Agent cache manager

[walmav]

agent cache manager:
renews expired SVID in cache
updates cache with new registration entry SVIDs
changed FetchSVID endpoint to use grpc streams

#TODO Increase test coverage for cache manager(48.9%)

fixes #233

[evan2645]

When ranging over a channel, the channel must be explicitly closed in order to break the range - otherwise, it will block forever

[evan2645]

Maybe this should be in cache package? It would then be cache.NewManager

[walmav]

makes sense will change the package

[evan2645]

We should use a config struct for all these

[evan2645]

@boz had once recommended not passing channels around (particularly between packages), and after having played around with them a bit I tend to agree. Here's the pattern I used the last time I ran into this:

spire/pkg/server/endpoint/endpoint.go

Lines 178 to 210 in 18eb814

	func (e *endpoint) listenAndServe() error {
	grpcListener, err := net.Listen(e.grpcAddr.Network(), e.grpcAddr.String())
	if err != nil {
	return err
	}
	errChan := make(chan error)
	go func() {
	errChan <- e.grpcServer.Serve(grpcListener)
	}()
	go func() {
	errChan <- e.httpServer.ListenAndServe()
	}()
	// Differentiate between shutdown and an actual error condition
	err = <-errChan
	if e.isCleanShutdown(err) {
	// Ensure that the second server shutdown cleanly
	err = <-errChan
	if e.isCleanShutdown(err) {
	return nil
	}
	return err
	}
	e.grpcServer.Stop()
	_ = e.httpServer.Close()
	_ = <-errChan
	return err
	}

And then on the consuming side:

spire/pkg/server/server.go

Line 153 in 18eb814

go func() { server.Config.ErrorCh <- server.endpoints.ListenAndServe() }()

I have found other common libraries to have similar block-forever behavior (like net/http server and grpc server)

[boz]

Passing in a channel to signal when to stop isn't all that bad here -- it's similar to passing around a context.Context and having things listen to Done() -- but it gets pretty messy if it's not just closed to signal the shutdown.

If you want to continue using a channel, UpdateCache() should take a <-chan struct{} to ensure that the signaling only goes one way.

With that said, I think the general approach to these things in this project needs work. Yes, as @evan2645 said, things like Config.ErrorCh are red flags.

Try decoupling the objects - give them all a common interface of something along the lines of:

interface AsyncObject {
  Shutdown()              // signals shutdown, internally the `context.CancelFunc` is called.
  Done() <- chan struct{} // channel is readable when all gofuncs have returned
  Err() error             // blocks until done and then returns error if one occurred.
}

Use context.Context for shutting down - when an object is created it can use context.WithCancel() to derive a new one for itself and also have a context.CancelFunc to use for it to shutdown itself.

For composite objects:

1. wait for any of the child objects to be Done() or for your context to be Done().
2. Shutdown() all children.
3. Wait for all children to be Done().
4. Derive an error from the Err() of the children.
5. return from main loop and close Done() channel.

With something like this then an object only needs to manage the lifecycle of its direct descendants and each object is only coupled to its parent via the context.Context that it was given.

[walmav]

Thank you @boz for explaining it so well. I will make the necessary changes to use context.Context instead of a stop channel and implement the decoupling pattern you explain here.

[evan2645]

Welp, looks like I stand corrected :) blocking forever can be dangerous - I just hit this one in the very example I linked previously golang/go#20239

[evan2645]

nit: Entries?

[evan2645]

Fancy :)

[evan2645]

an svid.pem has been checked in that you can use or replace

[walmav]

yea the rebase pulled in two other pem. will consolidate.

[evan2645]

is this different than the existing blog_csr.pem fixture?

[evan2645]

same here for blog_cert.pem?

[evan2645]

Maybe this should go in test/util?

[kunzimariano]

It could also read the content from https://github.com/spiffe/spire/blob/master/test/fixture/registration/good.json

[boz]

Looks like it needs some work on lifecycle management and error handling.

Let me know if you want some examples for lifecycle management options.

[boz]

Any reason why these are initialized here? What happens if Run() is called twice? It's generally preferable to have as little mutation after construction as possible IMO.

[walmav]

makes sense. I will move these initializations to the newAgent.

[boz]

Passing in a channel to signal when to stop isn't all that bad here -- it's similar to passing around a context.Context and having things listen to Done() -- but it gets pretty messy if it's not just closed to signal the shutdown.

If you want to continue using a channel, UpdateCache() should take a <-chan struct{} to ensure that the signaling only goes one way.

With that said, I think the general approach to these things in this project needs work. Yes, as @evan2645 said, things like Config.ErrorCh are red flags.

Try decoupling the objects - give them all a common interface of something along the lines of:

interface AsyncObject {
  Shutdown()              // signals shutdown, internally the `context.CancelFunc` is called.
  Done() <- chan struct{} // channel is readable when all gofuncs have returned
  Err() error             // blocks until done and then returns error if one occurred.
}

Use context.Context for shutting down - when an object is created it can use context.WithCancel() to derive a new one for itself and also have a context.CancelFunc to use for it to shutdown itself.

For composite objects:

1. wait for any of the child objects to be Done() or for your context to be Done().
2. Shutdown() all children.
3. Wait for all children to be Done().
4. Derive an error from the Err() of the children.
5. return from main loop and close Done() channel.

With something like this then an object only needs to manage the lifecycle of its direct descendants and each object is only coupled to its parent via the context.Context that it was given.

[boz]

Do you want to continue if there's an error?

Seems like just returning (manager,error) would be simpler.

Also, returning an un-exported struct (manager) from an exported function NewManager is kinda iffy.

[boz]

I don't think this stuff should be modifying m. Anything stopping UpdateCache() from being called twice?

Why is CacheEntryCh exported?

[boz]

Do you really want to continue if there's an error? Will node.NewNodeClient(conn) handle conn == nil gracefully?

[boz]

Why is this capitalized?

[boz]

Will conn, stream, or resp be nil if there is an error?

[boz]

Will stream, resp, or cert be nil if there is an error?

[boz]

This doesn't look gofmt'd

[boz]

This change will be visible to everything else that uses the same Config that was passed into New(). Unexpected behavior at the very least, IMO.

[kunzimariano]

Do we want this value here or do we prefer an empty one?

[kunzimariano]

It could also read the content from https://github.com/spiffe/spire/blob/master/test/fixture/registration/good.json

[boz]

Looks a lot better.

Some deadlock issues to work through but getting closer.

[boz]

A trick I've been doing to allow both graceful shutdown and easy "really, f--ing die" is to stop handling signals after the first one. See here.

It might not be too applicable in a non-interactive program like this server, but mentioning for food for thought. It can make dev cycles easier (although Ctrl-\ is usually fine too).

[boz]

Do you want "in parse reg" to be printed? What about entries?

[boz]

delete commented code.

[boz]

delete commented code

[boz]

Is this the only place that the context can be cancelled? If do the WithCancel() in here. Otherwise it's not clear that the context can be cancelled elsewhere and the following select will never stop blocking.

[boz]

deadlock here. quickfix similar to above.

[boz]

deadlock here. quickfix similar to above.

[boz]

these breaks will trigger the deadlock; Shutdown() cancels the context and then m.entryRequestCh <- entryRequestMap is executed after the for loop.

[boz]

use this context for grpc calls where appropriate.

[boz]

might want to incorporate the context into this Dial.

[evan2645]

Few minor comments to add to boz's far more important ones :)

[evan2645]

style nit: newline before config

[evan2645]

style nit: newline before }

[evan2645]

Discussed offline implications related to golang/go#20239

Suggest Init call to return once the cache manager is running

[evan2645]

nit: we can skip the error: prefix since we're logging it as warn level. If you wanna keep it, then maybe add a space after it

[evan2645]

non-blocking: this is pretty hard to read. maybe a comment or something will help

[evan2645]

Can we remove these?

[evan2645]

Do we need spaces at the end of these strings? Also, is entryRequests cleanly printable? I saw some hex debug output during your demo yesterday. Another option is to use structured logging. Similar comment about many of the other debug statements in here

[evan2645]

Can we remove this?

[evan2645]

Maybe we can remove some of these debug lines? I assume they were there for... debugging :) but some of them will be hard to grok for folks who are not intimately familiar with this bit of the code. Also feels like the volume of debug statements from cache manager will drown out lines from other areas in the agent

[walmav]

@boz @evan2645 I have addressed most of the PR comments here. Please review. Thank you!

[boz]

Looking great.

Sorry I missed the Shutdown() thing earlier.

[boz]

There's a race condition here because m.Shutdown() is called from multiple threads.

Also, every Shutdown(err) will overwrite the previous reason. The initial error is generally more useful imho.

A quick fix/hack would be to wrap it in a sync.Once:

m.once.Do(func(){
   m.reason = err
})

[walmav]

created a errch channel, the errch receiver would drain all errors and only call shutdown with the first error.

[boz]

stream.Close()

[evan2645]

Shutdown(err) can be called twice in the event that stream.CloseSend() in the defer returns non-nil error. Is that ok? Same thing with the Shutdown calls below

[boz]

stream.Close()

[boz]

stream.Close()

[boz]

use defer close(strmch) as a prelude to this fn so you don't have to worry about it.

[boz]

return?

[boz]

return?

[boz]

curious: what does CloseSend() get you over Close()? Using a single defer stream.Close() is more readable to me but maybe I'm missing something?

[walmav]

the GRPC ClientStream interface used here for bi-directional stream only support CloseSend() which closes the send side so if there are more messages from the other direction it would still receive it.

[boz]

I see, thanks. Maybe just defer stream.CloseSend() then?

[walmav]

calling defer stream.CloseSend() would block the stream from closing and creates a deadlock..the go func would never terminate

[boz]

Not sure I understand, but ok.

As of now it's doing

// ...
go func(){
  // ...
  stream.CloseSend()
  // ...
}()
stream.CloseSend()
// ...

which doesn't make much sense to me.

[walmav]

so stream.Recv() returns err=io.EOF to signal the end of msgs on the stream which would never happen without sending stream.CloseSend() In our go func we wait till we receive io.EOF so with defer we would get blocked waiting on io.EOF
Also I removed the stream.CloseSend() inside the go func()

[evan2645]

Feels like we should log this instead so we still get to know the original error

[evan2645]

Was this intentional? It was recently committed to fix #213

[walmav]

not at all intentional..I think this was some conflict resolution issue..will fix it

[evan2645]

non-blocking: This should probably be formally structured

[boz]

whack-a-deadlock

[boz]

the wg.Add(1) will never be wg.Done() for this iteration if you break here. for clarity, try to move the wg.Add(1) as close to the go fn() as possible.

[boz]

m.errch is unbuffered; this will block forever.

[boz]

this will deadlock if Init() is blocking on wg.Wait()

[boz]

ditto - deadlock.

[boz]

deadlock.

[boz]

deadlock.

[boz]

deadlock.

[boz]

deadlock.

[boz]

deadlock.

[boz]

m.errch is not closed here; this will block forever.

[boz]

deadlock.

[walmav]

@boz would it make sense to wait on the m.errch in a separate go func() to avoid these deadlocks:

	go func() {
		err := <-m.errch
		m.Shutdown(err)
		for err := range m.errch {
			m.log.Debug(err)
		}}()

[boz]

No.

• what if nothing is ever sent to m.errch?
• m.errch is not closed before the for loop so that will block forever.

Don't use m.errch. Use Shutdown(error). Log in that method. Populate m.reason with the error that gets passed the first time Shutdown() is called using sync.Once like I mentioned earlier.

Alternatively, look at tomb or go-lifecycle for other pattern options.

[walmav]

ok let me go back to using Shutdown(error) with sync.Once. Thank you.

[boz]

🎊

[ghost]

We require contributors to sign our Contributor License Agreement.
If you are submitting ad an individual, please see https://goo.gl/Wf9j4z
for more information.

If you are covered by a Organizational CLA, the email address you
use in your commits must include your company's domain name, and
that email address must be verified by GitHub.

[boz]

looks great!

[evan2645]

lgtm 🚢 🇮🇹

[evan2645]

Will this unblock on an error condition too or only a clean shutdown? Should we shutdown the agent?

[walmav]

Yes CacheMgr.Done() will return when doneCh is closed which happens when the Init() method returns

[evan2645]

Above near my other comment, we wait on the Done channel in agent, then once we receive off of it, we call Err() to see if there was an error... but Done channel is being read here again. Does it get closed somewhere? If it's closed we'll read a zero value and continue, but if it's not it will block

[walmav]

yes it gets closed when the main loop returns..see comment above

[evan2645]

Shutdown(err) can be called twice in the event that stream.CloseSend() in the defer returns non-nil error. Is that ok? Same thing with the Shutdown calls below

[evan2645]

It looks like here we create strmch but never write to it, only close it once the go func is done. Do we need to have a go func here in that case?

[walmav]

All that shutdown is doing is setting the error and then calling cancel function..subsequent calls to cancel do nothing

[walmav]

hmm good point I dont think its necessary to use a go routine here but not really sure if it hurts to have one.