-
-
Notifications
You must be signed in to change notification settings - Fork 6.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rails 7.0 update #25668
Rails 7.0 update #25668
Conversation
0cf5b8e
to
367d885
Compare
This pull request has merge conflicts that must be resolved before it can be merged. |
367d885
to
4d4203f
Compare
This pull request has resolved merge conflicts and is ready for review. |
fe9a2aa
to
b95097c
Compare
This pull request has merge conflicts that must be resolved before it can be merged. |
After running, pick through changes and keep sensible defaults while preserving previous intentional deviations.
The method now takes `records` and `association` keyword args.
Changes the monkey-patched AR Persistence code to match Rails 7 changes.
b95097c
to
4caa344
Compare
This pull request has resolved merge conflicts and is ready for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have not actually tested the changes yet, but I made a new review pass.
Also, I'm a bit worried about https://guides.rubyonrails.org/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256 as I don't see it being addressed in this PR.
In either case, I will very shortly proceed to test this PR in a real environment!
Will review and report back.
Cool. |
A behavior change I just noticed is IIRC, This is because railties dropped the |
Deployed to vmst.io, my own session was briefly logged out (like 5 seconds) as it rolled between k8s pods, but it's working fine now. |
Probably same issue - rails/rails#46148 |
Just to confirm -- the session was preserved and you stayed signed in without needing to re-auth ... but you just had a normal connectivity drop during the k8s rollover? |
The session was preserved. I was watching Sidekiq queues show up and then the whole page went blank, which doesn't normally happen. I went to the main page and I was logged out but then when I refreshed it was fine. However I'm seeing issues with 2fa codes no longer working. Hardware token is fine but code generators are not working. |
Also confirming 2FA is not working. |
Thanks for confirming.
These are cases where the OTP was setup and working prior to update, and now post update even if initial password auth works fine, the otp verification step fails? If so, is the request blowing up with error, or just normal failure as though they had incorrect code? |
Initial password works |
That is weird, I have no issue logging in using TOTP. I'm unsure what could be different between our setups. The gem used for generating/checking TOTP codes also does not have any Rails-related dependency. So my only guess is that something is amiss with |
@vmstan @WhiskeyOmega if you haven't cleared TOTP parameters for your account yet, can you try a few things? From Rails 7, in a Rails console ( If there is some output, can you run the same thing from a pre-Rails 7 copy of the code (do not start If the first value was empty or the two did not match, can you share the output of |
Ok so my bad. I was using the TOTP for a different app when I tested. Sorry 🫢 |
One thing I missed with the cookie situation is that when doing zero-downtime migrations we may mix Rails 7 and Rails 6 workers, in which case it will lead to temporary hiccups with unreadable cookies… is there something we can do to make the transition smoother? |
Hmm, right ... I assume this is around the scenario where you are doing a rolling deploy across multiple app servers and someone:
There's probably a solution there at the IP/http/routing layer in a datacenter (ie, change config to track which connections have been routed to an updated app server, and keep them in the pool of updated servers for the duration of the rollout), but that's going to be specific to each setup and might reduce some of the benefit of the rolling deploy. |
I'm wondering if we couldn't flip the thing around: write Rails 6.1 compatible cookies and support Rails 7 cookies, then in a later version switch that around to support both cookies but emit Rails 7 compatible cookies, before finally dropping Rails 6 cookies in a later release? |
This seems to be the sensible solution |
I think there might be a typo in the last part here? ("dropping rails 7 cookies" should be the SHA1 Rails 6 cookies?). That aside, I think what you are suggesting is something like:
This would allow the workers still running the pre-7 code to keep working during the rolling deploy, because even if a browser had hit an upgraded worker in a prior request, the SHA1/old-name cookie would still be there unmodified. The updated workers would try to read the new name first and use it if present, but fall back on the old ones (but not change them). In a future release, after some value of "enough time", we could drop the support for reading the old format on the assumption that frequent enough users would have gotten the new format in the new name by then. I have not researched how straightforward either of:
|
Definitely a typo, I meant “dropping Rails 6 cookies”, sorry!
No, sorry, that's not what I was suggesting! I meant, if possible, continue to use SHA1 in the next release, but also support reading from SHA256 (which wouldn't be used in the next release). Then, in a later release, switch to SHA256, with a rotator supporting SHA1 cookies (switch to the current code). There does not need to be any significant delay between those two releases, as they could safely run concurrently. Then a later release would drop SHA1 cookies support altogether. EDIT: See #26023 |
I'll comment on #26023 to try to work through this more, but I didn't think that "continue to use SHA1 in next release" and "also read from SHA256" ... are actually possible at the same time? My mental model was that there are sort of two discrete components:
Will comment more on the PR. |
Still having users mention their 2FA is broken so its not like it fixes it over time in changing from Rails 6 to 7 workers. |
We haven't seen any other report. If you get the consent of one of your affected users, can you try the steps listed in #25668 (comment)? Also, have you possibly made unrelated changes to your |
I mean all my setups were brought upto date the night i brought the main one up to rails 7 so dont run a 6 code anymore but maybe there wont be any output. Ill try if i get another user but not many actually run it. |
Is it possible that when recently editing it you changed |
Bah! This was it ! i accidently deleted .env.production last week and copied it over from an already bad paste so the code was shorter than it should have been. That and Secret_Key_Base. Should I change it back and just remove peoples 2fa so they can add them back ? |
That's a tricky question to answer. I'd say you should change it back, but people who enabled or changed it in the meantime will have to reset it again |
I dont think there were many to be honest. So ive disabled it on the ones i took off last week and alot havent actually added it back anyway. |
Re-do of #24241
Background on merge/revert here: #24241
This contains the same changes as the previous PR, rebased against main after the merge/revert commits and a few other recent ones.