Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make Unlock key delete conditional on being old leader's #6637

Merged

Conversation

EdwinRobbins
Copy link
Contributor

No description provided.

@hashicorp-cla
Copy link

hashicorp-cla commented Apr 25, 2019

CLA assistant check
All committers have signed the CLA.

@EdwinRobbins EdwinRobbins force-pushed the erobbins/fix-dynamodb-leader-delete branch from 9f455b9 to 092c1a8 Compare April 25, 2019 00:15
@kalafut kalafut self-assigned this Apr 25, 2019
@kalafut
Copy link
Contributor

kalafut commented Apr 25, 2019

@EdwinRobbins Thanks. I was was able to reproduce the issue and I think your fix is the right approach. I have some feedback on the PR, but first I'd like to get the CLA sorted out. Can you rewrite your commit(s) using an email address that is part of your Github profile?

@EdwinRobbins EdwinRobbins force-pushed the erobbins/fix-dynamodb-leader-delete branch from 092c1a8 to a95cf02 Compare April 26, 2019 00:58
@EdwinRobbins
Copy link
Contributor Author

@kalafut swapped over to my Github profile address; CLA should be all sorted.

Copy link
Contributor

@kalafut kalafut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This works well and I think the core logic is correct. Just some smaller items to change.

l.updateItem(false)
err := l.updateItem(false)
if err != nil {
l.backend.logger.Error("error renewing leadership lock", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hclog takes a message and then label/value pairs, so this needs to be like: Error("my message", "error", "err")

@@ -576,7 +576,9 @@ func (c *Core) waitForLeadership(newLeaderCh chan func(), manualStepDownCh, stop
c.logger.Error("clearing leader advertisement failed", "error", err)
}

c.heldHALock.Unlock()
if err := c.heldHALock.Unlock(); err != nil {
c.logger.Error("unlocking HA lock failed", "error", err)
Copy link
Contributor

@kalafut kalafut Apr 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hclog takes a message and then label/value pairs, so this needs to be like: Error("my message", "error", "err")

That said, I'm hesitant about this change until we understand what all of the HA backends are returning. For example even DynamoDB would need to have some additional guards around the error from Unlock(), like the check for dynamodb.ErrCodeConditionalCheckFailedException elsewhere in the file, or else you end up with [ERROR] log entries that are really just expected artifacts from that DB/SDK.

To be clear I do like the idea here, but we may want to run some additional tests with other backends lest customers start seeing errors. Thoughts, @briankassouf ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After some discussion, we decided that this line is OK to leave in. But please add a check to Unlock() (which calls your modified Delete) to catch the ConditionCheck error and not report it as an error, similar to that handling here:

if err.Code() != dynamodb.ErrCodeConditionalCheckFailedException {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do think this case is a bit different from the tryToLock one because in that case it is speculatively attempting to update and has the expectation that it can reasonably fail. Whereas for Unlock() this shouldn't really expected unless something aberrant has happened.

Though as long as Vault will always attempt unlock when it steps down, even if it knows there is a new leader already, it's reasonable to not report the error.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is interesting b/c I've seen this occur in Unlock at least once, but that was during a simulated network outage. Much more common (and I didn't mention this previously) is [ERROR] storage.dynamodb: error renewing leadership lock: error="ConditionalCheckFailedException: .... This occurs with your current build during operator step-down. So a couple of things:

  1. This error catch should be just in dynamodb.go, not ha.go which is backend agnostic. e.g. move to after you call DeleteItem() in the dynamo implementation of Unlock().
  2. We also need to catch the one triggering the "renewing leadership lock" message. Both tryToLock and periodicallyRenewLock rely updateItem, so I think centralizing the check in updateItem is reasonable. i.e. if the error is the ConditionCheck, just make it nil instead.
  3. (Optional) A filterError() method that just does the transformation of err->nil if ConditionCheck (or a no-op if no) might benefit 1 and 2, and keeps it clean if other such benign errors ever are added.

I appreciate the effort on this! I'd like to get this merged fairly soon, so if you need any help I'm able to push to your branch as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Those all make sense to me and should be taken care of now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alas, my suggested refactor was too much. The presence of an error is needed from updateItem() for correct tryToLock behavior. I've changed this slightly to restore that, and now it seems to work fine. There is no flapping of the active node, spurious errors aren't showing up in the logs, a situations like the lock file being deleted or network being lost are handled OK. Let me know what you think.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good to me.

TableName: &l.backend.table,
ConditionExpression: &condition,
Key: map[string]*dynamodb.AttributeValue{
"Path": &dynamodb.AttributeValue{S: aws.String(recordPathForVaultKey(l.key))},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The type (&dynamodb.AttributeValue) isn't required here, or on 583 & 589.

Push logic into dynamodb to keep specific logic contained to it.
Centralize filtering and add to updateItem and Unlock
vault/ha.go Outdated
@@ -6,6 +6,8 @@ import (
"crypto/x509"
"errors"
"fmt"
"github.com/aws/aws-sdk-go/aws/awserr"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the reason for these imports?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, that should have been removed when I moved the DynamoDB specific logic back into dyanamodb.go.

@kalafut
Copy link
Contributor

kalafut commented Apr 30, 2019

Another engineer is going to do a re-review but I think we're in good shape now.

@kalafut kalafut merged commit fdcf68d into hashicorp:master May 1, 2019
@kalafut
Copy link
Contributor

kalafut commented May 1, 2019

Thanks for your work on this!

catsby added a commit that referenced this pull request May 1, 2019
* master:
  Fixed Typo
  [Doc]: PKI Fix allowed_uri_sans spelling mistake (#6660)
  DynamoDB: Make Unlock key delete conditional on being old leader's (#6637)
  Fix hook by using env to discover the correct location of bash as sh doesn't have [[
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants