Async iprop fixes #347
Async iprop fixes #347
Conversation
In preparation for fixes to iprop issues we now log a record immediately after writing the uber record on initialization. This will help the system understand when a slave needs a complete dump. It also gives us a proper timestamp for the time of [re-]initialization.
This commit extends the protocol in various ways, with what should be
graceful rolling upgrade semantics (you should be able to upgrade the
master and the slaves in any order and not all at once).
The master and slave now identify state not by a single uint32_t version
number, but also by the timestamp at which an iprop log entry was
recorded at that version. This makes reinitialization of iprop safe.
This means:
- protocol messages were extended:
- I_HAVE
- TELL_YOU_EVERYTHING (which appears in the dump)
- NOW_YOU_HAVE (which also appears in the dump)
- master datastructures were extended
- the dump format was extended in that the TELL_YOU_EVERYTHING /
NOW_YOU_HAVE brackets were extended
- a previous commit ensures that the log always has at least two
entries: the uber record and a first record, which means that we
always have at least one record whose version and timestamp can be
used to help establish identify synchronization state
|
@vdukhovni This isn't ready for code review, but if you want to take a look at least at the commit commentary and the PR commentary, that would be great. The changes to |
|
It would help (and would have helped) a lot to create a data structure for representing versions as |
|
For version number wraparound protection... provided we skip version zero (which is always the uber record), maybe the only special thing to do is to make EDIT: I think we want a couple of predicates:
and then EDIT: We'd have to assume or ensure that zero is never crossed more than once in the iprop log... |
|
The thought occurs that iprop-{slave, master} are perfect candidates for writing in a language that makes async easy/trivial. Haskell, node, whatever. |
|
Now that Linux has a native AF_RXRPC socket classI wonder if it's worth implementing a ubik replicated database.
|
|
The Ubik thing would be fine. I'll still plow on (slowly) with a PostgreSQL backend though. |
|
What I'd really like though is to not have an iprop protocol anymore, and ubik and PG both would give us that. |
| { | ||
| time_t tt = t; | ||
|
|
||
| if (sizeof(tt) > sizeof(t)) |
There was a problem hiding this comment.
There’s now a preprocessor definition for the size of time_t although that’s not going to make any practical difference.
There was a problem hiding this comment.
Although I’d prefer to use krb5_timestamp instead of time_t so we don’t have three types for times...
| if (sp != NULL) | ||
| ret = krb5_ret_uint32(sp, &op); | ||
| if (ret == 0 && op != TELL_YOU_EVERYTHING) | ||
| ret = EINVAL; /* XXX */ |
There was a problem hiding this comment.
Is there a krb5 error code we can use?
| uint32_t now = time(NULL); | ||
|
|
||
| assert(now > 0 && now < UINT32_MAX); | ||
| if (now > 0 && now < UINT32_MAX) |
There was a problem hiding this comment.
Hmm, shouldn’t we make now time_t and return an error if we are past 2038 rather than asserting? Why do I have the feeling we might still be working on this code in another 20 years...
There was a problem hiding this comment.
time_t is not guaranteed to be larger than 32-bit. krb5_timestamp defined as time_t. Perhaps we should define krb5_timestamp as int64_t to ensure that we always have support for post 2038 times.
AuriStorFS takes that approach.
There was a problem hiding this comment.
I suspect that will break other things (I just wrote some code that relies on that assumption the other day!). But yes...
There was a problem hiding this comment.
@jaltman unsigned 32-bit will get you past 2038. You won't care about 68 years later.
Anyways, this stuff goes on the wire. We can't change it without a flag day or a new protocol. I won't build a new iprop. I want to not be in that business. I want to move to a PG-based backend and do all replication in PostgreSQL.
There was a problem hiding this comment.
In any case, this code will go past 2038. The rest of Heimdal, I dunno, I don't recall and I'm busy with the gss_add_cred() rewrite :) I'll look when I'm done with that.
There was a problem hiding this comment.
The internal type and the wire protocol are orthogonal. We can consistently represent timestamps internally using signed 64-bit values while at the same time sending signed 32-bit values on the wire.
|
The code LGTM but I don't know enough about iprop to know why it's failing the tests, @jaltman do you want me to investigate this further or is it better to let @nicowilliams do it? |
|
@nicowilliams will you have time to determine why the check-iprop test is failing with this pull request? |
|
@jaltman maybe later this week. |
|
rebased against master, check-iprop failing with |
|
In order to get this into 8.0 I should split this up so that only the async I/O changes in |
|
This has been superseded by new, recent work that finally made |
This is still WIP in that
tests/kdc/check-ipropneeds to test more things. Also, I need to test graceful rolling upgrade semantics, though that I won't script.TODO:
ipropd-masterto make sure that no slave can cause the master to block without servicing the others.