Hold Auth init lock for the duration of initialization #29593
Merged
+34
−21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Auth now uses `RunWhileLocked` instead of `AcquireLock` to ensure that the initialization lock is held until the bootstrapping process is completed. Prior, Auth only held the lock for 30s which could allow multiple Auths to attempt bootstrapping simultaneously. Initialization should complete prior to 30s in most cases, but it is not guarateed, especially on first boot when CAs are being generated and a large data migration may be needed.
zmb3
reviewed
Jul 25, 2023
| Backend: cfg.Backend, | ||
| LockName: domainName, | ||
| TTL: 30 * time.Second, | ||
| }, |
There was a problem hiding this comment.
Does RunWhileLocked release the lock as soon as the operation is completed, or only after the TTL elapses?
If the former, what's the harm in making this (for example) 60s?
There was a problem hiding this comment.
Yes the lock is released before returning from RunWhileLocked:
teleport/lib/backend/helpers.go
Lines 223 to 229 in 7889f56
In the event that the Auth instance holding the lock is terminated during initialization a longer TTL would block any other instances from initializing until they could acquire the lock. The longer TTL would result in less backend activity caused by lengthy migrations though.
zmb3
reviewed
Jul 25, 2023
| @@ -320,7 +333,7 @@ func Init(ctx context.Context, cfg InitConfig, opts ...ServerOption) (*Server, e | |||
| // singletons). However, we need to keep them around while Telekube uses them. | |||
There was a problem hiding this comment.
🤷 - I have intentionally left the legacy/odd things in Init alone while focusing on improving start up time and reliability of initialization. I was planning to circle back to cfg.Roles, cfg.Authorities, cfg.ReverseTunnels and migrateLegacyResources to determine if they can be eliminated.
There was a problem hiding this comment.
I think that was the name of teleport when it was running as a component of Gravity. Some deep cuts.
zmb3
approved these changes
Jul 25, 2023
|
Friendly ping @ravicious @Tener |
fspmarshall
approved these changes
Jul 27, 2023
|
@rosstimothy See the table below for backport results.
|
rosstimothy
added a commit
that referenced
this pull request
Jul 27, 2023
Auth now uses `RunWhileLocked` instead of `AcquireLock` to ensure that the initialization lock is held until the bootstrapping process is completed. Prior, Auth only held the lock for 30s which could allow multiple Auths to attempt bootstrapping simultaneously. Initialization should complete prior to 30s in most cases, but it is not guarateed, especially on first boot when CAs are being generated and a large data migration may be needed.
rosstimothy
added a commit
that referenced
this pull request
Jul 27, 2023
Auth now uses `RunWhileLocked` instead of `AcquireLock` to ensure that the initialization lock is held until the bootstrapping process is completed. Prior, Auth only held the lock for 30s which could allow multiple Auths to attempt bootstrapping simultaneously. Initialization should complete prior to 30s in most cases, but it is not guarateed, especially on first boot when CAs are being generated and a large data migration may be needed.
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jul 28, 2023
* Add configuration with optional timeout to AcquireLock (#24559) * Add configuration with optional timeout to AcquireLock * rename to RetryInterval * backport RunWhileLocked changes from #25639 * Hold Auth init lock for the duration of initialization (#29593) Auth now uses `RunWhileLocked` instead of `AcquireLock` to ensure that the initialization lock is held until the bootstrapping process is completed. Prior, Auth only held the lock for 30s which could allow multiple Auths to attempt bootstrapping simultaneously. Initialization should complete prior to 30s in most cases, but it is not guarateed, especially on first boot when CAs are being generated and a large data migration may be needed. --------- Co-authored-by: Tobiasz Heller <14020794+tobiaszheller@users.noreply.github.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jul 28, 2023
* Add configuration with optional timeout to AcquireLock (#24559) * Add configuration with optional timeout to AcquireLock * rename to RetryInterval * backport RunWhileLocked changes from #25639 * Hold Auth init lock for the duration of initialization (#29593) Auth now uses `RunWhileLocked` instead of `AcquireLock` to ensure that the initialization lock is held until the bootstrapping process is completed. Prior, Auth only held the lock for 30s which could allow multiple Auths to attempt bootstrapping simultaneously. Initialization should complete prior to 30s in most cases, but it is not guarateed, especially on first boot when CAs are being generated and a large data migration may be needed. --------- Co-authored-by: Tobiasz Heller <14020794+tobiaszheller@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Auth now uses
RunWhileLockedinstead ofAcquireLockto ensure that the initialization lock is held until the bootstrapping process is completed. Prior, Auth only held the lock for 30s which could allow multiple Auth instances to attempt bootstrapping simultaneously. Initialization should complete prior to 30s in most cases, but it is not guaranteed, especially on first boot when CAs are being generated and a large data migration may be needed.