RSDK-11248 RSDK-11266 RSDK-11900 RSDK-11901 Add restart checking logic

[benjirewis]

RSDK-11248:
Adds similar restart checking logic to the logic disabled in viamrobotics/rdk#5324; the logic now restarts viam-agent and all its other subsystems along with viam-server. Refactors hits of restart_status to be more generic (can query multiple restart "properties"). Adds a Property method to the Subsystem interface.

RSDK-11266:
Logs the reason that viam-agent is exiting (either a received signal or a requested restart from app).

RSDK-11900:
Stops logging a stack trace from viam-server on part restart. A stack trace will only be logged from viam-server when shutdown is hanging.

RSDK-11901:
Stops logging any ERROR-level logs for restarts (so no error logs appear in machine settings control card).

Manual testing

Note that I'm leveraging a does_not_handle_needs_restart JSON property exposed on the restart_status endpoint introduced in the associated RDK PR along with a VIAM_AGENT_HANDLES_NEEDS_RESTART environment variable set by agent. The expected behavior right now is:

	Old viam-agent	New viam-agent
Old viam-server	viam-server should handle restart checking	viam-server should handle restart checking
New viam-server	viam-server should handle restart checking	viam-agent should handle restart checking

I've tested the above matrix on both Linux and Windows, and the behavior is as-expected. I've also ensured that I haven't broken the existing "restart allowed" logic.

[benjirewis]

IMO this was a pointless field to store on the manager; creating a gRPC client on top of conn above through which to call DeviceAgentConfig requires no actual, blocking work. It was confusing to store this variable on the struct and check its existence to see if we had dialed already.

[benjirewis]

I removed the RestartCheck interface, and instead added a Property method to the Subsystem interface. I think it's a bit easier to read. I also moved logging about the result of querying restart_allowed to this file (line below this).

[benjirewis]

We now have two background check goroutines: one checks for a new config every 5s (existing), and another checks for a restart every 1s (new). Each check can receive a new, different interval from the app call, so they need to be running at different cadences in different goroutines. You'll also notice that I renamed some interval variable names in this file to be more specific as to which "interval" they were associated with.

[benjirewis]

[drive-by] This log was getting output after agent shutdown timed out, so the message was slightly inaccurate.

[benjirewis]

We were doing this for the config check interval, too... I'm not sure why; anyone know?

[benjirewis]

Here's the new method I added. I realize the interface here is meant to reveal a limited API from manager -> subsystems, but I found that the manager truly needed to know a couple "properties" of the running viamserver subsystem (whether restart was currently allowed and whether viamserver was already handling restart checking logic), so I thought this was worth adding despite it opening a pretty generic API to subsystems.

[jmatth]

Honestly I think the interface duck typing that's already there was a mistake and we should just make viamserver.viamServer public, put it directly in the manager struct as a pointer, and remove all the interface casting. I also don't think it's worth holding up this PR though so I'm in favor of just continuing as-is and I can make a follow up PR.

[benjirewis]

Removing it entirely is also fair; filed https://viam.atlassian.net/browse/RSDK-12263.

[benjirewis]

I moved most the code that attempted to find whether restart was allowed here, and I extended it to also be able to check whether viamserver handled restart checking logic. Some of the concurrent code could use an extra pair of eyes since it's slightly different than before; my manual testing seems to imply it works fine.

[benjirewis]

In case you're curious, I don't think we can check the semantic version string of viamserver to know this information. That string is not always a semantic version (could be stable, customURL..., etc.), so I felt that the best way to know was to directly query something on the running viam-server.

[benjirewis]

[drive-by] Logging fix related to comment.

[benjirewis]

We were getting unnecessary error logs here when restarting. A non-zero exit code when we sent SIGQUIT to viam-server is expected.

[benjirewis]

This change, and the addition and usage of reason for the Exit method in manager.go are for RSDK-11266. Hopefully these messages will be useful for debugging.

[benjirewis]

We now continue to handle checking NeedsRestart in a background goroutine in the server if VIAM_AGENT_HANDLES_NEEDS_RESTART_CHECKING is unset (newer versions of agent will set it unconditionally when launching viam-server). It was determined offline that we do want to support old-agent/new-server setups for a while, and eventually completely remove needs restart checking functionality from the rdk with RSDK-12057.

Thanks to @jmatth for the env var idea 🎉 .

[benjirewis]

I did some manual testing to ensure I didn't break "restart allowed" logic (turns out it wasn't even working on main for Windows) and that Windows behaved as expected for the feature (across old/new agent/server versions).

I'm also going to add some unit tests to this PR.

[benjirewis]

I changed this to 127.0.0.1 so checks to checkURLAlt would work on Windows (localhost does not exist on Windows) as well as Linux. Restart allowed checks could already work with the checkURL (this was something like https://vader-main.ydbecmp2sz.local.viam.cloud:8080).

[benjirewis]

We used to also return true unconditionally on Windows, meaning a maintenance sensor returning false or an active reconfiguration would not stop viam-agent from restarting viam-server for an update on Windows. That's no longer the case, and both of those things will prohibit viam-agent with these changes from restarting viam-server (the WARN log viam-server has NOT allowed a restart; will NOT restart will be output).

[jmatth]

What was the reason for always returning true on Windows? I assume it was working around some weird behavior and want to make sure we're not causing a regression

[benjirewis]

Hard-coding true was introduced in this PR. I'll check to see if that's no longer relevant, but restart_allowed seems to function fine in my manual testing on Windows.

[benjirewis]

I've put the hard-coding back for now and filed https://viam.atlassian.net/browse/RSDK-12271 to re-enable at some point in the future. Re-enabling a feature that caused a lot of Windows issues previously as part of this already-large PR is probably too large of a risk.

[cheukt]

LGTM pending tests

[benjirewis]

Added some unit tests for checkRestartProperty, lmk what you think @jmatth .

[jmatth]

We should use structured logging instead of format strings for any parameterized logs. agent.SubsystemName is a bit weird here because it's just a constant so doesn't need to be a log field but formatting it into the log message with fmt.Sprintf and to then be passed to the logger method is annoying. If you'd prefer to just make it another parameter for convenience I'd be fine with it.

The following is a code block instead of a suggestion because Github's code review tool is bad and I can't figure out how to tell it to apply a suggestion to two lines instead of one.

				globalLogger.Infof("Signal %s was received. %s will now exit to be restarted by service manager",
					sig, agent.SubsystemName)

[benjirewis]

Can do. I believe you just copied the existing line into that code block but I get the gist.

[jmatth]

Honestly I think the interface duck typing that's already there was a mistake and we should just make viamserver.viamServer public, put it directly in the manager struct as a pointer, and remove all the interface casting. I also don't think it's worth holding up this PR though so I'm in favor of just continuing as-is and I can make a follow up PR.

[jmatth]

What was the reason for always returning true on Windows? I assume it was working around some weird behavior and want to make sure we're not causing a regression

[jmatth]

[nit] If we actually need to take the lock I'd just do

s.mu.Lock()
t.Cleanup(s.mu.Unlock)

to avoid having to keep track of the lock/unlock calls

[jmatth]

I believe the concurrency in restart_properties will do the right thing but dislike that it means every potential URL now has to produce an error or nil before we check for a successful response and think the double channels will make the code hard to maintain. I threw together a version that returns an error or result per URL over a single channel here: jmatth@2e8d8b5. I'd prefer that but don't want to hold up this PR any more so am approving now and am fine merging either version of the code.

Also thank you for writing tests for that code, I'm pretty sure I noticed a bug in the old version when I was comparing the two so they were definitely needed 😬

[benjirewis]

I threw together a version that returns an error or result per URL over a single channel here: jmatth@2e8d8b5.

Discussed offline: I put that commit in and one commit on top of it with some "fixes." Thanks! It's a cool Rust-like pattern.