bug: auto-generated apisix id is likely to be duplicated in containerized environments

[tokers]

Issue description

Currently, Apache APISIX will generate an id while initializing if the user doesn't specify one, and it relies on the lua-resty-jit-uuid library but without an explicit seed.

apisix/apisix/core/id.lua

Lines 76 to 78 in 4dafab5

	uuid.seed()
	apisix_uid = uuid.generate_v4()
	log.notice("not found apisix uid, generate a new one: ", apisix_uid)

While the jit-uuid library creates the seed by the process id and the time in ngx_lua context.

https://github.com/thibaultcha/lua-resty-jit-uuid/blob/82538049040ae85ff880b79886f21d8593140c7d/lib/resty/jit-uuid.lua#L53-L54

However, in a containerized environment, the process id (the master process) might be the same, i.e. the No. 1 process, also, if users try to deploy Apache APISIX clusters on Kubernetes through the Deployment resource, the time might be the same for several Pods, since ngx.time doesn't have enough precisions (only at milliseconds level). so the generated apisix id might be duplicated, and if the id is critical, this may cause some fatal problems in the business scenarios.

Environment

• apisix version (cmd: apisix version):
• OS (cmd: uname -a):
• OpenResty / Nginx version (cmd: nginx -V or openresty -V):
• etcd version, if have (cmd: run curl http://127.0.0.1:9090/v1/server_info to get the info from server-info API):
• apisix-dashboard version, if have:
• the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
• luarocks version, if the issue is about installation (cmd: luarocks --version):

Steps to reproduce

N/A

Actual result

N/A

Error log

N/A

Expected result

No response

[spacewander]

Maybe we can suffix some rand bytes from thibaultcha/lua-resty-jit-uuid#19 (comment)

[tokers]

Maybe we can suffix some rand bytes from thibaultcha/lua-resty-jit-uuid#19 (comment)

Good idea.

[spacewander]

@leslie-tsang
Would you like to have a try? Thanks!

[leslie-tsang]

@leslie-tsang Would you like to have a try? Thanks!

Sure.

[leslie-tsang]

After reading the lua-resty-jit-uuid's issue, there are three solution for this issue:

1. use resty.random to generate UUID, it depend on OpenSSL RAND_bytes
2. use tostring(table or str) to get a random seed, Ref to lua-nginx-module issue #1457 and apisix PR #5414
3. patch _G.math.randomseed like kong does

@spacewander @tokers What do you guys think ?

[spacewander]

I vote for the kong way.

[tzssangglass]

vote the kong way too

[tokers]

Vote for Kong, it's on a higher level.

[aseaday]

Considering a more stable production purpose use, how about we did our best in the k8s environment or something else?
Project Hipsor

[membphis]

how about this way?

https://github.com/kubernetes/ingress-nginx/blob/30809c066cd027079cbb32dccc8a101d6fbffdcb/rootfs/etc/nginx/lua/lua_ingress.lua#L44

[aseaday]

how about this way?

https://github.com/kubernetes/ingress-nginx/blob/30809c066cd027079cbb32dccc8a101d6fbffdcb/rootfs/etc/nginx/lua/lua_ingress.lua#L44

It seems like the same as Kong one?

[membphis]

After a careful look at the two implementations, the core is the same.

Let's do it.

[aseaday]

After a careful look at the two implementations, the core is the same.

Let's do it.

I want to fix this bug as an first step to contribute to apisix. As an newbie, I had one question:

1. Need we to patch the math.randomseed or just fix the id problem?

[membphis]

Which one is the best, then use which one.

[membphis]

I prefer patch math.randomseed way

[aseaday]

I prefer patch math.randomseed way

If we patch the math.randomsee globally as the kong way, we need to add a module as the global patch. Is it a good choice to put the module in the core?

[aseaday]

Or add randomsed in apisix/patch.lua

[membphis]

Or add randomsed in apisix/patch.lua

I prefer this way. what is your opinion? @spacewander