feat(cli) disable automatic migrations

[subnetmarco]

⚠️ This is a breaking change in how Kong is being started with an empty database, or with missing migrations.

There are two steps to improve the current migrations:

1. Update the current strategy so that migrations are always non-breaking.
2. Even if (1) is being implemented, still making sure that migrations are not magically executed when starting Kong since things can always go wrong.

This PR is only trying to fix the (2) second point, by disabling automatic database migrations on kong start or kong restart, unless it's the first time Kong runs and in that case Kong will execute the migrations to initialize the empty database/keyspace.

Migrations now need to be explicitly executed with kong migrations up. The old behavior can be still replicated by adding --run-migrations on kong (re)start.

If --run-migrations is missing, this PR also checks that Kong can effectively run with the existing migrations or not.

Full changelog

• Disable automatic database migrations on kong start or kong restart.
• Added the optional --run-migrations flag on kong start and kong restart.

Issues resolved

Fix #1692.

TODO

Update website and documentation.

[subnetmarco]

@akasetty

[p0pr0ck5]

Thoughts on inverting this logic, and providing a flag to not run migrations automatically? That makes the change less drastic, and doesn't require simpler/new users to take an extra step to keep up to date, while still allowing user with complex deployment/data store environments an avenue to avoid problems.

[subnetmarco]

Thoughts on inverting this logic

I disagree - once there is a migration because of a major version update, the upgrade process needs to be explicit and not manual. Then once it's migrated, you will never have to worry about this again because Kong will start normally. We want that extra step.

[p0pr0ck5]

There is a consistently failing test, not sure how its related, perhaps it just needs adjustment.

[brockmiller]

This change LGTM -- thanks for adding this safety check 👍

[subnetmarco]

Tests now passing.

[bungle]

The are_migrations_uptodate will log a message with warn level. Still it seems like here it is a fatal. I would probably move that log statement out of that are_migrations_uptodate and do the logging where it has a context (e.g. here).

If we want this to prevent Kong from starting, it should be logged with possibly > ngx.ERR?

[bungle]

Also do we want this to be a fatal thing? Or should we just start the Kong and wait for the results of what happened to fan.

[subnetmarco]

It is indeed fatal, since the assert will fail and return the error. The error is that migrations are not up to date, the warn just tells which migration is missing (it's a more verbose information). I could log it as verbose or error.

[bungle]

Ok, thanks for explanation. I don't think anything needs to be changed for now.

[Tieske]

Instead of throwing the error, I think it would be nice if it would retry for a specified timeout (default 60 seconds?). That would allow orchestration tools to run a single kong migrations up and then schedule Kong containers/nodes using kong start. The containers will then wait before actually starting until migrations are complete, instead of failing.

whups, didnt mean to approve this, just cancel my requested changes since it was fixed

[mgiorgio]

Something it'd be great to clarify, especially for new users, is when migrations are supposed to be executed. As far as I understand, Kong starts with an empty schema, creates it and then runs migrations. That sounds a little counterintuitive to me because when you think about "migrating" something, that is typically related to updating to the next major version, not installing.

I agree with @thefosk that running migrations must be explicit when upgrading but I don't think that should be the case when installing Kong from scratch. I think those are two different test cases that should be treated differently from a user perspective.

[mgiorgio]

I will share our case to see if it matches anyone else's case. The way we deploy stuff is by creating recipes of what has to be deployed. As a result, deciding whether migrations must be run or not based on a parameter doesn't really work because we need to create one recipe for running migrations, wait until migrations are finished, then create the permanent recipe (without the migrations).
Something you folks could implement to solve this issue is by choosing if migrations must be run by checking for the existence of an arbitrary file. That way, I could normally deploy Kong (even run many nodes!), then go to one of my nodes, create the magic run-migrations file, restart that node (or all nodes, it doesn't really matter), then Kong on start-up will check for that file. Because the file is present, Kong will run migrations and then will delete the file. Consequently, next time Kong is restarted, the file won't be there and Kong won't attempt to run migrations again.

[Tieske]

Here the error message should probably contain a better user instruction telling them to start kong with the --run-migrations option (on one node only)

[Tieske]

runs ==> run

[Tieske]

Instead of throwing the error, I think it would be nice if it would retry for a specified timeout (default 60 seconds?). That would allow orchestration tools to run a single kong migrations up and then schedule Kong containers/nodes using kong start. The containers will then wait before actually starting until migrations are complete, instead of failing.

[subnetmarco]

@mgiorgio I understand your point, but either we execute migrations by default, or we disable them by default, but we shouldn't create edge-cases so that "they are always disabled, but.."

The first time you start Kong, you would run it with --run-migrations (because the schema would be empty) and if you forget to do so the error message could be more explanatory if it detects that this is the first migration, ie:

Kong cannot find the appropriate database schema - if this is the first you are running Kong then start it with the --run-migrations flag

or, another way would be to fix the semantics of the command and call the flag --run-db-updates, which assumes Kong will trigger the migrations on the first installation (because there's nothing to update, since it's the first installation), but it will not automatically update the database schema if they have already been initialized before.

[mgiorgio]

@thefosk, thanks for your answer. While it's arguable whether mine is an edge-case or not, I see the value on implementing this solution. The concern I still have is that relying on manual intervention for installing and upgrading Kong, will prevent developers from fully automating their deployments.
Is there any plan for going towards a fully automated solution for deployments?
Btw, +1 to --run-db-updates over --run-migrations.

[subnetmarco]

I have updated the PR:

1. On the first execution of Kong, when the database/keyspace is empty, Kong will automatically execute the migrations (with or without --run-migrations).
2. If the database is not empty, and new migrations need to be executed, Kong will not execute them until --run-migrations is being specified.

[subnetmarco]

Regarding this item:

drop auto-migrations on an empty database, as two nodes starting simultaneously will still create conflicts

IMHO it will make a first installation of Kong harder on an empty schema. I agree that multiple nodes could still create conflicts, but since it's a first run those conflicts will basically have no side effect and no data will be involved. At the same time it creates an "exception" in how we are handling migrations, so there's that.

Thoughts?

[Tieske]

@marco No more thoughts, we had a lengthy debate, and came to this consensus: remove the magic and add a very explicit/instructive error message.

(even the error message got a lengthy debate)

I fixed the first 2 items on the list, I'll add the schema consistency check tomorrow, then it will be up for review and merge.

outdated