feat: implement optimistic and pessimistic locking for sandbox metadata

- Add update_version field to SandboxInfo/SandboxRecord and lock_sandbox_key() helper
- Add LockResult enum and lock operations to RedisProvider (create_and_acquire, acquire, optimistic_update, release)
- Add version-guarded update() to SandboxTable to skip stale writes
- Implement SandboxRepository lock context managers (create_and_acquire_lock, acquire_lock) and version-aware CRUD
- Wrap SandboxManager.start_async/stop with pessimistic lock context managers; remove _check_sandbox_exists_in_redis
- Add tests for optimistic update behaviour in SandboxRepository
- Add update_version to SandboxInfoField Literal type

Author: zhangjaycee

rock/actions/sandbox/_generated_types.py

@@ -26,4 +26,5 @@
     "create_time",
     "start_time",
     "stop_time",
+    "update_version",
 ]

rock/actions/sandbox/sandbox_info.py

@@ -24,3 +24,4 @@ class SandboxInfo(TypedDict, total=False):
     create_time: str
     start_time: str
     stop_time: str
+    update_version: int

rock/admin/core/redis_key.py

@@ -1,5 +1,6 @@
 ALIVE_PREFIX = "alive:"
 TIMEOUT_PREFIX = "timeout:"
+LOCK_PREFIX = "lock:"
 
 
 def alive_sandbox_key(sandbox_id: str) -> str:
@@ -8,3 +9,7 @@ def alive_sandbox_key(sandbox_id: str) -> str:
 
 def timeout_sandbox_key(sandbox_id: str) -> str:
     return f"{TIMEOUT_PREFIX}{sandbox_id}"
+
+
+def lock_sandbox_key(sandbox_id: str) -> str:
+    return f"{LOCK_PREFIX}{sandbox_id}"

rock/admin/core/sandbox_table.py

@@ -54,16 +54,33 @@ async def get(self, sandbox_id: str) -> SandboxInfo | None:
             return _record_to_sandbox_info(record)
 
     async def update(self, sandbox_id: str, data: SandboxInfo) -> None:
-        """Partial update of an existing sandbox record."""
+        """Partial update of an existing sandbox record.
+
+        When *data* contains ``update_version``, the write is skipped if the DB
+        record already carries an equal-or-higher version (prevents stale
+        fire-and-forget writes from overwriting newer state).
+        """
         filtered = self._filter_data(data)
         if not filtered:
             return
-
+        new_version: int | None = filtered.get("update_version")
         async with self._db.session() as session:
             record = await session.get(SandboxRecord, sandbox_id)
             if record is None:
                 logger.warning("update: sandbox_id=%s not found", sandbox_id)
                 return
+            if (
+                new_version is not None
+                and record.update_version is not None
+                and new_version <= record.update_version
+            ):
+                logger.debug(
+                    "update: skip stale write sandbox_id=%s new_version=%s current=%s",
+                    sandbox_id,
+                    new_version,
+                    record.update_version,
+                )
+                return
             for key, value in filtered.items():
                 setattr(record, key, value)
             await session.commit()

rock/admin/core/schema.py

@@ -8,7 +8,7 @@
 
 from typing import Any, ClassVar
 
-from sqlalchemy import Boolean, Column, Float, Index, String
+from sqlalchemy import Boolean, Column, Float, Index, Integer, String
 from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.orm import DeclarativeBase
 from sqlalchemy.types import JSON
@@ -48,6 +48,7 @@ class SandboxRecord(Base):
     create_user_gray_flag = Column(Boolean, nullable=True)
     phases = Column(_JSONB_VARIANT, nullable=True)
     port_mapping = Column(_JSONB_VARIANT, nullable=True)
+    update_version = Column(Integer, nullable=True)
 
     __table_args__ = (
         Index("ix_sandbox_record_user_id", "user_id"),

rock/sandbox/sandbox_manager.py

@@ -39,8 +39,6 @@
 from rock.sdk.common.exceptions import BadRequestRockError, InternalServerRockError
 from rock.utils.crypto_utils import AESEncryption
 from rock.utils.format import convert_to_gb, parse_size_to_bytes
-from rock.utils.providers.redis_provider import RedisProvider
-from rock.utils.service import build_sandbox_from_redis
 from rock.utils.system import get_iso8601_timestamp
 
 logger = init_logger(__name__)
@@ -79,12 +77,6 @@ async def refresh_aes_key(self):
             logger.error(f"update aes key failed, error: {e}")
             raise InternalServerRockError(f"update aes key failed, {str(e)}")
 
-    async def _check_sandbox_exists_in_redis(self, config: DeploymentConfig):
-        if isinstance(config, DockerDeploymentConfig) and config.container_name:
-            sandbox_id = config.container_name
-            if self._meta_repo and await self._meta_repo.exists(sandbox_id):
-                raise BadRequestRockError(f"Sandbox {sandbox_id} already exists")
-
     def _setup_sandbox_actor_metadata(self, sandbox_actor: SandboxActor, user_info: UserInfo) -> None:
         user_id = user_info.get("user_id", "default")
         experiment_id = user_info.get("experiment_id", "default")
@@ -112,7 +104,6 @@ async def _build_sandbox_info_metadata(
     async def start_async(
         self, config: DeploymentConfig, user_info: UserInfo = {}, cluster_info: ClusterInfo = {}
     ) -> SandboxStartResponse:
-        await self._check_sandbox_exists_in_redis(config)
         self.validate_sandbox_spec(self.rock_config.runtime, config)
         docker_deployment_config: DockerDeploymentConfig = await self.deployment_manager.init_config(config)
 
@@ -125,15 +116,24 @@ async def start_async(
             )
             docker_deployment_config.cpus = self.rock_config.runtime.standard_spec.cpus
             docker_deployment_config.memory = self.rock_config.runtime.standard_spec.memory
-        sandbox_info: SandboxInfo = await self._operator.submit(docker_deployment_config, user_info)
+
         stop_time = str(int(time.time()) + docker_deployment_config.auto_clear_time * 60)
         auto_clear_time_dict = {
             env_vars.ROCK_SANDBOX_AUTO_CLEAR_TIME_KEY: str(docker_deployment_config.auto_clear_time),
             env_vars.ROCK_SANDBOX_EXPIRE_TIME_KEY: stop_time,
         }
-        await self._build_sandbox_info_metadata(sandbox_info, user_info, cluster_info)
+
         if self._meta_repo:
-            await self._meta_repo.create(sandbox_id, sandbox_info, timeout_info=auto_clear_time_dict)
+            async with self._meta_repo.create_and_acquire_lock(sandbox_id) as version:
+                sandbox_info: SandboxInfo = await self._operator.submit(docker_deployment_config, user_info)
+                await self._build_sandbox_info_metadata(sandbox_info, user_info, cluster_info)
+                await self._meta_repo.create(
+                    sandbox_id, sandbox_info, timeout_info=auto_clear_time_dict, version=version
+                )
+        else:
+            sandbox_info = await self._operator.submit(docker_deployment_config, user_info)
+            await self._build_sandbox_info_metadata(sandbox_info, user_info, cluster_info)
+
         return SandboxStartResponse(
             sandbox_id=sandbox_id,
             host_name=sandbox_info.get("host_name"),
@@ -170,27 +170,37 @@ async def start(self, config: DeploymentConfig) -> SandboxStartResponse:
     @monitor_sandbox_operation()
     async def stop(self, sandbox_id):
         logger.info(f"stop sandbox {sandbox_id}")
-        sandbox_info: SandboxInfo | None = await self._meta_repo.get(sandbox_id) if self._meta_repo else None
-        if sandbox_info is None:
-            sandbox_info = {}
-        sandbox_info["state"] = State.STOPPED
-        if sandbox_info.get("start_time"):
-            sandbox_info["stop_time"] = get_iso8601_timestamp()
-            log_billing_info(sandbox_info=sandbox_info)
-        try:
-            await self._operator.stop(sandbox_id)
-        except ValueError as e:
-            logger.error(f"ray get actor, actor {sandbox_id} not exist", exc_info=e)
-            if self._meta_repo:
-                await self._meta_repo.archive(sandbox_id, sandbox_info)
+
+        if not self._meta_repo:
+            try:
+                await self._operator.stop(sandbox_id)
+            except ValueError as e:
+                logger.error(f"ray get actor, actor {sandbox_id} not exist", exc_info=e)
+            try:
+                self._sandbox_meta.pop(sandbox_id)
+            except KeyError:
+                logger.debug(f"{sandbox_id} key not found")
             return
-        try:
-            self._sandbox_meta.pop(sandbox_id)
-        except KeyError:
-            logger.debug(f"{sandbox_id} key not found")
-        logger.info(f"sandbox {sandbox_id} stopped")
-        if self._meta_repo:
-            await self._meta_repo.archive(sandbox_id, sandbox_info)
+
+        async with self._meta_repo.acquire_lock(sandbox_id) as version:
+            sandbox_info: SandboxInfo = await self._meta_repo.get(sandbox_id) or {}
+            sandbox_info["state"] = State.STOPPED
+            if sandbox_info.get("start_time"):
+                sandbox_info["stop_time"] = get_iso8601_timestamp()
+                log_billing_info(sandbox_info=sandbox_info)
+            try:
+                await self._operator.stop(sandbox_id)
+            except ValueError as e:
+                logger.error(f"ray get actor, actor {sandbox_id} not exist", exc_info=e)
+                await self._meta_repo.archive(sandbox_id, sandbox_info, version)
+                return
+            try:
+                self._sandbox_meta.pop(sandbox_id)
+            except KeyError:
+                logger.debug(f"{sandbox_id} key not found")
+            logger.info(f"sandbox {sandbox_id} stopped")
+            await self._meta_repo.archive(sandbox_id, sandbox_info, version)
+        # lock_release in context manager silently no-ops: archive already deleted the lock key
 
     async def get_mount(self, sandbox_id):
         async with self._ray_service.get_ray_rwlock().read_lock():

rock/sandbox/sandbox_repository.py

@@ -7,17 +7,21 @@
 from __future__ import annotations
 
 import asyncio
+import socket
 import time
 from collections.abc import AsyncIterator, Awaitable, Callable
+from contextlib import asynccontextmanager
 from typing import Any
+from uuid import uuid4
 
 from rock.actions.sandbox._generated_types import SandboxInfoField
 from rock.actions.sandbox.response import State
 from rock.actions.sandbox.sandbox_info import SandboxInfo
-from rock.admin.core.redis_key import ALIVE_PREFIX, alive_sandbox_key, timeout_sandbox_key
+from rock.admin.core.redis_key import ALIVE_PREFIX, alive_sandbox_key, lock_sandbox_key, timeout_sandbox_key
 from rock.admin.core.sandbox_table import SandboxTable
 from rock.logger import init_logger
-from rock.utils.providers.redis_provider import RedisProvider
+from rock.sdk.common.exceptions import BadRequestRockError
+from rock.utils.providers.redis_provider import LockResult, RedisProvider
 
 logger = init_logger(__name__)
 
@@ -53,56 +57,78 @@ async def create(
         sandbox_id: str,
         sandbox_info: SandboxInfo,
         timeout_info: dict[str, str] | None = None,
+        version: int = 1,
     ) -> None:
         """Write sandbox info to the Redis alive key and fire-and-forget a DB insert.
 
         Parameters
         ----------
         timeout_info:
             If provided, also write the timeout key (``auto_clear_time`` / ``expire_time``).
+        version:
+            The version number from ``create_and_acquire_lock``.  Stored as
+            ``update_version`` in both the alive key and the DB record.
         """
         if self._redis:
-            await self._redis.json_set(alive_sandbox_key(sandbox_id), "$", sandbox_info)
+            info_with_version: SandboxInfo = {**sandbox_info, "update_version": version}
+            await self._redis.json_set(alive_sandbox_key(sandbox_id), "$", info_with_version)
             if timeout_info is not None:
                 await self._redis.json_set(timeout_sandbox_key(sandbox_id), "$", timeout_info)
+        else:
+            info_with_version = sandbox_info
 
-        self._fire_db_insert(sandbox_id, sandbox_info)
+        self._fire_db_insert(sandbox_id, {**info_with_version, "update_version": version})
 
     async def update(self, sandbox_id: str, sandbox_info: SandboxInfo) -> None:
-        """Merge *sandbox_info* into the existing Redis alive key and fire-and-forget a DB update."""
+        """Merge *sandbox_info* into the alive key via optimistic lock; fire DB only on success.
+
+        Uses an atomic Lua increment on the lock key:
+        - ``KEY_ABSENT`` — sandbox was archived; skip.
+        - ``LOCK_HELD``  — a pessimistic operation is in progress; skip.
+        - ``OK``         — this writer owns version slot *old_version*; write through.
+
+        When no Redis is configured, falls through to DB update unconditionally.
+        """
         if self._redis:
             current = await self._redis.json_get(alive_sandbox_key(sandbox_id), "$")
-            merged: dict[str, Any] = {**(current[0] if current else {}), **sandbox_info}
-            await self._redis.json_set(alive_sandbox_key(sandbox_id), "$", merged)
+            current_doc: dict[str, Any] = current[0] if current else {}
 
-        self._fire_db_update(sandbox_id, sandbox_info)
+            result, old_version = await self._redis.lock_optimistic_update(lock_sandbox_key(sandbox_id))
+            if result != LockResult.OK:
+                return  # KEY_ABSENT or LOCK_HELD — skip
+
+            merged: dict[str, Any] = {**current_doc, **sandbox_info, "update_version": old_version + 1}
+            await self._redis.json_set(alive_sandbox_key(sandbox_id), "$", merged)
+            self._fire_db_update(sandbox_id, merged)
+        else:
+            self._fire_db_update(sandbox_id, sandbox_info)
 
     async def delete(self, sandbox_id: str) -> None:
-        """Delete Redis alive + timeout keys and fire-and-forget a DB delete."""
+        """Delete Redis alive + timeout + lock keys and fire-and-forget a DB delete."""
         if self._redis:
             await self._redis.json_delete(alive_sandbox_key(sandbox_id))
             await self._redis.json_delete(timeout_sandbox_key(sandbox_id))
+            await self._redis.json_delete(lock_sandbox_key(sandbox_id))
 
         self._fire_db_delete(sandbox_id)
 
-    async def archive(self, sandbox_id: str, final_info: SandboxInfo) -> None:
-        """Persist final state to DB, then remove sandbox from Redis.
-
-        Unlike ``delete``, the DB record is preserved and updated with
-        ``final_info`` (e.g. ``stop_time``, ``state``).  Use this when a
-        sandbox has finished its lifecycle and the final state should be
-        queryable from the DB.
+    async def archive(
+        self, sandbox_id: str, final_info: SandboxInfo, version: int | None = None
+    ) -> None:
+        """Persist final state to DB, then remove sandbox from Redis including lock key.
 
-        The DB write is awaited before the Redis keys are deleted so that
-        the final state is always durably stored before the alive key
-        disappears.  If the DB write fails the exception is swallowed and
-        logged, but Redis cleanup still proceeds.
+        The DB write is awaited before Redis cleanup.  *version* (from
+        ``acquire_lock``) is merged into *final_info* so the DB record carries
+        the correct version.
         """
+        if version is not None:
+            final_info = {**final_info, "update_version": version}
         await self._await_db_update(sandbox_id, final_info)
 
         if self._redis:
             await self._redis.json_delete(alive_sandbox_key(sandbox_id))
             await self._redis.json_delete(timeout_sandbox_key(sandbox_id))
+            await self._redis.json_delete(lock_sandbox_key(sandbox_id))
 
     async def get(self, sandbox_id: str) -> SandboxInfo | None:
         """Read sandbox info from the Redis alive key."""
@@ -241,6 +267,63 @@ async def is_expired(self, sandbox_id: str) -> bool:
         expire_time = int(timeout_info.get("expire_time", 0))
         return int(time.time()) > expire_time
 
+    # ------------------------------------------------------------------
+    # Lock context managers (pessimistic locking for start / stop)
+    # ------------------------------------------------------------------
+
+    @asynccontextmanager
+    async def create_and_acquire_lock(self, sandbox_id: str) -> AsyncIterator[int]:
+        """NX-create and immediately acquire the sandbox lock (for ``start``).
+
+        Yields the initial version number (1).  Raises ``BadRequestRockError``
+        when the sandbox already exists.  Always releases the lock on exit even
+        if the body raises.
+
+        When no Redis is configured, yields 1 without any locking.
+        """
+        if not self._redis:
+            yield 1
+            return
+
+        uuid_str = str(uuid4())
+        holder = f"{uuid_str}@{socket.gethostname()}"
+        result, version = await self._redis.lock_create_and_acquire(
+            lock_sandbox_key(sandbox_id), holder, 1
+        )
+        if result == LockResult.ALREADY_EXISTS:
+            raise BadRequestRockError(f"Sandbox {sandbox_id} already exists")
+        try:
+            yield version
+        finally:
+            await self._redis.lock_release(lock_sandbox_key(sandbox_id), uuid_str)
+
+    @asynccontextmanager
+    async def acquire_lock(self, sandbox_id: str) -> AsyncIterator[int]:
+        """Acquire the sandbox lock on an existing key (for ``stop``).
+
+        Yields the new version number (incremented by acquire).  Raises
+        ``BadRequestRockError`` when the sandbox does not exist or another
+        operation holds the lock.  Always releases on exit.
+
+        When no Redis is configured, yields 1 without any locking.
+        """
+        if not self._redis:
+            yield 1
+            return
+
+        uuid_str = str(uuid4())
+        holder = f"{uuid_str}@{socket.gethostname()}"
+        result, version = await self._redis.lock_acquire(lock_sandbox_key(sandbox_id), holder)
+        if result == LockResult.KEY_ABSENT:
+            raise BadRequestRockError(f"Sandbox {sandbox_id} not found")
+        if result == LockResult.LOCK_HELD:
+            raise BadRequestRockError(f"Sandbox {sandbox_id} is busy")
+        try:
+            yield version
+        finally:
+            # lock key is deleted by archive(); lock_release silently no-ops when key is absent
+            await self._redis.lock_release(lock_sandbox_key(sandbox_id), uuid_str)
+
     # ------------------------------------------------------------------
     # Internal helpers
     # ------------------------------------------------------------------