[nexus] Re-implement disk attach/detach

[smklein]

Fixes #1073

Summary of previous version

When a request to attach a disk arrived at Nexus, the following would be performed:

1. Check the number of disks attached to an instance
2. Check the disk state (valid for attach?)
3. Check the instance state (valid for disk attach?)
4. (If the instance is running) Send a request to the Sled agent to update the state
5. Update the disk state in the DB

Problems with previous version

• None of the steps are guarded against concurrent access - it's possible to attach a disk after the "max disk attach count" check, but before the DB has been updated. Similarly, it's possible to modify the disk/instance state after the check, but before the update.
• The previous version allows sending requests to the attach disks to running instances (by making requests to the sled agent) but this path is both (1) not implemented, and (2) has some subtle races that need a more holistic solution. For example: what if a concurrent request was made to attach a disk to two instances simultaneously? Although Nexus should prevent this case, if both bypass the checks before actually updating the DB, both operations would be issued.

New implementation

• Add CTEs for attach, detach to atomically: (1) Check instance/disk state, (2) update instance/disk state, and (3) return any information (e.g., do the resources exist) within a single statement.

TODOs:

• Q: Do we need the rcgen in instances? A: No! Removed.
• Deal with the disk-attach-during-instance-destroy race condition. Done via "collection_detach_many"
• Be more consistent about units for the "max attached resources" value
• Would love to de-duplicate more trait bounds between the "collection_*" CTEs. However, I think I may be close to my limits here until more progress on 🔬 Tracking issue for RFC 2089: Extended Implied bounds rust-lang/rust#44491 is made.

[smklein]

Note: this may be a simpler implementation of the "dueling administrators" solution proposed in RFD 192.

Basically, to perform a conditional UPDATE and check for existence of an object, that proposal relies on a division-by-zero to do an early exit before performing the UPDATE itself.

However, it seems possible to:

• Avoid the early exit
• Make the UPDATE conditional on whatever subqueries we want
• Return the results of multiple rows, letting the caller figure out what happened (did the object exist? did we perform the update? etc.)

This version is slightly more verbose, but the lack of "division by zero" makes it seem simpler to me.

[smklein]

This change should also resolve the race condition mentioned in this comment by @plotnick : https://github.com/oxidecomputer/omicron/pull/1068/files#r873063471

[smklein]

Since there's a lot here, I'm going to go ahead and try to give a "tour" of the contents of this CTE.

collection_detach.rs and collection_detach_many.rs are similar in layout.

[smklein]

Right out the gate, I'm using a ton of type aliases. The DatastoreAtttachTarget<ResourceType> trait is implemented on a collection (after all, "collections" hold "resources") so nearly all of these act on "resource type, collection type".

Most of these are just short-hands for "get me the key/column/table/etc belonging to the resource/column".

[smklein]

This is the trait I would expect clients to implement - just pointing to the types we actually need, by steering towards the right columns.

A real implementation exists in db/model/instance.rs.

[smklein]

By stating Column<Table = <Self::CollectionIdColumn as Column>::Table>, we're forcing this column to belong to the "Collection" table.

This prevents users of this API from accidentally pointing the "Collection" columns at the "Resource" table.

[smklein]

If you wanna compare this CTE with the others, the signature of this function is something to keep an eye out for.

It's basically our statement of "how do we expect the API user to interact with this CTE"?

My goal was to ingest:

1. UUIDs
2. "Query statements"
3. "Update statements"

Since we use them elsewhere in the datastore, so I figured that language would be easy to understand.
A fair bit of the CTE trait bounds are devoted to preventing misuse of these APIs.

[smklein]

We ensure the "count of attached resources" clause is always scoped to non-deleted resources that point back to the collection, based on the provided collection_id.

[smklein]

We force the user-supplied queries to look at the same collection_id, and still be non-deleted.

This means someone can't get accidentally call this to modify the wrong resource:

Instance::attach_resource(
  collection_id,
  resource_id,
  collection::table.into_boxed().filter(collection_id.eq(a_different_collection_id))
  ...
)

If they did, it would always result in "no update", since we'd filter by ID = 1 AND ID = 2

[smklein]

We enforce a similar constraint on the resource query. We also enforce that the "foreign key" field is actually NULL, as it should be before we call "attach".

[smklein]

This is the result type I expect most users to interact with.

Either:

1. "Here is the collection + resource you updated", or
2. "We did not do the update, and here's an AttachError explaining why"

[smklein]

This hopefully describes the meat of the CTE.

The TL;DR: We want to check a few things, then do an update if all those checks pass, and we want it to be atomic, even though multiple tables are involved.

[jmpesp]

🚀 with some questions and suggestions

[jmpesp]

can we guarantee that primary_key is always only id? why not the more specific ResourceIdColumn?

[smklein]

To be clear, you're suggesting "can we guarantee this is the only call to filter which contains an ID?"

In this case, we're constructing the entire resource_exists_query from scratch - the only user input is the UUID - so I don't think this check is explicitly necessary. Re-phrasing: I don't such a check would prevent any user behavior.

Also, unfortunately, it's a little tricky to parse the whole list of filters applied through Diesel (it's easy to ask are there any filters, but hard to find a specific one, especially since this query is boxed).

[smklein]

FWIW, we do have the bound:

BoxedQuery<ResourceTable<ResourceType, Self>>: FilterBy<Eq<ResourcePrimaryKey<ResourceType, Self>, Self::Id>>

which states that the resource table should be filterable comparing the ID type with the ResourcePrimaryKey .

However, the Diesel table type:

https://docs.diesel.rs/master/diesel/prelude/trait.Table.html

has an associated type PrimaryKey, but I'm not 100% sure how to connect it back to the Column type.

[jmpesp]

As mentioned in the linked PrimaryKey documentation, I'm concerned about the case of

If the table has a composite primary key, this will be a tuple.

where ResourceIdColumn is not a tuple. Though, looking at that bound, I can squint and convince myself that if primary_key() returns a tuple then compilation would fail :)

[smklein]

Yeah, I think the primary_key() and Self::Id types would need to match for this to work... since the CollectionIdColumn must implement Column, I think this CTE as currently implemented would not allow for composite PKs.

... but as you said, that would at least be a compile-time error, rather than a runtime error.

[jmpesp]

there's a couple of match branches on this variant that state something like "this error didn't tell us enough", leading me to think we should attach more context or information here.

[smklein]

What more information would you want? Is there a match branch in particular you're looking at?

[smklein]

I added more context below - if you're talking about cases where we return 500 errors, those should be impossible to hit, so I'm not sure more context would help.

[jmpesp]

(this is an example of the error not providing enough context, referenced in another review comment)

[smklein]

Any case where I return "internal_error" implies a CTE bug to me - that's why we're returning internal_error for these cases, or a 500 error.

In this particular case:

• We are trying to attach a disk to an instance
• The disk and instance both exist, and "Time deleted" is NULL
• We are not at the capacity of "number of attached disks"
• Both instance and disk appeared in valid states
• and yet the update did not occur

This should not happen - If I saw this case, I'd want to debug it, hence the 500 error - but I do not think any valid input should be able to trigger it.

[jmpesp]

Right - I'd want to debug that too, but all I would see internally is "cannot attach disk". The error hasn't helped us infer why at all, like the comment says, and I don't see any other existing context in parse_result that can be attached to the NoUpdate errors which would point to additional investigation steps.

[smklein]

I agree with this, but I'm still not sure what other info to attach. I think if this case happened, we'd need to perform manual inspection of the DB to infer why it happened.

I view this as akin to "attempting, but failing, to deserialize a value from the database". I don't think it's appropriate to dump raw strings all the way back to the client, but it's still worth flagging.