Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

checksumming state store implementation #16257

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

checksumming state store implementation #16257

wants to merge 2 commits into from

Conversation

tgross
Copy link
Member

@tgross tgross commented Feb 24, 2023
edited
Loading

Nomad's in-memory state store is subject to corruption when an object that's
read from memdb is mutated. Depending on memdb's (undocumented) isolation
guarantees, there may be a narrow number of cases where an object that's been
inserted can be safely mutated in the same transaction before the transaction is
committed. But in general the rule is that you always need to deep copy the
object before mutating. This class of bug is hard to track down, leading to
"spooky action at a distance" when servers have diverging in-memory states, and
the potential existence of these bugs undermines our confidence in understanding
the system.

This changeset extends the FSM interface wrapper started by the event stream
work to allow checksumming. When enabled, the wrapper checksums each object on
insert and writes it to a table of checksums. On read, the wrapper checksums the
object again and looks for a matching previously-recorded checksum. If there's
no match, the object has been mutated outside of an insert.

Checksumming slows down the state store quite a bit (4x latency for
typical RPCs with multiple queries like JobRegister), so this will only ever
be intended for testing and developer debugging.

The process of going through the whole code base to detect these problems is
going to land in several PRs, as we frequently corrupt the state store in test
code. This PR gets the nomad/state package tests all passing with the
checksumming state store.

Notes to reviewers:

  • I've got this in draft for now as I'd like to test out a different hash that @lgfa29 brought up. But this should be good enough to discuss the overall design.
  • I know at a glance this PR looks huge but a lot of the changed lines are swapping *txn pointers for for Txn interfaces. 😀
  • I'm seeing a few tests outside the nomad/state package are currently failing because they're grabbing the state.TestStateStore. Will fix that on Monday.
  • My very rough working branch where I'm pulling changesets out of is statestore-checksumming.

@tgross
checksumming state store implementation
88b92f2 
Nomad's in-memory state store is subject to corruption when an object that's
read from memdb is mutated. Depending on memdb's (undocumented) isolation
guarantees, there may be a narrow number of cases where an object that's been
inserted can be safely mutated in the same transaction before the transaction is
committed. But in general the rule is that you always need to deep copy the
object before mutating. This class of bug is hard to track down, leading to
"spooky action at a distance" when servers have diverging in-memory states, and
the potential existence of these bugs undermines our confidence in understanding
the system.

This changeset extends the FSM interface wrapper started by the event stream
work to allow checksumming. When enabled, the wrapper checksums each object on
insert and writes it to a table of checksums. On read, the wrapper checksums the
object again and looks for a matching previously-recorded checksum. If there's
no match, the object has been mutated outside of an insert.

The process of going through the whole code base to detect these problems is
going to land in several PRs, as we frequently corrupt the state store in test
code. Checksumming slows down the state store quite a bit (4x latency for
typical RPCs with multiple queries like `JobRegister`), so this will only ever
be intended for testing and developer debugging.
@tgross tgross requested review from lgfa29 and schmichael February 24, 2023 21:06
@tgross tgross added this to the 1.5.x milestone Feb 24, 2023
@tgross tgross added type/enhancement theme/testing Test related issues labels Feb 24, 2023
@tgross tgross mentioned this pull request Feb 24, 2023
Merged
@tgross
tests with checksumming state store: nomad/state
c42e111 
Get the `nomad/state` package tests all passing with the checksumming state
store. This work will be broken across multiple PRs.
@tgross tgross force-pushed the checksumming-state-store branch from 107b110 to c42e111 Compare February 24, 2023 21:38
@tgross tgross requested a review from shoenig February 24, 2023 21:38
This was referenced Feb 27, 2023
Merged
Merged
@tgross tgross modified the milestones: 1.5.x, 1.6.x Jun 23, 2023
@tgross tgross added the stage/needs-rebase This PR needs to be rebased on main before it can be backported to pick up new BPA workflows label May 17, 2024
@tgross tgross mentioned this pull request Jul 24, 2024
Open
@tgross tgross mentioned this pull request Aug 7, 2024
Closed
This was referenced Nov 6, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lgfa29 lgfa29 Awaiting requested review from lgfa29

@schmichael schmichael Awaiting requested review from schmichael

@shoenig shoenig Awaiting requested review from shoenig

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
stage/needs-rebase This PR needs to be rebased on main before it can be backported to pick up new BPA workflows theme/testing Test related issues type/enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tgross