 1), and doesn't log any errors whatsoever. And remember: the artifact repository works absolutely fine for successful workflows. Which means: the S3 service and bucket are accessible, the credentials are correct, the required S3 permissions are working as well.

The Artifact GC Pod log message is the same log message you get when you try to add artifacts without a configured Artifact Repository. So my suspicion is that it didn't detect your Controller-level Artifact Repository configuration for some reason. It might be expecting a Workflow or artifactGC level config (which is maybe a bug or missing feature), but I'm not sure yet as I don't know this feature well yet.

[agilgur5]

So my suspicion is that it didn't detect your Controller-level Artifact Repository configuration for some reason. It might be expecting a Workflow or artifactGC level config (which is maybe a bug or missing feature), but I'm not sure yet as I don't know this feature well yet.

The docs would suggest it uses the same Artifact Repository configuration (or at least don't suggest otherwise).
What namespace is the Artifact GC Pod being ran in? Does that namespace contain your Secret?

If that's all fine, this might be a bug or missing feature; the much of the Artifact GC code is here and I don't see anything obvious wrong with it. It seems to inherit the same Secret Volumes + Mounts as Workflow Pods.

[static-moonlight]

I think you are correct -- would you like to submit a PR to fix that?

done, see #12935

[static-moonlight]

I think you are correct -- would you like to submit a PR to fix that?

I would, but I couldn't find the correct location yet.

if I'm understanding correctly, as you don't have forceFinalizerRemoval enabled.

That is correct. I might consider enabling this once this kind of behavior is an exception and doesn't happen for every failed workflow. Otherwise, my artifact repository fills up with orphaned artifacts.

So my suspicion is that it didn't detect your Controller-level Artifact Repository configuration for some reason.

Are you sure? I mean, look at point 6 again. In the logs are all necessary details for the artifact repository. The only place where this is can come from is the controller-level artifact repository configuration. If that component/container would be unable to get that config (somehow), it wouldn't be able to write those logs. Based on the fact, that the container can write those logs, I would assume, the config is accessible, but there is another problem hidden behind that generic error message. But I can't fix it if I don't know what it is.

What namespace is the Artifact GC Pod being ran in? Does that namespace contain your Secret?

Argo runs in the argo namespace. the workflow runs in a different namespace, lets call it workflow. And yes, in the workflow namespace exists as secret named artifact-repository with the elements USERNAME and PASSWORD, at stated in point 2. Without it, it would not work at all.

[agilgur5]

I would, but I couldn't find the correct location yet.

That line is right here, and indeed the interpolation arguments are in the wrong order. It's the only line that pops up for "failed for strategy"

What namespace is the Artifact GC Pod being ran in? [...]

Argo runs in the argo namespace. the workflow runs in a different namespace, lets call it workflow

The Artifact GC Pod is neither the Controller nor the Workflow 😅 I want to make sure it's running in the correct namespace as well.

Are you sure? I mean, look at point 6 again. In the logs are all necessary details for the artifact repository

Oh I missed that, didn't realize that the first few log lines had the correct artifact repository while still getting an error. That is indeed odd 🤔
It is failing to delete the artifacts as well, right? So it is getting the config correctly and interpolating the correct location based on that, but failing to delete that artifact. Does the Artifact GC Pod SA have the proper IAM permissions to delete? (that is a destructive operation different from create and get of artifacts during the Workflow. also I'm not that familiar with Minio config, so not sure if it names "IAM" differently)

but there is another problem hidden behind that generic error message

Fortunately, this is coming from the Executor, so there's not too much code that could produce this. Here's the code for argo artifact delete. The error comes from when the code tries to detect the location of the artifact, during this Relocate call (which takes you near the error; hasLocation calls Get), as far as I can tell.
As you have the "S3 Delete artifact" log line (from the S3 Driver's Delete function), then if I'm interpreting correctly, that means at least one of the artifacts was deleted, but another failed to be located.

[agilgur5]

Since this is only happening for failed Workflows and based on the above, my guess is that some of the failed tasks may have a corrupted status?
cc @Garett-MacGowan who worked on #11947 which seems quite similar

[static-moonlight]

The Artifact GC Pod is neither the Controller nor the Workflow 😅 I want to make sure it's running in the correct namespace as well.

Yes, I'm aware :) The [...]-artgc-[...] container, where the logs are coming from (point 6), was definitely running in the workflow namespace, and should have proper access to the artifact-repository secret.

Does the Artifact GC Pod SA have the proper IAM permissions to delete?

It should, yes. Otherwise even the successful workflows wouldn't be able to delete artifacts. But I was thinking about that as well. I still have that on my todo list to verify if there are any errors in the audit logs of MinIO while that happens. It's one of the very few ways to potentially make whatever-this-is visible.

Here's the code for argo artifact delete. The error comes from when the code tries to detect the location of the artifact, during this Relocate call (which takes you near the error; hasLocation calls Get), as far as I can tell.

I looked at the code and I don't see a reason, why this would suddenly fail? 🤔

Also: Relocate seems to be called only when archiveLocation is not nil. That implies that the config can be read but somehow ends up not being usable because it doesn't seem to be any of the supported types (Artifactory, ... S3, ...) I would love to know what state the ArtifactLocation variable is in when the Get function is called. Is it possible, that there is an error somewhere in the code where the ArtifactLocation is put together? Maybe all the fields (Artifactory, Azure, ...) are nil because of it?

What is the task.Spec.ArtifactsByNode code doing, exactly. It there a way that I can find out, what the result of that statement is gonna be?

then if I'm interpreting correctly, that means at least one of the artifacts was deleted, but another failed to be located.

What could possibly make the GC work for one artifact but not for another? 🤔

Since this is only happening for failed Workflows and based on the above, my guess is that some of the failed tasks may have a corrupted status?

What does that mean exactly? I can check, when I know what I am looking for.

Thanks btw. for all the answers. Hopefully I can fix this some day. It's driving me crazy. Since I can easily implement a workaround for successful workflows (exits handler), failed workflows are the main(!) reason, why I need this feature.

[agilgur5]

That implies that the config can be read but somehow ends up not being usable because it doesn't seem to be any of the supported types

Yes that's more or less what I meant by corrupted status.

What could possibly make the GC work for one artifact but not for another?

What does that mean exactly?

My guess is that the Workflow Executor was terminated before it could properly save all the state, so only some got properly saved.

I can check, when I know what I am looking for.

The status of completed Workflows -- I detailed this below

[static-moonlight]

Just an idea: is it possible, that for failed workflows, somehow additional Kubernetes resources are being created/used that my workflow service account can't access, and that's why the artifact repository seems to be not configured?

This is the role, used by the workflow service account. By any chance, is there some important permission missing?

apiVersion: "rbac.authorization.k8s.io/v1"
kind: "Role"
metadata:
  name: "workflow-argo"
rules:
  # See https://argoproj.github.io/argo-workflows/workflow-rbac/
  - apiGroups:
      - "argoproj.io"
    resources:
      - "workflowtaskresults"
    verbs:
      - "create"
      - "patch"
  - apiGroups:
      - "argoproj.io"
    resources:
      - "workflows"
    verbs:
      # Permissions to submit a workflow
      - "list"
      - "create"
      # Permissions to resubmit, retry, resume, suspend a workflow
      - "get"
      - "update"
  # See https://argoproj.github.io/argo-workflows/walk-through/artifacts/#service-accounts-and-annotations
  - apiGroups:
      - "argoproj.io"
    resources:
      - "workflowartifactgctasks"
    verbs:
      - "list"
      - "watch"
  # See https://argoproj.github.io/argo-workflows/walk-through/artifacts/#service-accounts-and-annotations
  - apiGroups:
      - "argoproj.io"
    resources:
      - "workflowartifactgctasks/status"
    verbs:
      - "patch"

[Garett-MacGowan]

I think this is fine.

[Garett-MacGowan]

@static-moonlight can you confirm that the artifact still exists in the repository? Have you done a manual inspection of it? I assume the artifactgc finalizer doesn't get removed, right?

[Garett-MacGowan]

@static-moonlight I just experienced an artifactgc failure for one of my failed workflows. Will investigate and report back.

[Garett-MacGowan]

Hmm... It turns out that in my case, I was just being too impatient. GC was just taking longer than I expected.

[Garett-MacGowan]

@static-moonlight is your workflow controller configmap syntax correct? Notably:

In all versions, the configuration may be under a config: | key:

https://argo-workflows.readthedocs.io/en/latest/workflow-controller-configmap/

[agilgur5]

Since artifacts get uploaded properly and successful Workflows' artifacts get deleted properly, it must be correct.

[Garett-MacGowan]

@static-moonlight I've added a test specific to failed workflow artifact garbage collection. It seems to be working. #12904

[agilgur5]

My guess is that there's a race where workflowtaskresults or something is not properly saved. So a simple test wouldn't detect that unfortunately

[static-moonlight]

@static-moonlight is your workflow controller configmap syntax correct? Notably:

It should. Otherwise, my editor would most likely show me syntax errors, and nothing would work in the cluster.

I don't like the inline yaml config (config: |), so I did this:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: argo
# [...]
configMapGenerator:
  - name: workflow-controller-configmap
    behavior: replace
    files:
      - config=config.yaml
# [...]

config.yaml:

# [...]
artifactRepository:
  s3:
    bucket: argo-artifacts
    endpoint: s3.storage:9999
    insecure: true
    accessKeySecret:
      name: artifact-repository
      key: USERNAME
    secretKeySecret:
      name: artifact-repository
      key: PASSWORD
# [...]

It works nice though for normal operation. Workflows are being executed. The artifact repository only contains artifacts for active workflows. Which means it works ok. Because of our latest stabilization, workflow errors are kind of rare now. I'm currently working on a dedicated setup to forcefully fail a few workflow runs to hopefully find the missing puzzle piece which is causing all this trouble ...

[static-moonlight]

I have a suspicion that it has something to do with this:

"Pod was active on the node longer than the specified deadline"

I have collected roughly 200 defect input files (which will cause the workflow to fail) and threw them at the cluster. Most of those workflows failed, but not because they couldn't handle the input, but because they took too long an hit the configured "activeDeadlineSeconds" of the pod. And for all those failed workflows, I see the "Artifact garbage collection failed" message again.

... I'm doing more tests on this one.

[agilgur5]

It seems like it might indeed be the activeDeadlineSeconds, this seems to be the primary outlier. See also my comment on the status.nodes below -- there seems to be a corrupted artifact for a step that had this error message.

[static-moonlight]

Well, that doesn't seem to be it either. When I try to specifically fail a single workflow by setting a pods activeDeadlineSeconds to an unrealistic low number, it works as intended (meaning: the artifact gc works).

So far it seems that there is a random factor involved. Sometimes it works and sometimes it doesn't. In high-load situations I could produce lots of artifact-gc errors. During normal operation I almost never have them.

I'm a little lost here. I can't seem to find the magic recipe to reliably (re)produce this behavior. But apparently it still happens sometimes.

Any more ideas?

[agilgur5]

Well, that doesn't seem to be it either. When I try to specifically fail a single workflow by setting a pods activeDeadlineSeconds to an unrealistic low number, it works as intended (meaning: the artifact gc works).

It may depend on the size of the artifact (i.e. how long it takes to upload) as well as how long it takes the step to produce the artifact (i.e. whether it does so before or after activeDeadlineSeconds). I did seem to find a corrupted artifact for a step with this error message below

In high-load situations I could produce lots of artifact-gc errors. During normal operation I almost never have them.

Your Workflow Pods don't seem to have resource requests, so I wonder if they're getting starved potentially? And that may then cause them to hit the activeDeadlineSeconds?

Also yea, high load is typically when you see race conditions like these get hit more often, that's why they're rare (and hard to diagnose, debug, reproduce, test, etc).

[static-moonlight]

I did the same test again. This time I limited the number of parallel workflows with a semaphore. The result: green across the board. The workflows failed, as expected, and they were removed successfully, including artifact gc.

This amplifies my suspicion that workload has something to do with the issue. I would even throw the theory of a potential race condition into the ring. All I can do now is to do incremental tests, increasing the number of parallel workflows each time, and look when it starts to break ...

EDIT: The intended limit (for parallel workflows) is set to 5. I increased it to 10, 15 and now 20. With the limit of 20, things start to break. I have a couple left-overs from this test run ... with "Artifact garbage collection failed" errors again. I assume the number of artifact-gc-errors increases when I put even more load on the cluster.

Meaning: Load is obviously a factor. Can someone confirm this?

[static-moonlight]

Alright, here we go:

I only replaced names and identifiers. I didn't remove anything. I hope this helps.

failed-workflow-failed-gc-j7mjs.yaml.txt
failed-workflow-nz98s.yaml.txt

oh wow, I can can upload all kinds of files, but yaml is forbidden :)

[agilgur5]

Thanks for getting to that!

On first glance, it only has a single artifactRepository and s3 config (other than keys), so uh, that's confusing how it got missed during artifact GC... Especially when it works for some of the deletions in the Pod and not others...
My primary suspicion was that it might've gotten specified in a node incorrectly somewhere, but it's never specified in a node at all. 🤔 EDIT: The s3.key is, and it appears to be missing in one artifact below. So my hunch may indeed be correct!

I see that your rclone command also uses S3, but the way it's written including with RCLONE_S3_* env vars would make me think it wouldn't conflict. Though you do have an envFrom, which could have other things in it. Though those should also be container local and therefore not affect artifact GC, which is a totally separte Pod.

I see you're using artifact logs as well, but I wouldn't think that's related either.

The one with failed GC does have a message regarding the activeDeadlineSeconds while the one where it succeeded does not. Both have a message with "Error (exit code 1)" as well.
You mentioned activeDeadlineSeconds above; I wouldn't think that would relate to artifact GC given it's a separate Pod -- or at least not your specific error, it could potentially cause a bug in the initial artifact upload -- so that could be a red herring, but I'm not 100% sure.

The one with failed GC has two strategies in artifactGCStatus as well, OnWorkflowCompletion and OnWorkflowDeletion. The succeeded GC one only has OnWorkflowCompletion. Failed GC one also has podsRecouped while the other doesn't.
I don't know what that means, though I see you only have OnWorkflowDeletion set.

It would be helpful if we knew which artifacts weren't deleted -- then we could match those up to their nodes/steps. The original error message doesn't say which failed to delete, only which ones successfully deleted (potentially that error message could be improved). The original error message is also from different Workflows ofc.

[agilgur5]

But overall the Workflow status doesn't look corrupted, particularly not the artifact definitions themselves EDIT: nvm, see below corrupted artifact... I'm wondering if then the WorkflowArtifactGCTask was somehow corrupted? 🤔
That one is created based on the Workflow status.nodes though...
WorkflowTaskResult is another one of particular relevance that could be corrupted

[agilgur5]

Hmm there are also only 5 items in the taskResultsCompletionStatus in the failed one and 7 in the succeeded one. That may correspond to the 2 activeDeadlineSeconds failures

Wait a minute, I think I did find a corrupted artifact:

    workflow-j7mjs-2762173675:
      boundaryID: workflow-j7mjs
      children:
      - workflow-j7mjs-3284464227
      displayName: create-variant-d
      finishedAt: "2024-04-12T14:34:55Z"
      hostNodeName: node-5.company.com
      id: workflow-j7mjs-2762173675
      inputs:
        artifacts:
        - name: RAW_DATA
          path: /tmp/raw-data
          s3:
            key: workflow-j7mjs/workflow-j7mjs-download-raw-data-538700425/RAW_DATA.tgz
        parameters:
        - name: PRODUCT_NAME
          value: path/to/input-file
        - name: REGION
          value: region-2
        - name: MAP_TYPE
          value: map-type-2
      message: Pod was active on the node longer than the specified deadline
      name: workflow-j7mjs.create-variant-d
      outputs:
        artifacts:
        - name: FINAL_DATA
          path: /tmp/final-data   # <------- this is missing an s3.key??
        - name: main-logs
          s3:
            key: workflow-j7mjs/workflow-j7mjs-create-data-variant-2762173675/main.log
        exitCode: "143"
      phase: Failed
      progress: 0/1
      resourcesDuration:
        cpu: 18
        memory: 182
      startedAt: "2024-04-12T14:33:23Z"
      templateName: create-data-variant
      templateScope: local/
      type: Pod

That is one of the steps that failed due to activeDeadlineSeconds (the other step seems fine) and it seems to be missing s3.key for the FINAL_DATA output artifact (the other step has it).

Was that artifact ever uploaded? It might not have been if the Pod got killed due to an activeDeadlineSeconds overrun.

Also if this is the root cause, you should be able to cross-check that against other failed artifact GC Workflows and see if they're also missing an s3.key in one of their artifacts in status.nodes

[static-moonlight]

That is a lot on information. And I hope I understand that correctly. Unfortunately, I took too long and by now I lost log and artifact data due to automatic cleanup (it's just a test environment, and orphaned data was never meant to be kept for very long here, I disabled it for now).

However, lets say I would run that test again, and lets say I could link those gc failures to missing s3.key attributes, and lets say I could determine if those artifacts in question were uploaded or not ... what would that mean? Would that help you to narrow down the root cause?

[Garett-MacGowan]

@juliev0 @shuangkun thoughts?