Make Unlock key delete conditional on being old leader's #6637
Conversation
|
|
EdwinRobbins
force-pushed
the
erobbins/fix-dynamodb-leader-delete
branch
from
9f455b9 to
092c1a8
Compare
|
@EdwinRobbins Thanks. I was was able to reproduce the issue and I think your fix is the right approach. I have some feedback on the PR, but first I'd like to get the CLA sorted out. Can you rewrite your commit(s) using an email address that is part of your Github profile? |
EdwinRobbins
force-pushed
the
erobbins/fix-dynamodb-leader-delete
branch
from
092c1a8 to
a95cf02
Compare
|
@kalafut swapped over to my Github profile address; CLA should be all sorted. |
physical/dynamodb/dynamodb.go
Outdated
| l.updateItem(false) | ||
| err := l.updateItem(false) | ||
| if err != nil { | ||
| l.backend.logger.Error("error renewing leadership lock", err) |
There was a problem hiding this comment.
hclog takes a message and then label/value pairs, so this needs to be like: Error("my message", "error", "err")
| @@ -576,7 +576,9 @@ func (c *Core) waitForLeadership(newLeaderCh chan func(), manualStepDownCh, stop | |||
| c.logger.Error("clearing leader advertisement failed", "error", err) | |||
| } | |||
|
|
|||
| c.heldHALock.Unlock() | |||
| if err := c.heldHALock.Unlock(); err != nil { | |||
| c.logger.Error("unlocking HA lock failed", "error", err) | |||
There was a problem hiding this comment.
hclog takes a message and then label/value pairs, so this needs to be like: Error("my message", "error", "err")
That said, I'm hesitant about this change until we understand what all of the HA backends are returning. For example even DynamoDB would need to have some additional guards around the error from Unlock(), like the check for dynamodb.ErrCodeConditionalCheckFailedException elsewhere in the file, or else you end up with [ERROR] log entries that are really just expected artifacts from that DB/SDK.
To be clear I do like the idea here, but we may want to run some additional tests with other backends lest customers start seeing errors. Thoughts, @briankassouf ?
There was a problem hiding this comment.
After some discussion, we decided that this line is OK to leave in. But please add a check to Unlock() (which calls your modified Delete) to catch the ConditionCheck error and not report it as an error, similar to that handling here:
vault/physical/dynamodb/dynamodb.go
Line 632 in 54d8c25
There was a problem hiding this comment.
I do think this case is a bit different from the tryToLock one because in that case it is speculatively attempting to update and has the expectation that it can reasonably fail. Whereas for Unlock() this shouldn't really expected unless something aberrant has happened.
Though as long as Vault will always attempt unlock when it steps down, even if it knows there is a new leader already, it's reasonable to not report the error.
There was a problem hiding this comment.
It is interesting b/c I've seen this occur in Unlock at least once, but that was during a simulated network outage. Much more common (and I didn't mention this previously) is [ERROR] storage.dynamodb: error renewing leadership lock: error="ConditionalCheckFailedException: .... This occurs with your current build during operator step-down. So a couple of things:
- This error catch should be just in dynamodb.go, not ha.go which is backend agnostic. e.g. move to after you call
DeleteItem()in the dynamo implementation of Unlock(). - We also need to catch the one triggering the "renewing leadership lock" message. Both tryToLock and periodicallyRenewLock rely updateItem, so I think centralizing the check in updateItem is reasonable. i.e. if the error is the ConditionCheck, just make it nil instead.
- (Optional) A filterError() method that just does the transformation of err->nil if ConditionCheck (or a no-op if no) might benefit 1 and 2, and keeps it clean if other such benign errors ever are added.
I appreciate the effort on this! I'd like to get this merged fairly soon, so if you need any help I'm able to push to your branch as well.
There was a problem hiding this comment.
Those all make sense to me and should be taken care of now.
There was a problem hiding this comment.
Alas, my suggested refactor was too much. The presence of an error is needed from updateItem() for correct tryToLock behavior. I've changed this slightly to restore that, and now it seems to work fine. There is no flapping of the active node, spurious errors aren't showing up in the logs, a situations like the lock file being deleted or network being lost are handled OK. Let me know what you think.
There was a problem hiding this comment.
Changes look good to me.
physical/dynamodb/dynamodb.go
Outdated
| TableName: &l.backend.table, | ||
| ConditionExpression: &condition, | ||
| Key: map[string]*dynamodb.AttributeValue{ | ||
| "Path": &dynamodb.AttributeValue{S: aws.String(recordPathForVaultKey(l.key))}, |
There was a problem hiding this comment.
The type (&dynamodb.AttributeValue) isn't required here, or on 583 & 589.
Push logic into dynamodb to keep specific logic contained to it. Centralize filtering and add to updateItem and Unlock
vault/ha.go
Outdated
| @@ -6,6 +6,8 @@ import ( | |||
| "crypto/x509" | |||
| "errors" | |||
| "fmt" | |||
| "github.com/aws/aws-sdk-go/aws/awserr" | |||
There was a problem hiding this comment.
What's the reason for these imports?
There was a problem hiding this comment.
Ah, that should have been removed when I moved the DynamoDB specific logic back into dyanamodb.go.
|
Another engineer is going to do a re-review but I think we're in good shape now. |
|
Thanks for your work on this! |
No description provided.