cephfs: safeguard localClusterState struct from race conditions #4163
Conversation
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
This fixes #4162. feel free to attach the issue to the PR |
internal/cephfs/core/volume.go
Outdated
| var clusterAdditionalInfo = make(map[string]*localClusterState) | ||
| var clusterAdditionalInfoMutex sync.Mutex |
There was a problem hiding this comment.
Early suggestion:- use sync.Map instead of map and sync.Mutex
There was a problem hiding this comment.
It'll make things more complex.
We'll need to get variable and convert to clusterState type every time and then store it back.
The race condition happens only when we are writing so current code should be good.
The upper map uses a mutex and members themselves are atomic.
|
/retest ci/centos/mini-e2e/k8s-1.27 |
Rakshith-R
force-pushed
the
fix-crash
branch
2 times, most recently
from
61b19fa to
0f0d56a
Compare
internal/cephfs/core/volume.go
Outdated
| const ( | ||
| unknown operationState = iota | ||
| unknown int64 = iota |
There was a problem hiding this comment.
not sure why this was int64 before, as we have minimal values we should have used uint32.
internal/cephfs/core/volume.go
Outdated
| if clusterAdditionalInfo[s.clusterID].resizeState.Load() == unknown || | ||
| clusterAdditionalInfo[s.clusterID].resizeState.Load() == supported { |
There was a problem hiding this comment.
This should also go to the helper function like in metadata.go as an enhancement.
| clusterAdditionalInfo = make(map[string]*localClusterState) | ||
| // clusterAdditionalInfoMutex is used to synchronize access to | ||
| // clusterAdditionalInfo map. | ||
| clusterAdditionalInfoMutex = sync.Mutex{} |
There was a problem hiding this comment.
Would a sync.RWMutex not be better?
If you only mean to protect against concurrent writes, please state it clearly.
internal/cephfs/core/volume.go
Outdated
| @@ -232,7 +238,7 @@ func (s *subVolumeClient) CreateVolume(ctx context.Context) error { | |||
| } | |||
|
|
|||
| // create subvolumegroup if not already created for the cluster. | |||
| if !clusterAdditionalInfo[s.clusterID].subVolumeGroupsCreated[s.FsName] { | |||
| if _, found := clusterAdditionalInfo[s.clusterID].subVolumeGroupsCreated.Load(s.FsName); !found { | |||
There was a problem hiding this comment.
This is still racy. If the subVolumeGroup is not found, there is a timespan where multiple processes can try to create it. This is something that should be protected by a Mutex.
If creating the subVolumeGroup multiple times is not problematic, please leave a comment in the code about it.
internal/cephfs/core/volume.go
Outdated
| resizeState operationState | ||
| subVolMetadataState operationState | ||
| subVolSnapshotMetadataState operationState | ||
| resizeState atomic.Int64 |
There was a problem hiding this comment.
I do not understand why using an atomic int is safer here. Can you explain that in the commit message?
mergify
bot
dismissed
riya-singhal31’s stale review
Pull request has been modified.
|
On deeper inspection, indeed atomic really didn't serve the purpose and subVolgroupCreated was still kinda buggy. Rewrote the code to use RWMutex locks individually with lot of helpers. Please take a look again. |
|
/retest ci/centos/mini-e2e/k8s-1.27 |
internal/cephfs/core/volume.go
Outdated
| subVolSnapshotMetadataState operationState | ||
| resizeState operationStateMutex | ||
| subVolMetadataState operationStateMutex | ||
| subVolSnapshotMetadataState operationStateMutex |
There was a problem hiding this comment.
this may be overdoing it, is the subVolumeGroupsRWMutex of this struct not sufficient to protect its members?
There was a problem hiding this comment.
this may be overdoing it, is the
subVolumeGroupsRWMutexof this struct not sufficient to protect its members?
No, all are independent parameters.
- with R-Locks it should basically not have much overhead.
There was a problem hiding this comment.
It is not about the performance overhead. I am worried about the complexity that looks unneeded.
internal/cephfs/core/volume.go
Outdated
| @@ -240,7 +247,7 @@ func (s *subVolumeClient) CreateVolume(ctx context.Context) error { | |||
| } | |||
|
|
|||
| // create subvolumegroup if not already created for the cluster. | |||
| if !clusterAdditionalInfo[s.clusterID].subVolumeGroupsCreated[s.FsName] { | |||
| if !s.isSubVolumeGroupCreated(s.SubvolumeGroup) { | |||
There was a problem hiding this comment.
This is still racy. two or more go routines can call the function, and both can continue to create the SubVolumeGroup.
In order to prevent races, you will need to take a lock on the clusterAdditionalInfo[s.clusterID] object (a single lock for all members to keep it simple would be fine), or
- lock the
.subVolumeGroupsRWMutex - create the SubVolumeGroup
- unlock the
.subVolumeGroupsRWMutex
If access to the different members needs similar serialization, use a single Mutex to update any of the members and have other go routines block until the updating is done.
There was a problem hiding this comment.
This is still racy. two or more go routines can call the function, and both can continue to create the SubVolumeGroup.
In order to prevent races, you will need to take a lock on the
clusterAdditionalInfo[s.clusterID]object (a single lock for all members to keep it simple would be fine), or
- lock the
.subVolumeGroupsRWMutex- create the SubVolumeGroup
- unlock the
.subVolumeGroupsRWMutexIf access to the different members needs similar serialization, use a single Mutex to update any of the members and have other go routines block until the updating is done.
Yes that is intentional,
The mentioned parallel create will happen only once and there's no side affects to svg create cmd being called more than once. The follow on update will still be guarded by rwlock so we're fine.
I don't want to hold locks while we wait for a response from ceph.
And I want don't want other members to wait while one is being updated.
There was a problem hiding this comment.
Sorry, but that is not what the commit message describes:
Multiple go-routines may simultaneously check for
presence of a clusterID's metadata such as
subvolumegroup created state, resize state,
metadata state and snapshot metadata state in the
clusterAdditionalInfo map and update an entry after creation
if it is absent. This set of operation needs to be serialized.
There is no serialization in this commit. This commit add atomically setting/reading a value. Usually an int is atomic already, and sufficient if there are no calculations done with it. I do not think the mutex per member in the operationState contributes to preventing race conditions.
|
👍 |
|
@Mergifyio queue |
✅ The pull request has been merged automaticallyThe pull request has been merged automatically at d516a1d |
Multiple go-routines may simultaneously check for a clusterID's presence in clusterAdditionalInfo and create an entry if it is absent. This set of operation needs to be serialized. Therefore, this commit safeguards clusterAdditionalInfo map from concurrent writes with a mutex to prevent the above problem. Signed-off-by: Rakshith R <[email protected]>
Multiple go-routines may simultaneously create the subVolumeGroupCreated map or write into it for a particular group. This commit safeguards subVolumeGroupCreated map from concurrent creation/writes while allowing for multiple readers. Signed-off-by: Rakshith R <[email protected]>
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/k8s-e2e-external-storage/1.26 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.26 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/k8s-e2e-external-storage/1.28 |
|
/test ci/centos/mini-e2e/k8s-1.26 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.28 |
|
/test ci/centos/mini-e2e/k8s-1.28 |
|
@Mergifyio backport release-3.9 |
❌ No backport have been created
GitHub error: |
|
@Mergifyio backport release-v3.9 |
🟠 Pending
|
Describe what this PR does
This commit uses atomic.Int64 and sync.Map with members of localClusterState and safeguards clusterAdditionalInfo map operations with a mutex.
Is the change backward compatible?
yes
Are there concerns around backward compatibility?
no
Related issues
Fixes: #4162
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)