Add WithExternalConn to app.App

[masnax]

This takes a bunch of the logic from the dqlite proxies in lxd's Gateway and applies them to app.App via a WithExternalConn option.

WithExternalConn takes a client.DialFunc and an acceptCh which will be used for back and forth handling of the external connection.

I modified the TLS keep alive options a little to look more like how we handle them in LXD here.

[MathieuBordere]

LGTM, can you add some tests for the new option though? Something like creating a cluster with a couple of nodes and performing a write and a read on the db.

[MathieuBordere]

LGTM, can you add some tests for the new option though? Something like creating a cluster with a couple of nodes and performing a write and a read on the db.

Thanks! Could you just add a 3rd node to the cluster in your test please? The reason is that the second node will remain in the cluster as a spare and the raft leader will not attempt to send it raft RPCs, thus not triggering extDialFuncWithProxy that is used by the raft nodes to talk to each other. Adding a 3rd node will trigger the non-leader nodes to be converted to voters which will cause extDialFuncWithProxy to be hit because the leader will start sending heartbeats to the other nodes.

So you should add a 3rd node & wait a bit for the roles to settle.

[masnax]

LGTM, can you add some tests for the new option though? Something like creating a cluster with a couple of nodes and performing a write and a read on the db.

Thanks! Could you just add a 3rd node to the cluster in your test please? The reason is that the second node will remain in the cluster as a spare and the raft leader will not attempt to send it raft RPCs, thus not triggering extDialFuncWithProxy that is used by the raft nodes to talk to each other. Adding a 3rd node will trigger the non-leader nodes to be converted to voters which will cause extDialFuncWithProxy to be hit because the leader will start sending heartbeats to the other nodes.

So you should add a 3rd node & wait a bit for the roles to settle.

Ah right, I forgot the spares don't do much :)
Added a third node and now they all come up as voters.

[MathieuBordere]

LGTM, can you add some tests for the new option though? Something like creating a cluster with a couple of nodes and performing a write and a read on the db.

Thanks! Could you just add a 3rd node to the cluster in your test please? The reason is that the second node will remain in the cluster as a spare and the raft leader will not attempt to send it raft RPCs, thus not triggering extDialFuncWithProxy that is used by the raft nodes to talk to each other. Adding a 3rd node will trigger the non-leader nodes to be converted to voters which will cause extDialFuncWithProxy to be hit because the leader will start sending heartbeats to the other nodes.
So you should add a 3rd node & wait a bit for the roles to settle.

Ah right, I forgot the spares don't do much :) Added a third node and now they all come up as voters.

A minor nit about the comment and we should be good.

[masnax]

A minor nit about the comment and we should be good.

Fixed.

[tomponline]

I think this comment needs updating.

[tomponline]

Adding a comment here detailing some of the reason behind its presence (from the comment in LXD's SetTCPTimeouts) would likely be beneficial for future readers, especially focussing on why the keepalive timeout itself is not sufficient.

[tomponline]

Why are errors ignored here after accepting an inbound request?

[masnax]

Not sure to be honest, I plucked this out of LXD. In LXD we used to panic here in case of errors, but now we keep retrying.

This is trying to connect to dqlite's bind address so if that fails we probably can't connect to dqlite at all. I think it would be safe to handle the error here.

[tomponline]

Just wondering also what we do with the accepted connection?

[masnax]

The remote accepted connection? We just copy any data back and forth between the accepted connection and dqlite's bind address. Did you mean something specific?

[tomponline]

Yeah what happens to it if an error occurs here abd we continue? Should it be closed?

[masnax]

Yeah I don't see any problem with closing it.

[tomponline]

Why does the function here accept a ctx, but doesn't pass it to the go proxy() function call inside it?

[masnax]

ah thanks I missed that.

[masnax]

Hmm, actually it appears the parent context is already done by the time the dialfunc is run, which seems odd. Looking to find out why.

[masnax]

Ok so the parent context starts from the connectWithDial method in internal/bindings/server.go, which is called from c, and this is what executes the DialFunc. The context isn't cancelled until the DialFunc returns, but since we're running the proxy in a goroutine that we want to run as long as there's data between the connections, we don't want the context to be cancelled by the caller.

[tomponline]

OK makes sense, so one is a connect timeout CTX and one is a cancelation context.

What concerns me is why in one call to proxy() a cancelation context is passed as expected, but here the background context is passed meaning it won't get cancelled.

[masnax]

Ok, I added a context to the Node struct that starts/stops the dqlite server, which is then assigned to a variable in the c bindings when the server starts, and is cancelled when the server stops.

This context becomes the parent context for the dial function, which in turn is only cancelled on a timeout or if the dial function returns any errors. If there aren't any errors but the server suddenly stops, the child context will also be cancelled.

[MathieuBordere]

Comment is outdated.

[stgraber]

@masnax test seems to be getting stuck?

[masnax]

@masnax test seems to be getting stuck?

Yeah I just reversed the commit. Didn't like my change to contexts :(

[tomponline]

@masnax test seems to be getting stuck?

Yeah I just reversed the commit. Didn't like my change to contexts :(

This got merged without a fix for the uncancelable context?

[stgraber]

Gah, I missed that this is what got reverted, must have been checking an older set of commits against the new github action status. We should still wire up the ctx on the proxy to something other than a generic context.Background (but as mentioned, not pass the dial context through as that's not the right one for this).

[masnax]

@masnax test seems to be getting stuck?

Yeah I just reversed the commit. Didn't like my change to contexts :(

This got merged without a fix for the uncancelable context?

Yeah it did, at the very least it's not more broken as the uncancelable context was already there, I just changed the lines above it :)

I dropped the last commit which added a life cycle context to the dqlite server as it was causing 1 test to hang, although I'm not exactly sure if the test was correct in the first place.

@MathieuBordere Maybe you can help clarify, TestRolesAdjustment_CantReplaceVoter in app/app_test.go seems to drop a 3-voter (and 1 stand-by) cluster to a 2-voter cluster, but I thought this should result in loss of quorum? I'm wondering if this test was only passing before because of the uncancelable context. Adding the voter back to the cluster will once again establish quorum and the test will pass.

[MathieuBordere]

@masnax test seems to be getting stuck?

Yeah I just reversed the commit. Didn't like my change to contexts :(

This got merged without a fix for the uncancelable context?

Yeah it did, at the very least it's not more broken as the uncancelable context was already there, I just changed the lines above it :)

I dropped the last commit which added a life cycle context to the dqlite server as it was causing 1 test to hang, although I'm not exactly sure if the test was correct in the first place.

@MathieuBordere Maybe you can help clarify, TestRolesAdjustment_CantReplaceVoter in app/app_test.go seems to drop a 3-voter (and 1 stand-by) cluster to a 2-voter cluster, but I thought this should result in loss of quorum? I'm wondering if this test was only passing before because of the uncancelable context. Adding the voter back to the cluster will once again establish quorum and the test will pass.

So there are 3 voters and 1 standby node, then a voter and the standby go offline. The app logic will in this case not try to reshuffle the roles, the 2 remaining online nodes are voters and still have quorum (2 out of 3).
There's really not much else we can or should do, the standby was there to be promoted to voter in case a voter went offline, but in this test a voter and standby went offline at the same time.