Rewrite the etcd doc to be about upgrading etcd.

[mml]

First draft, nearly verbatim copy. Please rip to shreds.

---

This change is 

[wojtek-t]

Just some minor comments.

[wojtek-t]

@mml ping

[mml]

@wojtek-t I don't see any comments from you.

[wojtek-t]

It would be useful to link to this script here.

[mml]

Done.

[wojtek-t]

s/3.0.14/3.0.17/

everywhere

[mml]

Done.

[wojtek-t]

I think we should leave this section - it seems useful.

[mml]

Done. I made it a subsection of "About etcd" and renamed it.

[wojtek-t]

Sorry - seems I forgot to click submit.

[xiang90]

etcd upgrade limitations. (do not use Etcd, we prefer etcd :P)

[mml]

Done :-). But I will defer to whatever our style guide is about capitalizing words like etcd when they start a heading or sentence.

[xiang90]

Where is the rule about capitalizing words in the style guide? I cannot find it here: https://kubernetes.io/docs/contribute/style-guide/#documentation-formatting-standards.

[xiang90]

i do not think this is a design issue to be honest. we have done quite some internal work to allow removing these limitations from very beginning. we just do not know the scope of the use case and the effort. We should resolve it here:

etcd-io/etcd#7308

[mml]

Would you prefer a different phrasing? Regardless of why, the limitations are there.

[xiang90]

use etcd instead of Etcd?

[xiang90]

This doc looks good to me in general.

etcd team is OK to support rollback once etcd-io/etcd#7308 is resolved.

[xiang90]

to be clear, this is a offline data rollback tool with very limited scope. it probably only works for v2 to v3 upgrades for k8s.

[ravilr]

@mml @wojtek-t can we also add some notes around how to deal with running pods in the cluster. I understand that the etcd migration is offline, during which kube-apiserver won't be able to talk to etcd. What happens to the already running pods in the cluster. Would the node controller evict nodes/pods due to lack of heartbeats as soon as the etcd is available but before the nodes starts heartbeating again. How to avoid affecting running pods in the cluster during this migration.

[ravilr]

did you mean 'how kubernetes builds,.. deploys etcd'

[mml]

Heh, fixed.

[justinsb]

I think no comma after Fortunately, and s/it is/is/g

[mml]

The comma belongs, but I'll defer to a "doc review" at some point.

See "sentence adverbs" at http://theeditorsblog.net/2016/02/21/a-tale-of-adverbs-and-the-comma/

I fixed the "it is".

[justinsb]

may be gramatically less controversial to say "all data written in the meantime"

[mml]

Done.

[justinsb]

"very huge" is apt but perhaps not the bestest wording

[mml]

changed to "significant"

[justinsb]

This file is version.txt I believe - should we specify that? (I don't have a strong opinion either way...)

[mml]

Done. I also tidied up the tense there to be more consistent, but I think it's still all over the map across the doc.

[justinsb]

Although it does remain part of the etcd cluster, because we don't change the peer port, I believe, so new data will be written. Should we clarify the "no new data" statement? (And is this actually safe?)

[justinsb]

I actually opened an issue about this before I knew about this doc: kubernetes/kubernetes#43364

[mml]

We are relying on the fact that the port we run on is obscure and "shouldn't" be exposed the way most masters are configured. We should clarify that a bit.

If by safe, we mean we guarantee no one will try to write to it during this transition, then strictly speaking no.

[justinsb]

I think we should link to the salt manifest, and probably make this more explicit

i.e.

Change "/usr/local/bin/etcd ..." to be
"if [ -e /usr/local/bin/migrate-if-needed.sh ]; then /usr/local/bin/migrate-if-needed.sh 1>>/var/log/etcd.log 2>&1; fi; /usr/local/bin/etcd..."

[mml]

Where exactly are you suggesting I link to? (i.e. Can you paste a URL?)

[justinsb]

I was suggesting to link to https://github.com/kubernetes/kubernetes/blob/master/cluster/saltbase/salt/etcd/etcd.manifest, as it may be easier to point to an example rather than saying it in words.

[justinsb]

We also need:

• Specify the image as 3.0.17

• Specify these env vars for upgrade:

TARGET_STORAGE=etcd3
TARGET_VERSION=3.0.17
DATA_DIRECTORY=???

• Specify these env vars for downgrade (and clarify that the image should still be 3.0.17, as I made that mistake before engaging brain):

TARGET_STORAGE=etcd2
TARGET_VERSION=2.2.1
DATA_DIRECTORY=???

We also do specify this flag for etcd3 in salt; not sure if it matters: --quota-backend-bytes=4294967296

[liggitt]

from kubernetes/kubernetes#43366 (comment):

[downgrading is] supported assuming that:

1. you are still using 'json' as the storage data format (even though the default is protobuf in 1.6)
2. you're not downgrading back to 2.2.1 image, but just using "3.0.17" image and setting ETCD_VERSION to 2.2.1

Documentation needs to make it crystal clear that you have to explicitly set --storage-media-type=application/json if you want to have the option to downgrade from etcd3 to etcd2.

It also needs to explain the "use the 3.0.17 image but run in 2.2.1 mode"... I'm not seeing that mentioned in this doc.

[mml]

Clarified this, I think. PTAL.

I'd like to rearrange the doc so that the reader can get the recipe first and read the gory details about implementation later, if they wish. Next revision, tho.

[justinsb]

Great document - thank you!

Q: Is there any reason to stick with the 2.2.1 image? My understanding is that the 3.0.17 image will still run etcd 2.2.1 if TARGET_STORAGE=="etcd2". Sticking with one image would mean we wouldn't need to remember whether we were "etcd2 on a downgrade" or "etcd2 always", which would be great...

[justinsb]

We should also document that mixing versions of etcd-main and etcd-events does not work (unless there's some magic syntax for etcd-servers-overrides)

[liggitt]

is this accurate? is that what @wojtek-t meant at kubernetes/kubernetes#43366 (comment):

you're not downgrading back to 2.2.1 image, but just using "3.0.17" image and setting ETCD_VERSION to 2.2.1

[liggitt]

and only if all apiservers started against the etcd3 server ran with --storage-media-type=application/json, right?

[mml]

This is accurate, yes. What @wojtek-t meant by that comment was that we don't need to change images. The 3.0.17 image also contains the 2.2.1 binaries (and 2.3.7 and the rollback tool!).

[ethernetdan]

Has the feedback here been implemented? I'd like to close the issue kubernetes/kubernetes#43366

[hongchaodeng]

@mml

I think the docs is way too subjective -- mentioning words like "significant limitations on etcd". This breaks the spirit of open source community and not healthy for the project in long term. etcd team have been writing the tool and fixing all issues in fast responsive manner, despite all of this being none of etcd or company's work.

Thus, please correct some wording.

Last but not least, please mention the most important point for users: A good design of etcd cluster deployment should include: 1. have 3 or 5 members for HA; 2. have backup periodically. HA cluster is safe enough. If entire cluster went down, users need to do disaster recovery from backup.

[hongchaodeng]

The way etcd was designed introduces some significant limitations on how the upgrade can be done. These are the main limitations.

I disagree with the wording here. It sounds more like complaints than clarifying the limits to users.

Maybe rephrase like:

There are some limits in etcd upgrade process.

[hongchaodeng]

To emphasize and point out the upgrade path more explicitly, rephrase:

Upgrade only one minor release at a time. That means we cannot upgrade directly e.g. from 2.1.x to 2.3.x . Within patch releases, versions can be switched back and forth.

[hongchaodeng]

Fortunately, this limitation is easy to workaround

[hongchaodeng]

Combine this with above paragraph.

[hongchaodeng]

etcd versions through 3.0 3.0+

[hongchaodeng]

Remove this paragraph. What can users get from reading this paragraph?

[hongchaodeng]

For the sake of open source spirit:

CoreOS -> etcd

[hongchaodeng]

given all the limitations we have given above conditions.

[wojtek-t]

Should this be put in the top?
@liggitt for input.

[wojtek-t]

Has the feedback here been implemented? I'd like to close the issue kubernetes/kubernetes#43366

@ethernetdan - the modification to the doc, yes. Though there was also request to explicitly mention it in release note, and i think it's not yet done.

[jaredbhatti]

This appears to be a 1.6 release-bound item. It's not in the tracking sheet (https://docs.google.com/spreadsheets/d/1nspIeRVNjAQHRslHQD1-6gPv99OcYZLMezrBe3Pfhhg/edit#gid=0) nor is it targeted against the 1.6 brach. Can you please fix these two issues?

[mml]

@calebamiles #2898 is not targeted for 1.6, so in the interim the current doc will disappear. Is that cool?

[wojtek-t]

I just have two minor comments.

[wojtek-t]

I'm not native speaker, but for me something is missing before "It is fairly easy...". I'm missing some context for this, sth like:
"Fortunately, just starting a cluster for any intermediate minor release, waiting until it is healthy and functional and then shutting it down is itself performing the migration."

WDYT?

[wojtek-t]

Make it bold?

[mml]

This is now called out as a warning per @steveperry-53's style guidance.

[wojtek-t]

LGTM - but I guess we also need LGTM signal from tech writer.
@devin-donnelly ?

[wojtek-t]

Also - please squash commits.

[xiang90]

@mml @wojtek-t can we change the name of the md file to etcd_upgrade.md to match the title?

I am going to revive the original generic etcd doc soon, which should be named as etcd.md.

[wojtek-t]

I'm not good at naming - I'm fine with that, but will leave that decision to others.

[calebamiles]

I'll add the original etcd.md to this PR @xiang90 and I can make some small changes to update that doc if you'd like. Is that ok with you @devin-donnelly

[chenopis]

Is some doc just a placeholder for a link? If so, this needs to put in before we can Docs LGTM.

[mml]

It is a placeholder. I'll just take the sentence out until some doc is ready. I do not want to hold up this PR any further.

[steveperry-53]

@mml, @wojtek-t, See cb07168 for suggested edits.

[steveperry-53]

Is this text under "To verify" meant to be in the document? It almost looks like a review comment.

[mml]

Good call. I will rephrase that.

[mml]

@steveperry-53 edits mostly look good, but some of the seemingly excessive bolding is because there are some mistakes users can make here that could cut off their option for rollback or that would lead them into waters where we have not tested. These are charted waters, but the chart is not the territory.

So I guess the question is one of doc style. How do we warn users about something risky and important? This is like those sidebars usually indicated by something like (!) in "for dummies" books.

Thanks!

[steveperry-53]

@mml, If you feel it's important, go ahead and return some important statements to bold. Usually what we do, instead of bold, is to separate important material as a Note or Warning. We bold the word Note or Warning but not the text. Here is an example. I'll leave the choice up to you. I don't need to review this again.

[mml]

@steveperry-53 Thanks, I'll try to restructure things to follow that style. I am re-labeling do-not-merge until I finish those changes and squash.

[mml]

We are ready to go.

[steveperry-53]

@mml, Would you like me to merge this now?

[mml]

@steveperry-53 yes, pleas.

[jagosan]

typo: "the the"