Troubleshoot batch jobs
Estimated reading time: 9 minutesDTR uses a job queue to schedule batch jobs. A job is placed on this work queue, and a job runner component of DTR consumes work from this cluster-wide job queue and executes it.
All DTR replicas have access to the job queue, and have a job runner component that can get and execute work.
How it works
When a job is created, it is added to a cluster-wide job queue with the
waiting status.
When one of the DTR replicas is ready to claim, it waits a random time of up
to 3 seconds, giving the opportunity to every replica to claim the task.
A replica gets a job by adding it’s replica ID to the job. That way, other
replicas know the job has been claimed. Once a replica claims a job it adds
it to an internal queue of jobs, that is sorted by their scheduledAt time.
When that time happens, the replica updates the job status to running, and
starts executing it.
The job runner component of each DTR replica keeps an heartbeatExpiration
entry on the database shared by all replicas. If a replica becomes
unhealthy, other replicas notice this and update that worker status to dead.
Also, all the jobs that replica had claimed are updated to the status worker_dead,
so that other replicas can claim the job.
Job types
DTR has several types of jobs.
| Job | Description |
|---|---|
| gc | Garbage collection job that deletes layers associated with deleted images |
| sleep | Sleep is used to test the correctness of the jobrunner. It sleeps for 60 seconds |
| false | False is used to test the correctness of the jobrunner. It runs the false command and immediately fails |
| tagmigration | Tag migration is used to synchronize tag and manifest information between the DTR database and the storage backend. |
| bloblinkmigration | bloblinkmigration is a 2.1 to 2.1 upgrade process that adds references for blobs to repositories in the database |
| license_update | License update checks for license expiration extensions if online license updates are enabled |
| scan_check | An image security scanning job. This job does not perform the actual scanning, rather it spawns scan_check_single jobs (one for each layer in the image). Once all of the scan_check_single jobs are complete, this job will terminate |
| scan_check_single | A security scanning job for a particular layer given by the parameter: SHA256SUM. This job breaks up the layer into components and checks each component for vulnerabilities |
| scan_check_all | A security scanning job that updates all of the currently scanned images to display the latest vulnerabilities |
| update_vuln_db | A job that is created to update DTR’s vulnerability database. It uses an Internet connection to check for database updates through https://dss-cve-updates.docker.com/ and updates the dtr-scanningstore container if there is a new update available |
| webhook | A job that is used to dispatch a webhook payload to a single endpoint |
Job status
Jobs can be in one of the following status:
| Status | Description | |
|---|---|---|
| waiting | The job is unclaimed and waiting to be picked up by a worker | |
| running | The worker defined by workerID is currently running the job |
|
| done | The job has successfully completed | |
| error | The job has completed with errors | |
| cancel_request | The worker monitors the job statuses in the database. If the status for a job changes to cancel_request, the worker will cancel the job |
|
| cancel | The job has been cancelled and not fully executed | |
| deleted | The job and logs have been removed | |
| worker_dead | The worker for this job has been declared dead and the job will not continue |
|
| worker_shutdown | The worker that was running this job has been gracefully stopped | |
| worker | resurrection | The worker for this job has reconnected to the database and will cancel these jobs |
Job capacity
Each job runner has a limited capacity and doesn’t claim jobs that require a
higher capacity. You can see the capacity of a job runner using the
GET /api/v0/workers endpoint:
{
"workers": [
{
"id": "000000000000",
"status": "running",
"capacityMap": {
"scan": 1,
"scanCheck": 1
},
"heartbeatExpiration": "2017-02-18T00:51:02Z"
}
]
}
This means that the worker with replica ID 000000000000 has a capacity of 1
scan and 1 scanCheck. If this worker notices that the following jobs
are available:
{
"jobs": [
{
"id": "0",
"workerID": "",
"status": "waiting",
"capacityMap": {
"scan": 1
}
},
{
"id": "1",
"workerID": "",
"status": "waiting",
"capacityMap": {
"scan": 1
}
},
{
"id": "2",
"workerID": "",
"status": "waiting",
"capacityMap": {
"scanCheck": 1
}
}
]
}
Our worker can pick up job id 0 and 2 since it has the capacity
for both, while id 1 will need to wait until the previous scan job is complete:
{
"jobs": [
{
"id": "0",
"workerID": "000000000000",
"status": "running",
"capacityMap": {
"scan": 1
}
},
{
"id": "1",
"workerID": "",
"status": "waiting",
"capacityMap": {
"scan": 1
}
},
{
"id": "2",
"workerID": "000000000000",
"status": "running",
"capacityMap": {
"scanCheck": 1
}
}
]
}
Troubleshoot jobs
You can get the list of jobs, using the GET /api/v0/jobs/ endpoint. Each job
looks like this:
{
"id": "1fcf4c0f-ff3b-471a-8839-5dcb631b2f7b",
"retryFromID": "1fcf4c0f-ff3b-471a-8839-5dcb631b2f7b",
"workerID": "000000000000",
"status": "done",
"scheduledAt": "2017-02-17T01:09:47.771Z",
"lastUpdated": "2017-02-17T01:10:14.117Z",
"action": "scan_check_single",
"retriesLeft": 0,
"retriesTotal": 0,
"capacityMap": {
"scan": 1
},
"parameters": {
"SHA256SUM": "1bacd3c8ccb1f15609a10bd4a403831d0ec0b354438ddbf644c95c5d54f8eb13"
},
"deadline": "",
"stopTimeout": ""
}
The fields of interest here are:
id: the ID of the jobworkerID: the ID of the worker in a DTR replica that is running this jobstatus: the current state of the jobaction: what job the worker will actually performcapacityMap: the available capacity a worker needs for this job to run
Cron jobs
Several of the jobs performed by DTR are run in a recurrent schedule. You can
see those jobs using the GET /api/v0/crons endpoint:
{
"crons": [
{
"id": "48875b1b-5006-48f5-9f3c-af9fbdd82255",
"action": "license_update",
"schedule": "57 54 3 * * *",
"retries": 2,
"capacityMap": null,
"parameters": null,
"deadline": "",
"stopTimeout": "",
"nextRun": "2017-02-22T03:54:57Z"
},
{
"id": "b1c1e61e-1e74-4677-8e4a-2a7dacefffdc",
"action": "update_db",
"schedule": "0 0 3 * * *",
"retries": 0,
"capacityMap": null,
"parameters": null,
"deadline": "",
"stopTimeout": "",
"nextRun": "2017-02-22T03:00:00Z"
}
]
}
The schedule uses a Unix crontab syntax.