MB-39292: 1/n set_collections persist current manifest

set_collections only allows 'forward' progress after checking
that the new manifest is a successor of the current manifest,
however after warm-up we have to accept whatever we are given.

This commit updates set_collections so that for persistent buckets
the new manifest is first stored in the database directory and
then we update from that manifest on-success, now warm-up brings
the manifest back from storage and we can validate that further
updates are a valid successor.

Ephemeral buckets just update with no background task.

This patch stores using Manifest::toJSON and reloads JSON using
Manifest's existing construction with no integrity checking.

Change-Id: Ie548e31f56c4847ecf4c0c4ad866544f6bcd2a5c
Reviewed-on: http://review.couchbase.org/c/kv_engine/+/137161
Reviewed-by: Dave Rigby <[email protected]>
Tested-by: Jim Walker <[email protected]>

Author: jimwwalker

daemon/protocol/mcbp/collections_set_manifest_executor.cc

@@ -29,6 +29,6 @@ void collections_set_manifest_executor(Cookie& cookie) {
                                 val.size()};
     const auto ret = connection.getBucketEngine().set_collection_manifest(
             &cookie, jsonBuffer);
-    Expects(ret != cb::engine_errc::would_block);
+
     handle_executor_status(cookie, ret);
-}
+}

engines/ep/CMakeLists.txt

@@ -229,9 +229,10 @@ SET(CONFIG_SOURCE src/configuration.cc
 SET(COLLECTIONS_SOURCE src/collections/collections_types.cc
                        src/collections/eraser_context.cc
                        src/collections/flush.cc
+                       src/collections/kvstore.cc
                        src/collections/manager.cc
                        src/collections/manifest.cc
-                       src/collections/kvstore.cc
+                       src/collections/persist_manifest_task.cc
                        ${CMAKE_CURRENT_BINARY_DIR}/src/collections/events_generated.h
                        ${CMAKE_CURRENT_BINARY_DIR}/src/collections/kvstore_generated.h
                        src/collections/scan_context.cc

engines/ep/src/collections/collections_types.h

@@ -44,6 +44,10 @@ const char* const ScopeEventDebugTag = "_scope";
 // Couchstore private file name for manifest data
 const char CouchstoreManifest[] = "_local/collections_manifest";
 
+// Name of file where the manifest will be kept on persistent buckets
+const char* const ManifestFile = "collections.manifest";
+static std::string_view ManifestFileName(ManifestFile);
+
 // Length of the string excluding the zero terminator (i.e. strlen)
 const size_t CouchstoreManifestLen = sizeof(CouchstoreManifest) - 1;
 

engines/ep/src/collections/manager.cc

@@ -19,6 +19,7 @@
 #include "bucket_logger.h"
 #include "collections/flush.h"
 #include "collections/manifest.h"
+#include "collections/persist_manifest_task.h"
 #include "collections/vbucket_manifest_handles.h"
 #include "ep_engine.h"
 #include "kv_bucket.h"
@@ -35,11 +36,49 @@ Collections::Manager::Manager() {
 }
 
 cb::engine_error Collections::Manager::update(KVBucket& bucket,
-                                              std::string_view manifest) {
+                                              std::string_view manifestString,
+                                              const void* cookie) {
+    auto lockedUpdateCookie = updateInProgress.wlock();
+    if (*lockedUpdateCookie != nullptr && *lockedUpdateCookie != cookie) {
+        // log this as it's very unexpected, only ever 1 manager
+        return cb::engine_error(
+                cb::engine_errc::too_busy,
+                "An update is already in-progress for another cookie:" +
+                        std::to_string(uintptr_t(*lockedUpdateCookie)));
+    }
+
+    // Now getEngineSpecific - if that is null this is a new command, else
+    // it's the IO complete command
+    void* manifest = bucket.getEPEngine().getEngineSpecific(cookie);
+
+    if (manifest) {
+        // I/O complete path?
+        if (!*lockedUpdateCookie) {
+            // This can occur for a DCP connection, cookie is 'reserved'.
+            EP_LOG_WARN(
+                    "Collections::Manager::update aborted as we have found a "
+                    "manifest:{} but updateInProgress:{}",
+                    manifest,
+                    *lockedUpdateCookie);
+            return cb::engine_error(cb::engine_errc::failed,
+                                    "Collections::Manager::update failure");
+        }
+
+        // Final stage of update now happening, clear the cookie and engine
+        // specific so the next update can start after this one returns.
+        *lockedUpdateCookie = nullptr;
+        bucket.getEPEngine().storeEngineSpecific(cookie, nullptr);
+
+        // Take ownership back of the manifest so it destructs/frees on return
+        std::unique_ptr<Manifest> newManifest(
+                reinterpret_cast<Manifest*>(manifest));
+        return updateFromIOComplete(bucket, std::move(newManifest), cookie);
+    }
+
+    // Construct a new Manifest (ctor will throw if JSON was illegal)
     std::unique_ptr<Manifest> newManifest;
-    // Construct a newManifest (will throw if JSON was illegal)
     try {
-        newManifest = std::make_unique<Manifest>(manifest);
+        newManifest = std::make_unique<Manifest>(manifestString);
     } catch (std::exception& e) {
         EP_LOG_WARN(
                 "Collections::Manager::update can't construct manifest "
@@ -48,35 +87,54 @@ cb::engine_error Collections::Manager::update(KVBucket& bucket,
         return cb::engine_error(
                 cb::engine_errc::invalid_arguments,
                 "Collections::Manager::update manifest json invalid:" +
-                        std::string(manifest));
+                        std::string(manifestString));
     }
 
-    // Get upgrade access to the manifest for the initial part of the update
-    // This gives shared access (other readers allowed) but would block other
-    // attempts to get upgrade access.
+    // Next compare with current
+    // First get an upgrade lock (which is initially read)
+    // Persistence will schedule a task and drop the lock whereas ephemeral will
+    // upgrade from read to write locking and do the update
     auto current = currentManifest.ulock();
-
-    // ignore being told the same manifest
-    if (current->getUid() == newManifest->getUid() &&
-        *newManifest == *current) {
-        return cb::engine_error(
-                cb::engine_errc::success,
-                "Collections::Manager::update ignored matching manifest");
-    }
-
-    // any other uid, and the incoming manifest must be a valid succession
     auto isSuccessorResult = current->isSuccessor(*newManifest);
     if (isSuccessorResult.code() != cb::engine_errc::success) {
         return isSuccessorResult;
     }
 
+    // New manifest is a legal successor the update is going ahead.
+    // Ephemeral bucket can update now, Persistent bucket on wake-up from
+    // successful run of the PeristManifestTask.
+    cb::engine_errc status = cb::engine_errc::success;
+    if (!bucket.maybeScheduleManifestPersistence(cookie, newManifest)) {
+        // Ephemeral case, apply immediately
+        return applyNewManifest(bucket, current, std::move(newManifest));
+    } else {
+        *lockedUpdateCookie = cookie;
+        status = cb::engine_errc::would_block;
+    }
+
+    return cb::engine_error(status,
+                            "Collections::Manager::update part one complete");
+}
+
+cb::engine_error Collections::Manager::updateFromIOComplete(
+        KVBucket& bucket,
+        std::unique_ptr<Manifest> newManifest,
+        const void* cookie) {
+    auto current = currentManifest.ulock(); // Will update to newManifest
+    return applyNewManifest(bucket, current, std::move(newManifest));
+}
+
+// common to ephemeral/persistent, this does the update
+cb::engine_error Collections::Manager::applyNewManifest(
+        KVBucket& bucket,
+        folly::Synchronized<Manifest>::UpgradeLockedPtr& current,
+        std::unique_ptr<Manifest> newManifest) {
     auto updated = updateAllVBuckets(bucket, *newManifest);
     if (updated.has_value()) {
         return cb::engine_error(
                 cb::engine_errc::cannot_apply_collections_manifest,
                 "Collections::Manager::update aborted on " +
-                        updated->to_string() +
-                        ", cannot apply:" + std::string(manifest));
+                        updated->to_string() + ", cannot apply to vbuckets");
     }
 
     // Now switch to write locking and change the manifest. The lock is
@@ -255,6 +313,18 @@ void Collections::Manager::addScopeStats(KVBucket& bucket,
     currentManifest.rlock()->addScopeStats(bucket, cookie, add_stat);
 }
 
+void Collections::Manager::warmupLoadManifest(const std::string& dbpath) {
+    auto rv = Collections::PersistManifestTask::tryAndLoad(dbpath);
+    if (rv) {
+        EP_LOG_INFO(
+                "Collections::Manager::warmupLoadManifest: loaded uid:{:#x}",
+                rv->getUid());
+        *currentManifest.wlock() = std::move(*rv);
+    } else {
+        EP_LOG_INFO("Collections::Manager::warmupLoadManifest: nothing loaded");
+    }
+}
+
 /**
  * Perform actions for a completed warmup - currently check if any
  * collections are 'deleting' and require erasing retriggering.

engines/ep/src/collections/manager.h

@@ -93,14 +93,20 @@ class Manager {
     /**
      * Update the bucket with the latest JSON collections manifest.
      *
-     * Locks the Manager and prevents concurrent updates, concurrent updates
-     * are failed with TMPFAIL as in reality there should be 1 admin connection.
+     * For persistent buckets, this will store the manifest first and then use
+     * IO complete success to perform the apply the new manifest. Ephemeral
+     * buckets the update is 'immediate'.
+     *
+     * Note that a mutex ensures that this update method works serially, no
+     * concurrent admin updates allowed.
      *
      * @param bucket the bucket receiving a set-collections command.
      * @param manifest the json manifest form a set-collections command.
      * @returns engine_error indicating why the update failed.
      */
-    cb::engine_error update(KVBucket& bucket, std::string_view manifest);
+    cb::engine_error update(KVBucket& bucket,
+                            std::string_view manifest,
+                            const void* cookie);
 
     /**
      * Retrieve the current manifest
@@ -168,6 +174,11 @@ class Manager {
                        const void* cookie,
                        const AddStatFn& add_stat) const;
 
+    /**
+     * Called from bucket warmup - see if we have a manifest to resume from
+     */
+    void warmupLoadManifest(const std::string& dbpath);
+
     /**
      * Perform actions for a completed warmup - currently check if any
      * collections are 'deleting' and require erasing retriggering.
@@ -215,6 +226,27 @@ class Manager {
     std::optional<Vbid> updateAllVBuckets(KVBucket& bucket,
                                           const Manifest& newManifest);
 
+    /**
+     * This method handles the IO complete path and allows ::update to
+     * correctly call applyNewManifest
+     */
+    cb::engine_error updateFromIOComplete(KVBucket& bucket,
+                                          std::unique_ptr<Manifest> newManifest,
+                                          const void* cookie);
+
+    /**
+     * Final stage of the manifest update is to roll the new manifest out to
+     * the active vbuckets.
+     *
+     * @param bucket The bucket to work on
+     * @param current The locked, current manifest (which will be replaced)
+     * @param newManifest The new manifest to apply
+     */
+    cb::engine_error applyNewManifest(
+            KVBucket& bucket,
+            folly::Synchronized<Manifest>::UpgradeLockedPtr& current,
+            std::unique_ptr<Manifest> newManifest);
+
     /**
      * Get a copy of stats which are relevant at a per-collection level.
      * The copied stats can then be used to format stats for one or more
@@ -294,6 +326,9 @@ class Manager {
 
     /// Store the most recent (current) manifest received
     folly::Synchronized<Manifest> currentManifest;
+
+    /// Serialise updates to the manifest (set_collections core)
+    folly::Synchronized<const void*> updateInProgress{nullptr};
 };
 
 std::ostream& operator<<(std::ostream& os, const Manager& manager);

engines/ep/src/collections/manifest_checks.txt

@@ -0,0 +1,80 @@
+Aim: Better manifest comparison - full path checks on update
+
+E.g. If I currently have /scope1/c1 and those have ids sid:8 and cid:8 I want to detect:
+
+/scope2/c1 (sid:9 and sid:8) // collection moved to a new scope
+/scope2/c1 (sid:8 and sid:8) // scope changed name
+/scope1/c2 (8 and 8) // collection name changed
+
+
+Problem(s)
+
+1) vbucket_manifest only has IDs
+So if we try and do these detections during the vb.update code we have no name
+for comparison and cannot detect any of the above cases
+
+2) Collections::Manifest stores the last recevied manifest from ns_Server, we
+can apply detections there as it has scope and collection names - but if we
+warmup this object is 'empty'.
+
+3) Leading into how to solve warmup issue, we don't persist scope name, only id
+in _local
+
+
+Per vbucket does store collection names 1) in _local and 2) in system events
+Per vbucket stores scope names in 1) system event only (nothing in _local)
+
+
+Ideas:
+
+I think Collections::Manifest A compare Collections::Manifest B is something to consider and means we need a way to warm-up something comparable. Could also mean some weird stuff from replica?
+
+
+Weird stuff:
+
+Node {
+  Active VB1: Thinks /scope1/c1
+  Replica VB2: Thinks /scope2/c1 (as it got that over replication)  - is this possible in the quorum case?
+}
+or
+
+Node: {
+  Active VB1: Thinks /scope1/c1  (sid:8, cid:8)
+  Replica VB2: Thinks /scope2/c2  (sid:8, cid:8) (as it got that over replication)  - is this possible in the quorum case?
+}
+
+promote VB2 to active
+
+new data structure that can be populated from warmup (_local) and allows storage of {id} ?? this is the manifest right?
+
+hashes?
+
+
+Options:
+
+A) Be defensive for *every* manifest update - this means KV
+
+a) checks manifest.uid is incrementing
+b) checks any scope/collections it knows, the immutable properties are equal (i.e. id == id && name == name)
+
+Reject if the incoming manifest fails checks
+Apply manifest otherwise
+
+This has challenges in terms of comparison (b) - only the 'bucket' Manifest stores names in-memory and that data is populated from ns_server. Following warmup we cannot validate the input.
+
+Solutions?
+
+Store manifest:
+Persist each manifest (we always trust the first Manifest when KV goes from uid 0 to uid 0+). Means storing a new file and possibly changing the collection update logic - i.e. steps become newfile.onperist(update vbuckets to new manifest).
+A new file hmm, flatbuffers + crc32c , not a couchstore file, i guess we already have extra files such as access log - however if this file gets damaged, warmup fails.
+
+Use vbuckets persisted data:
+Re-assemble a manifest from the active vbuckets at warmup. We could warmup with vb 0 being ahead of vb 1 (if we crashed before vb1 persisted a collection change), not necessarily a problem - given though that an update only ever begins if the manifest is progressing, we use the greatest manifest found? However we support a push that can create/drop many collections and these get split over many flush batches, only the final flush updates the manifest id, we could get vbuckets reporting equal manifest uid but being different to each other.
+This is getting messy and the partial persistence issue a problem.
+
+Overall though do we need option A) trust that ns_server updates (non forced) are compliant.
+
+B) Only care for 'force' update (quorum was forcefully removed and we may be given a manifest which changes collection state in some of the unusual ways identified earlier)
+
+In force update case, we can 'afford' to take our time? I.e. read system events or _local data to get names - epehemeral will read system events, persistent can just do one read if it wants - scope names are not on disk.
+