Merge remote-tracking branch 'origin/candidate-10.2.x'

Signed-off-by: Gavin Halliday <gavin.halliday@lexisnexis.com>

Author: ghalliday

common/remote/hooks/azure/azureapiutils.cpp

@@ -34,14 +34,45 @@ using namespace std::chrono;
 
 bool areManagedIdentitiesEnabled()
 {
-    // Check for Azure AD Workload Identity or legacy managed identity
-    static bool hasWorkloadIdentity = std::getenv("AZURE_CLIENT_ID") &&
-                                     std::getenv("AZURE_TENANT_ID") &&
-                                     std::getenv("AZURE_FEDERATED_TOKEN_FILE");
-
-    static bool hasManagedIdentity = std::getenv("MSI_ENDPOINT") || std::getenv("IDENTITY_ENDPOINT");
+    static bool hasIMDS = []() {
+        // Check for Azure AD Workload Identity or legacy managed identity
+        if (std::getenv("AZURE_CLIENT_ID") && std::getenv("AZURE_TENANT_ID") && std::getenv("AZURE_FEDERATED_TOKEN_FILE"))
+            return true;
+
+        // Check for App Service / Container Instances managed identity
+        if (std::getenv("MSI_ENDPOINT") || std::getenv("IDENTITY_ENDPOINT"))
+            return true;
+
+        // Check for Azure VM managed identity via IMDS (Instance Metadata Service) probe (once).
+        // 169.254.169.254 is a non-routable link-local address that Azure uses to expose the
+        // IMDS to VMs running on its platform. It is only reachable from within an Azure VM.
+        // See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
+        try
+        {
+            Azure::Core::Http::Request request(Azure::Core::Http::HttpMethod::Get, Azure::Core::Url("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"));
+            request.SetHeader("Metadata", "true");
+
+            auto transport = std::make_shared<Azure::Core::Http::CurlTransport>();
+            Azure::Core::Context context;
+            // Use a short timeout to avoid blocking startup if not on Azure
+            context = context.WithDeadline(std::chrono::system_clock::now() + std::chrono::seconds(2));
+
+            auto response = transport->Send(request, context);
+            auto statusCode = response->GetStatusCode();
+            // 200 = identity assigned and working
+            // 400 = IMDS reachable but identity may not be properly configured
+            if (statusCode == Azure::Core::Http::HttpStatusCode::BadRequest)
+                OWARNLOG("Azure IMDS probe returned 400 (Bad Request) — managed identity endpoint is reachable but may not be properly configured");
+            return statusCode == Azure::Core::Http::HttpStatusCode::Ok;
+        }
+        catch (...)
+        {
+            // Connection refused, timeout, not on Azure — IMDS not available
+            return false;
+        }
+    }();
 
-    return hasWorkloadIdentity || hasManagedIdentity;
+    return hasIMDS;
 }
 
 std::shared_ptr<Azure::Storage::StorageSharedKeyCredential> getAzureSharedKeyCredential(const char * accountName, const char * secretName)

dali/base/dadfs.cpp

@@ -5259,8 +5259,9 @@ protected: friend class CDistributedFilePart;
                 StringBuffer newfn;
                 newrfn.getRemotePath(newfn);
                 Owned<IFile> f = createIFile(oldrfn);
+                Owned<IFile> destFile = createIFile(newrfn);
                 if (!isrep||f->exists()) { // ignore non-existant replicates
-                    f->move(newfn.str());
+                    f->move(destFile->queryFilename());
                     PROGLOG("Succeeded rename %s to %s",oldfn.str(),newfn.str());
                 }
                 done = true;

dali/base/dadiags.cpp

@@ -195,9 +195,18 @@ class CDaliDiagnosticsServer: public IDaliServer, public Thread
                     if (success)
                         mb.append(connectionInfo);
                 }
-                else if (0 == stricmp(id, "save")) {
+                else if (0 == stricmp(id, "save"))
+                {
                     PROGLOG("Dalidiag requests SDS save");
-                    querySDSServer().saveRequest();
+                    try
+                    {
+                        querySDSServer().saveRequest();
+                    }
+                    catch (IException *e)
+                    {
+                        serializeException(e, mb);
+                        e->Release();
+                    }
                 }
                 else if (0 == stricmp(id, "settracetransactions")) {
                     PROGLOG("Dalidiag requests Trace Transactions");

dali/base/dasds.cpp

@@ -2108,7 +2108,7 @@ class CCovenSDSManager : public CSDSManagerBase, implements ISDSManagerServer, i
     CheckedCriticalSection treeRegCrit;
     Owned<Thread> unhandledThread;
     unsigned writeTransactions;
-    bool ignoreExternals;
+    std::atomic<bool> ignoreExternals;
     StringAttr dataPath;
     StringAttr daliName;
     Owned<IPropertyTree> properties;
@@ -6832,11 +6832,6 @@ void CCovenSDSManager::loadStore(const bool *abort)
 
 void CCovenSDSManager::saveStore(const char *storeName, SaveStoreFlags flags)
 {
-    struct CIgnore
-    {
-        CIgnore() { SDSManager->ignoreExternals=true; }
-        ~CIgnore() { SDSManager->ignoreExternals=false; }
-    } ignore;
     if (hasMask(flags, ssf_stop))
     {
         // Dali is stopping, we don't care about any inflight transactions any more, we're about to save and quit
@@ -6848,6 +6843,14 @@ void CCovenSDSManager::saveStore(const char *storeName, SaveStoreFlags flags)
         // lock blockedSaveCrit after flush, since deltaWriter itself blocks on blockedSaveCrit
         deltaWriter.flush(); // transactions will be blocked at this stage, no new deltas will be added to writer
     }
+
+    if (ignoreExternals.exchange(true)) // NB: This is set during save to prevent serialization of externals during the save
+    {
+        Owned<IException> exception = makeStringException(0, "Save already in progress");
+        EXCLOG(exception);
+        throw exception.getClear();
+    }
+    COnScopeExit resetIgnoreExternals([&]() { ignoreExternals = false; });
     CHECKEDCRITICALBLOCK(blockedSaveCrit, fakeCritTimeout);
     iStoreHelper->saveStore(root, NULL);
     unsigned initNodeTableSize = allNodes.maxElements()+OVERFLOWSIZE;

dali/base/dasds.ipp

@@ -428,7 +428,10 @@ public:
     int errorCode() const { return errCode; }
     StringBuffer &errorMessage(StringBuffer &out) const
     {
-        return translateCode(out).append("\n").append(errMsg.str());
+        translateCode(out);
+        if (errMsg.length())
+            out.append(" - ").append(errMsg.str());
+        return out;
     }
     MessageAudience errorAudience() const { return MSGAUD_user; }
 

dali/base/sysinfologger.cpp

@@ -601,6 +601,8 @@ unsigned deleteLogSysInfoMsg(IConstSysInfoLoggerMsgFilter * msgFilter)
 {
     std::vector<std::string> deleteXpathList;
     Owned<IRemoteConnection> conn = querySDS().connect(SYS_INFO_ROOT, myProcessSession(), RTM_LOCK_WRITE, SDS_LOCK_TIMEOUT);
+    if (!conn)
+        return 0;
     {
         Owned<ISysInfoLoggerMsgIterator> iter = createSysInfoLoggerMsgIterator(conn, msgFilter, false);
         ForEach(*iter)

dali/dalidiag/dalidiag.cpp

@@ -640,7 +640,16 @@ int main(int _argc, char* argv[])
                     MemoryBuffer mb;
                     mb.append("save");
                     getDaliDiagnosticValue(mb);
-                    PROGLOG("SDS store saved");
+                    Owned<IException> exception;
+                    if (mb.length())
+                        exception.setown(deserializeException(mb));
+                    if (exception)
+                    {
+                        StringBuffer errMsg;
+                        PROGLOG("Dali SDS save failed: [%d, %s]", exception->errorCode(), exception->errorMessage(errMsg).str());
+                    }
+                    else
+                        PROGLOG("SDS store saved");
                     break;
                 }
                 if (0 == stricmp(arg, "locks")) {