Store the client ID in an additional plaintext file and report on regeneration

Author: badboy

.dictionary

@@ -1,4 +1,4 @@
-personal_ws-1.1 en 304 utf-8
+personal_ws-1.1 en 306 utf-8
 AAR
 AARs
 ABI
@@ -233,13 +233,15 @@ pdoc
 perrymcmanis
 pidcat
 pipenv
+plaintext
 polyfill
 pre
 prebuilt
 preinit
 profiler
 py
 pytest
+regenerations
 rethrow
 retransmission
 rfloor

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 [Full changelog](https://github.com/mozilla/glean/compare/v66.0.1...main)
 
+* General
+  * Store the client ID in an additional plaintext file and report on regeneration ([#3292](https://github.com/mozilla/glean/pull/3292))
+
 # v66.0.1 (2025-10-30)
 
 [Full changelog](https://github.com/mozilla/glean/compare/v66.0.0...v66.0.1)

docs/dev/SUMMARY.md

@@ -40,4 +40,5 @@
     - [Debug Pings](core/internal/debug-pings.md)
     - [Upload mechanism](core/internal/upload.md)
     - [Implementations](core/internal/implementations.md)
+    - [Client ID recovery](core/internal/client_id_recovery.md)
 - [API Documentation](api/index.md)

docs/dev/core/internal/client_id_recovery.md

@@ -0,0 +1,58 @@
+# Client ID recovery
+
+Currently (2025-10-31, Glean v66) we see some unexplained Glean SDK database resets.
+These are noticeable in data as client ID regenerations:
+A client application with telemetry enabled, which previously already sent data,
+regenerates its client ID on initialize and thus looks like a new client.
+
+That's undesirable and a bug.
+However we have yet to track down the actual faulty code path.
+Until that bug is found and fixed, the Glean SDK provides an extra mitigation.
+
+From Glean v66.1.0 on the SDK will store the client ID in a `client_id.txt` in the provided data path.
+Any inconsistencies in that data compared to the database will be reported
+and, if applicable, the client ID restored.
+
+**Note:** Glean v66.1.0 will only report the inconsistency, but will not restore a recovered client ID.
+This allows us to measure the impact.
+The mitigation will be enabled in a later release ([bug 1996862](https://bugzilla.mozilla.org/show_bug.cgi?id=1996862)).
+
+The exact flow of decisions is depicted in the chart below.
+The implementation is in [`glean-core/src/core/mod.rs`](https://github.com/mozilla/glean/blob/HEAD/glean-core/src/core/mod.rs#L264)
+
+```mermaid
+flowchart TD
+    A["Glean.init"] -->B
+    B{client_id.txt exists?} -->|yes| C
+    B -->|no| D
+    C["(a) load file ID"] --> E
+    D["load DB ID"] --> D3
+    D3{DB ID empty} -->|yes| D4
+    D3 -->|no| S
+    D4["generate DB ID"] --> S
+    E{valid file and ID?} -->|yes| H
+    E -->|no| G
+    G["(b) record file read error"] --> H
+    H{"(c) DB size <= 0"} -->|yes| J
+    H -->|no| F
+    J["(d) record empty DB error
+    report recovered ID: file ID"] --> Q
+    F["load DB ID"] --> N
+    L{file ID == DB ID} --> |yes| Z
+    L -->|no| T
+    N{DB ID empty?} -->|yes| O
+    N -->|no| L
+    O["(f) record regen error"] --> Q
+    P["(g) record mismatch error
+    report recovered ID: file ID"] --> S
+    Q["(e) mitigation:
+    set DB ID = file ID"] --> Z
+    S["(h) write DB ID to file"] --> Z
+    T{"DB ID == 'c0ffee'"}
+    T -->|yes| U
+    T -->|no| P
+    U["(i) record c0ffee error
+    report recovered ID: file ID"] --> Q
+    
+    Z(normal operation)
+```

docs/dev/core/internal/index.md

@@ -21,3 +21,4 @@ This includes:
 * [Debug Pings](debug-pings.md)
 * [Upload mechanism](upload.md)
 * [Implementations](implementations.md)
+* [Client ID recovery](client_id_recovery.md)

glean-core/metrics.yaml

@@ -1158,3 +1158,92 @@ glean.health:
     expires: never
     send_in_pings:
       - health
+
+  exception_state:
+    type: string
+    lifetime: ping
+    description: |
+      An exceptional state was detected upon trying to laod the database.
+
+      Valid options are:
+        - empty-db
+        - regen-db
+        - c0ffee-in-db
+        - client-id-mismatch
+    notification_emails:
+      - [email protected]
+      - [email protected]
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757#c2
+    data_sensitivity:
+      - technical
+    expires: never
+    send_in_pings:
+      - health
+
+  recovered_client_id:
+    type: uuid
+    lifetime: ping
+    description: |
+      A client_id recovered from a `client_id.txt` file on disk.
+      Only expected to have a value for the exception states `empty-db`, `c0ffee-in-db` and `client-id-mismatch`.
+      See `exception_state` for different exception states when this can happen.
+    notification_emails:
+      - [email protected]
+      - [email protected]
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757#c2
+    data_sensitivity:
+      - technical
+    expires: never
+    send_in_pings:
+      - health
+
+  file_read_error:
+    type: labeled_counter
+    lifetime: ping
+    description: |
+      Count of different errors that happened when trying to read the `client_id.txt` file from disk.
+    notification_emails:
+      - [email protected]
+      - [email protected]
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757#c2
+    data_sensitivity:
+      - technical
+    expires: never
+    send_in_pings:
+      - health
+    labels:
+      - parse
+      - permission-denied
+      - io
+      - c0ffee-in-file
+
+  file_write_error:
+    type: labeled_counter
+    lifetime: ping
+    description: |
+      Count of different errors that happened when trying to write the `client_id.txt` file to disk.
+    notification_emails:
+      - [email protected]
+      - [email protected]
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1994757#c2
+    data_sensitivity:
+      - technical
+    expires: never
+    send_in_pings:
+      - health
+    labels:
+      - permission-denied
+      - io
+      - not-found

glean-core/rlb/src/net/mod.rs

@@ -124,6 +124,7 @@ impl UploadManager {
             )
             .is_err()
         {
+            log::trace!("glean.upload thread running. Not starting another one.");
             return;
         }
 

glean-core/rlb/tests/health_ping.rs

@@ -124,6 +124,11 @@ fn test_pre_post_init_health_pings_exist() {
             .count()
     );
 
+    let exception_state = &preinits[0].1["metrics"]["string"]["glean.health_exception_state"];
+    assert_eq!(&JsonValue::Null, exception_state);
+    let exception_uuid = &preinits[0].1["metrics"]["uuid"]["glean.health_recovered_client_id"];
+    assert_eq!(&JsonValue::Null, exception_uuid);
+
     // An initial preinit "health" ping will show no db file sizes
     let load_sizes = preinits[0].1["metrics"]["object"]["glean.database.load_sizes"]
         .as_object()

glean-core/rlb/tests/health_ping_file_overwrite.rs

@@ -0,0 +1,85 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! This integration test should model how the RLB is used when embedded in another Rust application
+//! (e.g. FOG/Firefox Desktop).
+//!
+//! We write a single test scenario per file to avoid any state keeping across runs
+//! (different files run as different processes).
+
+mod common;
+
+use std::{fs, io::Read};
+
+use crossbeam_channel::{bounded, Sender};
+use flate2::read::GzDecoder;
+use glean::{net, ConfigurationBuilder};
+use serde_json::Value as JsonValue;
+
+// Define a fake uploader that reports when and what it uploads.
+#[derive(Debug)]
+struct ReportingUploader {
+    sender: Sender<JsonValue>,
+}
+
+impl net::PingUploader for ReportingUploader {
+    fn upload(&self, upload_request: net::CapablePingUploadRequest) -> net::UploadResult {
+        let upload_request = upload_request.capable(|_| true).unwrap();
+        let body = upload_request.body;
+        let decode = |body: Vec<u8>| {
+            let mut gzip_decoder = GzDecoder::new(&body[..]);
+            let mut s = String::with_capacity(body.len());
+
+            gzip_decoder
+                .read_to_string(&mut s)
+                .ok()
+                .map(|_| &s[..])
+                .or_else(|| std::str::from_utf8(&body).ok())
+                .and_then(|payload| serde_json::from_str(payload).ok())
+                .unwrap()
+        };
+
+        self.sender.send(decode(body)).unwrap();
+        net::UploadResult::http_status(200)
+    }
+}
+
+/// Test scenario: Write a client ID to the backup file and check that it's used after initialization.
+#[test]
+fn test_pre_post_init_health_pings_exist() {
+    common::enable_test_logging();
+
+    // Create a custom configuration to use a validating uploader.
+    let dir = tempfile::tempdir().unwrap();
+    let tmpname = dir.path().to_path_buf();
+
+    let client_id = "e03cc2de-bc8b-4f9c-862f-b474d910899e";
+
+    // We write a random but fixed client ID, without there being a Glean database.
+    let clientid_txt = tmpname.join("client_id.txt");
+    fs::write(&clientid_txt, client_id.as_bytes()).unwrap();
+
+    let (tx, rx) = bounded(1);
+    let cfg = ConfigurationBuilder::new(true, tmpname.clone(), "health-ping-test")
+        .with_server_endpoint("invalid-test-host")
+        .with_use_core_mps(false)
+        .with_uploader(ReportingUploader { sender: tx })
+        .build();
+    common::initialize(cfg);
+
+    glean_core::glean_test_destroy_glean(false, Some(tmpname.display().to_string()));
+
+    // Check for the initialization pings.
+    // Wait for the ping to arrive.
+    let payload = rx.recv().unwrap();
+
+    let exception_state = &payload["metrics"]["string"]["glean.health.exception_state"];
+    assert_eq!("empty-db", exception_state);
+    let exception_uuid = &payload["metrics"]["uuid"]["glean.health_recovered_client_id"];
+    assert_eq!(&JsonValue::Null, exception_uuid);
+
+    // TODO(bug 1996862): We don't run the mitigation yet.
+    //let ping_client_id = &payload["client_info"]["client_id"];
+    //assert_eq!(client_id, ping_client_id);
+}