github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21422 Commits
1703 Branches
457 Tags
697 MiB
Tree: ab794b59f8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ab794b59f8'
${ noResults }
consul/agent/local/state.go

1658 lines
50 KiB
Raw Normal View History Unescape

copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2 years ago
// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
1 year ago
// SPDX-License-Identifier: BUSL-1.1
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2 years ago
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
package local
First pass at local state + anti-entropy
11 years ago
import (
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
"context"
Validation ServiceID/CheckID when deleting in deleteService() in local.go
10 years ago
"fmt"
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
"reflect"
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
"strconv"
agent: Handle service ACLs when doing anti-entropy
10 years ago
"strings"
First pass at local state + anti-entropy
11 years ago
"sync"
agent: adding ability to pause syncing
11 years ago
"sync/atomic"
First pass at local state + anti-entropy
11 years ago
"time"
agent: Handle service ACLs when doing anti-entropy
10 years ago
continue anti-entropy sync when failures exist (#17560)
1 year ago
"github.com/hashicorp/consul/acl"
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues.
2 years ago
"github.com/hashicorp/consul/acl/resolver"
continue anti-entropy sync when failures exist (#17560)
1 year ago
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/agent/token"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/lib"
auto-reload configuration when config files change (#12329) * add config watcher to the config package * add logging to watcher * add test and refactor to add WatcherEvent. * add all API calls and fix a bug with recreated files * add tests for watcher * remove the unnecessary use of context * Add debug log and a test for file rename * use inode to detect if the file is recreated/replaced and only listen to create events. * tidy ups (#1535) * tidy ups * Add tests for inode reconcile * fix linux vs windows syscall * fix linux vs windows syscall * fix windows compile error * increase timeout * use ctime ID * remove remove/creation test as it's a use case that fail in linux * fix linux/windows to use Ino/CreationTime * fix the watcher to only overwrite current file id * fix linter error * fix remove/create test * set reconcile loop to 200 Milliseconds * fix watcher to not trigger event on remove, add more tests * on a remove event try to add the file back to the watcher and trigger the handler if success * fix race condition * fix flaky test * fix race conditions * set level to info * fix when file is removed and get an event for it after * fix to trigger handler when we get a remove but re-add fail * fix error message * add tests for directory watch and fixes * detect if a file is a symlink and return an error on Add * rename Watcher to FileWatcher and remove symlink deref * add fsnotify@v1.5.1 * fix go mod * do not reset timer on errors, rename OS specific files * rename New func * events trigger on write and rename * add missing test * fix flaking tests * fix flaky test * check reconcile when removed * delete invalid file * fix test to create files with different mod time. * back date file instead of sleeping * add watching file in agent command. * fix watcher call to use new API * add configuration and stop watcher when server stop * add certs as watched files * move FileWatcher to the agent start instead of the command code * stop watcher before replacing it * save watched files in agent * add add and remove interfaces to the file watcher * fix remove to not return an error * use `Add` and `Remove` to update certs files * fix tests * close events channel on the file watcher even when the context is done * extract `NotAutoReloadableRuntimeConfig` is a separate struct * fix linter errors * add Ca configs and outgoing verify to the not auto reloadable config * add some logs and fix to use background context * add tests to auto-config reload * remove stale test * add tests to changes to config files * add check to see if old cert files still trigger updates * rename `NotAutoReloadableRuntimeConfig` to `StaticRuntimeConfig` * fix to re add both key and cert file. Add test to cover this case. * review suggestion Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add check to static runtime config changes * fix test * add changelog file * fix review comments * Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * update flag description Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> * fix compilation error * add static runtime config support * fix test * fix review comments * fix log test * Update .changelog/12329.txt Co-authored-by: Dan Upton <daniel@floppy.co> * transfer tests to runtime_test.go * fix filewatcher Replace to not deadlock. * avoid having lingering locks Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * split ReloadConfig func * fix warning message Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * convert `FileWatcher` into an interface * fix compilation errors * fix tests * extract func for adding and removing files Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> Co-authored-by: Daniel Upton <daniel@floppy.co>
3 years ago
"github.com/hashicorp/consul/lib/stringslice"
continue anti-entropy sync when failures exist (#17560)
1 year ago
"github.com/hashicorp/consul/types"
auto-reload configuration when config files change (#12329) * add config watcher to the config package * add logging to watcher * add test and refactor to add WatcherEvent. * add all API calls and fix a bug with recreated files * add tests for watcher * remove the unnecessary use of context * Add debug log and a test for file rename * use inode to detect if the file is recreated/replaced and only listen to create events. * tidy ups (#1535) * tidy ups * Add tests for inode reconcile * fix linux vs windows syscall * fix linux vs windows syscall * fix windows compile error * increase timeout * use ctime ID * remove remove/creation test as it's a use case that fail in linux * fix linux/windows to use Ino/CreationTime * fix the watcher to only overwrite current file id * fix linter error * fix remove/create test * set reconcile loop to 200 Milliseconds * fix watcher to not trigger event on remove, add more tests * on a remove event try to add the file back to the watcher and trigger the handler if success * fix race condition * fix flaky test * fix race conditions * set level to info * fix when file is removed and get an event for it after * fix to trigger handler when we get a remove but re-add fail * fix error message * add tests for directory watch and fixes * detect if a file is a symlink and return an error on Add * rename Watcher to FileWatcher and remove symlink deref * add fsnotify@v1.5.1 * fix go mod * do not reset timer on errors, rename OS specific files * rename New func * events trigger on write and rename * add missing test * fix flaking tests * fix flaky test * check reconcile when removed * delete invalid file * fix test to create files with different mod time. * back date file instead of sleeping * add watching file in agent command. * fix watcher call to use new API * add configuration and stop watcher when server stop * add certs as watched files * move FileWatcher to the agent start instead of the command code * stop watcher before replacing it * save watched files in agent * add add and remove interfaces to the file watcher * fix remove to not return an error * use `Add` and `Remove` to update certs files * fix tests * close events channel on the file watcher even when the context is done * extract `NotAutoReloadableRuntimeConfig` is a separate struct * fix linter errors * add Ca configs and outgoing verify to the not auto reloadable config * add some logs and fix to use background context * add tests to auto-config reload * remove stale test * add tests to changes to config files * add check to see if old cert files still trigger updates * rename `NotAutoReloadableRuntimeConfig` to `StaticRuntimeConfig` * fix to re add both key and cert file. Add test to cover this case. * review suggestion Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add check to static runtime config changes * fix test * add changelog file * fix review comments * Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * update flag description Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> * fix compilation error * add static runtime config support * fix test * fix review comments * fix log test * Update .changelog/12329.txt Co-authored-by: Dan Upton <daniel@floppy.co> * transfer tests to runtime_test.go * fix filewatcher Replace to not deadlock. * avoid having lingering locks Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * split ReloadConfig func * fix warning message Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * convert `FileWatcher` into an interface * fix compilation errors * fix tests * extract func for adding and removing files Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> Co-authored-by: Daniel Upton <daniel@floppy.co>
3 years ago
first pass on agent-configured prometheusDefs and adding defs for every consul metric
4 years ago
"github.com/armon/go-metrics"
"github.com/armon/go-metrics/prometheus"
local: mark service and checks as InSync when added If the existing service and checks are the same as the new registration.
4 years ago
"github.com/hashicorp/go-hclog"
continue anti-entropy sync when failures exist (#17560)
1 year ago
"github.com/hashicorp/go-multierror"
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
"github.com/mitchellh/copystructure"
First pass at local state + anti-entropy
11 years ago
)
first pass on agent-configured prometheusDefs and adding defs for every consul metric
4 years ago
var StateCounters = []prometheus.CounterDefinition{
{
finish adding static server metrics
4 years ago
Name: []string{"acl", "blocked", "service", "registration"},
trim help strings to save a few bytes
4 years ago
Help: "Increments whenever a registration fails for a service (blocked by an ACL)",
first pass on agent-configured prometheusDefs and adding defs for every consul metric
4 years ago
},
{
finish adding static server metrics
4 years ago
Name: []string{"acl", "blocked", "service", "deregistration"},
trim help strings to save a few bytes
4 years ago
Help: "Increments whenever a deregistration fails for a service (blocked by an ACL)",
first pass on agent-configured prometheusDefs and adding defs for every consul metric
4 years ago
},
{
finish adding static server metrics
4 years ago
Name: []string{"acl", "blocked", "check", "registration"},
trim help strings to save a few bytes
4 years ago
Help: "Increments whenever a registration fails for a check (blocked by an ACL)",
first pass on agent-configured prometheusDefs and adding defs for every consul metric
4 years ago
},
{
finish adding static server metrics
4 years ago
Name: []string{"acl", "blocked", "check", "deregistration"},
trim help strings to save a few bytes
4 years ago
Help: "Increments whenever a deregistration fails for a check (blocked by an ACL)",
first pass on agent-configured prometheusDefs and adding defs for every consul metric
4 years ago
},
{
add the service name in the agent rather than in the definitions themselves
4 years ago
Name: []string{"acl", "blocked", "node", "registration"},
trim help strings to save a few bytes
4 years ago
Help: "Increments whenever a registration fails for a node (blocked by an ACL)",
finish adding static server metrics
4 years ago
},
first pass on agent-configured prometheusDefs and adding defs for every consul metric
4 years ago
}
ae: use stale requests when performing full sync (#5873) Read requests performed during anti antropy full sync currently target the leader only. This generates a non-negligible load on the leader when the DC is large enough and can be offloaded to the followers following the "eventually consistent" policy for the agent state. We switch the AE read calls to use stale requests with a small (2s) MaxStaleDuration value and make sure we do not read too fast after a write.
6 years ago
const fullSyncReadMaxStale = 2 * time.Second
local state: update comments
7 years ago
// Config is the configuration for the State.
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
type Config struct {
agent: fix pending data races between localState and agent This patch creates a local config structure for the local state which is independent from the agent but populated from its configuration. This avoids data races between the agent configuration which can change during tests and concurrent go routines using the configuraiton at the same time.
8 years ago
AdvertiseAddr string
CheckUpdateInterval time.Duration
Datacenter string
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
DiscardCheckOutput bool
agent: fix pending data races between localState and agent This patch creates a local config structure for the local state which is independent from the agent but populated from its configuration. This avoids data races between the agent configuration which can change during tests and concurrent go routines using the configuraiton at the same time.
8 years ago
NodeID types.NodeID
NodeName string
allow setting locality on services and nodes (#16581)
2 years ago
NodeLocality *structs.Locality
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
Partition string // this defaults if empty
agent: fix pending data races between localState and agent This patch creates a local config structure for the local state which is independent from the agent but populated from its configuration. This avoids data races between the agent configuration which can change during tests and concurrent go routines using the configuraiton at the same time.
8 years ago
TaggedAddresses map[string]string
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// ServiceState describes the state of a service record.
type ServiceState struct {
// Service is the local copy of the service record.
Service *structs.NodeService
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// Token is the ACL to update or delete the service record on the
// server.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
Token string
// InSync contains whether the local state of the service record
// is in sync with the remote state on the server.
InSync bool
// Deleted is true when the service record has been marked as deleted
// but has not been removed on the server yet.
Deleted bool
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
Add new config_file_service_registration token (#15828)
2 years ago
// IsLocallyDefined indicates whether the service was defined locally in config
// as opposed to being registered through the Agent API.
IsLocallyDefined bool
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
5 years ago
// WatchCh is closed when the service state changes. Suitable for use in a
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
// memdb.WatchSet when watching agent local changes with hash-based blocking.
WatchCh chan struct{}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
}
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
// Clone returns a shallow copy of the object. The service record still points
// to the original service record and must not be modified. The WatchCh is also
// still pointing to the original so the clone will be update when the original
// is.
local state: tests compile
7 years ago
func (s *ServiceState) Clone() *ServiceState {
s2 := new(ServiceState)
*s2 = *s
return s2
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// CheckState describes the state of a health check record.
type CheckState struct {
// Check is the local copy of the health check record.
agent: fix several data races and bugs related to node-local alias checks (#5876) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.
6 years ago
//
// Must Clone() the overall CheckState before mutating this. After mutation
Fix segfault when removing both a service and associated check (#7108) * Fix segfault when removing both a service and associated check updateSyncState creates entries in the services and checks maps for remote services/checks that are not found locally, so that we can then make sure to delete them in our reconciliation process. However, the values added to the map are missing key fields that the rest of the code expects to not be nil. * Add comment stating Check field can be nil
5 years ago
// reinstall into the checks map. If Deleted is true, this field can be nil.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
Check *structs.HealthCheck
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// Token is the ACL record to update or delete the health check
// record on the server.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
Token string
// CriticalTime is the last time the health check status went
// from non-critical to critical. When the health check is not
// in critical state the value is the zero value.
CriticalTime time.Time
// DeferCheck is used to delay the sync of a health check when
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// only the output has changed. This rate limits changes which
// do not affect the state of the node and/or service.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
DeferCheck *time.Timer
// InSync contains whether the local state of the health check
// record is in sync with the remote state on the server.
InSync bool
// Deleted is true when the health check record has been marked as
// deleted but has not been removed on the server yet.
Deleted bool
Add new config_file_service_registration token (#15828)
2 years ago
// IsLocallyDefined indicates whether the check was defined locally in config
// as opposed to being registered through the Agent API.
IsLocallyDefined bool
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
}
agent: fix several data races and bugs related to node-local alias checks (#5876) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.
6 years ago
// Clone returns a shallow copy of the object.
//
// The defer timer still points to the original value and must not be modified.
local state: tests compile
7 years ago
func (c *CheckState) Clone() *CheckState {
c2 := new(CheckState)
*c2 = *c
agent: fix several data races and bugs related to node-local alias checks (#5876) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.
6 years ago
if c.Check != nil {
c2.Check = c.Check.Clone()
}
local state: tests compile
7 years ago
return c2
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// Critical returns true when the health check is in critical state.
func (c *CheckState) Critical() bool {
return !c.CriticalTime.IsZero()
}
// CriticalFor returns the amount of time the service has been in critical
// state. Its value is undefined when the service is not in critical state.
func (c *CheckState) CriticalFor() time.Duration {
return time.Since(c.CriticalTime)
}
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
type rpc interface {
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
RPC(ctx context.Context, method string, args interface{}, reply interface{}) error
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues.
2 years ago
ResolveTokenAndDefaultMeta(token string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (resolver.Result, error)
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
}
// State is used to represent the node's services,
local state: update comments
7 years ago
// and checks. We use it to perform anti-entropy with the
First pass at local state + anti-entropy
11 years ago
// catalog representation
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
type State struct {
agent: add service/check token methods to reduce invasiveness
10 years ago
sync.RWMutex
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// Delegate the RPC interface to the consul server or agent.
//
// It is set after both the state and the consul server/agent have
// been created.
Delegate rpc
// TriggerSyncChanges is used to notify the state syncer that a
// partial sync should be performed.
//
// It is set after both the state and the state syncer have been
// created.
TriggerSyncChanges func()
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
logger hclog.Logger
First pass at local state + anti-entropy
11 years ago
Seperate localState from Agent
11 years ago
// Config is the agent config
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
config Config
Seperate localState from Agent
11 years ago
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
agentEnterpriseMeta acl.EnterpriseMeta
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
// nodeInfoInSync tracks whether the server has our correct top-level
Adds catalog support for node IDs.
8 years ago
// node information in sync
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
nodeInfoInSync bool
First pass at local state + anti-entropy
11 years ago
// Services tracks the local services
Sync of OSS changes to support namespaces (#6909)
5 years ago
services map[structs.ServiceID]*ServiceState
First pass at local state + anti-entropy
11 years ago
agent/local: support local alias checks
6 years ago
// Checks tracks the local checks. checkAliases are aliased checks.
Sync of OSS changes to support namespaces (#6909)
5 years ago
checks map[structs.CheckID]*CheckState
checkAliases map[structs.ServiceID]map[structs.CheckID]chan<- struct{}
agent: Cleanup handling of defer checks
11 years ago
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// metadata tracks the node metadata fields
Add support for setting node metadata fields
8 years ago
metadata map[string]string
agent: add option to discard health output (#3562) * agent: add option to discard health output In high volatile environments consul will have checks with "noisy" output which changes every time even though the status does not change. Since the output is stored in the raft log every health check update unblocks a blocking call on health checks since the raft index has changed even though the status of the health checks may not have changed at all. By discarding the output of the health checks the users can choose a different tradeoff. Less visibility on why a check failed in exchange for a reduced change rate on the raft log. * agent: discard output also when adding a check * agent: add test for discard check output * agent: update docs * go vet * Adds discard_check_output to reloadable config table. * Updates the change log.
7 years ago
// discardCheckOutput stores whether the output of health checks
// is stored in the raft log.
discardCheckOutput atomic.Value // bool
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// tokens contains the ACL tokens
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
tokens *token.Store
Added connect proxy config and local agent state setup on boot.
7 years ago
Proxy Config Manager (#4729) * Proxy Config Manager This component watches for local state changes on the agent and ensures that each service registered locally with Kind == connect-proxy has it's state being actively populated in the cache. This serves two purposes: 1. For the built-in proxy, it ensures that the state needed to accept connections is available in RAM shortly after registration and likely before the proxy actually starts accepting traffic. 2. For (future - next PR) xDS server and other possible future proxies that require _push_ based config discovery, this provides a mechanism to subscribe and be notified about updates to a proxy instance's config including upstream service discovery results. * Address review comments * Better comments; Better delivery of latest snapshot for slow watchers; Embed Config * Comment typos * Add upstream Stringer for funsies
6 years ago
// notifyHandlers is a map of registered channel listeners that are sent
// messages whenever state changes occur. For now these events only include
// service registration and deregistration since that is all that is needed
connect: remove managed proxies (#6220) * connect: remove managed proxies implementation and all supporting config options and structs * connect: remove deprecated ProxyDestination * command: remove CONNECT_PROXY_TOKEN env var * agent: remove entire proxyprocess proxy manager * test: remove all managed proxy tests * test: remove irrelevant managed proxy note from TestService_ServerTLSConfig * test: update ContentHash to reflect managed proxy removal * test: remove deprecated ProxyDestination test * telemetry: remove managed proxy note * http: remove /v1/agent/connect/proxy endpoint * ci: remove deprecated test exclusion * website: update managed proxies deprecation page to note removal * website: remove managed proxy configuration API docs * website: remove managed proxy note from built-in proxy config * website: add note on removing proxy subdirectory of data_dir
5 years ago
// but the same mechanism could be used for other state changes. Any
// future notifications should re-use this mechanism.
Proxy Config Manager (#4729) * Proxy Config Manager This component watches for local state changes on the agent and ensures that each service registered locally with Kind == connect-proxy has it's state being actively populated in the cache. This serves two purposes: 1. For the built-in proxy, it ensures that the state needed to accept connections is available in RAM shortly after registration and likely before the proxy actually starts accepting traffic. 2. For (future - next PR) xDS server and other possible future proxies that require _push_ based config discovery, this provides a mechanism to subscribe and be notified about updates to a proxy instance's config including upstream service discovery results. * Address review comments * Better comments; Better delivery of latest snapshot for slow watchers; Embed Config * Comment typos * Add upstream Stringer for funsies
6 years ago
notifyHandlers map[chan<- struct{}]struct{}
First pass at local state + anti-entropy
11 years ago
}
Added connect proxy config and local agent state setup on boot.
7 years ago
// NewState creates a new local state for the agent.
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
func NewState(c Config, logger hclog.Logger, tokens *token.Store) *State {
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
l := &State{
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
config: c,
logger: logger,
services: make(map[structs.ServiceID]*ServiceState),
checks: make(map[structs.CheckID]*CheckState),
checkAliases: make(map[structs.ServiceID]map[structs.CheckID]chan<- struct{}),
metadata: make(map[string]string),
tokens: tokens,
notifyHandlers: make(map[chan<- struct{}]struct{}),
agentEnterpriseMeta: *structs.NodeEnterpriseMetaInPartition(c.Partition),
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
}
l.SetDiscardCheckOutput(c.DiscardCheckOutput)
agent: add option to discard health output (#3562) * agent: add option to discard health output In high volatile environments consul will have checks with "noisy" output which changes every time even though the status does not change. Since the output is stored in the raft log every health check update unblocks a blocking call on health checks since the raft index has changed even though the status of the health checks may not have changed at all. By discarding the output of the health checks the users can choose a different tradeoff. Less visibility on why a check failed in exchange for a reduced change rate on the raft log. * agent: discard output also when adding a check * agent: add test for discard check output * agent: update docs * go vet * Adds discard_check_output to reloadable config table. * Updates the change log.
7 years ago
return l
Seperate localState from Agent
11 years ago
}
local state: update comments
7 years ago
// SetDiscardCheckOutput configures whether the check output
// is discarded. This can be changed at runtime.
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
func (l *State) SetDiscardCheckOutput(b bool) {
agent: add option to discard health output (#3562) * agent: add option to discard health output In high volatile environments consul will have checks with "noisy" output which changes every time even though the status does not change. Since the output is stored in the raft log every health check update unblocks a blocking call on health checks since the raft index has changed even though the status of the health checks may not have changed at all. By discarding the output of the health checks the users can choose a different tradeoff. Less visibility on why a check failed in exchange for a reduced change rate on the raft log. * agent: discard output also when adding a check * agent: add test for discard check output * agent: update docs * go vet * Adds discard_check_output to reloadable config table. * Updates the change log.
7 years ago
l.discardCheckOutput.Store(b)
}
agent/local: do not persist the agent tokens Only default to the user token and agent token for the sync. Change the exported methods to only return the stored tokens associated with a specific check or service.
4 years ago
// ServiceToken returns the ACL token associated with the service. If the service is
// not found, or does not have a token, the empty string is returned.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) ServiceToken(id structs.ServiceID) string {
agent: safer read methods for tokens
10 years ago
l.RLock()
defer l.RUnlock()
agent/local: do not persist the agent tokens Only default to the user token and agent token for the sync. Change the exported methods to only return the stored tokens associated with a specific check or service.
4 years ago
if s := l.services[id]; s != nil {
return s.Token
}
return ""
agent: safer read methods for tokens
10 years ago
}
agent/local: do not persist the agent tokens Only default to the user token and agent token for the sync. Change the exported methods to only return the stored tokens associated with a specific check or service.
4 years ago
// aclTokenForServiceSync returns an ACL token associated with a service. If there is
agent/local: only fallback to agent token for deletes Fallback to the default user token for synching registrations.
4 years ago
// no ACL token associated with the service, fallback is used to return a value.
local state: update comments
7 years ago
// This method is not synchronized and the lock must already be held.
Add new config_file_service_registration token (#15828)
2 years ago
func (l *State) aclTokenForServiceSync(id structs.ServiceID, fallbacks ...func() string) string {
agent/local: only fallback to agent token for deletes Fallback to the default user token for synching registrations.
4 years ago
if s := l.services[id]; s != nil && s.Token != "" {
return s.Token
agent: add service/check token methods to reduce invasiveness
10 years ago
}
Add new config_file_service_registration token (#15828)
2 years ago
for _, fb := range fallbacks {
if tok := fb(); tok != "" {
return tok
}
}
return ""
agent: add service/check token methods to reduce invasiveness
10 years ago
}
Add new config_file_service_registration token (#15828)
2 years ago
func (l *State) addServiceLocked(service *structs.NodeService, token string, isLocal bool) error {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if service == nil {
return fmt.Errorf("no service")
}
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
// Avoid having the stored service have any call-site ownership.
var err error
service, err = cloneService(service)
if err != nil {
return err
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// use the service name as id if the id was omitted
if service.ID == "" {
service.ID = service.Service
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if l.agentEnterpriseMeta.PartitionOrDefault() != service.PartitionOrDefault() {
Clarify service and check error messages (use ID) Error messages related to service and check operations previously included the following substrings: - service %q - check %q From this error message, it isn't clear that the expected field is the ID for the entity, not the name. For example, if the user has a service named test, the error message would read 'Unknown service "test"'. This is misleading - a service with that *name* does exist, but not with that *ID*. The substrings above have been modified to make it clear that ID is needed, not name: - service with ID %q - check with ID %q
3 years ago
return fmt.Errorf("cannot add service ID %q to node in partition %q", service.CompoundServiceID(), l.config.Partition)
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
l.setServiceStateLocked(&ServiceState{
Add new config_file_service_registration token (#15828)
2 years ago
Service: service,
Token: token,
IsLocallyDefined: isLocal,
local state: tests compile
7 years ago
})
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return nil
Revert "local state: rename Add{Check,Service}State to Set{Check,Service}State" This reverts commit 9280841a80d98b253a8f23967875e45e5e37e093.
7 years ago
}
Add new config_file_service_registration token (#15828)
2 years ago
// AddServiceWithChecks adds a service entry and its checks to the local state
// atomically This entry is persistent and the agent will make a best effort to
// ensure it is registered. The isLocallyDefined parameter indicates whether
// the service and checks are sourced from local agent configuration files.
func (l *State) AddServiceWithChecks(service *structs.NodeService, checks []*structs.HealthCheck, token string, isLocallyDefined bool) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
l.Lock()
defer l.Unlock()
Add new config_file_service_registration token (#15828)
2 years ago
if err := l.addServiceLocked(service, token, isLocallyDefined); err != nil {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
return err
}
for _, check := range checks {
Add new config_file_service_registration token (#15828)
2 years ago
if err := l.addCheckLocked(check, token, isLocallyDefined); err != nil {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
return err
}
}
return nil
}
First pass at local state + anti-entropy
11 years ago
// RemoveService is used to remove a service entry from the local state.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// The agent will make a best effort to ensure it is deregistered.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) RemoveService(id structs.ServiceID) error {
Seperate localState from Agent
11 years ago
l.Lock()
defer l.Unlock()
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
return l.removeServiceLocked(id)
}
// RemoveServiceWithChecks removes a service and its check from the local state atomically
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) RemoveServiceWithChecks(serviceID structs.ServiceID, checkIDs []structs.CheckID) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
l.Lock()
defer l.Unlock()
if err := l.removeServiceLocked(serviceID); err != nil {
return err
}
for _, id := range checkIDs {
if err := l.removeCheckLocked(id); err != nil {
return err
}
}
return nil
}
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) removeServiceLocked(id structs.ServiceID) error {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
s := l.services[id]
if s == nil || s.Deleted {
Clarify service and check error messages (use ID) Error messages related to service and check operations previously included the following substrings: - service %q - check %q From this error message, it isn't clear that the expected field is the ID for the entity, not the name. For example, if the user has a service named test, the error message would read 'Unknown service "test"'. This is misleading - a service with that *name* does exist, but not with that *ID*. The substrings above have been modified to make it clear that ID is needed, not name: - service with ID %q - check with ID %q
3 years ago
// Take care if modifying this error message.
// deleteService assumes the Catalog.Deregister RPC call will include "Unknown service"
// in the error if deregistration fails due to a service with that ID not existing.
// When the service register endpoint is called, this error message is also typically
// shadowed by vetServiceUpdateWithAuthorizer, which checks for the existence of the
// service and, if none is found, returns an error before this function is ever called.
return fmt.Errorf("Unknown service ID %q. Ensure that the service ID is passed, not the service name.", id)
Improve logging when deregistering a nonexistent service (#2492) Log a warning instead of a success message when attempting to deregister a nonexistent service. In Consul 0.8 this can be changed to giving an error outright, but for now we can keep the idempotent delete behavior.
8 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// To remove the service on the server we need the token.
// Therefore, we mark the service as deleted and keep the
// entry around until it is actually removed.
s.InSync = false
s.Deleted = true
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
if s.WatchCh != nil {
close(s.WatchCh)
s.WatchCh = nil
}
Notify alias checks when aliased service is [de]registered (#8456)
4 years ago
l.notifyIfAliased(id)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
l.TriggerSyncChanges()
Proxy Config Manager (#4729) * Proxy Config Manager This component watches for local state changes on the agent and ensures that each service registered locally with Kind == connect-proxy has it's state being actively populated in the cache. This serves two purposes: 1. For the built-in proxy, it ensures that the state needed to accept connections is available in RAM shortly after registration and likely before the proxy actually starts accepting traffic. 2. For (future - next PR) xDS server and other possible future proxies that require _push_ based config discovery, this provides a mechanism to subscribe and be notified about updates to a proxy instance's config including upstream service discovery results. * Address review comments * Better comments; Better delivery of latest snapshot for slow watchers; Embed Config * Comment typos * Add upstream Stringer for funsies
6 years ago
l.broadcastUpdateLocked()
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
Improve logging when deregistering a nonexistent service (#2492) Log a warning instead of a success message when attempting to deregister a nonexistent service. In Consul 0.8 this can be changed to giving an error outright, but for now we can keep the idempotent delete behavior.
8 years ago
return nil
First pass at local state + anti-entropy
11 years ago
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
// Service returns the locally registered service that the agent is aware of
// with this ID and are being kept in sync with the server.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) Service(id structs.ServiceID) *structs.NodeService {
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
l.RLock()
defer l.RUnlock()
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
s := l.services[id]
if s == nil || s.Deleted {
return nil
}
return s.Service
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
// ServicesByName returns all the locally registered service instances that the
// agent is aware of with this name and are being kept in sync with the server
func (l *State) ServicesByName(sn structs.ServiceName) []*structs.NodeService {
l.RLock()
defer l.RUnlock()
var found []*structs.NodeService
for id, s := range l.services {
if s.Deleted {
continue
}
if !sn.EnterpriseMeta.Matches(&id.EnterpriseMeta) {
continue
}
if s.Service.Service == sn.Name {
found = append(found, s.Service)
}
}
return found
}
// AllServices returns the locally registered services that the
Exposing the agent checks and services over HTTP endpoints
11 years ago
// agent is aware of and are being kept in sync with the server
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
func (l *State) AllServices() map[structs.ServiceID]*structs.NodeService {
return l.listServices(false, nil)
}
// Services returns the locally registered services that the agent is aware of
// and are being kept in sync with the server
//
// Results are scoped to the provided namespace and partition.
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) Services(entMeta *acl.EnterpriseMeta) map[structs.ServiceID]*structs.NodeService {
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
return l.listServices(true, entMeta)
}
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) listServices(filtered bool, entMeta *acl.EnterpriseMeta) map[structs.ServiceID]*structs.NodeService {
agent: add service/check token methods to reduce invasiveness
10 years ago
l.RLock()
defer l.RUnlock()
Exposing the agent checks and services over HTTP endpoints
11 years ago
Sync of OSS changes to support namespaces (#6909)
5 years ago
m := make(map[structs.ServiceID]*structs.NodeService)
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, s := range l.services {
if s.Deleted {
continue
}
Sync of OSS changes to support namespaces (#6909)
5 years ago
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if filtered && !entMeta.Matches(&id.EnterpriseMeta) {
Sync of OSS changes to support namespaces (#6909)
5 years ago
continue
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
m[id] = s.Service
Exposing the agent checks and services over HTTP endpoints
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return m
Exposing the agent checks and services over HTTP endpoints
11 years ago
}
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
// ServiceState returns a shallow copy of the current service state record. The
// service record still points to the original service record and must not be
// modified. The WatchCh for the copy returned will also be closed when the
// actual service state is changed.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) ServiceState(id structs.ServiceID) *ServiceState {
local state: tests compile
7 years ago
l.RLock()
defer l.RUnlock()
s := l.services[id]
if s == nil || s.Deleted {
return nil
}
return s.Clone()
}
local state: rename Add{Check,Service}State to Set{Check,Service}State
7 years ago
// SetServiceState is used to overwrite a raw service state with the given
// state. This method is safe to be called concurrently but should only be used
// during testing. You should most likely call AddService instead.
func (l *State) SetServiceState(s *ServiceState) {
l.Lock()
defer l.Unlock()
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if l.agentEnterpriseMeta.PartitionOrDefault() != s.Service.PartitionOrDefault() {
return
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
l.setServiceStateLocked(s)
}
func (l *State) setServiceStateLocked(s *ServiceState) {
Sync of OSS changes to support namespaces (#6909)
5 years ago
key := s.Service.CompoundServiceID()
old, hasOld := l.services[key]
local: mark service and checks as InSync when added If the existing service and checks are the same as the new registration.
4 years ago
if hasOld {
s.InSync = s.Service.IsSame(old.Service)
}
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.services[key] = s
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
local: mark service and checks as InSync when added If the existing service and checks are the same as the new registration.
4 years ago
s.WatchCh = make(chan struct{}, 1)
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
if hasOld && old.WatchCh != nil {
close(old.WatchCh)
}
Notify alias checks when aliased service is [de]registered (#8456)
4 years ago
if !hasOld {
// The status of an alias check is updated if the alias service is added/removed
// Only try notify alias checks if service didn't already exist (!hasOld)
l.notifyIfAliased(key)
}
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
local state: rename Add{Check,Service}State to Set{Check,Service}State
7 years ago
l.TriggerSyncChanges()
Proxy Config Manager (#4729) * Proxy Config Manager This component watches for local state changes on the agent and ensures that each service registered locally with Kind == connect-proxy has it's state being actively populated in the cache. This serves two purposes: 1. For the built-in proxy, it ensures that the state needed to accept connections is available in RAM shortly after registration and likely before the proxy actually starts accepting traffic. 2. For (future - next PR) xDS server and other possible future proxies that require _push_ based config discovery, this provides a mechanism to subscribe and be notified about updates to a proxy instance's config including upstream service discovery results. * Address review comments * Better comments; Better delivery of latest snapshot for slow watchers; Embed Config * Comment typos * Add upstream Stringer for funsies
6 years ago
l.broadcastUpdateLocked()
local state: rename Add{Check,Service}State to Set{Check,Service}State
7 years ago
}
local state: tests compile
7 years ago
// ServiceStates returns a shallow copy of all service state records.
// The service record still points to the original service record and
// must not be modified.
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) ServiceStates(entMeta *acl.EnterpriseMeta) map[structs.ServiceID]*ServiceState {
local state: tests compile
7 years ago
l.RLock()
defer l.RUnlock()
Sync of OSS changes to support namespaces (#6909)
5 years ago
m := make(map[structs.ServiceID]*ServiceState)
local state: tests compile
7 years ago
for id, s := range l.services {
if s.Deleted {
continue
}
Sync of OSS changes to support namespaces (#6909)
5 years ago
if !entMeta.Matches(&id.EnterpriseMeta) {
continue
}
local state: tests compile
7 years ago
m[id] = s.Clone()
}
return m
}
agent/local: do not persist the agent tokens Only default to the user token and agent token for the sync. Change the exported methods to only return the stored tokens associated with a specific check or service.
4 years ago
// CheckToken returns the ACL token associated with the check. If the check is
// not found, or does not have a token, the empty string is returned.
func (l *State) CheckToken(id structs.CheckID) string {
agent: safer read methods for tokens
10 years ago
l.RLock()
defer l.RUnlock()
agent/local: do not persist the agent tokens Only default to the user token and agent token for the sync. Change the exported methods to only return the stored tokens associated with a specific check or service.
4 years ago
if c := l.checks[id]; c != nil {
return c.Token
}
return ""
agent: safer read methods for tokens
10 years ago
}
agent/local: do not persist the agent tokens Only default to the user token and agent token for the sync. Change the exported methods to only return the stored tokens associated with a specific check or service.
4 years ago
// aclTokenForCheckSync returns an ACL token associated with a check. If there is
agent/local: only fallback to agent token for deletes Fallback to the default user token for synching registrations.
4 years ago
// no ACL token associated with the check, the callback is used to return a value.
local state: update comments
7 years ago
// This method is not synchronized and the lock must already be held.
Add new config_file_service_registration token (#15828)
2 years ago
func (l *State) aclTokenForCheckSync(id structs.CheckID, fallbacks ...func() string) string {
agent/local: only fallback to agent token for deletes Fallback to the default user token for synching registrations.
4 years ago
if c := l.checks[id]; c != nil && c.Token != "" {
return c.Token
agent: add service/check token methods to reduce invasiveness
10 years ago
}
Add new config_file_service_registration token (#15828)
2 years ago
for _, fb := range fallbacks {
if tok := fb(); tok != "" {
return tok
}
}
return ""
agent: add service/check token methods to reduce invasiveness
10 years ago
}
Add new config_file_service_registration token (#15828)
2 years ago
// AddCheck is used to add a health check to the local state. This entry is
// persistent and the agent will make a best effort to ensure it is registered.
// The isLocallyDefined parameter indicates whether the checks are sourced from
// local agent configuration files.
func (l *State) AddCheck(check *structs.HealthCheck, token string, isLocallyDefined bool) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
l.Lock()
defer l.Unlock()
Add new config_file_service_registration token (#15828)
2 years ago
return l.addCheckLocked(check, token, isLocallyDefined)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
}
Add new config_file_service_registration token (#15828)
2 years ago
func (l *State) addCheckLocked(check *structs.HealthCheck, token string, isLocal bool) error {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if check == nil {
return fmt.Errorf("no check")
}
Adding tests for checks and services endpoints
11 years ago
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
// Avoid having the stored check have any call-site ownership.
var err error
check, err = cloneCheck(check)
if err != nil {
return err
}
local state: clone check to avoid side effect
7 years ago
agent: add option to discard health output (#3562) * agent: add option to discard health output In high volatile environments consul will have checks with "noisy" output which changes every time even though the status does not change. Since the output is stored in the raft log every health check update unblocks a blocking call on health checks since the raft index has changed even though the status of the health checks may not have changed at all. By discarding the output of the health checks the users can choose a different tradeoff. Less visibility on why a check failed in exchange for a reduced change rate on the raft log. * agent: discard output also when adding a check * agent: add test for discard check output * agent: update docs * go vet * Adds discard_check_output to reloadable config table. * Updates the change log.
7 years ago
if l.discardCheckOutput.Load().(bool) {
check.Output = ""
}
Removed unit test, added clarifying comment and returned a friendlier error message similar to the one in agent's AddService method Fixes #3297
7 years ago
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
// hard-set the node name and partition
check.Node = l.config.NodeName
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
check.EnterpriseMeta = acl.NewEnterpriseMetaWithPartition(
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
l.agentEnterpriseMeta.PartitionOrEmpty(),
check.NamespaceOrEmpty(),
)
Removed unit test, added clarifying comment and returned a friendlier error message similar to the one in agent's AddService method Fixes #3297
7 years ago
// if there is a serviceID associated with the check, make sure it exists before adding it
// NOTE - This logic may be moved to be handled within the Agent's Addcheck method after a refactor
Sync of OSS changes to support namespaces (#6909)
5 years ago
if _, ok := l.services[check.CompoundServiceID()]; check.ServiceID != "" && !ok {
Clarify service and check error messages (use ID) Error messages related to service and check operations previously included the following substrings: - service %q - check %q From this error message, it isn't clear that the expected field is the ID for the entity, not the name. For example, if the user has a service named test, the error message would read 'Unknown service "test"'. This is misleading - a service with that *name* does exist, but not with that *ID*. The substrings above have been modified to make it clear that ID is needed, not name: - service with ID %q - check with ID %q
3 years ago
return fmt.Errorf("Check ID %q refers to non-existent service ID %q", check.CheckID, check.ServiceID)
Fix race condition between removing a service and adding a check for the same service, which was causing orphaned checks
7 years ago
}
Removed unit test, added clarifying comment and returned a friendlier error message similar to the one in agent's AddService method Fixes #3297
7 years ago
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
l.setCheckStateLocked(&CheckState{
Add new config_file_service_registration token (#15828)
2 years ago
Check: check,
Token: token,
IsLocallyDefined: isLocal,
local state: tests compile
7 years ago
})
Revert "local state: tests compile" This reverts commit 1af52bf7be02d952e16e14209899a9715451f7ba.
7 years ago
return nil
Revert "local state: rename Add{Check,Service}State to Set{Check,Service}State" This reverts commit 9280841a80d98b253a8f23967875e45e5e37e093.
7 years ago
}
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
// AddAliasCheck creates an alias check. When any check for the srcServiceID is
// changed, checkID will reflect that using the same semantics as
agent/local: support local alias checks
6 years ago
// checks.CheckAlias.
//
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
6 years ago
// This is a local optimization so that the Alias check doesn't need to use
// blocking queries against the remote server for check updates for local
// services.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) AddAliasCheck(checkID structs.CheckID, srcServiceID structs.ServiceID, notifyCh chan<- struct{}) error {
agent/local: support local alias checks
6 years ago
l.Lock()
defer l.Unlock()
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if l.agentEnterpriseMeta.PartitionOrDefault() != checkID.PartitionOrDefault() {
Clarify service and check error messages (use ID) Error messages related to service and check operations previously included the following substrings: - service %q - check %q From this error message, it isn't clear that the expected field is the ID for the entity, not the name. For example, if the user has a service named test, the error message would read 'Unknown service "test"'. This is misleading - a service with that *name* does exist, but not with that *ID*. The substrings above have been modified to make it clear that ID is needed, not name: - service with ID %q - check with ID %q
3 years ago
return fmt.Errorf("cannot add alias check ID %q to node in partition %q", checkID.String(), l.config.Partition)
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
}
if l.agentEnterpriseMeta.PartitionOrDefault() != srcServiceID.PartitionOrDefault() {
return fmt.Errorf("cannot add alias check for %q to node in partition %q", srcServiceID.String(), l.config.Partition)
}
agent/local: support local alias checks
6 years ago
m, ok := l.checkAliases[srcServiceID]
if !ok {
Sync of OSS changes to support namespaces (#6909)
5 years ago
m = make(map[structs.CheckID]chan<- struct{})
agent/local: support local alias checks
6 years ago
l.checkAliases[srcServiceID] = m
}
m[checkID] = notifyCh
return nil
}
checks: when a service does not exists in an alias, consider it failing (#7384) In current implementation of Consul, check alias cannot determine if a service exists or not. Because a service without any check is semantically considered as passing, so when no healthchecks are found for an agent, the check was considered as passing. But this make little sense as the current implementation does not make any difference between: * a non-existing service (passing) * a service without any check (passing as well) In order to make it work, we have to ensure that when a check did not find any healthcheck, the service does indeed exists. If it does not, lets consider the check as failing.
5 years ago
// ServiceExists return true if the given service does exists
func (l *State) ServiceExists(serviceID structs.ServiceID) bool {
tests: ensure that the ServiceExists helper function normalizes entmeta (#8025) This fixes a unit test failure over in enterprise due to https://github.com/hashicorp/consul/pull/7384
5 years ago
serviceID.EnterpriseMeta.Normalize()
checks: when a service does not exists in an alias, consider it failing (#7384) In current implementation of Consul, check alias cannot determine if a service exists or not. Because a service without any check is semantically considered as passing, so when no healthchecks are found for an agent, the check was considered as passing. But this make little sense as the current implementation does not make any difference between: * a non-existing service (passing) * a service without any check (passing as well) In order to make it work, we have to ensure that when a check did not find any healthcheck, the service does indeed exists. If it does not, lets consider the check as failing.
5 years ago
l.Lock()
defer l.Unlock()
return l.services[serviceID] != nil
}
agent/local: support local alias checks
6 years ago
// RemoveAliasCheck removes the mapping for the alias check.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) RemoveAliasCheck(checkID structs.CheckID, srcServiceID structs.ServiceID) {
agent/local: support local alias checks
6 years ago
l.Lock()
defer l.Unlock()
if m, ok := l.checkAliases[srcServiceID]; ok {
delete(m, checkID)
if len(m) == 0 {
delete(l.checkAliases, srcServiceID)
}
}
}
First pass at local state + anti-entropy
11 years ago
// RemoveCheck is used to remove a health check from the local state.
// The agent will make a best effort to ensure it is deregistered
fix typos reported by golangci-lint:misspell (#5434)
6 years ago
// todo(fs): RemoveService returns an error for a non-existent service. RemoveCheck should as well.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// todo(fs): Check code that calls this to handle the error.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) RemoveCheck(id structs.CheckID) error {
Seperate localState from Agent
11 years ago
l.Lock()
defer l.Unlock()
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
return l.removeCheckLocked(id)
}
First pass at local state + anti-entropy
11 years ago
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) removeCheckLocked(id structs.CheckID) error {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
c := l.checks[id]
if c == nil || c.Deleted {
Clarify service and check error messages (use ID) Error messages related to service and check operations previously included the following substrings: - service %q - check %q From this error message, it isn't clear that the expected field is the ID for the entity, not the name. For example, if the user has a service named test, the error message would read 'Unknown service "test"'. This is misleading - a service with that *name* does exist, but not with that *ID*. The substrings above have been modified to make it clear that ID is needed, not name: - service with ID %q - check with ID %q
3 years ago
return fmt.Errorf("Check ID %q does not exist", id)
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
}
Update alias checks on local add and remove
6 years ago
// If this is a check for an aliased service, then notify the waiters.
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.notifyIfAliased(c.Check.CompoundServiceID())
Update alias checks on local add and remove
6 years ago
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// To remove the check on the server we need the token.
// Therefore, we mark the service as deleted and keep the
// entry around until it is actually removed.
c.InSync = false
c.Deleted = true
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
l.TriggerSyncChanges()
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return nil
First pass at local state + anti-entropy
11 years ago
}
// UpdateCheck is used to update the status of a check
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) UpdateCheck(id structs.CheckID, status, output string) {
Seperate localState from Agent
11 years ago
l.Lock()
defer l.Unlock()
First pass at local state + anti-entropy
11 years ago
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
c := l.checks[id]
if c == nil || c.Deleted {
First pass at local state + anti-entropy
11 years ago
return
}
agent: add option to discard health output (#3562) * agent: add option to discard health output In high volatile environments consul will have checks with "noisy" output which changes every time even though the status does not change. Since the output is stored in the raft log every health check update unblocks a blocking call on health checks since the raft index has changed even though the status of the health checks may not have changed at all. By discarding the output of the health checks the users can choose a different tradeoff. Less visibility on why a check failed in exchange for a reduced change rate on the raft log. * agent: discard output also when adding a check * agent: add test for discard check output * agent: update docs * go vet * Adds discard_check_output to reloadable config table. * Updates the change log.
7 years ago
if l.discardCheckOutput.Load().(bool) {
output = ""
}
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
// Update the critical time tracking (this doesn't cause a server updates
// so we can always keep this up to date).
Remove duplicate constants This patch removes duplicate internal copies of constants in the structs package which are also defined in the api package. The api.KVOp type with all its values for the TXN endpoint and the api.HealthXXX constants are now used throughout the codebase. This resulted in some circular dependencies in the testutil package which have been resolved by copying code and constants and moving the WaitForLeader function into a separate testrpc package.
8 years ago
if status == api.HealthCritical {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if !c.Critical() {
c.CriticalTime = time.Now()
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
}
} else {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
c.CriticalTime = time.Time{}
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
}
First pass at local state + anti-entropy
11 years ago
// Do nothing if update is idempotent
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if c.Check.Status == status && c.Check.Output == output {
First pass at local state + anti-entropy
11 years ago
return
}
agent: fix several data races and bugs related to node-local alias checks (#5876) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.
6 years ago
// Ensure we only mutate a copy of the check state and put the finalized
// version into the checks map when complete.
//
// Note that we are relying upon the earlier deferred mutex unlock to
// happen AFTER this defer. As per the Go spec this is true, but leaving
// this note here for the future in case of any refactorings which may not
// notice this relationship.
c = c.Clone()
defer func(c *CheckState) {
l.checks[id] = c
}(c)
agent: Defer sync based on CheckUpdateInterval
11 years ago
// Defer a sync if the output has changed. This is an optimization around
// frequent updates of output. Instead, we update the output internally,
// and periodically do a write-back to the servers. If there is a status
// change we do the write immediately.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if l.config.CheckUpdateInterval > 0 && c.Check.Status == status {
c.Check.Output = output
if c.DeferCheck == nil {
d := l.config.CheckUpdateInterval
intv := time.Duration(uint64(d)/2) + lib.RandomStagger(d)
c.DeferCheck = time.AfterFunc(intv, func() {
agent: Defer sync based on CheckUpdateInterval
11 years ago
l.Lock()
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
defer l.Unlock()
c := l.checks[id]
if c == nil {
return
}
c.DeferCheck = nil
if c.Deleted {
return
agent: Prevent anti-entropy from doing early sync of check output
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
c.InSync = false
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
l.TriggerSyncChanges()
agent: Defer sync based on CheckUpdateInterval
11 years ago
})
}
return
}
agent/local: support local alias checks
6 years ago
// If this is a check for an aliased service, then notify the waiters.
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.notifyIfAliased(c.Check.CompoundServiceID())
agent/local: support local alias checks
6 years ago
First pass at local state + anti-entropy
11 years ago
// Update status and mark out of sync
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
c.Check.Status = status
c.Check.Output = output
c.InSync = false
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
l.TriggerSyncChanges()
First pass at local state + anti-entropy
11 years ago
}
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
// Check returns the locally registered check that the
// agent is aware of and are being kept in sync with the server
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) Check(id structs.CheckID) *structs.HealthCheck {
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
l.RLock()
defer l.RUnlock()
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
c := l.checks[id]
if c == nil || c.Deleted {
return nil
}
return c.Check
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
// AllChecks returns the locally registered checks that the
// agent is aware of and are being kept in sync with the server
func (l *State) AllChecks() map[structs.CheckID]*structs.HealthCheck {
return l.listChecks(false, nil)
}
Exposing the agent checks and services over HTTP endpoints
11 years ago
// Checks returns the locally registered checks that the
// agent is aware of and are being kept in sync with the server
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
//
// Results are scoped to the provided namespace and partition.
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) Checks(entMeta *acl.EnterpriseMeta) map[structs.CheckID]*structs.HealthCheck {
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
return l.listChecks(true, entMeta)
}
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) listChecks(filtered bool, entMeta *acl.EnterpriseMeta) map[structs.CheckID]*structs.HealthCheck {
Sync of OSS changes to support namespaces (#6909)
5 years ago
m := make(map[structs.CheckID]*structs.HealthCheck)
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
for id, c := range l.listCheckStates(filtered, entMeta) {
local state: tests compile
7 years ago
m[id] = c.Check
}
return m
}
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) ChecksForService(serviceID structs.ServiceID, includeNodeChecks bool) map[structs.CheckID]*structs.HealthCheck {
m := make(map[structs.CheckID]*structs.HealthCheck)
l.RLock()
defer l.RUnlock()
for id, c := range l.checks {
if c.Deleted {
continue
}
if c.Check.ServiceID != "" {
sid := c.Check.CompoundServiceID()
structs: Fix printing of IDs These types are used as values (not pointers) in other structs. Using a pointer receiver causes problems when the value is printed. fmt will not call the String method if it is passed a value and the String method has a pointer receiver. By using a value receiver the correct string is printed. Also remove some unused methods.
4 years ago
if !serviceID.Matches(sid) {
Sync of OSS changes to support namespaces (#6909)
5 years ago
continue
}
} else if !includeNodeChecks {
continue
}
m[id] = c.Check.Clone()
}
return m
}
agent: fix several data races and bugs related to node-local alias checks (#5876) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.
6 years ago
// CheckState returns a shallow copy of the current health check state record.
//
// The defer timer still points to the original value and must not be modified.
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) CheckState(id structs.CheckID) *CheckState {
local state: tests compile
7 years ago
l.RLock()
defer l.RUnlock()
local state: tests compile
7 years ago
c := l.checks[id]
if c == nil || c.Deleted {
return nil
}
return c.Clone()
}
local state: rename Add{Check,Service}State to Set{Check,Service}State
7 years ago
// SetCheckState is used to overwrite a raw check state with the given
// state. This method is safe to be called concurrently but should only be used
// during testing. You should most likely call AddCheck instead.
func (l *State) SetCheckState(c *CheckState) {
l.Lock()
defer l.Unlock()
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if l.agentEnterpriseMeta.PartitionOrDefault() != c.Check.PartitionOrDefault() {
return
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
6 years ago
l.setCheckStateLocked(c)
}
func (l *State) setCheckStateLocked(c *CheckState) {
local: mark service and checks as InSync when added If the existing service and checks are the same as the new registration.
4 years ago
id := c.Check.CompoundCheckID()
existing := l.checks[id]
if existing != nil {
c.InSync = c.Check.IsSame(existing.Check)
bug: prevent go routine leakage due to existing DeferCheck (#18558) * bug: prevent go routine leakage due to existing DeferCheck * add changelog
1 year ago
// If the existing check has a Defercheck, it needs to be
// assigned to the new check
if existing.DeferCheck != nil && c.DeferCheck == nil {
c.DeferCheck = existing.DeferCheck
c.InSync = false
}
local: mark service and checks as InSync when added If the existing service and checks are the same as the new registration.
4 years ago
}
l.checks[id] = c
Update alias checks on local add and remove
6 years ago
// If this is a check for an aliased service, then notify the waiters.
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.notifyIfAliased(c.Check.CompoundServiceID())
Update alias checks on local add and remove
6 years ago
local state: rename Add{Check,Service}State to Set{Check,Service}State
7 years ago
l.TriggerSyncChanges()
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
// AllCheckStates returns a shallow copy of all health check state records.
// The map contains a shallow copy of the current check states.
//
// The defer timers still point to the original values and must not be modified.
func (l *State) AllCheckStates() map[structs.CheckID]*CheckState {
return l.listCheckStates(false, nil)
}
local state: tests compile
7 years ago
// CheckStates returns a shallow copy of all health check state records.
agent: fix several data races and bugs related to node-local alias checks (#5876) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.
6 years ago
// The map contains a shallow copy of the current check states.
//
// The defer timers still point to the original values and must not be modified.
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
//
// Results are scoped to the provided namespace and partition.
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) CheckStates(entMeta *acl.EnterpriseMeta) map[structs.CheckID]*CheckState {
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
return l.listCheckStates(true, entMeta)
}
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) listCheckStates(filtered bool, entMeta *acl.EnterpriseMeta) map[structs.CheckID]*CheckState {
local state: tests compile
7 years ago
l.RLock()
defer l.RUnlock()
Sync of OSS changes to support namespaces (#6909)
5 years ago
m := make(map[structs.CheckID]*CheckState)
fix data race Since state.Checks() returns a shallow copy its elements must not be modified. Copying the elements in the handler does not guarantee consistency since that list is guarded by a different lock. Therefore, the only solution is to have state.Checks() return a deep copy.
7 years ago
for id, c := range l.checks {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if c.Deleted {
continue
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if filtered && !entMeta.Matches(&id.EnterpriseMeta) {
Sync of OSS changes to support namespaces (#6909)
5 years ago
continue
}
local state: tests compile
7 years ago
m[id] = c.Clone()
Exposing the agent checks and services over HTTP endpoints
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return m
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
// AllCriticalCheckStates returns the locally registered checks that the
// agent is aware of and are being kept in sync with the server.
// The map contains a shallow copy of the current check states.
//
// The defer timers still point to the original values and must not be modified.
func (l *State) AllCriticalCheckStates() map[structs.CheckID]*CheckState {
return l.listCriticalCheckStates(false, nil)
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// CriticalCheckStates returns the locally registered checks that the
local state: update comments
7 years ago
// agent is aware of and are being kept in sync with the server.
agent: fix several data races and bugs related to node-local alias checks (#5876) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.
6 years ago
// The map contains a shallow copy of the current check states.
//
// The defer timers still point to the original values and must not be modified.
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
//
// Results are scoped to the provided namespace and partition.
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) CriticalCheckStates(entMeta *acl.EnterpriseMeta) map[structs.CheckID]*CheckState {
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
return l.listCriticalCheckStates(true, entMeta)
}
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
func (l *State) listCriticalCheckStates(filtered bool, entMeta *acl.EnterpriseMeta) map[structs.CheckID]*CheckState {
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
l.RLock()
defer l.RUnlock()
Sync of OSS changes to support namespaces (#6909)
5 years ago
m := make(map[structs.CheckID]*CheckState)
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, c := range l.checks {
if c.Deleted || !c.Critical() {
continue
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
}
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if filtered && !entMeta.Matches(&id.EnterpriseMeta) {
Sync of OSS changes to support namespaces (#6909)
5 years ago
continue
}
local state: tests compile
7 years ago
m[id] = c.Clone()
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return m
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
}
Proxy Config Manager (#4729) * Proxy Config Manager This component watches for local state changes on the agent and ensures that each service registered locally with Kind == connect-proxy has it's state being actively populated in the cache. This serves two purposes: 1. For the built-in proxy, it ensures that the state needed to accept connections is available in RAM shortly after registration and likely before the proxy actually starts accepting traffic. 2. For (future - next PR) xDS server and other possible future proxies that require _push_ based config discovery, this provides a mechanism to subscribe and be notified about updates to a proxy instance's config including upstream service discovery results. * Address review comments * Better comments; Better delivery of latest snapshot for slow watchers; Embed Config * Comment typos * Add upstream Stringer for funsies
6 years ago
// broadcastUpdateLocked assumes l is locked and delivers an update to all
// registered watchers.
func (l *State) broadcastUpdateLocked() {
for ch := range l.notifyHandlers {
// Do not block
select {
case ch <- struct{}{}:
default:
}
}
}
// Notify will register a channel to receive messages when the local state
// changes. Only service add/remove are supported for now. See notes on
// l.notifyHandlers for more details.
//
// This will not block on channel send so ensure the channel has a buffer. Note
// that any buffer size is generally fine since actual data is not sent over the
// channel, so a dropped send due to a full buffer does not result in any loss
// of data. The fact that a buffer already contains a notification means that
// the receiver will still be notified that changes occurred.
func (l *State) Notify(ch chan<- struct{}) {
l.Lock()
defer l.Unlock()
l.notifyHandlers[ch] = struct{}{}
}
// StopNotify will deregister a channel receiving state change notifications.
// Pair this with all calls to Notify to clean up state.
func (l *State) StopNotify(ch chan<- struct{}) {
l.Lock()
defer l.Unlock()
delete(l.notifyHandlers, ch)
}
Add support for setting node metadata fields
8 years ago
// Metadata returns the local node metadata fields that the
// agent is aware of and are being kept in sync with the server
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
func (l *State) Metadata() map[string]string {
Add support for setting node metadata fields
8 years ago
l.RLock()
defer l.RUnlock()
local state: update documentation of updateSyncState
7 years ago
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
m := make(map[string]string)
for k, v := range l.metadata {
m[k] = v
Add support for setting node metadata fields
8 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return m
Add support for setting node metadata fields
8 years ago
}
local state: move Metadata methods together
7 years ago
// LoadMetadata loads node metadata fields from the agent config and
// updates them on the local agent.
func (l *State) LoadMetadata(data map[string]string) error {
l.Lock()
defer l.Unlock()
for k, v := range data {
l.metadata[k] = v
}
l.TriggerSyncChanges()
return nil
}
// UnloadMetadata resets the local metadata state
func (l *State) UnloadMetadata() {
l.Lock()
defer l.Unlock()
l.metadata = make(map[string]string)
}
// Stats is used to get various debugging state from the sub-systems
func (l *State) Stats() map[string]string {
l.RLock()
defer l.RUnlock()
services := 0
for _, s := range l.services {
if s.Deleted {
continue
}
services++
}
checks := 0
for _, c := range l.checks {
if c.Deleted {
continue
}
checks++
}
return map[string]string{
"services": strconv.Itoa(services),
"checks": strconv.Itoa(checks),
}
}
local: mark service and checks as InSync when added If the existing service and checks are the same as the new registration.
4 years ago
// updateSyncState queries the server for all the services and checks in the catalog
// registered to this node, and updates the local entries as InSync or Deleted.
local state: fix anti-entropy state tests The anti-entropy tests relied on the side-effect of the StartSync() method to perform a full sync instead of a partial sync. This lead to multiple anti-entropy go routines being started unnecessary retry loops. This change changes the behavior to perform synchronous full syncs when necessary removing the need for all of the time.Sleep and most of the retry loops.
7 years ago
func (l *State) updateSyncState() error {
local state: update documentation of updateSyncState
7 years ago
// Get all checks and services from the master
First pass at local state + anti-entropy
11 years ago
req := structs.NodeSpecificRequest{
ae: use stale requests when performing full sync (#5873) Read requests performed during anti antropy full sync currently target the leader only. This generates a non-negligible load on the leader when the DC is large enough and can be offloaded to the followers following the "eventually consistent" policy for the agent state. We switch the AE read calls to use stale requests with a small (2s) MaxStaleDuration value and make sure we do not read too fast after a write.
6 years ago
Datacenter: l.config.Datacenter,
Node: l.config.NodeName,
QueryOptions: structs.QueryOptions{
Token: l.tokens.AgentToken(),
AllowStale: true,
MaxStaleDuration: fullSyncReadMaxStale,
},
structs: rename the last helper method. This one gets used a bunch, but we can rename it to make the behaviour more obvious.
3 years ago
EnterpriseMeta: *l.agentEnterpriseMeta.WithWildcardNamespace(),
First pass at local state + anti-entropy
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
Sync of OSS changes to support namespaces (#6909)
5 years ago
var out1 structs.IndexedNodeServiceList
remoteServices := make(map[structs.ServiceID]*structs.NodeService)
var svcNode *structs.Node
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
if err := l.Delegate.RPC(context.Background(), "Catalog.NodeServiceList", &req, &out1); err == nil {
Sync of OSS changes to support namespaces (#6909)
5 years ago
for _, svc := range out1.NodeServices.Services {
remoteServices[svc.CompoundServiceID()] = svc
}
svcNode = out1.NodeServices.Node
} else if errMsg := err.Error(); strings.Contains(errMsg, "rpc: can't find method") {
// fallback to the old RPC
var out1 structs.IndexedNodeServices
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
if err := l.Delegate.RPC(context.Background(), "Catalog.NodeServices", &req, &out1); err != nil {
Sync of OSS changes to support namespaces (#6909)
5 years ago
return err
}
if out1.NodeServices != nil {
for _, svc := range out1.NodeServices.Services {
remoteServices[svc.CompoundServiceID()] = svc
}
svcNode = out1.NodeServices.Node
}
} else {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return err
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
var out2 structs.IndexedHealthChecks
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
if err := l.Delegate.RPC(context.Background(), "Health.NodeChecks", &req, &out2); err != nil {
First pass at local state + anti-entropy
11 years ago
return err
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
Sync of OSS changes to support namespaces (#6909)
5 years ago
remoteChecks := make(map[structs.CheckID]*structs.HealthCheck, len(out2.HealthChecks))
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for _, rc := range out2.HealthChecks {
Sync of OSS changes to support namespaces (#6909)
5 years ago
remoteChecks[rc.CompoundCheckID()] = rc
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
}
local state: update documentation of updateSyncState
7 years ago
// Traverse all checks, services and the node info to determine
// which entries need to be updated on or removed from the server
First pass at local state + anti-entropy
11 years ago
Seperate localState from Agent
11 years ago
l.Lock()
defer l.Unlock()
First pass at local state + anti-entropy
11 years ago
local state: update documentation of updateSyncState
7 years ago
// Check if node info needs syncing
Sync of OSS changes to support namespaces (#6909)
5 years ago
if svcNode == nil || svcNode.ID != l.config.NodeID ||
!reflect.DeepEqual(svcNode.TaggedAddresses, l.config.TaggedAddresses) ||
allow setting locality on services and nodes (#16581)
2 years ago
!reflect.DeepEqual(svcNode.Locality, l.config.NodeLocality) ||
Sync of OSS changes to support namespaces (#6909)
5 years ago
!reflect.DeepEqual(svcNode.Meta, l.metadata) {
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
l.nodeInfoInSync = false
}
local state: update documentation of updateSyncState
7 years ago
// Check which services need syncing
agent: handle nil node services in anti-entropy
10 years ago
local state: update documentation of updateSyncState
7 years ago
// Look for local services that do not exist remotely and mark them for
// syncing so that they will be pushed to the server later
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, s := range l.services {
if remoteServices[id] == nil {
s.InSync = false
agent: anti-entropy sync services/checks if they don't exist in the catalog
10 years ago
}
}
local state: update documentation of updateSyncState
7 years ago
// Traverse the list of services from the server.
// Remote services which do not exist locally have been deregistered.
// Otherwise, check whether the two definitions are still in sync.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, rs := range remoteServices {
ls := l.services[id]
if ls == nil {
local state: update documentation of updateSyncState
7 years ago
// The consul service is managed automatically and does
// not need to be deregistered
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if structs.IsConsulServiceID(id) {
Cleans up version 8 ACLs in the agent and the docs. (#3248) * Moves magic check and service constants into shared structs package. * Removes the "consul" service from local state. Since this service is added by the leader, it doesn't really make sense to also keep it in local state (which requires special ACLs to configure), and requires a bunch of special cases in the local state logic. This requires fewer special cases and makes ACL bootstrapping cleaner. * Makes coordinate update ACL log message a warning, similar to other AE warnings. * Adds much more detailed examples for bootstrapping ACLs. This can hopefully replace https://gist.github.com/slackpad/d89ce0e1cc0802c3c4f2d84932fa3234.
7 years ago
continue
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
local state: update documentation of updateSyncState
7 years ago
// Mark a remote service that does not exist locally as deleted so
// that it will be removed on the server later.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
l.services[id] = &ServiceState{Deleted: true}
continue
}
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// If the service is already scheduled for removal skip it
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if ls.Deleted {
agent: handle nil node services in anti-entropy
10 years ago
continue
agent: Handle API changes
11 years ago
}
agent: handle nil node services in anti-entropy
10 years ago
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
// Make a shallow copy since we may mutate it below and other readers
// may be reading it and we want to avoid a race.
nextService := *ls.Service
changed := false
Makes a detached copy of the tags when doing the override.
9 years ago
// If our definition is different, we need to update it. Make a
// copy so that we don't retain a pointer to any actual state
// store info for in-memory RPCs.
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
if nextService.EnableTagOverride {
auto-reload configuration when config files change (#12329) * add config watcher to the config package * add logging to watcher * add test and refactor to add WatcherEvent. * add all API calls and fix a bug with recreated files * add tests for watcher * remove the unnecessary use of context * Add debug log and a test for file rename * use inode to detect if the file is recreated/replaced and only listen to create events. * tidy ups (#1535) * tidy ups * Add tests for inode reconcile * fix linux vs windows syscall * fix linux vs windows syscall * fix windows compile error * increase timeout * use ctime ID * remove remove/creation test as it's a use case that fail in linux * fix linux/windows to use Ino/CreationTime * fix the watcher to only overwrite current file id * fix linter error * fix remove/create test * set reconcile loop to 200 Milliseconds * fix watcher to not trigger event on remove, add more tests * on a remove event try to add the file back to the watcher and trigger the handler if success * fix race condition * fix flaky test * fix race conditions * set level to info * fix when file is removed and get an event for it after * fix to trigger handler when we get a remove but re-add fail * fix error message * add tests for directory watch and fixes * detect if a file is a symlink and return an error on Add * rename Watcher to FileWatcher and remove symlink deref * add fsnotify@v1.5.1 * fix go mod * do not reset timer on errors, rename OS specific files * rename New func * events trigger on write and rename * add missing test * fix flaking tests * fix flaky test * check reconcile when removed * delete invalid file * fix test to create files with different mod time. * back date file instead of sleeping * add watching file in agent command. * fix watcher call to use new API * add configuration and stop watcher when server stop * add certs as watched files * move FileWatcher to the agent start instead of the command code * stop watcher before replacing it * save watched files in agent * add add and remove interfaces to the file watcher * fix remove to not return an error * use `Add` and `Remove` to update certs files * fix tests * close events channel on the file watcher even when the context is done * extract `NotAutoReloadableRuntimeConfig` is a separate struct * fix linter errors * add Ca configs and outgoing verify to the not auto reloadable config * add some logs and fix to use background context * add tests to auto-config reload * remove stale test * add tests to changes to config files * add check to see if old cert files still trigger updates * rename `NotAutoReloadableRuntimeConfig` to `StaticRuntimeConfig` * fix to re add both key and cert file. Add test to cover this case. * review suggestion Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add check to static runtime config changes * fix test * add changelog file * fix review comments * Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * update flag description Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> * fix compilation error * add static runtime config support * fix test * fix review comments * fix log test * Update .changelog/12329.txt Co-authored-by: Dan Upton <daniel@floppy.co> * transfer tests to runtime_test.go * fix filewatcher Replace to not deadlock. * avoid having lingering locks Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * split ReloadConfig func * fix warning message Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * convert `FileWatcher` into an interface * fix compilation errors * fix tests * extract func for adding and removing files Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> Co-authored-by: Daniel Upton <daniel@floppy.co>
3 years ago
nextService.Tags = stringslice.CloneStringSlice(rs.Tags)
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
changed = true
Add EnableTagDrift logic to command/agent/local.go
9 years ago
}
consul: add virtual IP generation for connect services
3 years ago
// Merge any tagged addresses with the consul- prefix (set by the server)
// back into the local state.
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
if !reflect.DeepEqual(nextService.TaggedAddresses, rs.TaggedAddresses) {
Fix races in anti-entropy tests (#12028)
3 years ago
// Make a copy of TaggedAddresses to prevent races when writing
// since other goroutines may be reading from the map
m := make(map[string]structs.ServiceAddress)
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
for k, v := range nextService.TaggedAddresses {
Fix races in anti-entropy tests (#12028)
3 years ago
m[k] = v
consul: add virtual IP generation for connect services
3 years ago
}
for k, v := range rs.TaggedAddresses {
if strings.HasPrefix(k, structs.MetaKeyReservedPrefix) {
Fix races in anti-entropy tests (#12028)
3 years ago
m[k] = v
consul: add virtual IP generation for connect services
3 years ago
}
}
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
nextService.TaggedAddresses = m
changed = true
}
if changed {
ls.Service = &nextService
consul: add virtual IP generation for connect services
3 years ago
}
Fix races in anti-entropy tests (#12028)
3 years ago
ls.InSync = ls.Service.IsSame(rs)
First pass at local state + anti-entropy
11 years ago
}
local state: update documentation of updateSyncState
7 years ago
// Check which checks need syncing
agent: remove an N^2 check. See #1265
9 years ago
local state: update documentation of updateSyncState
7 years ago
// Look for local checks that do not exist remotely and mark them for
// syncing so that they will be pushed to the server later
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, c := range l.checks {
if remoteChecks[id] == nil {
c.InSync = false
agent: anti-entropy sync services/checks if they don't exist in the catalog
10 years ago
}
}
local state: update documentation of updateSyncState
7 years ago
// Traverse the list of checks from the server.
// Remote checks which do not exist locally have been deregistered.
// Otherwise, check whether the two definitions are still in sync.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, rc := range remoteChecks {
lc := l.checks[id]
if lc == nil {
// The Serf check is created automatically and does not
Cleans up version 8 ACLs in the agent and the docs. (#3248) * Moves magic check and service constants into shared structs package. * Removes the "consul" service from local state. Since this service is added by the leader, it doesn't really make sense to also keep it in local state (which requires special ACLs to configure), and requires a bunch of special cases in the local state logic. This requires fewer special cases and makes ACL bootstrapping cleaner. * Makes coordinate update ACL log message a warning, similar to other AE warnings. * Adds much more detailed examples for bootstrapping ACLs. This can hopefully replace https://gist.github.com/slackpad/d89ce0e1cc0802c3c4f2d84932fa3234.
7 years ago
// need to be deregistered.
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
if structs.IsSerfCheckID(id) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Debug("Skipping remote check since it is managed automatically", "check", structs.SerfCheckID)
Handle the serf check and consul service
11 years ago
continue
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
local state: update documentation of updateSyncState
7 years ago
// Mark a remote check that does not exist locally as deleted so
// that it will be removed on the server later.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
l.checks[id] = &CheckState{Deleted: true}
continue
}
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// If the check is already scheduled for removal skip it.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if lc.Deleted {
First pass at local state + anti-entropy
11 years ago
continue
}
// If our definition is different, we need to update it
agent: Prevent anti-entropy from doing early sync of check output
11 years ago
if l.config.CheckUpdateInterval == 0 {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
lc.InSync = lc.Check.IsSame(rc)
continue
agent: Prevent anti-entropy from doing early sync of check output
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// Copy the existing check before potentially modifying
// it before the compare operation.
lcCopy := lc.Check.Clone()
// Copy the server's check before modifying, otherwise
// in-memory RPCs will have side effects.
rcCopy := rc.Clone()
// If there's a defer timer active then we've got a
// potentially spammy check so we don't sync the output
// during this sweep since the timer will mark the check
// out of sync for us. Otherwise, it is safe to sync the
// output now. This is especially important for checks
// that don't change state after they are created, in
// which case we'd never see their output synced back ever.
if lc.DeferCheck != nil {
lcCopy.Output = ""
rcCopy.Output = ""
}
lc.InSync = lcCopy.IsSame(rcCopy)
First pass at local state + anti-entropy
11 years ago
}
return nil
}
local state: fix anti-entropy state tests The anti-entropy tests relied on the side-effect of the StartSync() method to perform a full sync instead of a partial sync. This lead to multiple anti-entropy go routines being started unnecessary retry loops. This change changes the behavior to perform synchronous full syncs when necessary removing the need for all of the time.Sleep and most of the retry loops.
7 years ago
// SyncFull determines the delta between the local and remote state
// and synchronizes the changes.
func (l *State) SyncFull() error {
// note that we do not acquire the lock here since the methods
Spelling (#3958) * spelling: another * spelling: autopilot * spelling: beginning * spelling: circonus * spelling: default * spelling: definition * spelling: distance * spelling: encountered * spelling: enterprise * spelling: expands * spelling: exits * spelling: formatting * spelling: health * spelling: hierarchy * spelling: imposed * spelling: independence * spelling: inspect * spelling: last * spelling: latest * spelling: client * spelling: message * spelling: minimum * spelling: notify * spelling: nonexistent * spelling: operator * spelling: payload * spelling: preceded * spelling: prepared * spelling: programmatically * spelling: required * spelling: reconcile * spelling: responses * spelling: request * spelling: response * spelling: results * spelling: retrieve * spelling: service * spelling: significantly * spelling: specifies * spelling: supported * spelling: synchronization * spelling: synchronous * spelling: themselves * spelling: unexpected * spelling: validations * spelling: value
7 years ago
// we are calling will do that themselves.
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
//
// Also note that we don't hold the lock for the entire operation
// but release it between the two calls. This is not an issue since
// the algorithm is best-effort to achieve eventual consistency.
// SyncChanges will sync whatever updateSyncState() has determined
// needs updating.
local state: fix anti-entropy state tests The anti-entropy tests relied on the side-effect of the StartSync() method to perform a full sync instead of a partial sync. This lead to multiple anti-entropy go routines being started unnecessary retry loops. This change changes the behavior to perform synchronous full syncs when necessary removing the need for all of the time.Sleep and most of the retry loops.
7 years ago
if err := l.updateSyncState(); err != nil {
return err
}
return l.SyncChanges()
}
local state: update documentation of updateSyncState
7 years ago
// SyncChanges pushes checks, services and node info data which has been
// marked out of sync or deleted to the server.
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
func (l *State) SyncChanges() error {
Seperate localState from Agent
11 years ago
l.Lock()
defer l.Unlock()
First pass at local state + anti-entropy
11 years ago
agent: ensure node info sync and full sync. (#7189) This fixes #7020. There are two problems this PR solves: * if the node info changes it is highly likely to get service and check registration permission errors unless those service tokens have node:write. Hopefully services you register don’t have this permission. * the timer for a full sync gets reset for every partial sync which means that many partial syncs are preventing a full sync from happening Instead of syncing node info last, after services and checks, and possibly saving one RPC because it is included in every service sync, I am syncing node info first. It is only ever going to be a single RPC that we are only doing when node info has changed. This way we are guaranteed to sync node info even when something goes wrong with services or checks which is more likely because there are more syncs happening for them.
5 years ago
// Sync the node level info if we need to.
Update node info sync comment (#11465)
3 years ago
// At the start to guarantee sync even if services or checks fail,
// which is more likely because there are more syncs happening for them.
agent: ensure node info sync and full sync. (#7189) This fixes #7020. There are two problems this PR solves: * if the node info changes it is highly likely to get service and check registration permission errors unless those service tokens have node:write. Hopefully services you register don’t have this permission. * the timer for a full sync gets reset for every partial sync which means that many partial syncs are preventing a full sync from happening Instead of syncing node info last, after services and checks, and possibly saving one RPC because it is included in every service sync, I am syncing node info first. It is only ever going to be a single RPC that we are only doing when node info has changed. This way we are guaranteed to sync node info even when something goes wrong with services or checks which is more likely because there are more syncs happening for them.
5 years ago
if l.nodeInfoInSync {
l.logger.Debug("Node info in sync")
} else {
if err := l.syncNodeInfo(); err != nil {
return err
}
}
continue anti-entropy sync when failures exist (#17560)
1 year ago
var errs error
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
// Sync the services
local state: update documentation of updateSyncState
7 years ago
// (logging happens in the helper methods)
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, s := range l.services {
var err error
switch {
case s.Deleted:
err = l.deleteService(id)
case !s.InSync:
err = l.syncService(id)
default:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Debug("Service in sync", "service", id.String())
First pass at local state + anti-entropy
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if err != nil {
continue anti-entropy sync when failures exist (#17560)
1 year ago
errs = multierror.Append(errs, err)
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
}
First pass at local state + anti-entropy
11 years ago
}
local state: update documentation of updateSyncState
7 years ago
// Sync the checks
// (logging happens in the helper methods)
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
for id, c := range l.checks {
var err error
switch {
case c.Deleted:
err = l.deleteCheck(id)
case !c.InSync:
if c.DeferCheck != nil {
c.DeferCheck.Stop()
c.DeferCheck = nil
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
err = l.syncCheck(id)
default:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Debug("Check in sync", "check", id.String())
First pass at local state + anti-entropy
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if err != nil {
continue anti-entropy sync when failures exist (#17560)
1 year ago
errs = multierror.Append(errs, err)
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
}
First pass at local state + anti-entropy
11 years ago
}
continue anti-entropy sync when failures exist (#17560)
1 year ago
return errs
First pass at local state + anti-entropy
11 years ago
}
// deleteService is used to delete a service from the server
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) deleteService(key structs.ServiceID) error {
if key.ID == "" {
Validation ServiceID/CheckID when deleting in deleteService() in local.go
10 years ago
return fmt.Errorf("ServiceID missing")
}
Use agent token for service/check deregistration during anti-entropy (#16097) Use only the agent token for deregistration during anti-entropy The previous behavior had the agent attempt to use the "service" token (i.e. from the `token` field in a service definition file), and if that was not set then it would use the agent token. The previous behavior was problematic because, if the service token had been deleted, the deregistration request would fail. The agent would retry the deregistration during each anti-entropy sync, and the situation would never resolve. The new behavior is to only/always use the agent token for service and check deregistration during anti-entropy. This approach is: * Simpler: No fallback logic to try different tokens * Faster (slightly): No time spent attempting the service token * Correct: The agent token is able to deregister services on that agent's node, because: * node:write permissions allow deregistration of services/checks on that node. * The agent token must have node:write permission, or else the agent is not be able to (de)register itself into the catalog Co-authored-by: Vesa Hagström <weeezes@gmail.com>
2 years ago
// Always use the agent token to delete without trying the service token.
// This works because the agent token really must have node:write
// permission and node:write allows deregistration of services/checks on
// that node. Because the service token may have been deleted, using the
// agent token without fallback logic is a bit faster, simpler, and safer.
st := l.tokens.AgentToken()
First pass at local state + anti-entropy
11 years ago
req := structs.DeregisterRequest{
Sync of OSS changes to support namespaces (#6909)
5 years ago
Datacenter: l.config.Datacenter,
Node: l.config.NodeName,
ServiceID: key.ID,
EnterpriseMeta: key.EnterpriseMeta,
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
WriteRequest: structs.WriteRequest{Token: st},
First pass at local state + anti-entropy
11 years ago
}
var out struct{}
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
err := l.Delegate.RPC(context.Background(), "Catalog.Deregister", &req, &out)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
switch {
case err == nil || strings.Contains(err.Error(), "Unknown service"):
Sync of OSS changes to support namespaces (#6909)
5 years ago
delete(l.services, key)
agent: do not deregister service checks twice (#6168) Deregistering a service from the catalog automatically deregisters its checks, however the agent still performs a deregister call for each service checks even after the service has been deregistered. With ACLs enabled this results in logs like: "message:consul: "Catalog.Deregister" RPC failed to server server_ip:8300: rpc error making call: rpc error making call: Unknown check 'check_id'" This change removes associated checks from the agent state when deregistering a service, which results in less calls to the servers and supresses the error logs.
5 years ago
// service deregister also deletes associated checks
for _, c := range l.checks {
Fix check deletion in anti-entropy sync (#7690) * Incorporate entMeta into service equality check
5 years ago
if c.Deleted && c.Check != nil {
sid := c.Check.CompoundServiceID()
structs: Fix printing of IDs These types are used as values (not pointers) in other structs. Using a pointer receiver causes problems when the value is printed. fmt will not call the String method if it is passed a value and the String method has a pointer receiver. By using a value receiver the correct string is printed. Also remove some unused methods.
4 years ago
if sid.Matches(key) {
Fix check deletion in anti-entropy sync (#7690) * Incorporate entMeta into service equality check
5 years ago
l.pruneCheck(c.Check.CompoundCheckID())
}
agent: do not deregister service checks twice (#6168) Deregistering a service from the catalog automatically deregisters its checks, however the agent still performs a deregister call for each service checks even after the service has been deregistered. With ACLs enabled this results in logs like: "message:consul: "Catalog.Deregister" RPC failed to server server_ip:8300: rpc error making call: rpc error making call: Unknown check 'check_id'" This change removes associated checks from the agent state when deregistering a service, which results in less calls to the servers and supresses the error logs.
5 years ago
}
}
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Info("Deregistered service", "service", key.ID)
Keeps the service and check tokens around for deregistration. We fixed a few related issues while we were in here. We now only let services register checks with a matching token, and we also close out service and check delete operations if the catalog deregister claims it doesn't know about the ID of the service or check being deleted.
8 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
[Fix] Services sometimes not being synced with acl_enforce_version_8 = false (#4771) Fixes: https://github.com/hashicorp/consul/issues/3676 This fixes a bug were registering an agent with a non-existent ACL token can prevent other services registered with a good token from being synced to the server when using `acl_enforce_version_8 = false`. ## Background When `acl_enforce_version_8` is off the agent does not check the ACL token validity before storing the service in its state. When syncing a service registered with a missing ACL token we fall into the default error handling case (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1255) and stop the sync (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1082) without setting its Synced property to true like in the permission denied case. This means that the sync will always stop at the faulty service(s). The order in which the services are synced is random since we iterate on a map. So eventually all services with good ACL tokens will be synced, this can however take some time and is influenced by the cluster size, the bigger the slower because retries are less frequent. Having a service in this state also prevent all further sync of checks as they are done after the services. ## Changes This change modify the sync process to continue even if there is an error. This fixes the issue described above as well as making the sync more error tolerant: if the server repeatedly refuses a service (the ACL token could have been deleted by the time the service is synced, the servers were upgraded to a newer version that has more strict checks on the service definition...). Then all services and check that can be synced will, and those that don't will be marked as errors in the logs instead of blocking the whole process.
6 years ago
case acl.IsErrPermissionDenied(err), acl.IsErrNotFound(err):
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// todo(fs): mark the service to be in sync to prevent excessive retrying before next full sync
// todo(fs): some backoff strategy might be a better solution
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.services[key].InSync = true
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
accessorID := l.aclAccessorID(st)
Output user-friendly name for anonymous token (#15884)
2 years ago
l.logger.Warn("Service deregistration blocked by ACLs",
"service", key.String(),
"accessorID", acl.AliasIfAnonymousToken(accessorID))
Removed labels from new ACL denied metrics
7 years ago
metrics.IncrCounter([]string{"acl", "blocked", "service", "deregistration"}, 1)
Keeps the service and check tokens around for deregistration. We fixed a few related issues while we were in here. We now only let services register checks with a matching token, and we also close out service and check delete operations if the catalog deregister claims it doesn't know about the ID of the service or check being deleted.
8 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
default:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Warn("Deregistering service failed.",
"service", key.String(),
"error", err,
)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
return err
First pass at local state + anti-entropy
11 years ago
}
}
Adds ability to deregister a service based on critical check state longer than a timeout.
8 years ago
// deleteCheck is used to delete a check from the server
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) deleteCheck(key structs.CheckID) error {
if key.ID == "" {
Validation ServiceID/CheckID when deleting in deleteService() in local.go
10 years ago
return fmt.Errorf("CheckID missing")
}
Use agent token for service/check deregistration during anti-entropy (#16097) Use only the agent token for deregistration during anti-entropy The previous behavior had the agent attempt to use the "service" token (i.e. from the `token` field in a service definition file), and if that was not set then it would use the agent token. The previous behavior was problematic because, if the service token had been deleted, the deregistration request would fail. The agent would retry the deregistration during each anti-entropy sync, and the situation would never resolve. The new behavior is to only/always use the agent token for service and check deregistration during anti-entropy. This approach is: * Simpler: No fallback logic to try different tokens * Faster (slightly): No time spent attempting the service token * Correct: The agent token is able to deregister services on that agent's node, because: * node:write permissions allow deregistration of services/checks on that node. * The agent token must have node:write permission, or else the agent is not be able to (de)register itself into the catalog Co-authored-by: Vesa Hagström <weeezes@gmail.com>
2 years ago
// Always use the agent token for deletion. Refer to deleteService() for
// an explanation.
ct := l.tokens.AgentToken()
First pass at local state + anti-entropy
11 years ago
req := structs.DeregisterRequest{
Sync of OSS changes to support namespaces (#6909)
5 years ago
Datacenter: l.config.Datacenter,
Node: l.config.NodeName,
CheckID: key.ID,
EnterpriseMeta: key.EnterpriseMeta,
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
WriteRequest: structs.WriteRequest{Token: ct},
First pass at local state + anti-entropy
11 years ago
}
var out struct{}
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
err := l.Delegate.RPC(context.Background(), "Catalog.Deregister", &req, &out)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
switch {
case err == nil || strings.Contains(err.Error(), "Unknown check"):
agent: do not deregister service checks twice (#6168) Deregistering a service from the catalog automatically deregisters its checks, however the agent still performs a deregister call for each service checks even after the service has been deregistered. With ACLs enabled this results in logs like: "message:consul: "Catalog.Deregister" RPC failed to server server_ip:8300: rpc error making call: rpc error making call: Unknown check 'check_id'" This change removes associated checks from the agent state when deregistering a service, which results in less calls to the servers and supresses the error logs.
5 years ago
l.pruneCheck(key)
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Info("Deregistered check", "check", key.String())
Keeps the service and check tokens around for deregistration. We fixed a few related issues while we were in here. We now only let services register checks with a matching token, and we also close out service and check delete operations if the catalog deregister claims it doesn't know about the ID of the service or check being deleted.
8 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
[Fix] Services sometimes not being synced with acl_enforce_version_8 = false (#4771) Fixes: https://github.com/hashicorp/consul/issues/3676 This fixes a bug were registering an agent with a non-existent ACL token can prevent other services registered with a good token from being synced to the server when using `acl_enforce_version_8 = false`. ## Background When `acl_enforce_version_8` is off the agent does not check the ACL token validity before storing the service in its state. When syncing a service registered with a missing ACL token we fall into the default error handling case (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1255) and stop the sync (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1082) without setting its Synced property to true like in the permission denied case. This means that the sync will always stop at the faulty service(s). The order in which the services are synced is random since we iterate on a map. So eventually all services with good ACL tokens will be synced, this can however take some time and is influenced by the cluster size, the bigger the slower because retries are less frequent. Having a service in this state also prevent all further sync of checks as they are done after the services. ## Changes This change modify the sync process to continue even if there is an error. This fixes the issue described above as well as making the sync more error tolerant: if the server repeatedly refuses a service (the ACL token could have been deleted by the time the service is synced, the servers were upgraded to a newer version that has more strict checks on the service definition...). Then all services and check that can be synced will, and those that don't will be marked as errors in the logs instead of blocking the whole process.
6 years ago
case acl.IsErrPermissionDenied(err), acl.IsErrNotFound(err):
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// todo(fs): mark the check to be in sync to prevent excessive retrying before next full sync
// todo(fs): some backoff strategy might be a better solution
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.checks[key].InSync = true
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
accessorID := l.aclAccessorID(ct)
Output user-friendly name for anonymous token (#15884)
2 years ago
l.logger.Warn("Check deregistration blocked by ACLs",
"check", key.String(),
"accessorID", acl.AliasIfAnonymousToken(accessorID))
Removed labels from new ACL denied metrics
7 years ago
metrics.IncrCounter([]string{"acl", "blocked", "check", "deregistration"}, 1)
Keeps the service and check tokens around for deregistration. We fixed a few related issues while we were in here. We now only let services register checks with a matching token, and we also close out service and check delete operations if the catalog deregister claims it doesn't know about the ID of the service or check being deleted.
8 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
default:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Warn("Deregistering check failed.",
"check", key.String(),
"error", err,
)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
return err
First pass at local state + anti-entropy
11 years ago
}
}
agent: do not deregister service checks twice (#6168) Deregistering a service from the catalog automatically deregisters its checks, however the agent still performs a deregister call for each service checks even after the service has been deregistered. With ACLs enabled this results in logs like: "message:consul: "Catalog.Deregister" RPC failed to server server_ip:8300: rpc error making call: rpc error making call: Unknown check 'check_id'" This change removes associated checks from the agent state when deregistering a service, which results in less calls to the servers and supresses the error logs.
5 years ago
func (l *State) pruneCheck(id structs.CheckID) {
c := l.checks[id]
if c != nil && c.DeferCheck != nil {
c.DeferCheck.Stop()
}
delete(l.checks, id)
}
Add new config_file_service_registration token (#15828)
2 years ago
// serviceRegistrationTokenFallback returns a fallback function to be used when
// determining the token to use for service sync.
//
// The fallback function will return the config file registration token if the
// given service was sourced from a service definition in a config file.
func (l *State) serviceRegistrationTokenFallback(key structs.ServiceID) func() string {
return func() string {
if s := l.services[key]; s != nil && s.IsLocallyDefined {
return l.tokens.ConfigFileRegistrationToken()
}
return ""
}
}
func (l *State) checkRegistrationTokenFallback(key structs.CheckID) func() string {
return func() string {
if s := l.checks[key]; s != nil && s.IsLocallyDefined {
return l.tokens.ConfigFileRegistrationToken()
}
return ""
}
}
First pass at local state + anti-entropy
11 years ago
// syncService is used to sync a service to the server
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) syncService(key structs.ServiceID) error {
Add new config_file_service_registration token (#15828)
2 years ago
st := l.aclTokenForServiceSync(key, l.serviceRegistrationTokenFallback(key), l.tokens.UserToken)
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
// If the service has associated checks that are out of sync,
// piggyback them on the service sync so they are part of the
// same transaction and are registered atomically. We only let
// checks ride on service registrations with the same token,
// otherwise we need to register them separately so they don't
// pick up privileges from the service token.
var checks structs.HealthChecks
Sync of OSS changes to support namespaces (#6909)
5 years ago
for checkKey, c := range l.checks {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if c.Deleted || c.InSync {
continue
}
structs: Fix printing of IDs These types are used as values (not pointers) in other structs. Using a pointer receiver causes problems when the value is printed. fmt will not call the String method if it is passed a value and the String method has a pointer receiver. By using a value receiver the correct string is printed. Also remove some unused methods.
4 years ago
if !key.Matches(c.Check.CompoundServiceID()) {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
continue
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
}
Add new config_file_service_registration token (#15828)
2 years ago
if st != l.aclTokenForCheckSync(checkKey, l.checkRegistrationTokenFallback(checkKey), l.tokens.UserToken) {
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
continue
}
checks = append(checks, c.Check)
}
req := structs.RegisterRequest{
Datacenter: l.config.Datacenter,
ID: l.config.NodeID,
Node: l.config.NodeName,
Address: l.config.AdvertiseAddr,
TaggedAddresses: l.config.TaggedAddresses,
NodeMeta: l.metadata,
Sync of OSS changes to support namespaces (#6909)
5 years ago
Service: l.services[key].Service,
EnterpriseMeta: key.EnterpriseMeta,
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
WriteRequest: structs.WriteRequest{Token: st},
agent: ensure node info sync and full sync. (#7189) This fixes #7020. There are two problems this PR solves: * if the node info changes it is highly likely to get service and check registration permission errors unless those service tokens have node:write. Hopefully services you register don’t have this permission. * the timer for a full sync gets reset for every partial sync which means that many partial syncs are preventing a full sync from happening Instead of syncing node info last, after services and checks, and possibly saving one RPC because it is included in every service sync, I am syncing node info first. It is only ever going to be a single RPC that we are only doing when node info has changed. This way we are guaranteed to sync node info even when something goes wrong with services or checks which is more likely because there are more syncs happening for them.
5 years ago
SkipNodeUpdate: l.nodeInfoInSync,
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
}
agent: comments for new anti-entropy functionality
10 years ago
// Backwards-compatibility for Consul < 0.5
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
if len(checks) == 1 {
req.Check = checks[0]
} else {
req.Checks = checks
}
First pass at local state + anti-entropy
11 years ago
var out struct{}
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
err := l.Delegate.RPC(context.Background(), "Catalog.Register", &req, &out)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
switch {
case err == nil:
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.services[key].InSync = true
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
// Given how the register API works, this info is also updated
// every time we sync a service.
l.nodeInfoInSync = true
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
for _, check := range checks {
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
5 years ago
checkKey := structs.NewCheckID(check.CheckID, &check.EnterpriseMeta)
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.checks[checkKey].InSync = true
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
}
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Info("Synced service", "service", key.String())
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
[Fix] Services sometimes not being synced with acl_enforce_version_8 = false (#4771) Fixes: https://github.com/hashicorp/consul/issues/3676 This fixes a bug were registering an agent with a non-existent ACL token can prevent other services registered with a good token from being synced to the server when using `acl_enforce_version_8 = false`. ## Background When `acl_enforce_version_8` is off the agent does not check the ACL token validity before storing the service in its state. When syncing a service registered with a missing ACL token we fall into the default error handling case (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1255) and stop the sync (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1082) without setting its Synced property to true like in the permission denied case. This means that the sync will always stop at the faulty service(s). The order in which the services are synced is random since we iterate on a map. So eventually all services with good ACL tokens will be synced, this can however take some time and is influenced by the cluster size, the bigger the slower because retries are less frequent. Having a service in this state also prevent all further sync of checks as they are done after the services. ## Changes This change modify the sync process to continue even if there is an error. This fixes the issue described above as well as making the sync more error tolerant: if the server repeatedly refuses a service (the ACL token could have been deleted by the time the service is synced, the servers were upgraded to a newer version that has more strict checks on the service definition...). Then all services and check that can be synced will, and those that don't will be marked as errors in the logs instead of blocking the whole process.
6 years ago
case acl.IsErrPermissionDenied(err), acl.IsErrNotFound(err):
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// todo(fs): mark the service and the checks to be in sync to prevent excessive retrying before next full sync
// todo(fs): some backoff strategy might be a better solution
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.services[key].InSync = true
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
for _, check := range checks {
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
5 years ago
checkKey := structs.NewCheckID(check.CheckID, &check.EnterpriseMeta)
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.checks[checkKey].InSync = true
Revert "local state: replace multi-map state with structs" This reverts commit ccbae7da5bceeb2328ab7993a8badbf2e72a4597.
7 years ago
}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
accessorID := l.aclAccessorID(st)
Output user-friendly name for anonymous token (#15884)
2 years ago
l.logger.Warn("Service registration blocked by ACLs",
"service", key.String(),
"accessorID", acl.AliasIfAnonymousToken(accessorID))
Removed labels from new ACL denied metrics
7 years ago
metrics.IncrCounter([]string{"acl", "blocked", "service", "registration"}, 1)
agent: Handle service ACLs when doing anti-entropy
10 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
default:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Warn("Syncing service failed.",
"service", key.String(),
"error", err,
)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
return err
First pass at local state + anti-entropy
11 years ago
}
}
Fix typo
9 years ago
// syncCheck is used to sync a check to the server
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) syncCheck(key structs.CheckID) error {
c := l.checks[key]
Add new config_file_service_registration token (#15828)
2 years ago
ct := l.aclTokenForCheckSync(key, l.checkRegistrationTokenFallback(key), l.tokens.UserToken)
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
req := structs.RegisterRequest{
Sets up config for more address tags down the road, renames struct members.
9 years ago
Datacenter: l.config.Datacenter,
Adds catalog support for node IDs.
8 years ago
ID: l.config.NodeID,
Sets up config for more address tags down the road, renames struct members.
9 years ago
Node: l.config.NodeName,
Address: l.config.AdvertiseAddr,
TaggedAddresses: l.config.TaggedAddresses,
Add support for setting node metadata fields
8 years ago
NodeMeta: l.metadata,
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
Check: c.Check,
Sync of OSS changes to support namespaces (#6909)
5 years ago
EnterpriseMeta: c.Check.EnterpriseMeta,
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
WriteRequest: structs.WriteRequest{Token: ct},
agent: ensure node info sync and full sync. (#7189) This fixes #7020. There are two problems this PR solves: * if the node info changes it is highly likely to get service and check registration permission errors unless those service tokens have node:write. Hopefully services you register don’t have this permission. * the timer for a full sync gets reset for every partial sync which means that many partial syncs are preventing a full sync from happening Instead of syncing node info last, after services and checks, and possibly saving one RPC because it is included in every service sync, I am syncing node info first. It is only ever going to be a single RPC that we are only doing when node info has changed. This way we are guaranteed to sync node info even when something goes wrong with services or checks which is more likely because there are more syncs happening for them.
5 years ago
SkipNodeUpdate: l.nodeInfoInSync,
First pass at local state + anti-entropy
11 years ago
}
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
5 years ago
serviceKey := structs.NewServiceID(c.Check.ServiceID, &key.EnterpriseMeta)
Sync of OSS changes to support namespaces (#6909)
5 years ago
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
// Pull in the associated service if any
Sync of OSS changes to support namespaces (#6909)
5 years ago
s := l.services[serviceKey]
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
if s != nil && !s.Deleted {
req.Service = s.Service
}
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
var out struct{}
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
err := l.Delegate.RPC(context.Background(), "Catalog.Register", &req, &out)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
switch {
case err == nil:
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.checks[key].InSync = true
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
// Given how the register API works, this info is also updated
Keeps the service and check tokens around for deregistration. We fixed a few related issues while we were in here. We now only let services register checks with a matching token, and we also close out service and check delete operations if the catalog deregister claims it doesn't know about the ID of the service or check being deleted.
8 years ago
// every time we sync a check.
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
l.nodeInfoInSync = true
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Info("Synced check", "check", key.String())
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
[Fix] Services sometimes not being synced with acl_enforce_version_8 = false (#4771) Fixes: https://github.com/hashicorp/consul/issues/3676 This fixes a bug were registering an agent with a non-existent ACL token can prevent other services registered with a good token from being synced to the server when using `acl_enforce_version_8 = false`. ## Background When `acl_enforce_version_8` is off the agent does not check the ACL token validity before storing the service in its state. When syncing a service registered with a missing ACL token we fall into the default error handling case (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1255) and stop the sync (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1082) without setting its Synced property to true like in the permission denied case. This means that the sync will always stop at the faulty service(s). The order in which the services are synced is random since we iterate on a map. So eventually all services with good ACL tokens will be synced, this can however take some time and is influenced by the cluster size, the bigger the slower because retries are less frequent. Having a service in this state also prevent all further sync of checks as they are done after the services. ## Changes This change modify the sync process to continue even if there is an error. This fixes the issue described above as well as making the sync more error tolerant: if the server repeatedly refuses a service (the ACL token could have been deleted by the time the service is synced, the servers were upgraded to a newer version that has more strict checks on the service definition...). Then all services and check that can be synced will, and those that don't will be marked as errors in the logs instead of blocking the whole process.
6 years ago
case acl.IsErrPermissionDenied(err), acl.IsErrNotFound(err):
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// todo(fs): mark the check to be in sync to prevent excessive retrying before next full sync
// todo(fs): some backoff strategy might be a better solution
Sync of OSS changes to support namespaces (#6909)
5 years ago
l.checks[key].InSync = true
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
accessorID := l.aclAccessorID(ct)
Output user-friendly name for anonymous token (#15884)
2 years ago
l.logger.Warn("Check registration blocked by ACLs",
"check", key.String(),
"accessorID", acl.AliasIfAnonymousToken(accessorID))
Removed labels from new ACL denied metrics
7 years ago
metrics.IncrCounter([]string{"acl", "blocked", "check", "registration"}, 1)
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
default:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Warn("Syncing check failed.",
"check", key.String(),
"error", err,
)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
return err
agent: simplify anti-entropy of services with multiple checks, add tests
10 years ago
}
First pass at local state + anti-entropy
11 years ago
}
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
7 years ago
func (l *State) syncNodeInfo() error {
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
at := l.tokens.AgentToken()
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
req := structs.RegisterRequest{
Datacenter: l.config.Datacenter,
Adds catalog support for node IDs.
8 years ago
ID: l.config.NodeID,
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
Node: l.config.NodeName,
Address: l.config.AdvertiseAddr,
TaggedAddresses: l.config.TaggedAddresses,
allow setting locality on services and nodes (#16581)
2 years ago
Locality: l.config.NodeLocality,
Add support for setting node metadata fields
8 years ago
NodeMeta: l.metadata,
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
EnterpriseMeta: l.agentEnterpriseMeta,
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
WriteRequest: structs.WriteRequest{Token: at},
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
}
var out struct{}
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
err := l.Delegate.RPC(context.Background(), "Catalog.Register", &req, &out)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
switch {
case err == nil:
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
l.nodeInfoInSync = true
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Info("Synced node info")
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
7 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
[Fix] Services sometimes not being synced with acl_enforce_version_8 = false (#4771) Fixes: https://github.com/hashicorp/consul/issues/3676 This fixes a bug were registering an agent with a non-existent ACL token can prevent other services registered with a good token from being synced to the server when using `acl_enforce_version_8 = false`. ## Background When `acl_enforce_version_8` is off the agent does not check the ACL token validity before storing the service in its state. When syncing a service registered with a missing ACL token we fall into the default error handling case (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1255) and stop the sync (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1082) without setting its Synced property to true like in the permission denied case. This means that the sync will always stop at the faulty service(s). The order in which the services are synced is random since we iterate on a map. So eventually all services with good ACL tokens will be synced, this can however take some time and is influenced by the cluster size, the bigger the slower because retries are less frequent. Having a service in this state also prevent all further sync of checks as they are done after the services. ## Changes This change modify the sync process to continue even if there is an error. This fixes the issue described above as well as making the sync more error tolerant: if the server repeatedly refuses a service (the ACL token could have been deleted by the time the service is synced, the servers were upgraded to a newer version that has more strict checks on the service definition...). Then all services and check that can be synced will, and those that don't will be marked as errors in the logs instead of blocking the whole process.
6 years ago
case acl.IsErrPermissionDenied(err), acl.IsErrNotFound(err):
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
// todo(fs): mark the node info to be in sync to prevent excessive retrying before next full sync
// todo(fs): some backoff strategy might be a better solution
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
l.nodeInfoInSync = true
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
accessorID := l.aclAccessorID(at)
Output user-friendly name for anonymous token (#15884)
2 years ago
l.logger.Warn("Node info update blocked by ACLs",
"node", l.config.NodeID,
"accessorID", acl.AliasIfAnonymousToken(accessorID))
Removed labels from new ACL denied metrics
7 years ago
metrics.IncrCounter([]string{"acl", "blocked", "node", "registration"}, 1)
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
return nil
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
default:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
l.logger.Warn("Syncing node info failed.", "error", err)
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
7 years ago
return err
Moves tagged wan address to be managed by anti-entropy, not serf.
9 years ago
}
}
Update alias checks on local add and remove
6 years ago
Notify alias checks when aliased service is [de]registered (#8456)
4 years ago
// notifyIfAliased will notify waiters of changes to an aliased service
Sync of OSS changes to support namespaces (#6909)
5 years ago
func (l *State) notifyIfAliased(serviceID structs.ServiceID) {
Update alias checks on local add and remove
6 years ago
if aliases, ok := l.checkAliases[serviceID]; ok && len(aliases) > 0 {
for _, notifyCh := range aliases {
// Do not block. All notify channels should be buffered to at
// least 1 in which case not-blocking does not result in loss
// of data because a failed send means a notification is
// already queued. This must be called with the lock held.
select {
case notifyCh <- struct{}{}:
default:
}
}
}
}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
// aclAccessorID is used to convert an ACLToken's secretID to its accessorID for non-
// critical purposes, such as logging. Therefore we interpret all errors as empty-string
// so we can safely log it without handling non-critical errors at the usage site.
func (l *State) aclAccessorID(secretID string) string {
acl: remove ResolveTokenToIdentity By exposing the AccessorID from the primary ResolveToken method we can remove this duplication.
3 years ago
ident, err := l.Delegate.ResolveTokenAndDefaultMeta(secretID, nil, nil)
various tweaks on top of the hclog work (#7165)
5 years ago
if acl.IsErrNotFound(err) {
return ""
}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
if err != nil {
various tweaks on top of the hclog work (#7165)
5 years ago
l.logger.Debug("non-critical error resolving acl token accessor for logging", "error", err)
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
return ""
}
acl: remove ResolveTokenToIdentity By exposing the AccessorID from the primary ResolveToken method we can remove this duplication.
3 years ago
return ident.AccessorID()
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
5 years ago
}
local: fixes a data race in anti-entropy sync (#12324) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.
3 years ago
func cloneService(ns *structs.NodeService) (*structs.NodeService, error) {
// TODO: consider doing a hand-managed clone function
raw, err := copystructure.Copy(ns)
if err != nil {
return nil, err
}
return raw.(*structs.NodeService), err
}
func cloneCheck(check *structs.HealthCheck) (*structs.HealthCheck, error) {
// TODO: consider doing a hand-managed clone function
raw, err := copystructure.Copy(check)
if err != nil {
return nil, err
}
return raw.(*structs.HealthCheck), err
}