Allow managers not to expose a remote API port

[aaronlehmann]

We'd like Docker to support swarm services without needing to run swarm init. One of the preconditions for this is that the swarm manager needs to operate and be useful without exposing a port to the outside world.

This PR is split into multiple parts, which will each become a separate PR for ease of review. The first few commits are focused on allowing the agent and certificate issuance/renewal to work without relying on a TCP connection to back to the same process. This works by exposing servers such as the dispatcher and node CA on the unix socket (or equivalent), and using that instead of a TCP connection. In theory we could codegen something to patch the calls straight through to the handlers (with some stuff injected onto the context to identify the caller as the local node), but for now, using the unix socket is good enough. This required some changes to the raft proxy to let it inject the local node identity onto the context when it's calling the handler locally.

• Fix demotion (No automatic manager shutdown on demotion/removal #1829)
• Expose the dispatcher, node CA, and a few other services on the UNIX socket. Inject the local node identity when they receive connections this way. (Expose needed services on the control socket #1828)
• Add a connectionbroker package. This is a small abstraction on top of Remotes that provides a gRPC connection to a manager. If running on a manager, it uses the unix socket, otherwise it will pick a remote manager using Remotes. This allows things like agent and certificate renewal to work even on a single node with no TCP port bound. (Add connectionbroker package #1850)
• Convert the agent and CA client to use connectionbroker. (Convert code to use connectionbroker package #1851)
• Separate binding ports from creating the manager. Add methods to Manager and Node that allow binding a port after the manager is already running. A small change to raft allows the raft code to get the machine's external address after raft is already running, instead of relying on having it already. (This PR)
• A simple integration test that binds a port after starting the first manager. (This PR)

cc @aluzzardi @LK4D4 @diogomonica @cyli @tonistiigi @stevvooe

[aluzzardi]

/cc @ehazlett @icecrime

[aluzzardi]

Awesome!

This also solves many issues we had with the local agent not connecting to the local manager, such as status drifting (e.g. Node both "down" and "reachable").

[LK4D4]

@aaronlehmann can we split it into different prs for easier reviews? Connbroker change permeates almost all files, so it's hard to find other changes.

[codecov-io]

Current coverage is 53.38% (diff: 50.88%)

Merging #1826 into master will decrease coverage by 0.29%

@@             master      #1826   diff @@
==========================================
  Files           107        107          
  Lines         18403      18489    +86   
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
- Hits           9880       9871     -9   
- Misses         7308       7396    +88   
- Partials       1215       1222     +7   

Powered by Codecov. Last update 9a7d5e6...0eca203

[aaronlehmann]

@LK4D4: This PR is split into 3 commits. I thought reviewing commit by commit would make sense, but if you think it's easier, I can split this into multiple PRs.

Would you like me to open a separate PR with just the connection broker commit, or would you like me to split that one into smaller pieces?

[aaronlehmann]

If you'd like, I could split it into a sequence of commits and/or PRs like this:

1. Expose dispatcher/NodeCA/etc on local socket, modify proxy to support this.
2. Add connection broker package
3. Update existing code to use connection broker instead of remotes
4. Add late-binding support to manager and node
5. Add integration test

[LK4D4]

@aaronlehmann splitting plan will make it way easier for me to review. I think it's better to open different PRs.
Thanks!

[aaronlehmann]

OK. If it's alright with you, I'll leave this one open as a complete PR to show the big picture, and also open one PR at a time to get the individual pieces merged.

[ehazlett]

nice! design sgtm

[aaronlehmann]

Split the commits as discussed, and opened #1828 to review/merge the first piece. I've seen a few integration test failures with just this first one locally, but it's tricky to reproduce and I can't understand why this change would cause issues (since it's just exposing some services in a way that nothing uses yet). I wonder if the failures are related to a recent change on master instead of the changes here.

[aaronlehmann]

I have a theory about why this PR makes the integration tests flaky. I think it changes the timing enough that a demoted node can end up with a worker certificate before Raft creates outgoing connections. Then the manager blocks in WaitForLeader instead of shutting down on demotion like it's supposed to.

I'm going to open a PR to change demotion so that the manager is always shut down explicitly after a role change instead of shutting itself down. Even if that doesn't fix the problem here, it's something that badly needs to be done.

[aaronlehmann]

I'm going to open a PR to change demotion so that the manager is always shut down explicitly after a role change instead of shutting itself down. Even if that doesn't fix the problem here, it's something that badly needs to be done.

WIP PR at #1829. Unfortunately, it doesn't work yet.

[diogomonica]

Design LGTM.

[aaronlehmann]

I've rebased this on top of #1829 and made a few fixes. #1829 introduced an interesting issue. With this PR, a node that's a manager will always connect to itself instead of a random other manager for dispatcher and CA operations. However, if it has been demoted, it may not be able to issue certificates, and the CA client would not retry with other managers, so the demotion would not complete. I've fixed this so that after the first attempt to renew a certificate, the client will explicitly prefer random managers over the local connection. Also, a timeout was necessary for the certificate renewal request. If the node was demoted, it can get into a state where it waits forever for a leader.

This seems quite stable now. I'm not seeing any more issues with the integration tests.

I'll keep this open as a meta-PR, and update it as individual bits get merged. #1829 should be merged before #1828, and after that I can open more PRs for the other pieces.

[aaronlehmann]

#1829 was merged. Rebased.

[aaronlehmann]

#1828 was merged. Rebased to remove that part of this meta-PR.

Opened #1850 as the next step in getting these pieces merged.

[aaronlehmann]

connectionbroker was merged in #1850. Opened next PR: #1851.

[dperny]

Can you document what these two mutexes control in a comment?

[dperny]

I guess it's more obvious when i look at the rest of the code.

[aaronlehmann]

Added comments

[dperny]

This is closing the control listener and then returning an error, if binding the remote fails, right?

[aaronlehmann]

Yes. It's safe to read from m.controlListener because this is before Run, so nothing else will be reading from that channel.

[dperny]

I'm not clear on why these listeners are returned through channels.

[dperny]

I think I see now; they're channels so the listeners (most importantly, the remote listener) can be hot-swapped, like when we take a "closed" one-node cluster and make it "open"?

[aaronlehmann]

Correct.

[dperny]

Nit: it may make more sense to put these methods definitions in the order that they're called in the initialization.

[aaronlehmann]

Order changed

[dperny]

I don't understand what this loop does.

[aaronlehmann]

As we discussed offline, currently only the leader can submit proposals such as configuration changes. For now, this SetAddr function is intended to address the narrow use case of a single-node cluster that didn't have ports bound before. Since the cluster only has one member, this node must be the leader, but there can be delays before that leadership is confirmed, for example at startup. This loop waits until the current node becomes the leader.

If/when we extend SetAddr to handle more general cases, we'll need some other approach here, such as an RPC we can use to tell the leader to update a node's address.

[cyli]

Out of curiosity why the change to a pointer?

[aaronlehmann]

So it can be nil before it's initialized

[cyli]

I meant why not just check the default value, as opposed to nil? If ListenAddr is "", there is no remote api set, right? I'm not arguing that's better or anything - more just asking pointers are generally preferred over checking against the default value.

[aaronlehmann]

What you're suggesting should work fine. I felt that since RemoteAddrs is a struct, it might be confusing to check one particular field to see if the struct is initialized.

[cyli]

Ah ok, thank you for explaining

[cyli]

Non-blocking: maybe we can move the copying of the RaftMember object inside this block, since we don't need to make an update if the address hasn't changed?

[aaronlehmann]

Fixed

[cyli]

LGTM

[LK4D4]

I think it's better to just return here on !n.IsMember()

[LK4D4]

signalledLeadership is really weird name now :) we should call it isLeader and use it instead of isLeader function. Otherwise, it's quite confusing here.
Probably in another PR.

[aaronlehmann]

Rebased, PTAL

[aaronlehmann]

Rebased again, and added t.Parallel to the new test.

This should be ready to merge.

[LK4D4]

I wonder if we should clear this in case of error.

[aaronlehmann]

Fixed

[LK4D4]

I'm not sure, but seems like this ctx might be context.Background() and it's possible that node could be stopped during this loop. Maybe we should use WithContext.

[aaronlehmann]

Switched to WithContext.

[LK4D4]

Is this really possible?

[aaronlehmann]

Yeah, I encountered it in the late-binding integration test. It happens when you create a manager without a bound port, then later bind one. The node update that adds the address gets committed to raft at some point, and new nodes that join the cluster may take a little while to catch up to that.

[LK4D4]

It's quite weird. newPeer calls grpc.Dial which is supposed to check if address is empty :/

[aaronlehmann]

Hmm, should we avoid calling grpc.Dial if newPeer is passed an empty address?

[LK4D4]

I dunno, there shouldn't be empty addresses and I wonder why it works and registers in peer list at all.

[LK4D4]

This can hang forever. So probably you need to check len(l).

[aaronlehmann]

Yes, this looks wrong. This code should only run if config.ControlAPI != "". I've fixed that.

[cyli]

Is there a use case where there is a remote API, but no control API?

[aaronlehmann]

There isn't currently any use case without a control API. It's structured that way to be consistent with BindRemote.

[LK4D4]

Shouldn't we close listener here as well?

[aaronlehmann]

If BindControl returns an error, there is no listener to close.

[LK4D4]

nice!

[LK4D4]

I don't really understand events sequence. What ensures that BindRemote is called before Run?

[aaronlehmann]

It does not need to be called before Run. See the new test TestServiceCreateLateBind, where it is called afterwards.

[LK4D4]

Then I don't understand how does it work. Isn't it possible to call JoinAndStart before BindRemote and get attempted to join raft cluster without knowing own address?

[aaronlehmann]

You need to bind first if you are trying to join a cluster, but if you're starting a new cluster then you hit the n.opts.JoinAddr == "" branch and having an address is not required.

[LK4D4]

LGTM