Initial import of working mutex.

[howbazaar]

Tested on linux, my mac book air, and on windows 10.

[davecheney]

Why do these need to be exported ?

[fwereade]

It implies that we expect people to take specific action in response to this error, and I don't actually know what that would be. Tim?

[howbazaar]

Acquiring a mutex can fail for other reasons. Yes we don't expect them to fail for those reasons, but they are valid none the less. The caller can at least check that the cause of the error was the Timeout they expected, or something more fatal. That was my reasoning

[fwereade]

makes sense to me

[davecheney]

s/impl/mutex

[davecheney]

rename to mutex_flock.go please

[davecheney]

Why not use os.Create(); then os.Fd() ?

[howbazaar]

Because I copied it from elsewhere.

[mjs]

Won't a mode of 0600 mean that only processes belonging to the user which first created the lock will be able to interact with it? That's probably OK for the Juju use case but is a bit surprising for a machine-wide lock.

I guess we need to decide whether cross-account interactions are a thing we want this to support.

[davecheney]

0600 is probably ok. Not being able to read, or even better, write to the file someone else has an fslock on is good insurance.

[howbazaar]

In reality, all the system flocks are interacted with by root as the user running jujud, or as a user for the config store. As @axw mentioned, the creator of the config store mutex should give it a user based name.

[davecheney]

Why do you call our EWOULDBLOCK here ? Why not just return errors.Annotatef(err, "unable to aquire file lock on %q", name)

[howbazaar]

Because we need to know the difference between the lock currently being locked, and other errors. If it is currently locked, the outer acquire function retries.

[davecheney]

This should panic if release is called twice.

[howbazaar]

Errors are fine, panics are bad.

[fwereade]

I think it should just error, not panic; but I think we should consciously error if invoked twice, instead of depending on the syscall.

Dave, what's the benefit of a panic here? All I see are costs, basically...

[davecheney]

I disagree. If you cannot release a lock you held, then by definition things are pretty fucked up. You cannot release the lock, and worse, no other process on the machine can aquire the lock.

This is such an extreme condition I think

a. we cannot allow the caller to ignore the error, and in fact I don't think there is a way they can handle it safely. Anything that quietly tucks it into a log file and goes through the internal worker restart process will not fix the sitaution.

b. All our locks are tied to the process, the invariant is, no matter what, killing the process will release the lock. So, if the lock cannot be released (I don't even know how this would happen), then by definition the way to release the lock is to kill the process via panic, or even os.Exit(1) (to make sure the panic is not caught)

[fwereade]

I anticipate that the common scenario is a double-release (and I don't know how a real release would fail either); that doesn't seem like a good reason to take down the whole process.

I could probably be swayed into agreeing that an error actually releasing the lock might be nuke-worthy; but the common simple case is murphy's law (of interfaces): if it can be used wrong, it will be used wrong. I'm much more concerned that people will write code paths that rarely double-release than I am that release will actually fail...

[davecheney]

How about this then

type Releaser interface {
        // Release releases the mutex.
        // Release may be called multiple times, but only the first
        // call will release this instance of the mutex.
        // Release is unable to release the mutex successfully it
        // will call panic to forcibly release the mutex.
        Release()
}

Some justification

1. If Release is idempotent, ie it releases the lock then has no effect, it should be clear that calling it mulitple times won't release another instance of the same lock. Ie.

var spec Spec = ...
r := mutex.Acquire(spec)
r.Release()
r2 := mutex.Acquire(spec)
r.Release() // does not thing, and does not affect r2

1. My comments about panic'ing if the mutex cannot be released are the same as elsewhere.

[howbazaar]

Actually I quite like @davecheney's interface definition above. The whole point of the mutex is to have a system lock. If it can't be removed for some reason, then taking down the process to release the lock has a certain form of sanity.

[howbazaar]

Need to add a test for different named locks not interfering.

[davecheney]

USER is not going to be set very often. Why not drop this and just make it /tmp/juju-mutex-+name

[mjs]

Again, whether you want the username in there depends on whether this should support cross-account interactions.

If you do want the username in there then os/user.Current() is a more reliable approach. It even works on Windows.

[howbazaar]

I think that the caller should care about splitting out the name, not the mutex.

[davecheney]

s/impl/mutex

[davecheney]

This is different to the flock implementation, please make it the same.

[axw]

This means different behaviour to the other implementations: name becomes scoped to $USER. It's meant to be machine scoped, right? If the caller wants it scoped by user, then they should include $USER in name.

Also I think the name could do with a bit more context: maybe "/tmp/juju-mutex-" as a prefix. Finally, you should probably use os.TempDir() instead of hard-coding to /tmp.

[davecheney]

Excellent point. If this lock is supposed to be user scoped, then the caller should include this in the name of the mutex.

[mjs]

This ties in to what I've been saying above.

[davecheney]

this must panic if release is called twice.

[fwereade]

I agree we shouldn't double-close the socket, but why do we need to panic instead of just informing the client that they're an idiot?

[davecheney]

At least nil out the socke.

[fwereade]

yeah, strong +1 to writing these to expect and handle misuse

[davecheney]

Why shold release return an error ? is anyone going to check it ? And what would you do if releasing a lock failed ?

Ie, if you could not release a mutex that is held across the whole machine, the process should dump, 'cos that's the only way to recover the lock.

I suggest making release not return an error and panic if it fails.

[mjs]

Dave: That makes me pretty uncomfortable. Sure, ignore the error if you want but not giving the caller a choice on what should happen (even if only to log the problem and then exit) seems dicey to me.

[davecheney]

I disagree. If you cannot release a lock you held, then by definition things are pretty fucked up. You cannot release the lock, and worse, no other process on the machine can aquire the lock.

This is such an extreme condition I think

a. we cannot allow the caller to ignore the error, and in fact I don't think there is a way they can handle it safely. Anything that quietly tucks it into a log file and goes through the internal worker restart process will not fix the sitaution.

b. All our locks are tied to the process, the invariant is, no matter what, killing the process will release the lock. So, if the lock cannot be released (I don't even know how this would happen), then by definition the way to release the lock is to kill the process via panic, or even os.Exit(1) (to make sure the panic is not caught)

[fwereade]

Yeah, I don't think that one little utility package really gets to decide that the whole process is unviable just because (most likely scenario) someone deferred a second Release or something.

I know that many people are pretty goddamn lazy about defer ThingThatErrors(), and that does piss me off, but I don't think it's a very good reason to panic... I do think we should expect and anticipate pathologically stupid usage, and surely we're in a perfect position to DTRT by intercepting extra releases?

[davecheney]

Calling Release twice should panic for the same reason that closing a channel twice panics. This is a programming error, and laziness begats laziness.

[fwereade]

I'm trying to remember a time where I've thought "golly, that panic was a good idea, I'm glad it took down the controller" rather than "GAAAAH FFS". Inability to release a global lock it holds probably does qualify; and if the client was doing something super-evil that we somehow couldn't prevent, I might appreciate that; but a double-release (that we can trivially detect and deflect without panicking) is entirely predictable.

(counterargument: if we don't impose extreme consequences for double-releasing, people will just do it anyway and ignore all errors... and, well, yeah, they could, but that would just be shitty code, which I think is (sadly) unexceptional and (happily) at least addressable.)

[davecheney]

I'll concede the double-release argument if we can agree that a failure to release a lock is panic worthy.

[davecheney]

Please delete this. If some other code needs this it should define it in its package.

[davecheney]

Why does this exist ? Now there are two ways of doing the same thing.

[mjs]

I agree that there should only be one way, either Spec.Acquire or Acquire. Sticking with Spec.Acquire has the benefit of easier mocking via an interface when testing something that takes one of these.

[davecheney]

+1, there should be one way. And if it's via Spec.Acquire, then please rename Spec to Mutex so you have

var m mutex.Mutex {
   /// spec stuff
}

r, err := mutex.Acquire()
if err { ... }

r.Relaese()

[fwereade]

I'd slightly prefer Acquire(spec), FWIW; but I don't really mind.

Strongly favour having just one way to do it.

[davecheney]

@fwereade same here. One of the design decisions that thumper and I talked about was never having a Mutex which is not locked -- that is, if you have a value which implements Releaser your process holds the lock.

Currently a lot of the fslock code set's up the lock (to coin a phrase) then passes around that *fslock inside a config or a context or some other structure to the point that the calling code wants to grab the lock.

This has the downside that if your function receives an *fslock, you don't know if it's locked or not. And this is a big problem, because this lock is machine wide. Any operation like IsLocked() bool is inherently racy because between the time of asking "is it locked" and deciding "right, it's not locked, I'll go lock it" or worse, assume that it is not locked while the code does something, the lock could be take by any other process on the machine.

The mutex.Spec in this type avoids this ambiguity as it is the "setup" for a lock, and only when you want to grab the lock to you pass the spec to mutex.Acquire() and either grab the lock or don't. That is to say, if you have a Spec, you don't hold the lock, all you have is a description of the lock you'd like to hold.

So, with that said, I'd prefer mutex.Acquire(Spec), rather than func (m *Mutex) Acquire(). Because the latter is oh so tempting to add an IsLocked method.

[fwereade]

yep, heartily concur.

[davecheney]

I think the logic should be to try to aquire the lock until the timeout occurs. Any error triggers a retry.

[mjs]

Why? Then the code is almost certainly going to be spinning around, butting against problem isn't going to go away. Better report any unexpected error immediately.

[davecheney]

Ok, but please make it errLocked so that doesn't bubble up to the caller.

[davecheney]

Why does the calling code care about this ?

[davecheney]

Looks pretty good to me, but I want to see the API surface reduced, specifically I want to see the error values unexported.

[howbazaar]

Key rationale to have an Acquirer interface is to be able to mock out the Mutex. To have something that wants a mutex.Acquirer, but doesn't actually want to interact with the system.

I have removed the two ways to do things, and stopped exporting errLocked.

I do still think it is valuable though to have ErrTimeout and ErrCancelled.exported.

[davecheney]

Key rationale to have an Acquirer interface is to be able to mock out the Mutex. To have something that wants a mutex.Acquirer, but doesn't actually want to interact with the system.

What is the requirement to mock a mutex? If you want to have a dummy mutex then make up a random spec, heck write a testing helper, func UniqueSpec() Spec, that does it for you.

[davecheney]

Do you support this ?

r := mutex.Acquire()
go r.Release()
r.Release()

You may need to add a lock to prevent two Release's happening concurrently as m.socket is not nil'd out until after the call to close.

[davecheney]

See comment about other release implementation