libroach: add basic file encryption stats.

[mberhault]

Count the number of files and bytes reported by rocksdb.
Return totals for all files and for files using the active data key.

This is meant to be a rough indication of encryption progress when
changing key. Per-key ID stats will likely be necessary.

There is no synchronization between rocksdb and the file registry so
numbers may be off (eg: files deleted between calls). The active key may
also differ from the one contained in the encryption_status field.

Release note (general change): add encryption progress to stores debug page

[cockroach-teamcity]

This change is 

[mberhault]

I still want to add a test that creates a full DB, checks the stats against the filesystem, restarts with different encryption settings, and checks again.

[mberhault]

I forgot to rename this one with the rest.

[mberhault]

not sure how I ended up doing that.

[mberhault]

Added a test that starts in plaintext, forces a compaction (to have a SST that remains in plaintext), re-opens with AES, and checks that the number of files using the active key is somewhere in [1, total-files).

[bdarnell]

Reviewed 16 of 17 files at r1, 3 of 3 files at r2, 4 of 4 files at r3.
Review status: complete! 0 of 0 LGTMs obtained

---

c-deps/libroach/engine.cc, line 214 at r3 (raw file):

  if (env_mgr->env_stats_handler == nullptr || env_mgr->file_registry == nullptr) {
    // We can't compute these if we don't have a file registry or stats handler.
    // This happens in OSS mode or when encryption has not been turned on.

Why isn't this code on the CCL side if it's never run in a pure-OSS build?

OTOH, the "total" stats at least seem like they could be computed in an OSS build.

---

c-deps/libroach/engine.cc, line 233 at r3 (raw file):

  // Only files accounted for by rocksdb are included. This will ignore files multiple types
  // of files:
  // - files that are no longer live (eg: older OPTIONS files, files pending deletion)

If you're rotating keys because of a breach, the relevant concern is not when all the live data is using the new key, but when the last file that was using the old key has been deleted (you may also want some sort of overwriting deletion). I don't know if we should worry about that here, though.

---

c-deps/libroach/engine.cc, line 242 at r3 (raw file):

  // do not call DisableFileDeletions. This means that some files may be listed by rocksdb but not
  // present in the file registry (deleted between calls). Such files will be considered
  // "plaintext".

This seems like a problem for any monitoring that would want to alert if there are any plaintext files.

---

c-deps/libroach/utils.cc, line 40 at r3 (raw file):

    return path1 + path2;
  }
  return path1 + '/' + path2;

Do we need a TODO about windows here?

---

c-deps/libroach/include/libroach.h, line 317 at r3 (raw file):

  uint64_t total_files;
  uint64_t total_bytes;
  // Files/bytes using the active data key.

Rename these to active_key_{bytes,files}. The context doesn't otherwise make it clear that this is encryption-related (and sounds like it could have something to do with live/dead files)

---

pkg/ui/ccl/src/views/reports/containers/stores/encryption.tsx, line 74 at r3 (raw file):

    return [
      this.renderSimpleAlternateRow("Encryption Progress", "Fraction encrypted using the active data key"),

In the screenshot this looks like a key and value, not a subheading. Can we style this line differently (and make it a single cell)?

---

Comments from Reviewable

[mberhault]

Review status: complete! 0 of 0 LGTMs obtained

---

c-deps/libroach/engine.cc, line 214 at r3 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

Why isn't this code on the CCL side if it's never run in a pure-OSS build?

OTOH, the "total" stats at least seem like they could be computed in an OSS build.

It's technically tied to the FileRegistry, with only a CCL hook to resolve key IDs. I think it'll be reasonable to compute the stats we can in OSS / no-file-registry mode, but I started out with the simple version.

---

c-deps/libroach/engine.cc, line 233 at r3 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

If you're rotating keys because of a breach, the relevant concern is not when all the live data is using the new key, but when the last file that was using the old key has been deleted (you may also want some sort of overwriting deletion). I don't know if we should worry about that here, though.

I think we'll need to worry about it before release. If the stats tell you 100% of the files are using the desired encryption settings, that needs to be true. This means:

• disable deletions (easy and can be called multiple times: it's a counter. This means we don't have to worry about other callers). File creations should be fine as long as we scan the registry after the rocksdb calls.
• we may want to traverse the file registry (easy) and maybe even the filesystem (tricky, there are too many random files that can show up in our base dir. eg: logs)
• we may need to have a "unknown" category for files without an entry in the FileRegistry.
• we should create a FileRegistry entry for plaintext files as well.

The combination of those would account for all files created when the FileRegistry is in use. The transition to the FileRegistry on-disk format would still leave files unaccounted for but would be shorter lived. If we recommend that people start their stores with encryption, the FileRegistry will be accurate.

I've added some todos for these proposals. I'll need to experiment more though.

---

c-deps/libroach/engine.cc, line 242 at r3 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

This seems like a problem for any monitoring that would want to alert if there are any plaintext files.

Definitely. Even if deletions while we're scanning are rare, it just takes one false positive to seriously irritate admins. Accurate numbers are definitely required. I think the proposal above will get us most of the way there (format transitions are still a pain, but we can detect those).

---

c-deps/libroach/utils.cc, line 40 at r3 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

Do we need a TODO about windows here?

Unsure. I still need to test all this on windows. But rocksdb itself hard-codes '/' all over the place (eg: the filename building utilities are all db_dir + "/" + etc...).

---

c-deps/libroach/include/libroach.h, line 317 at r3 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

Rename these to active_key_{bytes,files}. The context doesn't otherwise make it clear that this is encryption-related (and sounds like it could have something to do with live/dead files)

Done.

---

pkg/ui/ccl/src/views/reports/containers/stores/encryption.tsx, line 74 at r3 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

In the screenshot this looks like a key and value, not a subheading. Can we style this line differently (and make it a single cell)?

I've moved the UI change to a separate PR for now. But yes, I'll tweak that. I'll re-send that PR after some other UI changes I need to do on it (loading spinner, use of cached something-or-other).

---

Comments from Reviewable

[mberhault]

UI components are being moved to a separate PR: #26890

[bdarnell]

---

Reviewed 9 of 13 files at r4.
Review status: complete! 0 of 0 LGTMs obtained (and 1 stale)

---

Comments from Reviewable

[mberhault]

bors r+

[craig]

Timed out

[mberhault]

bors r+

[craig]

Timed out

[mberhault]

bors r+

TC is finally not taking forever.

[craig]

Build failed (retrying...)

• GitHub CI (Cockroach)

[craig]

Build failed (retrying...)

• GitHub CI (Cockroach)

[mberhault]

bors r+

[craig]

Build failed

• GitHub CI (Cockroach)

[mberhault]

bors r+

Now that TC is green, maybe bors-triggered TC will be as well?

[craig]

Build succeeded

• GitHub CI (Cockroach)