-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
settings: assert that SystemOnly settings are not accessed in virtual clusters #110676
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
307eb32
to
0c5795f
Compare
2f147a1
to
7d42052
Compare
7d42052
to
6466508
Compare
The previous patch in this area was merely restarting the rangefeed but did not actually wait for the initial update event to be received. This patch fixes it. Release note: None
50b16df
to
6733ad7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @dt, @stevendanna, and @yuzefovich)
pkg/server/testserver.go
line 600 at r10 (raw file):
Or perhaps do that only when / if such need arises?
I like that better too.
pkg/settings/values.go
line 251 at r10 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
We just discussed this - we need this to propagate.
Alas the other work in #110758 is only going to work with persisted changes (they will be picked up by rangefed). So we need a propagate here for the .Override changes.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @dt, @knz, and @stevendanna)
pkg/settings/values.go
line 251 at r10 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
Done.
nit: update the comment too to mention RO.
pkg/storage/pebble.go
line 83 at r14 (raw file):
// MaxSyncDuration fatal the Cockroach process. Defaults to true. var MaxSyncDurationFatalOnExceeded = settings.RegisterBoolSetting( settings.TenantWritable, // used for temp storage in virtual cluster servers.
nit: usually for inline comments like this we start without a capital and do not have a period in the end.
6733ad7
to
4d86291
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @dt, @stevendanna, and @yuzefovich)
pkg/settings/values.go
line 251 at r10 (raw file):
Previously, yuzefovich (Yahor Yuzefovich) wrote…
nit: update the comment too to mention RO.
Done.
pkg/storage/pebble.go
line 83 at r14 (raw file):
Previously, yuzefovich (Yahor Yuzefovich) wrote…
nit: usually for inline comments like this we start without a capital and do not have a period in the end.
Fixed.
bors r=yuzefovich |
Second commit should be removed, right? bors r- |
Canceled. |
… clusters TLDR: tests will now fail (with a panic) if code running in virtual clusters mistakenly attempts to access a SystemOnly cluster setting. ---- Prior to this patch, it was possible for code (e.g. in SQL) running inside a virtual cluster to access a `SystemOnly` setting. This resulted in silently incorrect behavior: the default value of the setting would be observed always, without any relationship to values explicitly set in the storage layer. When the setting mechanisms for virtual clusters had been implemented orignally, this concern was known. We even had implemented a mechanism on `settings.Values` (`SetNonSystemTenant()`) by which we could cause further `.Get()` calls to fail with an error in tests if accessing a `SystemOnly` setting from a virtual cluster. Sadly, this mechanism was never hooked up anywhere. This patch closes that loop by annotating the `settings.Values` properly during server initialization. Since the property is stored inside the `settings.Values`, this means it is not any more possible to share a single `settings.Values` instance (nor `cluster.Settings`) between the system tenant and a secondary tenant. As a convenience, this patch also propagates TenantReadOnly and TenantWritable overrides from the system tenant to the secondary tenant used in TestServer. ---- The following bugs were fixed as a result of this change: - certain settings didn't have the right class, including: - kv.bulk_io_write.concurrent_export_requests - kv.closed_timestamp.follower_reads.enabled - kv.range_split.by_load_merge_delay - kv.rangefeed.enabled - sql.hash_sharded_range_pre_split.max - storage.max_sync_duration.fatal.enabled - storage.value_blocks.enabled - ui.display_timezone - kv.bulk_sst.target_size - the API endpoint that lists cluster settings was incorrectly trying to retrieve SystemOnly settings when accessed from a virtual cluster. Release note (sql change): It is not possible any more to control access to the RANGEFEED SQL syntax by modifying the cluster setting `kv.rangefeed.enabled`. Instead use `feature.changefeed.enabled`.
4d86291
to
334d887
Compare
🤦 Done bors r=yuzefovich |
Build succeeded: |
111150: settings: make `.Override` set the value origin r=yuzefovich,stevendanna a=knz Previous in sequence: - [x] #110789 and #110947 - [x] #110676 - [x] #111008 - [x] #111145 - [x] #111147 - [x] #111149 Needed for #110758 Epic: CRDB-6671 Prior to this patch, setting overrides in tests did not have their value origin set properly. This patch fixes it. Co-authored-by: Raphael 'kena' Poss <[email protected]>
111153: settings: simple refactors r=yuzefovich,stevendanna a=knz See the last 7 commits for details. Previous in sequence: - [x] #110789 and #110947 - [x] #110676 - [x] #111008 - [x] #111145 - [x] #111147 - [x] #111149 - [x] #111150 Needed for #110758 Epic: CRDB-6671 Co-authored-by: Raphael 'kena' Poss <[email protected]>
110758: server,settings: properly cascade defaults for TenantReadOnly r=stevendanna,yuzefovich a=knz Previous in sequence: - [x] #110789 and #110947 - [x] #110676 - [x] #111008 - [x] #111145 - [x] #111147 - [x] #111149 - [x] #111150 - [x] #111153 - [x] #111475 - [x] #111210 - [x] #111212 Fixes #108677. Fixes #85729. Fixes #91825. Completes the work described in the settings RFC. Epic: CRDB-6671 TLDR: this patch ensures that virtual cluster servers observe changes made to TenantReadOnly settings via SET CLUSTER SETTING in the system interface, even when there is no override set via ALTER VIRTUAL CLUSTER SET CLUSTER SETTING. For example, after `SET CLUSTER SETTING kv.closed_timestamp.target_duration = '10s'` in the system interface, this value will show up via `SHOW CLUSTER SETTING` in a virtual cluster SQL session. This changes the way that settings are picked up in virtual cluster, as follows: 1. if there is an override specifically for this tenant's ID (in `tenant_settings`), use that. 2. otherwise, if there is an override for the pseudo-ID 0 (in `tenant_settings` still, set via `ALTER TENANT ALL SET CLUSTER SETTING`), then use that. 3. **NEW** otherwise, if the class is TenantReadOnly and there is a custom value in `system.settings`, set via a regular `SET CLUSTER SETTING` in the system tenant, then use that. 4. otherwise, use the global default set via the setting's `Register()` call. ---- Prior to this patch, TenantReadOnly settings as observed from virtual clusters were defined as the following priority order: 1. if there is an override specifically for this tenant's ID (in `tenant_settings`), use that. 2. otherwise, if there is an override for the pseudo-ID 0 (in `tenant_settings` still, set via `ALTER TENANT ALL SET CLUSTER SETTING`), then use that. 3. otherwise, use the global default set via the setting's `Register()` call. Remarkably, this did not pick up any changes made via a plain `SET CLUSTER SETTING` statement via the system interface, which only modifies this setting's value in `system.settings` (thus not `tenant_settings`). This situation was problematic in two ways. To start, settings like `kv.closed_timestamp.target_duration` cannot be set solely in `system.tenant_settings`; they are also used in the storage layer and so must also be picked up from changes in `system.settings`. For these settings, it is common for operators to just issue the plain `SET CLUSTER SETTING` statement (to update `system.settings`) and simply forget to _also_ run `ALTER TENANT ALL SET CLUSTER SETTING`. This mistake is nearly unavoidable and would result in incoherent behavior, where the storage layer would use the customized value and virtual clusters would use the registered global default. The second problem is in mixed-version configurations, where the storage layer runs version N+1 and the SQL service runs version N of the executable. If the registered global default changes from version N to N+1, the SQL service would not properly pick up the new default defined in version N+1 of the storage layer. This patch fixes both problems as follows: - it integrates changes to TenantReadOnly settings observed in `system.settings`, to the watcher that tracks changes to `system.tenant_settings`. When a TenantReadOnly setting is present in the former but not the latter, a synthetic override is added. - it also initializes synthetic overrides for all the TenantReadOnly settings upon server initialization, from the registered global default, so that virtual cluster servers always pick up the storage layer's default as override. 111383: *: simplify tests r=yuzefovich a=knz All commits except the last are from #110758. Epic: CRDB-6671 Now that "tenant-ro" settings take their default from the system tenant's value, we do not need `ALTER TENANT ALL` for them any more. This patch simplifies test code accordingly. Rcommended by `@yuzefovich` in the review for #110758. 111440: cluster-ui: fix db page stories r=THardy98 a=THardy98 Epic: none This change fixes the stories for the database pages. Release note: None 111512: kv: correctly handle shared lock replays in KVNemesis r=nvanbenschoten a=arulajmani Previously, we'd return an AssertionFailed error if a SKIP LOCKED request discovered another request from its own transaction waiting in a lock's wait queue. In SQL's use of KV, this can only happen if the SKIP LOCKED request is being replayed -- so returning an error here is fine. However, this tripped KVNemesis up. This patch marks such errors, for the benefit of KVNemesis, and doesn't call them assertion failed errors. Fixes #111426 Fixes #111506 Fixes #111513 Release note: None Co-authored-by: Raphael 'kena' Poss <[email protected]> Co-authored-by: Thomas Hardy <[email protected]> Co-authored-by: Arul Ajmani <[email protected]>
Fixes #91825.
Epic: CRDB-6671
First commit from #110947
TLDR: tests will now fail (with a panic) if code running in virtual clusters mistakenly attempts to access a SystemOnly cluster setting.
Prior to this patch, it was possible for code (e.g. in SQL) running inside a virtual cluster to access a
SystemOnly
setting. This resulted in silently incorrect behavior: the default value of the setting would be observed always, without any relationship to values explicitly set in the storage layer.When the setting mechanisms for virtual clusters had been implemented orignally, this concern was known. We even had implemented a mechanism on
settings.Values
(SetNonSystemTenant()
) by which we could cause further.Get()
calls to fail with an error in tests if accessing aSystemOnly
setting from a virtual cluster.Sadly, this mechanism was never hooked up anywhere.
This patch closes that loop by annotating the
settings.Values
properly during server initialization.Since the property is stored inside the
settings.Values
, this means it is not any more possible to share a singlesettings.Values
instance (norcluster.Settings
) between the system tenant and a secondary tenant.The following bugs were fixed as a result of this change:
certain settings didn't have the right class, including:
the API endpoint that lists cluster settings was incorrectly
trying to retrieve SystemOnly settings when accessed
from a virtual cluster.