Auto-updater improvements

[andresilva]

• Refactored auto-updater logic into state machine
• Refactored to make it testable
• Added --auto-update-delay to randomly delay updates by n blocks. This takes into account the number of the block of the update release (old updates aren't delayed).
• Added --auto-update-check-frequency to define the periodicity of auto-update checks in number of blocks.

Fixes #7272.

[andresilva]

I still need to write some tests for this. I need help in testing this manually, by deploying the Operations contract into the Dev chain and triggering an update there.

[andresilva]

I tested this locally by deploying the Operations and GitHubHint contracts and creating a new release, it seems to be working properly. I refactored the interactions with the operations contract by creating a OperationsClient trait, this will allow me to mock it and to write unit tests.

[folsen]

Pretty big piece of code, can I get a comment about what it does and when to use it?

[andresilva]

It has a comment up there in the trait definition:

/// Fetches the block number when the given release was added, checking the interval [from; latest_block].

I can make it more descriptive if you feel it's necessary.

[folsen]

Ah sorry, I wasn't looking back at the trait to compare.

[folsen]

The answer to that is that if you need more than 3 levels of indentation, you're screwed anyway, and should fix your program.

– Linus Torvalds

No but seriously though, is there a way to break this up somehow?

[debris]

please exit fast on if let statements, cause it's difficult to read it :)

[andresilva]

Agreed, I'll clean it up.

[folsen]

I would suggest putting a maximum here, otherwise it goes from 6 days to 12 days to a month etc around 20 retries, meaning we have like ~2 weeks to fix any issue before it takes a month before any node updates. Having a maximum wait of a week seems pretty reasonable?

[debris]

It's also probably a cause of #8003 crash

[andresilva]

The current updater logic will drop the backoff as soon as a new release is pushed, so we won't get stuck in any wait case. I will add a test for that 😉.

[folsen]

Intentionally or unintentionally left TODO?

[andresilva]

This was copied from the existing code. I'm not sure how to fix it.

[debris]

This changes are definitely an improvement, but they still need some polishing

[debris]

can we somehow get rid of this? I know that this will require moving some logic to a separate structure, but weak_self even sounds terribly :p

[debris]

please exit fast on if let statements, cause it's difficult to read it :)

[kirushik]

If this is going to be backported, we might encounter problems with different openssl versions on different distros. See three different versions of linux packages here for example.

How do we handle that in out current updater? We might've been breaking clients' installations on Debian and CentOS in the worst case.

[andresilva]

I don't think we handle it at all, AFAIK only one Linux release is published in the Operations contract for a given platform. Maybe we can start detecting the distro and treat those as different platforms: "x64-ubuntu-linux-gnu"/"x64-centos-linux-gnu" etc. I think this will require changes in https://github.com/paritytech/push-release and in our CI pipeline.

[jamesray1]

I haven't looked into how auto-update works but I think users should be prompted with a list of changes for each update (particularly for forks and especially for contentious changes) so that they can choose whether to look into the changes before updating. I expect most users will just update like they would with checking yes without reading terms and conditions, but having the choice to look further into it is important for increasing participation and having healthy governance. I'm sure that @vladzamfir would agree.

[andresilva]

@jamesray1 I appreciate your concerns about informing users on the list of changes for an update, although that is outside the scope of this PR (which is just refactoring the current behavior of the updater). For now users can disable the installation of updates (--auto-update none). They are still notified about new updates and they can then decide for themselves whether they want to update or not. I feel like what you are suggesting would be more suitable to a GUI app which could be built using the existing RPC methods (https://wiki.parity.io/JSONRPC-parity_set-module#parity_upgradeready https://wiki.parity.io/JSONRPC-parity_set-module#parity_executeupgrade).

[jamesray1]

@andresilva Yes, a GUI app for this kind of update notification would be most appropriate.

[tomusdrw]

Couple of grumbles.

[tomusdrw]

Why do we need to create this filter manually? Ethabi does not support that?

[andresilva]

Yes I think ethabi supports this, I'll fix it.

[tomusdrw]

I'd say a day/week would be enough. To reach 2^21 (month) we already need to spend 48 days waiting for previous delays.

With week (2^19) it's 12 days waiting before reaching the cap
and with a day (2^16) it's 2 days waiting.

(Given my math is not off 😩 )

And I think it shouldn't be an issue to handle one request a week/day from every single node in case something goes wrong.

[andresilva]

Seems reasonable to me.

[folsen]

#hedidthemath

[tomusdrw]

if let Some(ref latest) = state.latest.clone() should be enough, you are cloning it again anyway.

[andresilva]

We can't borrow since we mutate on state. But I've updated it to avoid cloning latest again when triggering the fetch. I also removed a similar latest clone in poll.

[tomusdrw]

Isn't it possible to isolate the locks better? Or maybe pass the lock guard to fetch instead?

[andresilva]

Actually fetch doesn't lock on self.state so these are unnecessary. I updated updater_step and execute_upgrade to take the MutexGuard, all explicit drops have been removed.

[tomusdrw]

Perhaps pass the lock guard to the method instead?

[tomusdrw]

Should we increase the backoff even if latest.track is now different?

[andresilva]

If latest.track changes then we don't enter this branch and instead start downloading the new release (I think there's a test for this).

[tomusdrw]

Should the delay be capped with upcoming fork block number?

[andresilva]

Yes, good idea.

[tomusdrw]

How often do we poll? What's the guarantee that it will ever proceed?

[andresilva]

This is currently driven by ChainNotify and we only poll after we're done syncing.

[tomusdrw]

Ok! I was worried that if it's run by a timer instead it might go into some weird stalled situations where it's aligned with multiplication of block time and the frequency would work incorrectly.

[andresilva]

@tomusdrw I think I've addressed all your comments please re-review.