Host container migrations #294
Conversation
For new setting-generator we process following fields from the defaults TOML file: - command - strength - skip-if-populated This needs to be saved as json in the filesystem.
The get API on route /tx is used to fetch the pending settings in pending transaction. This is used in setting-commiter to just log the pending settings before committing them. The version 2 of this api will also return the pending metadata.
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages.
vyaghras
force-pushed
the
host_container_migrations
branch
from
8c3e361 to
e997915
Compare
Earlier we used to have setting generator as a string, but we have now changed it to a struct containing the command, strength and skip-if-populated. Hence after requesting the settings generators from api, we need to change these in to Setting generator struct instance. We will use default strength strong and skip_if_populated true if the setting generator is a string and use what has been provided in the response otherwise. Then after running the setting generator, we will send the weak and strong setting settings separately to process them using api.
We will remove the weak settings and settings genrators using the migrator of the destination migrator. The storewolf do not repopulate any metadata or setting, if it is already presnt. As migrator runs before storewolf, if we will delete the weak settings and setting-generators in migrator, storewolf can populate the setting-generator from defaults and ssundog will populate the new source using the new setting generator from default.
- `/v2/tx`: We will also return the pending metadata along with pending settings(that we used to return in version 1). As the return struct is changing, we are doing versioning of the API. - `v2/metadata/settings-generators`: We will also return the settings-generators(that contains strength and are saved as JSON object in datastore). As we just used to return arrays and string earlier as response for this API, returning object may break the existing usage. Hence we need to version this API. - `/settings`(patch and patchkeypair): For both of these we will set strength metadata. The default strength used is strong. - `/tx/commit` and `/tx/commit_and_apply`: We will commit the pending metadata(that just accounts for strength metadata for now) as part of commit. No changes has been done in apply.
vyaghras
force-pushed
the
host_container_migrations
branch
from
e997915 to
4d9addf
Compare
|
☝️ Fixed failing tests |
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
We need to add these to match changes in Bottlerocket-core-kit Refer commit: bottlerocket-os/bottlerocket-core-kit@a72f6bd PR: bottlerocket-os/bottlerocket-core-kit#294
We need to add these to match changes in Bottlerocket-core-kit Refer commit: bottlerocket-os/bottlerocket-core-kit@a72f6bd PR: bottlerocket-os/bottlerocket-core-kit#294
We need to add these to match changes in Bottlerocket-core-kit Refer commit: bottlerocket-os/bottlerocket-core-kit@a72f6bd PR: bottlerocket-os/bottlerocket-core-kit#294
Updated the `commit_transaction` function to enable committing metadata from pending transactions. In commit transaction we will first commit metadata and then pending keys to correctly perform the check to identify if key exists or not. The strength handling among pending and committed transaction is as: If pending metadata is strong and committed metadata is weak, commit the pending setting. If pending metadata is weak, committed metadata is strong and the setting is already available, do not downgrade from strong to weak. Otherwise add the strength file with value as weak. If pending and committed metadata are the same, no action is performed. Additionally, made minor changes to metadata functions for improved access and flexibility: Introduced a `committed` field to dynamically access metadata in pending transactions. Replaced the hardcoded use of live committed metadata with this committed variable ans pass Committed::Live from previous usages. Refer commit: bottlerocket-os/bottlerocket-core-kit@20a435e Refer PR: bottlerocket-os/bottlerocket-core-kit#294
We need to add these to match changes in Bottlerocket-core-kit Refer commit: bottlerocket-os/bottlerocket-core-kit@a72f6bd PR: bottlerocket-os/bottlerocket-core-kit#294
|
Do you mind adding more detail to the PR description about the intent of this changeset? Moving the testing done to a gist may also help to make the PR description a bit less cluttered. |
| // This is special case to handle metadata as table that contains | ||
| // "command": "command", | ||
| // "strength": "weak", | ||
| // "skip-if-populated": true | ||
| if table.contains_key("command") | ||
| && table.contains_key("strength") | ||
| && table.contains_key("skip-if-populated") |
There was a problem hiding this comment.
We had spoken previously about allowing metadata objects that aren't related to "setting-generators" by e.g. using something like metadata-table to prefix the keys.
It seems like this approach focuses more heavily on only supporting the setting generator case, though.
Is there a reason we shouldn't do the more generic solution?
If we do indeed go with the more specific solution, can we make it more clear here why we've chosen these keys? e.g. the comment should probably explain that these are the setting-generator keys, and we should ensure that the metadata itself is referring to a setting generator.
There was a problem hiding this comment.
Spoke with @vyaghras in person about this. CC @bcressey as well so we can reconcile opinions here.
To recap: the problem we are solving is that when storewolf encounters a TOML table, it recursively descends into the settings or metadata within, treating all other TOML value types as "leaves" which will be individually stored as metadata. With the changes to setting-generators, we wish to represent them as objects and so need storewolf to be able to distinguish between "leaf" objects that should be stored, and "branch" objects into which it should recurse.
The proposed solutions that I'm aware of are:
- Add a new key type
metadata-tableforstorewolf, indicating that the TOML table should be treated as a leaf.- Pros: Unambiguous, Generic
- Cons: Poor clarity:
metadataandsettingsboth align exactly with datastore classifications. Addingmetadata-tableis less clear.
- (Implemented here) search through TOML tables for keys that distinguish specific metadata tables as being
setting-generators, then store those as objects.- Pros: Preserves datastore semantic clarity
- Cons: Unambiguous, but only if you know the rules on what keys are special. Future metadata objects would need special consideration
Some additional ideas I discussed with @vyaghras were:
- Mark leaf objects in the config with a special key, like
is-object: true. Storewolf can discard this key after using it to identify the object as a leaf.- Pros: Unambiguous, Generic, Maintains datastore semantic clarity
- Cons:
is-objectwould steal keyspace that is otherwise reserved for settings data.
- Add a postfix or suffix to the TOML table key which is otherwise "illegal" in the keyspace which indicates that a table is a leaf. e.g.
[metadata.top-level.sub-level~]or[~metadata.top-level.sub-level].- Pros: Unambiguous, Generic, maintains datastore semantic clarity
- Cons:
~is somewhat opaque.
For what it's worth, I'm partial to the last suggestion because it keeps the keyspace open everywhere else for the data being stored, but curious what ya'll think. I'm also open to a suggestion that I'm overcomplicating this 😆
| let mut path = path.clone(); | ||
| path.push(key.to_string()); | ||
| to_process.push((path, val)); | ||
| // This is special case to handle metadata as table that contains |
There was a problem hiding this comment.
Could we add unit tests for the parent function to assert that we're emitting the correct metadata? I think this is especially important now that we are treating a very specific case differently than others.
| // If we have setting-generator metadata as table like | ||
| // [metadata.settings.host-containers.admin.source.setting-generator] | ||
| // command = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.13'" |
There was a problem hiding this comment.
nit: I think this comment is a bit distracting here, since it doesn't influence the implementation. Something more generic like "metadata is expressed as arbitrary JSON values" may be better while still getting the point across.
| @@ -494,6 +515,29 @@ paths: | |||
| type: string | |||
| 500: | |||
| description: "Server error" | |||
| /v2/metadata/setting-generators: | |||
| get: | |||
| summary: "Get programs with strength needed to generate settings" | |||
There was a problem hiding this comment.
nit:
| summary: "Get programs with strength needed to generate settings" | |
| summary: "Get programs to generate settings, and the strength of the generated settings" |
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: #/components/schemas/SettingsResponseWithMetadata" |
There was a problem hiding this comment.
This component doesn't seem to be defined.
| warn!("Trying to change the strength from strong to weak for key: {}, Operation ignored", key.name()); | ||
| continue; |
There was a problem hiding this comment.
I think that this should cause the transaction to fail.
There was a problem hiding this comment.
We would not like to stop the transaction in between, hence we can just log it and keep going with the rest of the transaction.
There was a problem hiding this comment.
Left in another comment, but can we make the decision on whether or not to proceed before we start writing anything? That way it would not be possible to commit a partial transaction.
| @@ -10,6 +10,7 @@ The output is collected and sent to a known Bottlerocket API server endpoint. | |||
| #[macro_use] | |||
There was a problem hiding this comment.
Nit for the commit message:
sundog: Parse settings generators as a table
I might change this to something like:
sundog: Parse setting generators using model
| let response: HashMap<String, Value> = serde_json::from_str(&response_body) | ||
| .context(error::ResponseJsonSnafu { method: "GET", uri })?; | ||
|
|
||
| get_setting_generator_from_api_response(response) | ||
| } | ||
|
|
||
| fn get_setting_generator_from_api_response( |
There was a problem hiding this comment.
I'm OK with this as-is, but there's an example in the serde docs for parsing a struct from input which could either be a struct or a string.
If implemented this way, you could leave the details of parsing settings generators to the model, and then just directly parse into HashMap<String, SettingsGenerator>.
| if generator_object.skip_if_populated | ||
| && populated_settings | ||
| .iter() | ||
| .any(|k| k.starts_with_segments(setting.segments())) | ||
| { | ||
| debug!("Setting '{}' is already populated, skipping", setting); |
There was a problem hiding this comment.
It might be a good idea here to also emit a log message if the value is populated but skip_if_populated is true. One succinct way you could do that would be to match against a tuple of the values:
match (generator_object.skip_if_populated, populated_settings) {
(true, true) => {
debug!("Setting '{}' is already populated, skipping", setting);
continue;
},
(false, true) => {
debug!("Setting '{}' is already populated, but configured to be overwritten", setting);
}
_ => (),
}
| set_settings(&args.socket_path, settings).await?; | ||
| set_settings(&args.socket_path, weak_settings, Strength::Weak).await?; | ||
| set_settings(&args.socket_path, strong_settings, Strength::Strong).await?; |
There was a problem hiding this comment.
nit: Should we check that the settings aren't empty before submitting them?
There was a problem hiding this comment.
It is struct of type model::Settings, hence can not check if it is empty or not?
There was a problem hiding this comment.
Is it something we could check prior to creating the model::Settings? Perhaps we could return Option<model::Settings>.
| let datastore = match remove_weak_settings(&args.datastore_path, &args.migrate_to_version).await | ||
| { | ||
| Ok(datastore) => datastore, | ||
| Err(e) => { | ||
| eprintln!("{}", e); | ||
| process::exit(1); | ||
| } | ||
| }; | ||
|
|
||
| // change datastore path in args | ||
| let mut args = args; | ||
| args.datastore_path = datastore; |
There was a problem hiding this comment.
I'd rather see this moved to run() -- It's pretty common for main() to handle argument parsing and logging setup, and then delegate the rest of the programs functionality to some other function.
My specific problem here is that overwriting args could make for very confusing debug logging later on, if the software reports args that are different to the actual command line args for the program.
| Ok(target_datastore) | ||
| } | ||
|
|
||
| fn remove_weak_setting_from_datastore(datastore: &mut DataStoreData) -> Result<DataStoreData> { |
There was a problem hiding this comment.
Do you mind adding docstring comments to remove_weak_settings and remove_weak_settings_from_datastore? The intent (and difference between both) isn't clear without reading the function source.
| async fn remove_weak_settings<P>(datastore_path: P, new_version: &Version) -> Result<PathBuf> | ||
| where | ||
| P: AsRef<Path>, | ||
| { | ||
| // We start with the given source_datastore, updating this to delete weak settings and setting-generators | ||
| let source_datastore = datastore_path.as_ref(); | ||
| // We create a new data store (below) to serve as the target for update. (Start at | ||
| // source just to have the right type) | ||
| let target_datastore = new_datastore_location(source_datastore, new_version)?; | ||
|
|
||
| let source = DataStoreImplementation::new(source_datastore); | ||
| let mut target = DataStoreImplementation::new(&target_datastore); |
There was a problem hiding this comment.
I'd like to see unit tests of the "weak" removal functionality.
One way to do this would be to delegate the rest of remove_weak_settings (after the selection that I've left my comment on) to another function, something like:
/// Copies the contents of `source` to `target`, excluding any "weak" settings.
fn copy_without_weak_settings(source: impl Datastore, target: impl Datastore) {
// the rest of the implementation
}Writing this against impl Datastore would let storewolf call it with the source/target that you've created here, but you could add tests which use the in-memory datastore implementation to validate that your logic is correct.
| set_settings(&args.socket_path, settings).await?; | ||
| set_settings(&args.socket_path, weak_settings, Strength::Weak).await?; | ||
| set_settings(&args.socket_path, strong_settings, Strength::Strong).await?; |
There was a problem hiding this comment.
Is it something we could check prior to creating the model::Settings? Perhaps we could return Option<model::Settings>.
| for (key, value) in transaction_metadata { | ||
| for (metadata_key, metadata_value) in value { | ||
| // For now we are only processing the strength metadata from pending | ||
| // transaction to live | ||
| if metadata_key.name() != "strength" { | ||
| continue; | ||
| } |
There was a problem hiding this comment.
To elaborate on this one a bit more -- the datastore currently has no concept of "strength", only data and metadata. The concept of strength is a concept in Bottlerocket that happens to be stored in metadata. This is why I think it makes sense to implement the strength checks at the API/controller layer.
I'm not completely opposed to making commits "strength-aware" at the datastore layer. But if we do it, we need to move the implementation "up" one more level of abstraction. To be specific, right now the checks are only implemented for "commits" of the Filesystem implementation, but it should work for both the Filesystem and InMemory implementation.
Some of the shared functionality is implemented at the Trait level as default methods -- perhaps this could be one way to share the functionality?
| fn strength(query: &web::Query<HashMap<String, String>>) -> Strength { | ||
| match query.get("strength") { | ||
| Some(strength) => strength.parse::<Strength>().unwrap_or(Strength::Strong), | ||
| None => Strength::Strong, | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
If the given query string isn't strong or weak, we should probably throw an error.
| fn strength(query: &web::Query<HashMap<String, String>>) -> Strength { | |
| match query.get("strength") { | |
| Some(strength) => strength.parse::<Strength>().unwrap_or(Strength::Strong), | |
| None => Strength::Strong, | |
| } | |
| } | |
| fn strength(query: &web::Query<HashMap<String, String>>) -> Result<Strength> { | |
| Ok(query.get("strength") | |
| .map(str::parse::<Strength>) | |
| .transpose() | |
| .context(SomethingSomethingSomething)? | |
| .unwrap_or_default()) | |
| } |
| let mut metadata = HashMap::new(); | ||
| for (key, value) in transaction_metadata { | ||
| let mut inner_map = HashMap::new(); | ||
| for (inner_key, inner_value) in value { | ||
| inner_map.insert(inner_key.name().clone(), inner_value); | ||
| } | ||
| metadata.insert(key.name().clone(), inner_map); | ||
| } |
There was a problem hiding this comment.
Carrying around deeply nested hashmaps and performing "on-the-spot" conversions like this can get messy fast.
Suggestion:
- Make a type like
SettingsMetadatawhich implementsFrom<HashMap<Key, HashMap<Key, Value>>> SettingsMetadatacan#[derive(Serialize, Deserialize)]and use the#[serde(transparent)]to expose the inner nested hashmap.- Modify
get_transaction_metadatato return aSettingsMetadatastruct.
| // We know it is not possible, as in default we set the setting-generator | ||
| // as string or object | ||
| _ => { | ||
| info!("Invalid value type for key '{}': {:?}", key, value); |
There was a problem hiding this comment.
We should log this as error!
| for (key, value) in metadata_for_keys.iter() { | ||
| match value { |
There was a problem hiding this comment.
Mentioned in another comment, but if we allowed SettingsGenerator to successfully deserialize from a String or an Object, we could remove a branch and make this much simpler -- just parse the returned metadata into a SettingsGenerator
|
|
||
| info!("Writing Metadata to data store"); | ||
| match strength { | ||
| Strength::Strong => { | ||
| // Get keys in the request |
There was a problem hiding this comment.
The checks against Live happening in this function won't work -- we need to handle checks against strength changes at commit time. If we do it at set, another transaction could come first and change our assumptions, leading to a TOCTOU bug.
Issue number:
Closes #
Description of changes:
In case of host container upgrade in BoB repo, we need to write migrations. By this PR we are incorperating the concept of weak and strong setting, where a weak setting will be deleted on upgrade and downgrade and default setting will be populated from the settings-defaults.
Testing done:
Refer https://gist.github.com/vyaghras/cc7391ade3b276b223d1814a8770eea7
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.