RFC#0192 - ensures workers do not get unnecessarily killed

Author: JohanLorenzo

README.md

@@ -69,3 +69,4 @@ See [mechanics](mechanics.md) for more detail.
 | RFC#182 | [Allow remote references to .taskcluster.yml files processed by Taskcluster-GitHub](rfcs/0182-taskcluster-yml-remote-references.md)                                                    |
 | RFC#189 | [Batch APIs for task definition, status and index path](rfcs/0189-batch-task-apis.md)                                                                                                  |
 | RFC#191 | [Worker Manager launch configurations](rfcs/0191-worker-manager-launch-configs.md)                                                                                                     |
+| RFC#192 | [`minCapacity` ensures workers do not get unnecessarily killed](rfcs/0192-min-capacity-ensures-workers-do-not-get-unnecessarily-killed.md)                                             |

rfcs/0192-min-capacity-ensures-workers-do-not-get-unnecessarily-killed.md

@@ -0,0 +1,257 @@
+# RFC 192 - `minCapacity` ensures workers do not get unnecessarily killed
+* Comments: [#192](https://github.com/taskcluster/taskcluster-rfcs/pull/192)
+* Proposed by: @johanlorenzo
+
+# Summary
+
+Optimize worker pools with `minCapacity >= 1` by implementing minimum capacity workers that avoid unnecessary shutdown/restart cycles, preserving caches and reducing task wait times.
+
+## Motivation
+
+Currently, workers in pools with `minCapacity >= 1` exhibit wasteful behavior:
+
+1. **Cache Loss**: Workers shut down after idle timeout (600 seconds for decision pools), losing valuable caches:
+   - VCS repositories and history
+   - Package manager caches (npm, pip, cargo, etc.)
+   - Container images and layers
+
+2. **Provisioning Delays**: New worker provisioning takes ~73-74 seconds average for decision pools, during which tasks must wait
+
+3. **Resource Waste**: The current cycle of shutdown → detection → spawn → provision → register wastes compute resources and increases task latency
+
+4. **Violation of MinCapacity Intent**: `minCapacity >= 1` suggests these pools should always have capacity available, but the current implementation allows temporary capacity gaps
+
+# Details
+
+## Current Behavior Analysis
+
+**Affected Worker Pools:**
+- Direct `minCapacity: 1`: [`infra/build-decision`](https://github.com/mozilla-releng/fxci-config/blob/43c18aab0826244e369b16a964637b6c411c7760/worker-pools.yml#L220), [`code-review/bot-gcp`](https://github.com/mozilla-releng/fxci-config/blob/43c18aab0826244e369b16a964637b6c411c7760/worker-pools.yml#L3320)
+- Keyed `minCapacity: 1`: [`gecko-1/decision-gcp`, `gecko-3/decision-gcp`](https://github.com/mozilla-releng/fxci-config/blob/43c18aab0826244e369b16a964637b6c411c7760/worker-pools.yml#L976), and [pools matching `(app-services|glean|mozillavpn|mobile|mozilla|translations)-1`](https://github.com/mozilla-releng/fxci-config/blob/43c18aab0826244e369b16a964637b6c411c7760/worker-pools.yml#L1088)
+
+**Current Implementation Issues:**
+- Worker-manager enforces minCapacity by spawning new workers when capacity drops below threshold
+- Generic-worker shuts down after `afterIdleSeconds` regardless of minCapacity requirements
+- Gap exists between worker shutdown and replacement detection/provisioning
+
+## Proposed Solution
+
+### Core Concept: MinCapacity Workers
+
+Workers fulfilling `minCapacity >= 1` requirements should receive significantly longer idle timeouts to preserve caches.
+
+### Implementation Approach
+
+#### 1. Worker Identification and Tagging
+
+**Worker Provisioning Logic:**
+- Worker-manager determines worker idle timeout configuration at spawn time based on current pool capacity
+- Workers are launched with predetermined `intended_role` for tracking purposes only
+- Uses existing [`launch_config_id` system](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/data.js#L313-L362) to ensure per-variant capacity tracking
+- **No Special Replacement Logic**: Failed workers are handled through normal provisioning cycles, not immediate replacement
+
+#### 2. Lifecycle-Based Worker Configuration
+
+Workers are assigned minCapacity or overflow roles at launch time and never change configuration during their lifetime. This approach works within TaskCluster's architectural constraints where worker-manager cannot communicate configuration changes to running workers.
+
+**Launch-Time Configuration:**
+Worker-manager determines worker role at spawn time based on current pool capacity needs. Workers fulfilling minCapacity requirements receive the pool's configured minCapacityIdleTimeoutSecs (0 for indefinite runtime) and are tagged with 'min-capacity' role. Additional workers beyond minCapacity receive standard idle timeouts (default 600 seconds) and are tagged as 'overflow' workers.
+
+**Immutable Worker Behavior:**
+- Workers receive their complete configuration at startup
+- No runtime configuration changes
+- Worker role and idle timeout never change during worker lifetime
+- MinCapacity requirements fulfilled through worker replacement, not reconfiguration
+
+#### 3. Pool Configuration
+
+**New Configuration Options:**
+Pools will have a new `minCapacityIdleTimeoutSecs` parameter that enables minCapacity worker behavior. Setting this to 0 means minCapacity workers will run indefinitely (no idle timeout), providing maximum cache preservation.
+
+**Validation:**
+- Fail pool provisioning entirely if invalid configuration (e.g., `minCapacity > maxCapacity`)
+- Require `minCapacityIdleTimeoutSecs >= 0` if minCapacity workers are desired
+- Setting `minCapacityIdleTimeoutSecs = 0` enables indefinite runtime for maximum cache preservation
+
+#### 4. Enhanced Provisioning Logic
+
+**Provisioning Strategy:**
+The enhanced estimator uses existing minCapacity enforcement logic but provisions workers with different idle timeout configurations based on pool needs. When total running capacity falls below minCapacity, new workers are spawned with indefinite runtime (minCapacityIdleTimeoutSecs = 0) to serve as long-lived minCapacity workers. Additional workers beyond minCapacity are spawned with standard idle timeouts. This demand-based approach avoids over-provisioning and works within existing estimator logic.
+
+**Current Estimator Implementation:** [Estimator.simple() method](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/estimator.js#L7-L84) enforces minCapacity as a floor at [line 35-39](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/estimator.js#L35-L39)
+
+**Capacity Management:**
+- **minCapacity increases**: Spawn additional minCapacity workers with indefinite runtime
+- **minCapacity decreases**: Forcefully terminate excess minCapacity workers (see Capacity Reduction Trade-offs)
+- **Worker failures**: Failed workers are handled through normal provisioning cycles when total capacity falls below minCapacity
+- **Multi-region**: Pool-wide capacity management (any region can fulfill minCapacity)
+
+**Capacity Reduction Trade-offs:**
+When minCapacity decreases, excess minCapacity workers must be forcefully terminated since:
+- Worker-manager cannot communicate with running workers to reduce their idle timeouts
+- Waiting for natural idle timeout could take hours (defeating responsive capacity management)
+- Forceful termination provides immediate capacity adjustment but loses cache benefits
+
+#### 5. Forceful Termination for Capacity Management
+
+**Technical Capability:**
+Worker-manager has direct cloud provider API access and can forcefully terminate instances:
+- **GCP**: [`workerId = instanceId` mapping](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/google.js#L341), uses [`compute.instances.delete()` API](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/google.js#L181-L185)
+- **AWS**: [`workerId = instanceId` mapping](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/aws.js#L243), uses [`TerminateInstancesCommand` API](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/aws.js#L393-L395)
+- **Azure**: [Worker ID maps to VM name](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/azure/index.js#L302), uses [VM deletion API](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/azure/index.js#L1249-L1254)
+
+**Implementation:**
+Worker-manager has existing capability to forcefully terminate workers by updating the database to mark workers as STOPPING state and then making direct cloud provider API calls to terminate the instances. This process works across all supported cloud providers (GCP, AWS, Azure) using their respective termination APIs.
+
+**Implementation References:**
+- [Worker.states.STOPPING definition](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/data.js#L858-L863)
+- [AWS removeWorker implementation](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/aws.js#L382-L418)
+- [Google removeWorker implementation](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/google.js#L168-L192)
+- [Azure removeWorker implementation](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/providers/azure/index.js#L1221-L1233)
+
+**Trade-offs:**
+- ✅ **Immediate capacity response**: minCapacity changes take effect in ~30 seconds
+- ❌ **Cache loss**: Defeats primary optimization goal when terminating active workers
+- ⚠️ **Selective termination**: Prioritize terminating idle workers when possible
+
+#### 6. Enhanced Health Monitoring
+
+**MinCapacity Worker Health Checks:**
+- More aggressive health monitoring for minCapacity workers
+- Faster detection of unresponsive minCapacity workers
+- Automatic detection and fallback if minCapacity workers cause issues
+
+#### 7. Monitoring and Alerting
+
+**Implementation Location:**
+New metrics will be added to [services/worker-manager/src/monitor.js](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/monitor.js#L377) following the existing pattern established in [lines 246-377](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/monitor.js#L246-L377). These metrics will be displayed in the Taskcluster UI Status Dashboard for human operators and exposed via Prometheus `/metrics` endpoint for external monitoring systems to create custom dashboards and alerting.
+
+**New Prometheus Metrics:**
+
+1. **MinCapacity Worker Count** - Gauge metric tracking the number of workers fulfilling minCapacity requirements, labeled by worker state (running/stopping/requested)
+
+2. **Overflow Worker Count** - Gauge metric tracking the number of workers beyond minCapacity requirements, labeled by worker state
+
+3. **MinCapacity Worker Terminations** - Counter metric tracking total minCapacity workers terminated, labeled by termination reason (capacity-reduction/health-check/idle-timeout)
+
+4. **MinCapacity Deficit Duration** - Histogram metric measuring time spent below minCapacity threshold, with buckets for different time ranges (1s to 10 minutes)
+
+**Metrics Integration:**
+Metrics will be exposed in [estimator.js](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/src/estimator.js#L89-L92) using the existing `exposeMetrics()` pattern to report worker counts by pool and role during each provisioning cycle.
+
+**Alerting Rules:**
+Two key alerting rules will monitor minCapacity worker health: a MinCapacityDeficit alert triggered when worker pools fall below minCapacity for more than 30 seconds, and a HighMinCapacityTerminations alert triggered when termination rates exceed 0.1 workers per 5-minute window for more than 2 minutes.
+
+## Success Measurement
+
+**Primary Metrics:**
+
+1. **Task Wait Time Reduction** - Measure 95th percentile task pending-to-running duration before and after implementation by worker pool
+
+2. **Worker Spawn Frequency Reduction** - Track the rate of new worker requests relative to total capacity changes to measure churn reduction
+
+3. **MinCapacity Worker Stability** - Calculate percentage of time pools maintain minCapacity without deficits
+
+**Secondary Metrics:**
+
+4. **Cache Preservation Effectiveness** - Compare 90th percentile worker uptime between minCapacity and overflow workers to measure cache retention
+
+5. **Termination Frequency Impact** - Monitor rate of minCapacity worker terminations per hour
+
+6. **Capacity Response Time** - Average time to fulfill minCapacity requirements after capacity deficits occur
+
+**Success Criteria:**
+- **Task wait time**: 20% reduction in P95 pending→running time
+- **Worker churn**: 50% reduction in worker spawn frequency for minCapacity pools
+- **Cache effectiveness**: 80% of minCapacity workers have >1 hour uptime
+- **Deficit resolution**: <60 seconds average time to resolve minCapacity deficits
+- **Termination cost**: <5% of minCapacity workers terminated for capacity reduction per day
+
+**Trade-off Evaluation:**
+Cost-benefit analysis will compare the benefits of reduced task wait times (measured by time savings multiplied by task throughput) against the costs of cache loss from forced terminations (measured by termination rate multiplied by average cache warmup time).
+
+## Rollout Strategy
+
+**Phase 1**: Single Pool Testing
+- Enable on one stable test pool (e.g., `gecko-1/decision-gcp` for try branch)
+- Monitor success metrics, cache preservation, and termination frequency
+- Validate that pool benefits outweigh costs of occasional forceful termination
+
+**Phase 2**: Gradual Expansion
+- Roll out to remaining decision pools with stable minCapacity requirements
+- Prioritize pools where minCapacity changes are infrequent
+- Monitor trade-off between cache benefits and capacity management responsiveness
+
+**Phase 3**: Full Deployment
+- Enable for all eligible pools after validating net positive impact
+- Continue monitoring optimization effectiveness across different usage patterns
+- Consider disabling for pools where minCapacity changes are too frequent
+
+## Error Handling and Edge Cases
+
+**Worker Lifecycle Management:**
+- **Pool reconfiguration**: Capacity changes trigger worker replacement, not reconfiguration
+- **Graceful transitions**: When possible, only terminate idle workers to preserve active caches
+- **Resource allocation**: MinCapacity workers mixed with overflow workers on same infrastructure
+
+**Capacity Reduction Strategy:**
+When minCapacity decreases, a hybrid approach minimizes cache loss by first prioritizing termination of idle excess workers to preserve active caches. If additional capacity reduction is needed, busy workers are terminated immediately, starting with the oldest workers first to maximize cache preservation for recently started workers.
+
+## Compatibility Considerations
+
+**Backward Compatibility:**
+- Opt-in via `minCapacityIdleTimeoutSecs` configuration
+- Existing pools continue current behavior unless explicitly enabled
+- No changes to generic-worker's core idle timeout mechanism
+
+**API Changes:**
+- New worker database field for role tracking
+- Enhanced worker pool configuration schema
+- Existing cloud provider termination APIs used for capacity management
+
+**Security Implications:**
+- No security changes - same authentication and authorization flows
+- Longer-lived workers maintain same credential rotation schedule
+
+**Performance Implications:**
+- **Positive**: Reduced task wait times, preserved caches, fewer API calls
+- **Negative**: Slightly higher resource usage for idle minCapacity workers
+- **Net**: Expected improvement in overall system efficiency
+
+## Documentation Updates Required
+
+**Configuration Schema:**
+- [`/services/worker-manager/schemas/constants.yml`](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/schemas/constants.yml) - Add minCapacityIdleTimeoutSecs schema definitions
+
+**Operational Documentation:**
+- [`/services/worker-manager/README.md`](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/README.md) - Update provisioning loop diagrams for minCapacity worker behavior
+- [`/services/worker-manager/docs/providers.md`](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/services/worker-manager/docs/providers.md) - Add minCapacity worker provisioning behavior
+
+**Worker Documentation:**
+- [`/workers/generic-worker/README.md`](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/workers/generic-worker/README.md) - Document launch-time idle timeout configuration
+
+**Monitoring Documentation:**
+- [`/libraries/monitor/README.md`](https://github.com/taskcluster/taskcluster/blob/d7fbf0ee9e0d93e079cc7ff069eaceecfd7d29ec/libraries/monitor/README.md) - Document new minCapacity worker metrics and alerting
+
+## Migration Path
+
+**For Existing Deployments:**
+1. Deploy enhanced worker-manager with feature disabled by default
+2. Update worker pool configurations to enable minCapacity workers
+3. Monitor success metrics and validate cache preservation vs termination trade-offs
+4. Gradually expand to additional pools based on observed benefits
+
+**Database Migration:**
+The database migration requires adding a new `intended_role` text column to the workers table for tracking worker roles. Additionally, an index on worker_pool_id and intended_role columns will be created specifically for min-capacity workers to enable efficient capacity queries during provisioning decisions.
+
+# Implementation
+
+<Once the RFC is decided, these links will provide readers a way to track the
+implementation through to completion, and to know if they are running a new
+enough version to take advantage of this change.  It's fine to update this
+section using short PRs or pushing directly to master after the RFC is
+decided>
+
+* <link to tracker bug, issue, etc.>
+* <...>
+* Implemented in Taskcluster version ...

rfcs/README.md

@@ -57,3 +57,4 @@
 | RFC#182 | [Allow remote references to .taskcluster.yml files processed by Taskcluster-GitHub](0182-taskcluster-yml-remote-references.md)                                                    |
 | RFC#189 | [Batch APIs for task definition, status and index path](0189-batch-task-apis.md)                                                                                                  |
 | RFC#191 | [Worker Manager launch configurations](0191-worker-manager-launch-configs.md)                                                                                                     |
+| RFC#192 | [`minCapacity` ensures workers do not get unnecessarily killed](0192-min-capacity-ensures-workers-do-not-get-unnecessarily-killed.md)                                             |