Fixes #4421: General solution to stop blocking queries with index 0 #4437
Conversation
agent/cache-types/connect_ca_leaf.go
Outdated
| @@ -108,7 +108,8 @@ func (c *ConnectCALeaf) Fetch(opts cache.FetchOptions, req cache.Request) (cache | |||
| return result, errors.New("invalid RootCA response type") | |||
| } | |||
| if roots.TrustDomain == "" { | |||
| return result, errors.New("cluster has no CA bootstrapped") | |||
| return result, errors.New("cluster has no CA bootstrapped: ensure Connect" + | |||
| " is enabled in server config") | |||
There was a problem hiding this comment.
This is my attempt to make it more obvious to users what the cause is (likely) to be. We can't be more explicit since it's possible to hit this just due to timing before the CA bootstrap happens, especially in dev setups where CA bootstrap happens on every server restart and proxies might already be hitting the APIs before it does.
| func (c *Cache) entryKey(r *RequestInfo) string { | ||
| return fmt.Sprintf("%s/%s/%s", r.Datacenter, r.Token, r.Key) | ||
| func (c *Cache) entryKey(t string, r *RequestInfo) string { | ||
| return fmt.Sprintf("%s/%s/%s/%s", t, r.Datacenter, r.Token, r.Key) |
There was a problem hiding this comment.
This is the fix for another hypothetical bug I found along the way. It was well discussed with Mitchell on Slack and the test case below highlights why it might be needed one day but can be ignored for purposes of reviewing the blockingQuery fix.
There was a problem hiding this comment.
Total nitpick but should the type be the prefix here? We don't do any cache key searching or lookups or anything fancy but least specificity => most usually has benefits. Super hypothetical but feels better.
There was a problem hiding this comment.
Hmm the type is the prefix here. It seemed to me that type is the most coarse grained partitioning we'd want (cache results from different operation types are entirely separate data sets whereas split by DC or token or key are finer grained.
So I'd agree with your high level point but either I'm not understanding why you think the cache type is less specific than the other elements, or there is confusion caused by the diff rendering highlighting the last /%s when really the new t value is being added as the first segment.
There was a problem hiding this comment.
Oh right, the git diff just threw me off. Hah! Ignore me.
agent/cache/cache_test.go
Outdated
| @@ -750,7 +798,8 @@ func TestCacheGet_partitionToken(t *testing.T) { | |||
| // testPartitionType implements Type for testing that simply returns a value | |||
| // comprised of the request DC and ACL token, used for testing cache | |||
| // partitioning. | |||
| type testPartitionType struct{} | |||
| type testPartitionType struct { | |||
| } | |||
There was a problem hiding this comment.
Huh I though go fmt would clean that up but it didn't..
| @@ -108,7 +108,7 @@ func (c *ConnectCALeaf) Fetch(opts cache.FetchOptions, req cache.Request) (cache | |||
| return result, errors.New("invalid RootCA response type") | |||
| } | |||
| if roots.TrustDomain == "" { | |||
| return result, errors.New("cluster has no CA bootstrapped") | |||
| return result, errors.New("cluster has no CA bootstrapped yet") | |||
There was a problem hiding this comment.
This used to cover both the case where Connect was enabled but the request raced with initial CA bootstrap and the case where Connect is not enabled at all. Now I've added an explucit error for not-enabled that is more descriptive, the only way (tm) this can be hit is during a race so I think adding "yet" helps to hint that the request was just a bit early and not that anything is misconfigured.
|
Last change broke a few explicit tests expecting the empty CA when connect is disabled behaviour. I'm fixing them as I can't think of a useful reason for that as mentioned. |
| func (c *Cache) entryKey(r *RequestInfo) string { | ||
| return fmt.Sprintf("%s/%s/%s", r.Datacenter, r.Token, r.Key) | ||
| func (c *Cache) entryKey(t string, r *RequestInfo) string { | ||
| return fmt.Sprintf("%s/%s/%s/%s", t, r.Datacenter, r.Token, r.Key) |
There was a problem hiding this comment.
Total nitpick but should the type be the prefix here? We don't do any cache key searching or lookups or anything fancy but least specificity => most usually has benefits. Super hypothetical but feels better.
| // Exit early if Connect hasn't been enabled. | ||
| if !s.srv.config.ConnectEnabled { | ||
| return ErrConnectNotEnabled | ||
| } |
There was a problem hiding this comment.
This seems important enough that it should have a unit test, also easy to test.
There was a problem hiding this comment.
It does - they are all the ones that are broken right now as they asserted the old behaviour! Will be fixed soon.
There was a problem hiding this comment.
Interesting side effect of the incoming commit to convert all the Empty response tests into expecting errors - there is no easy way to test that empty response any more.
It's still legit during a race to bootstrap the cluster but we relied on just disabling connect not erroring as a side effect to provoke that case before.
I think it's OK and I'd rather not spend a lot of effort figuring out how to construct a mechanism to have connect enabled but to arbitrarily delay the actual bootstrapping just so we can get an empty response, esp. since we know it works now from before this PR. Feels odd that that expected mode isn't covered by a test any more though...
There was a problem hiding this comment.
I ran into this same thing and couldn't come up with a good test without making it really fragile, I think that's okay (to avoid it, not to make it fragile).
|
@mitchellh The test are committed and pass locally - travis is having a lot of trouble with this and seems to be failing on different transient issue despite me hitting retry a few times. They all pass locally though. |
…ith same result type
…return zero index
… not enabled when they try to request cert
banks
force-pushed
the
connect-disabled-cpu-burn
branch
from
09d6f33 to
31c0855
Compare
When developing Connect we hit a few edge cases where blocking queries would return
X-Consul-Indexof0along with a blank request.The root cause is that some of our state functions (for example fetching the CARoots) have no state to load at all in some cases and so have no index value to read and end up returning
meta.Index = 0.In general our blocking query code assumes that no well-behaved blocking query ever has this behaviour and in some places where it's possible (e.g. KV fetches for non-existent keys) we have code to explicitly account for it. Some places account ofr it as above in the RPC endpoint code, some account for it in the actual state store transactions, but many still don't and rely on semantics or just plain unlikeliness of a given situation to never hit it.
During Connect we discussed the idea of fixing this once and for all within the
Server.blockingQueryhelper that all blocking queries use - we hypothesised this fix and were relatively sure it couldn't cause any damage as it's a fundamental assumption of the blocking query system and the only change in behaviour seems to be that it will prevent a tight busy loop that eats 100% CPU. But ultimately we didn't want to take the risk of adding the more general change that would affect non-connect endpoints.Our solution which we thought covered all Connect APIs was to add the logic of using at least
1as the index in the agent's cache fetcher for connect data.However #4421 is a subtle edge case we missed even in connect endpoints.
The cause there is that the CA RPC response returns an empty result with
0index, and the client dutifully upgrades that index to1for the next request. But the subsequent blocking request still has a 0 index returned fromstate.CARootsbecuas there is still no CA config with connect disabled. TheblockingQueryhelper here used to check the returned meta was at least one before blocking as a proxy for "should blocking be enabled" so it never blocked in this case and caused the client agent to consume 100% CPU again.General fix.
The actual fix here is just to switch the zero check from
queryMeta.Index > 0(the value returned from the state method) toqueryOpts.MinQueryIndex > 0. As far as I understand this is a better semantic since we already explicitly checked for nilerrfrom the method.My rationale is:
Tests
This is actually pretty easy to test and I think the tests added are sufficient. I was expecting to violate a bunch of other tests in the repo that expected zero indexes just because that's what they used to get but all tests pass locally - including all the
watchpackage and all blocking-related stuff!UX Error message
The original poster of #4421 didn't find the message about 'CA is not bootstrapped' to be clear enough. By adding an explicit enabled check for
CARootsRPC the message is much improved:@mitchellh @kyhavlov the Roots RPC was the only one that didn't have this check already. I wonder if it was intentional for some reason - a few tests used the fact to force empty results but with no rationale why that behaviour was desirable. I can't think of a good reason though to return an empty set of roots as if it is a valid request when connect is explicitly disabled? Returning empty if CA is not bootstrapped yet is important for races during bootstrap esp. in dev mode but if it's disabled it seems more helpful to be explicit about that?