etcd3

[knisbet]

Issue: https://github.com/gravitational/gravity/issues/3121

This is the planet logic to implemented etcd upgrades. Let's chat about the approach before you spend too much time looking through the PR's.

[a-palchikov]

I've not yet completed the review - only skimmed over the first part of changes. I'll continue tomorrow.

[a-palchikov]

I'd swap the variable definitions to make it less error-prone:

# This is the version of etcd we should upgrade to (from the version list)
ETCD_LATEST_VER := v3.3.4
# ETCD Versions to include in the release
# This list needs to include every version of etcd that we can upgrade from + latest
ETCD_VER := v2.3.8 $(ETCD_LATEST_VER)

[knisbet]

I'm not sure I would embed $(ETCD_LATEST_VER) in ETCD_VER, to me it adds some amount of risks, that if someone say bumps ETCD to v3.3.5, that they may forget to add it to the ETCD_VER list, everything would work but upgrades from that version may not.

The way it is now, if someone bumps ETCD_LATEST_VER to v3.3.5, but forgets to update ETCD_VER, the new release will clearly not work.

[a-palchikov]

do you need go1.10 for anything specifically or is it just a timely update?

Also, do you know if go1.10 is an umbrella binary for 1.10.x or it is the 1.10.0? If they could release from release-branch.go1.10 as capturing the latest patch (i.e. 1.10.2 atm) but not sure if they actually do that.

[knisbet]

Etcd requires go 1.9, but I bumped to 1.10 since I was updating the version anyways: etcd-io/etcd#8548 (comment)

As for an umbrella binary, I don't know, I was sticking with the full version, as I suspect that's less likely for an upstream change to affect us.

[a-palchikov]

Is appending to planet-release intentional?

[knisbet]

Yes, right now it's only for etcd, but strictly speaking, if we were to embed version information for other dependencies, we could also include additional version information.

[a-palchikov]

echo -e to properly interpret escape sequences

[knisbet]

Are you sure that applies to Makefile builtin @echo?

[a-palchikov]

I don't think that's a builtin and what make does is it runs the echo command with the shell. The shell is /bin/sh by default but can be overridden with the SHELL envvar.
Now that I'm thinking about it, a better solution would be, for instance, to default SHELL to /bin/bash and use -e to avoid inconsistencies across environments:

With this makefile as an example:

.PHONY: all
all:
	@echo "\n --> I'm a bad boy\n"
	@echo -e "\n --> I'm a good boy\n"

you get either:

10:18 $ make

 --> I'm a bad boy

-e 
 --> I'm a good boy

or

10:18 $ make
\n --> I'm a bad boy\n

 --> I'm a good boy

(the last being also the result of using /bin/bash as a shell since bash only interprets escape sequence provided -e).
The results are different when I make locally or on jenkins (on jenkins, /bin/sh has been symlinked to /bin/bash)

[a-palchikov]

// EtcdGatewayList (a whitespace between commant and the sentence start)

[a-palchikov]

disables

[a-palchikov]

better to test for reversed condition to keep code outdented:

func etcdEnable(upgradeService bool) error {
	if !upgradeService {
		return trace.Wrap(enableService(ETCDServiceName))
	}
	// don't actually enable the service if this is a proxy
	env, err := box.ReadEnvironment(ContainerEnvironmentFile)
	if err != nil {
		return trace.Wrap(err)
	}

	if env.Get(EnvEtcdProxy) == EtcdProxyOn {
		log.Infof("etcd is in proxy mode, nothing to do")
		return nil
	}
	return trace.Wrap(enableService(ETCDUpgradeServiceName))
}

[a-palchikov]

no need for formatting version Infof w/o placeholders

[a-palchikov]

Do you want to fail the upgrade if you failed to query the status of the API server - it does not look like it's critical to the upgrade operation?
Otherwise you might need to undo a few things to be able to retry (though I'm not sure yet this is possible).

[a-palchikov]

same here: I'd accept the context from the outside.

[knisbet]

So I'm not completely sure I agree with you here in this specific case. etcdBackup / etcdRestore come from the dispatch from main based on the kingpin function, where we may not want to use the same context based on which cli command we're in.

However, this comes more from the philosophy of cobra, where the library does the dispatch for you, and the function for the command is really the entrypoint. Example: https://github.com/gravitational/etcd-backup/blob/master/cmd/etcd-backup/backup.go

[r0mant]

Extra ExecStart?

[a-palchikov]

This is to reset the previous value (here is a faint hint at resetting the values of a list attribute before setting a new one - look at the end of the document).

[r0mant]

trace.ConvertSystemError

[r0mant]

trace.ConvertSystemError

[r0mant]

trace.ConvertSystemError

[r0mant]

Use a constant for 644?

[r0mant]

You don't need fmt.Sprintf here.

[r0mant]

That's dangerous. I think this logic needs a better protection against accidental screw-ups - otherwise if "upgrade" somehow runs twice without "rollback", it will nuke the only backup on the second run.

Maybe it can append some ID (e.g. upgrade operation ID) to the backup dir to make it per-operation unique and instead of happily deleting it, refuse to proceed if it's not empty (thus, mandating rollback first).

[knisbet]

Hmm, if you run the step twice, it will early exit before this is hit, due to CurrentVersion == Desired version.

However, if it fails part way through the step, I think the filesystem could be inconsistent that would allow it to continue and delete the data. I'm not sure appending an ID really helps here, I think it would be susceptible to similar problems or would just leave a bunch of data lying around (which some customers are having trouble with as is). That said, I think it should be possible to make this code re-entrant, so that if it's run multiple times it will skip steps already completed and continue where it left off.

[r0mant]

Get rid of _ = then?

[knisbet]

I thought using _ = was a pattern for telling linters (and other devs) I'm intentionally swallowing the error.

[r0mant]

I'm looking at how this function is used and TBH the fact that it falls back to this "assumed" version makes the logic a bit harder to follow (for example, in etcdInit()). Also, IIUC it will still return 2.3.8 initially for new installs even though they're running 3.x? I would just have it return NotFound and handle on the caller side.

[r0mant]

This is what I was talking about in the currentEtcdVersion() method comment (see somewhere below). It returned 2.3.8 while in fact it's not.

[a-palchikov]

This looks like a longer version of:

c.Assert(err, IsNil)

[a-palchikov]

c.Assert(err, IsNil)? This will also mark the test as failed.

[a-palchikov]

Check for specific error expectation (type or a message).

[a-palchikov]

Not sure if it's worth testing.

[a-palchikov]

should not ignore errors here.
There's also a helper in fmt:

fmt.Fprintf(file, "%v=%v", EnvEtcdVersion, version)

[a-palchikov]

Setup etcd... - Capitalized as in other descriptions.

[a-palchikov]

... latest version ...

[a-palchikov]

You could use kingpin's ExistingFile mixin to enfocre this:

cetcdRestoreFile = cetcdRestore.Arg("file", "A previously taken backup file to use during upgrade").Required().ExistingFile()

[a-palchikov]

nit: Use dots to end sentences.

[a-palchikov]

Test for etcdproxy != "on" instead and don't use the else block as it is redundant:

func setupEtcd(config *Config) error {
	dropinPath := path.Join(config.Rootfs, ETCDGatewayDropinPath)

	if strings.ToLower(config.EtcdProxy) != "on" {
		err := os.Remove(dropinPath)
		if err != nil && !os.IsNotExist(err) {
			return trace.Wrap(err)
		}
		return nil
	}
	err := os.MkdirAll(path.Join(config.Rootfs, "etc/systemd/system/etcd.service.d/"), 0755)
	if err != nil {
		return trace.Wrap(err)
	}

	err = os.Symlink(
		"/lib/systemd/system/etcd-gateway.dropin",
		dropinPath,
	)
	if err != nil && !os.IsExist(err) {
		return trace.Wrap(err)
	}
	return nil
}

[r0mant]

Is this expected scenario? When a service status can't be queried?

[r0mant]

"to to" -> "to"

[r0mant]

Don't we also need to clean up data that can possibly be left after an upgrade attempt on rollback?

[knisbet]

This happens on the next upgrade attempt:

planet/tool/planet/etcd.go

Lines 315 to 320 in 182dff9

	// wipe data directory of any previous upgrade attempt
	path := path.Join(getBaseEtcdDir(desiredVersion), "member")
	err = os.RemoveAll(path)
	if err != nil && !os.IsNotExist(err) {
	return trace.ConvertSystemError(err)
	}

[r0mant]

IsNotExist check is redundant. From the docs: If the path does not exist, RemoveAll returns nil (no error)..

[r0mant]

So this is a version of a previous backup, not backup for this upgrade?

[knisbet]

that's correct.

[r0mant]

644 -> constants.SharedReadMask

[r0mant]

Use ticker := time.NewTicker instead and defer ticker.Close() it. From the docs:

While Tick is useful for clients that have no need to shut down the Ticker, be aware that without a way to shut it down the underlying Ticker cannot be recovered by the garbage collector; it "leaks".

[r0mant]

I would have all etcd* functions accept context as a parameter, even if it'd be passed as context.TODO() from main.go for now. This way it will be much easier to, for example, add a "--timeout" flag to all these commands so client can control it. Right now these internal context are pretty much useless.

[r0mant]

IsNotExist check is redundant.

[r0mant]

There's a constant for /registry as far as I can see.