-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make Unlock key delete conditional on being old leader's #6637
Make Unlock key delete conditional on being old leader's #6637
Conversation
9f455b9
to
092c1a8
Compare
@EdwinRobbins Thanks. I was was able to reproduce the issue and I think your fix is the right approach. I have some feedback on the PR, but first I'd like to get the CLA sorted out. Can you rewrite your commit(s) using an email address that is part of your Github profile? |
092c1a8
to
a95cf02
Compare
@kalafut swapped over to my Github profile address; CLA should be all sorted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This works well and I think the core logic is correct. Just some smaller items to change.
physical/dynamodb/dynamodb.go
Outdated
l.updateItem(false) | ||
err := l.updateItem(false) | ||
if err != nil { | ||
l.backend.logger.Error("error renewing leadership lock", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hclog takes a message and then label/value pairs, so this needs to be like: Error("my message", "error", "err")
@@ -576,7 +576,9 @@ func (c *Core) waitForLeadership(newLeaderCh chan func(), manualStepDownCh, stop | |||
c.logger.Error("clearing leader advertisement failed", "error", err) | |||
} | |||
|
|||
c.heldHALock.Unlock() | |||
if err := c.heldHALock.Unlock(); err != nil { | |||
c.logger.Error("unlocking HA lock failed", "error", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hclog takes a message and then label/value pairs, so this needs to be like: Error("my message", "error", "err")
That said, I'm hesitant about this change until we understand what all of the HA backends are returning. For example even DynamoDB would need to have some additional guards around the error from Unlock()
, like the check for dynamodb.ErrCodeConditionalCheckFailedException
elsewhere in the file, or else you end up with [ERROR] log entries that are really just expected artifacts from that DB/SDK.
To be clear I do like the idea here, but we may want to run some additional tests with other backends lest customers start seeing errors. Thoughts, @briankassouf ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After some discussion, we decided that this line is OK to leave in. But please add a check to Unlock() (which calls your modified Delete) to catch the ConditionCheck error and not report it as an error, similar to that handling here:
vault/physical/dynamodb/dynamodb.go
Line 632 in 54d8c25
if err.Code() != dynamodb.ErrCodeConditionalCheckFailedException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do think this case is a bit different from the tryToLock one because in that case it is speculatively attempting to update and has the expectation that it can reasonably fail. Whereas for Unlock() this shouldn't really expected unless something aberrant has happened.
Though as long as Vault will always attempt unlock when it steps down, even if it knows there is a new leader already, it's reasonable to not report the error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is interesting b/c I've seen this occur in Unlock at least once, but that was during a simulated network outage. Much more common (and I didn't mention this previously) is [ERROR] storage.dynamodb: error renewing leadership lock: error="ConditionalCheckFailedException: ...
. This occurs with your current build during operator step-down
. So a couple of things:
- This error catch should be just in dynamodb.go, not ha.go which is backend agnostic. e.g. move to after you call
DeleteItem()
in the dynamo implementation of Unlock(). - We also need to catch the one triggering the "renewing leadership lock" message. Both tryToLock and periodicallyRenewLock rely updateItem, so I think centralizing the check in updateItem is reasonable. i.e. if the error is the ConditionCheck, just make it nil instead.
- (Optional) A filterError() method that just does the transformation of err->nil if ConditionCheck (or a no-op if no) might benefit 1 and 2, and keeps it clean if other such benign errors ever are added.
I appreciate the effort on this! I'd like to get this merged fairly soon, so if you need any help I'm able to push to your branch as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those all make sense to me and should be taken care of now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alas, my suggested refactor was too much. The presence of an error is needed from updateItem()
for correct tryToLock
behavior. I've changed this slightly to restore that, and now it seems to work fine. There is no flapping of the active node, spurious errors aren't showing up in the logs, a situations like the lock file being deleted or network being lost are handled OK. Let me know what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good to me.
physical/dynamodb/dynamodb.go
Outdated
TableName: &l.backend.table, | ||
ConditionExpression: &condition, | ||
Key: map[string]*dynamodb.AttributeValue{ | ||
"Path": &dynamodb.AttributeValue{S: aws.String(recordPathForVaultKey(l.key))}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The type (&dynamodb.AttributeValue) isn't required here, or on 583 & 589.
Push logic into dynamodb to keep specific logic contained to it. Centralize filtering and add to updateItem and Unlock
vault/ha.go
Outdated
@@ -6,6 +6,8 @@ import ( | |||
"crypto/x509" | |||
"errors" | |||
"fmt" | |||
"github.com/aws/aws-sdk-go/aws/awserr" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the reason for these imports?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, that should have been removed when I moved the DynamoDB specific logic back into dyanamodb.go.
Another engineer is going to do a re-review but I think we're in good shape now. |
Thanks for your work on this! |
No description provided.