upgrade to etcd/client/v3

[tormath1]

in this PR, we migrate from etcd/client/v2 to etcd/client/v3.

Some high level changes:

• rework a bit the Init method -> we first try to check that a key exist it does not we create it
• use KV instead of KeyAPI from V2
• did not use the client/v3/concurrency. in order to not break the current locksmithctl semaphore logic
• rework a bit the tests - first step in order to provide a decent coverage

Testing done

• update the unit tests

run kola tests with locksmith:

• coreos.locksmith.reboot
• coreos.locksmith.tls
• cl.locksmith.cluster

How to use

easy way:

make
scp -P 2222 ./bin/locksmithctl core@127.0.0.1:/home/core

or using the SDK:

diff --git a/app-admin/locksmith/locksmith-9999.ebuild b/app-admin/locksmith/locksmith-9999.ebuild
index 1fab0c6e4..2fca232f3 100644
--- a/app-admin/locksmith/locksmith-9999.ebuild
+++ b/app-admin/locksmith/locksmith-9999.ebuild
@@ -11,7 +11,7 @@ inherit cros-workon systemd coreos-go
 if [[ "${PV}" == 9999 ]]; then
        KEYWORDS="~amd64 ~arm64"
 else
-       CROS_WORKON_COMMIT="085ff774311dba979a53d049f6a776e156224437" # flatcar-master
+       CROS_WORKON_COMMIT="cc4db15e48c1afc979ac1c73c3ac680cb2369c43" # tormath1/upgrade-etcd
        KEYWORDS="amd64 arm64"
 fi

then

emerge-amd64-usr -av app-admin/locksmith && ./build_image

SSH into the VM - then play a bit with the ./locksmithctl and assert it consumes correctly ETCDCTL_API=3

$ sudo systemctl start etcd-member.service
$ ./locksmithctl status
Available: 1
Max: 1
$ ./locksmithctl set-max 123
Old-Max: 1
Max: 123
$ ETCDCTL_API=3 etcdctl get "coreos.com/updateengine/rebootlock/semaphore"
coreos.com/updateengine/rebootlock/semaphore
{"semaphore":123,"max":123,"holders":[]}
$ ./locksmithctl lock
$ ETCDCTL_API=3 etcdctl get "coreos.com/updateengine/rebootlock/semaphore"
coreos.com/updateengine/rebootlock/semaphore
{"semaphore":122,"max":123,"holders":["0f80dd16217b482eb89ffea2e1412115"]}

Note for reviewers

This one fde90bd was a hard one to solve and I think it results from an implementation mistake - no matter which LOCKSMITHD_ENDPOINT we set as environment variable it will still be added to the default ones - with V2 it seems it was not an issue but with V3, in the test, we set a TLS etcd node on ::2379 since the connection is considered as a success with the default http://localhost:2379 this endpoint will be used as the correct one .. but each call will fail because we send http to a https service.

[krnowak]

Looks like we will need to use Txn in one more place.

I'm on the fence with what you did with the tests. I kinda like the former table-based testing. :) Any reason to move away from that?

[krnowak]

I think this needs to be turned into a transaction too, because the old code had a SetOption to apply the changes if the previous index is a value known to us. I think that with v3 it could be something like:

response, err = c.keyapi.Txn(context.Background()).If
	client.Compare(client.Version(c.keypath), "=", sem.Index),
).Then(
	client.OpPut(c.keypath, string(payload)),
).Commit()
if err != nil {
	return err
}
// If it's true, it means that the "then" branch was taken, false - "else" branch was taken.
if !response.Succeeded {
	return fmt.Errorf("failed to set the semaphore - it got updated in the meantime")
}
return nil

Also, maybe the Index field in the Semaphore struct should be renamed to Version?

This change will probably allow us to get rid of the Set method in the KeyAPI interface.

[tormath1]

I agree - using Txn instead of Put will provide more controls on the insertion. The s/Index/Version/ makes sense too.

[invidian]

It seems it would be nice to have some congestion tests around that to make sure things behave as expected in distributed environment.

[tormath1]

@invidian I don't know what are congestion tests - do you have some example to provide ?

[invidian]

I meant, if more than one client initializes etc at the same time. Maybe https://github.com/golang/mock could be useful here to simulate the races?

[tormath1]

I do agree that we should cover this section - but I also think that etcd provides the right tool: concurrency.Mutex to ensure that we don't have this kind of race conditions.

Package concurrency implements concurrency operations on top of etcd such as distributed locks, barriers, and elections.

When I started to upgrade to v3 I knew that the changes will be quite something so I tried to mitigate the migration impact. That's why I did not used the concurrency.Mutex as mentioned in the PR description:

did not use the client/v3/concurrency. in order to not break the current locksmithctl semaphore logic

But now, I feel we are actually redeveloping this concurrency.Mutex through Txn and racing tests - so it might actually be the correct choice to go ahead with the Mutex. What do you think ? :)

[krnowak]

I do agree that we should cover this section - but I also think that etcd provides the right tool: concurrency.Mutex to ensure that we don't have this kind of race conditions.

Package concurrency implements concurrency operations on top of etcd such as distributed locks, barriers, and elections.

When I started to upgrade to v3 I knew that the changes will be quite something so I tried to mitigate the migration impact. That's why I did not used the concurrency.Mutex as mentioned in the PR description:

did not use the client/v3/concurrency. in order to not break the current locksmithctl semaphore logic

But now, I feel we are actually redeveloping this concurrency.Mutex through Txn and racing tests - so it might actually be the correct choice to go ahead with the Mutex. What do you think ? :)

Up to you. :) On one hand it would probably make the code easier to understand and the tests would be easier to write (maybe). On the other hand, it introduces more back-and-forth communication with etcdserver. Not sure if the latter is a big problem, so using the mutex may be a good idea.

[tormath1]

Mm, just quickly read the documentation - it seems we can't really use the concurrency.Mutex because it does not allow to use custom semaphores. It relies on the key to lock/unlock - so we need to think about how we could authorize many instances ( > 1) to reboot - in other terms, how we could implement the set-max command using concurrency.Mutex. (see also: etcd-io/etcd#12490)

[tormath1]

I'm on the fence with what you did with the tests. I kinda like the former table-based testing. :) Any reason to move away from that?

table tests were ok until now because we were only using {err, response} struct but we now have {err, getResponse, setResponse, Txn} which can be quite big to define into a table a1a5db4#diff-509fec5f7f91a11e078c85b72f3645555168d99ae5a8a036f2d0c807b0eb673fR138-R146 😕

Also it gives a better reading of the running tests + can eventually be run in parallel.

[invidian]

Some general suggestions. Overall, it seems it would be nice to have a better test suite for this code, testing implied properties of the code, e.g. what happens on write conflicts etc.

I really appreciate your work @tormath1 and I'm sure it's worth an effort.

BTW, Did we consider what will happen when this patch hits users? Some locksmiths will be using v2 storage and some v3, which means more nodes will be able to update at a time than it's configured, but only when 2 different version updates are happening at the same time I guess (v2 -> v3 and v3 -> another using v3). So I guess it should be fine?

[invidian]

Note: dbus lib has also been updated here.

[invidian]

Suggested change

	// it returns 0 value
	// it returns 0 value.

[invidian]

Suggested change

	// So we first try to get the value, if the value is not found we create the key
	// with a default semaphore value
	// So we first try to get the value, if the value is not found we create the key
	// with a default semaphore value.

[invidian]

Suggested change

	// there is no proper way to handle non-existing value for a
	// given key
	// https://github.com/etcd-io/etcd/issues/6089
	// There is no proper way to handle non-existing value for a
	// given key.
	// See https://github.com/etcd-io/etcd/issues/6089 for more details.

[invidian]

I'd flip the error logic here to save on indentation. if err == nil { return nil }, then if !errors.Is(err, ErrNotFound) { return fmt.Errorf("...") }, I think it should be easier to read.

[invidian]

Maybe if defined like this it won't have to be a pointer in a struct and it's zero-value can be used, so you don't have to initialize it in all tests?

Suggested change

	func (t *testTxn) If(cs ...client.Cmp) client.Txn {
	func (t testTxn) If(cs ...client.Cmp) client.Txn {

[invidian]

Given that this is not a top-level context, I think using context.TODO() is more appropriate here.

Suggested change

	if _, err := c.keyapi.Txn(context.Background()).If(
	if _, err := c.keyapi.Txn(context.Background()).If(

[invidian]

I wouldn't add a testify as a dependency here. Is it really worth it for few lines saved?

[invidian]

It seems it would be nice to have some congestion tests around that to make sure things behave as expected in distributed environment.

[invidian]

Can we make "" (group) a const named like testGroup, so it's easier to figure out what is it?

[tormath1]

• rebased onto flatcar-master to solve a conflict
• squashed fixup! commits from first review
• added a test to mock transaction result
• removed the Put to use Txn instead
• removed the module testify depenency (still in go.sum, it seems to be used by etcd)

[invidian]

Hmm, I've tried reviewing this PR couple of times and I still get stuck on reviewing the test suite, as I'm afraid modifying both test suite logic and the code may introduce some regressions.

I wonder if we could modify the test suite (and possibly code) in a way that upgrading to new etcd client version won't affect those tests. However, this requires capturing the essence of existing behavior and writing tests for it, which is not always easy.

[invidian]

It seems this can be dropped. v3.5.0 use grpc v1.38.0: https://github.com/etcd-io/etcd/blob/946a5a6f25c3b6b89408ab447852731bde6e6289/go.mod#L35

[invidian]

Maybe just:

Suggested change

	return fmt.Errorf("failed to set the semaphore - it got updated in the meantime")
	return fmt.Errorf("semaphore got updated in the meantime")

[invidian]

Suggested change

	return fmt.Errorf("unable to marshal initial semaphore: %w", err)
	return fmt.Errorf("marshaling initial semaphore: %w", err)

[invidian]

Suggested change

	return fmt.Errorf("unable to commit initial transaction: %w", err)
	return fmt.Errorf("committing initial transaction: %w", err)

[invidian]

Suggested change

	pb "go.etcd.io/etcd/api/v3/mvccpb"
	client "go.etcd.io/etcd/client/v3"
	"golang.org/x/net/context"
	pb "go.etcd.io/etcd/api/v3/mvccpb"
	client "go.etcd.io/etcd/client/v3"
	"golang.org/x/net/context"

[invidian]

Suggested change

	&pb.KeyValue{
	{

[invidian]

Suggested change

	&pb.KeyValue{
	{

[invidian]

If you set the error here, you should be able to make use of errors.Is() perhaps?

[invidian]

The string error could be put in variable at least, to avoid duplication, if we stay on string comparison for errors.

[invidian]

Similar to errors, it's good to explain what went wrong when you fail the test. For example:

Suggested change

	t.Fatalf("error should be nil, got: %v", err)
	t.Fatalf("Failed creating new etcd lock client: %v", err)

[pothos]

I think we should leverage airlock as etcd3 client through the fleetlock protocol. Then we don't need to implement this again in locksmith.