Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

settings: assert that SystemOnly settings are not accessed in virtual clusters #110676

Merged
merged 2 commits into from
Sep 20, 2023

Conversation

knz
Copy link
Contributor

@knz knz commented Sep 14, 2023

Fixes #91825.
Epic: CRDB-6671
First commit from #110947

TLDR: tests will now fail (with a panic) if code running in virtual clusters mistakenly attempts to access a SystemOnly cluster setting.


Prior to this patch, it was possible for code (e.g. in SQL) running inside a virtual cluster to access a SystemOnly setting. This resulted in silently incorrect behavior: the default value of the setting would be observed always, without any relationship to values explicitly set in the storage layer.

When the setting mechanisms for virtual clusters had been implemented orignally, this concern was known. We even had implemented a mechanism on settings.Values (SetNonSystemTenant()) by which we could cause further .Get() calls to fail with an error in tests if accessing a SystemOnly setting from a virtual cluster.

Sadly, this mechanism was never hooked up anywhere.

This patch closes that loop by annotating the settings.Values properly during server initialization.

Since the property is stored inside the settings.Values, this means it is not any more possible to share a single settings.Values instance (nor cluster.Settings) between the system tenant and a secondary tenant.


The following bugs were fixed as a result of this change:

  • certain settings didn't have the right class, including:

    • kv.bulk_io_write.concurrent_export_requests
    • kv.closed_timestamp.follower_reads.enabled
    • kv.range_split.by_load_merge_delay
    • kv.rangefeed.enabled
    • sql.hash_sharded_range_pre_split.max
    • storage.max_sync_duration.fatal.enabled
    • storage.value_blocks.enabled
    • ui.display_timezone
    • kv.bulk_sst.target_size
  • the API endpoint that lists cluster settings was incorrectly
    trying to retrieve SystemOnly settings when accessed
    from a virtual cluster.

@knz knz requested review from dt, stevendanna and a team September 14, 2023 20:23
@knz knz requested review from a team as code owners September 14, 2023 20:23
@knz knz requested review from ericharmeling and removed request for a team September 14, 2023 20:23
@cockroach-teamcity
Copy link
Member

cockroach-teamcity commented Sep 14, 2023

This change is Reviewable

@knz

This comment was marked as outdated.

@knz knz force-pushed the 20230914-setting-overrides branch from 307eb32 to 0c5795f Compare September 14, 2023 21:29
@knz knz requested review from a team as code owners September 14, 2023 21:29
@knz knz requested a review from bananabrick September 14, 2023 21:29
@knz knz force-pushed the 20230914-setting-overrides branch 3 times, most recently from 2f147a1 to 7d42052 Compare September 15, 2023 15:42
@knz knz requested a review from a team as a code owner September 15, 2023 15:42
@knz knz requested review from a team September 15, 2023 15:42
@knz knz requested a review from a team as a code owner September 15, 2023 15:42
@knz knz requested review from a team, msirek, rachitgsrivastava and DarrylWong and removed request for a team September 15, 2023 15:42
@knz knz force-pushed the 20230914-setting-overrides branch from 7d42052 to 6466508 Compare September 15, 2023 16:37
The previous patch in this area was merely restarting the rangefeed
but did not actually wait for the initial update event to be received.

This patch fixes it.

Release note: None
@knz knz force-pushed the 20230914-setting-overrides branch 2 times, most recently from 50b16df to 6733ad7 Compare September 20, 2023 04:05
Copy link
Contributor Author

@knz knz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @dt, @stevendanna, and @yuzefovich)


pkg/server/testserver.go line 600 at r10 (raw file):

Or perhaps do that only when / if such need arises?

I like that better too.


pkg/settings/values.go line 251 at r10 (raw file):

Previously, knz (Raphael 'kena' Poss) wrote…

We just discussed this - we need this to propagate.
Alas the other work in #110758 is only going to work with persisted changes (they will be picked up by rangefed). So we need a propagate here for the .Override changes.

Done.

@knz knz requested a review from yuzefovich September 20, 2023 04:05
Copy link
Member

@yuzefovich yuzefovich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last commit :lgtm:

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @dt, @knz, and @stevendanna)


pkg/settings/values.go line 251 at r10 (raw file):

Previously, knz (Raphael 'kena' Poss) wrote…

Done.

nit: update the comment too to mention RO.


pkg/storage/pebble.go line 83 at r14 (raw file):

// MaxSyncDuration fatal the Cockroach process. Defaults to true.
var MaxSyncDurationFatalOnExceeded = settings.RegisterBoolSetting(
	settings.TenantWritable, // used for temp storage in virtual cluster servers.

nit: usually for inline comments like this we start without a capital and do not have a period in the end.

@knz knz force-pushed the 20230914-setting-overrides branch from 6733ad7 to 4d86291 Compare September 20, 2023 14:35
Copy link
Contributor Author

@knz knz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @dt, @stevendanna, and @yuzefovich)


pkg/settings/values.go line 251 at r10 (raw file):

Previously, yuzefovich (Yahor Yuzefovich) wrote…

nit: update the comment too to mention RO.

Done.


pkg/storage/pebble.go line 83 at r14 (raw file):

Previously, yuzefovich (Yahor Yuzefovich) wrote…

nit: usually for inline comments like this we start without a capital and do not have a period in the end.

Fixed.

@knz
Copy link
Contributor Author

knz commented Sep 20, 2023

bors r=yuzefovich

@yuzefovich
Copy link
Member

Second commit should be removed, right?

bors r-

@craig
Copy link
Contributor

craig bot commented Sep 20, 2023

Canceled.

… clusters

TLDR: tests will now fail (with a panic) if code running in virtual
clusters mistakenly attempts to access a SystemOnly cluster setting.

----

Prior to this patch, it was possible for code (e.g. in SQL) running
inside a virtual cluster to access a `SystemOnly` setting. This
resulted in silently incorrect behavior: the default value of the
setting would be observed always, without any relationship to values
explicitly set in the storage layer.

When the setting mechanisms for virtual clusters had been implemented
orignally, this concern was known. We even had implemented a mechanism
on `settings.Values` (`SetNonSystemTenant()`) by which we could cause
further `.Get()` calls to fail with an error in tests if accessing a
`SystemOnly` setting from a virtual cluster.

Sadly, this mechanism was never hooked up anywhere.

This patch closes that loop by annotating the `settings.Values`
properly during server initialization.

Since the property is stored inside the `settings.Values`, this means
it is not any more possible to share a single `settings.Values`
instance (nor `cluster.Settings`) between the system tenant and a
secondary tenant.

As a convenience, this patch also propagates TenantReadOnly and
TenantWritable overrides from the system tenant to the secondary
tenant used in TestServer.

----

The following bugs were fixed as a result of this change:

- certain settings didn't have the right class, including:

  - kv.bulk_io_write.concurrent_export_requests
  - kv.closed_timestamp.follower_reads.enabled
  - kv.range_split.by_load_merge_delay
  - kv.rangefeed.enabled
  - sql.hash_sharded_range_pre_split.max
  - storage.max_sync_duration.fatal.enabled
  - storage.value_blocks.enabled
  - ui.display_timezone
  - kv.bulk_sst.target_size

- the API endpoint that lists cluster settings was incorrectly
  trying to retrieve SystemOnly settings when accessed
  from a virtual cluster.

Release note (sql change): It is not possible any more to control
access to the RANGEFEED SQL syntax by modifying the cluster setting
`kv.rangefeed.enabled`. Instead use `feature.changefeed.enabled`.
@knz knz force-pushed the 20230914-setting-overrides branch from 4d86291 to 334d887 Compare September 20, 2023 14:49
@knz
Copy link
Contributor Author

knz commented Sep 20, 2023

Second commit should be removed, right?

🤦

Done

bors r=yuzefovich

@craig
Copy link
Contributor

craig bot commented Sep 20, 2023

Build succeeded:

@craig craig bot merged commit 378b181 into cockroachdb:master Sep 20, 2023
@knz knz deleted the 20230914-setting-overrides branch September 20, 2023 17:00
craig bot pushed a commit that referenced this pull request Sep 26, 2023
111150: settings: make `.Override` set the value origin  r=yuzefovich,stevendanna a=knz

Previous in sequence:
- [x] #110789 and #110947 
- [x] #110676
- [x] #111008
- [x] #111145
- [x] #111147
- [x]  #111149

Needed for #110758
Epic: CRDB-6671


Prior to this patch, setting overrides in tests did not have their
value origin set properly. This patch fixes it.



Co-authored-by: Raphael 'kena' Poss <[email protected]>
craig bot pushed a commit that referenced this pull request Sep 26, 2023
111153: settings: simple refactors r=yuzefovich,stevendanna a=knz

See the last 7 commits for details.

Previous in sequence:
- [x] #110789 and #110947 
- [x] #110676
- [x] #111008
- [x] #111145
- [x] #111147
- [x]  #111149
- [x] #111150

Needed for #110758
Epic: CRDB-6671

Co-authored-by: Raphael 'kena' Poss <[email protected]>
craig bot pushed a commit that referenced this pull request Sep 29, 2023
110758: server,settings: properly cascade defaults for TenantReadOnly r=stevendanna,yuzefovich a=knz

Previous in sequence:
- [x] #110789 and #110947 
- [x] #110676
- [x] #111008
- [x] #111145
- [x] #111147
- [x]  #111149
- [x] #111150
- [x] #111153
- [x] #111475
- [x] #111210
- [x] #111212

Fixes #108677.
Fixes #85729.
Fixes #91825.
Completes the work described in the settings RFC.
Epic: CRDB-6671

TLDR: this patch ensures that virtual cluster servers observe changes
made to TenantReadOnly settings via SET CLUSTER SETTING in the system
interface, even when there is no override set via ALTER VIRTUAL
CLUSTER SET CLUSTER SETTING.

For example, after `SET CLUSTER SETTING
kv.closed_timestamp.target_duration = '10s'` in the system interface,
this value will show up via `SHOW CLUSTER SETTING` in a virtual
cluster SQL session.

This changes the way that settings are picked up in virtual cluster,
as follows:

1. if there is an override specifically for this tenant's ID
   (in `tenant_settings`), use that.
2. otherwise, if there is an override for the pseudo-ID 0
   (in `tenant_settings` still, set via `ALTER TENANT ALL SET CLUSTER
   SETTING`), then use that.
3. **NEW**  otherwise, if the class is TenantReadOnly and there
   is a custom value in `system.settings`, set via a regular
   `SET CLUSTER SETTING` in the system tenant, then use that.
4. otherwise, use the global default set via the setting's
   `Register()` call.

----

Prior to this patch, TenantReadOnly settings as observed from virtual
clusters were defined as the following priority order:

1. if there is an override specifically for this tenant's ID
   (in `tenant_settings`), use that.
2. otherwise, if there is an override for the pseudo-ID 0
   (in `tenant_settings` still, set via `ALTER TENANT ALL SET CLUSTER
   SETTING`), then use that.
3. otherwise, use the global default set via the setting's
   `Register()` call.

Remarkably, this did not pick up any changes made via a plain `SET
CLUSTER SETTING` statement via the system interface, which only
modifies this setting's value in `system.settings` (thus not
`tenant_settings`).

This situation was problematic in two ways.

To start, settings like `kv.closed_timestamp.target_duration` cannot
be set solely in `system.tenant_settings`; they are also used in the
storage layer and so must also be picked up from changes in
`system.settings`.

For these settings, it is common for operators to just issue the plain
`SET CLUSTER SETTING` statement (to update `system.settings`) and
simply forget to _also_ run `ALTER TENANT ALL SET CLUSTER SETTING`.

This mistake is nearly unavoidable and would result in incoherent
behavior, where the storage layer would use the customized value
and virtual clusters would use the registered global default.

The second problem is in mixed-version configurations, where
the storage layer runs version N+1 and the SQL service runs version N
of the executable. If the registered global default changes from
version N to N+1, the SQL service would not properly pick up
the new default defined in version N+1 of the storage layer.

This patch fixes both problems as follows:

- it integrates changes to TenantReadOnly settings observed
  in `system.settings`, to the watcher that tracks changes
  to `system.tenant_settings`. When a TenantReadOnly setting
  is present in the former but not the latter, a synthetic
  override is added.

- it also initializes synthetic overrides for all the
  TenantReadOnly settings upon server initialization,
  from the registered global default, so that virtual
  cluster servers always pick up the storage layer's
  default as override.


111383: *: simplify tests r=yuzefovich a=knz

All commits except the last are from #110758.
Epic: CRDB-6671

Now that "tenant-ro" settings take their default from the system tenant's value, we do not need `ALTER TENANT ALL` for them any more.

This patch simplifies test code accordingly.

Rcommended by `@yuzefovich` in the review for #110758. 

111440: cluster-ui: fix db page stories r=THardy98 a=THardy98

Epic: none

This change fixes the stories for the database pages.

Release note: None

111512: kv: correctly handle shared lock replays in KVNemesis r=nvanbenschoten a=arulajmani

Previously, we'd return an AssertionFailed error if a SKIP LOCKED request discovered another request from its own transaction waiting in a lock's wait queue. In SQL's use of KV, this can only happen if the SKIP LOCKED request is being replayed -- so returning an error here is fine. However, this tripped KVNemesis up.

This patch marks such errors, for the benefit of KVNemesis, and doesn't call them assertion failed errors.

Fixes #111426
Fixes #111506
Fixes #111513

Release note: None

Co-authored-by: Raphael 'kena' Poss <[email protected]>
Co-authored-by: Thomas Hardy <[email protected]>
Co-authored-by: Arul Ajmani <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

*: reads of SystemOnly settings from tenant process
4 participants