The changes here look good. I want to check my understanding of the risk and impact of this.

During the next MUPdate from, say, R16, in chronological order:

• Nexus instances will come up, find an old schema, then find that they have implicit access (because the schema is too old), get to DataStoreAction::Update, that will fail because they're not configured with the schema versions, and repeat the retry loop.
• The schema updater tool will also find an old schema, not bother to do an access check because it doesn't care (giving it implicit access), and also wind up with DataStoreAction::Update. But it'll have the schema versions configured so it will do the schema update.
• The existing Nexus instances, on their next loop, will wind up finding a current schema and explicit access because the schema update will have inserted records for them into the table.
• On all subsequent restarts of Nexus after that point, they'll go through that same path.

If there's a subsequent blueprint execution, it won't change the records (assuming no zones have been added or expunged). So again, for all subsequent restarts of Nexus after that point, they'll go through that same flow.

If we MUPdate again after that:

• Nexus instances will come up, find an old schema, but still do an access check because the schema is not too old to do that. They will find explicit access. The result is the same DataStoreAction::Update as above and they'll still loop again.
• The schema updater will see the old schema, not bother with an access check, get DataStoreAction::Update, and then update the schema.
• As above, the existing instances on their next loop will find the current schema and explicit access.
• As before, subsequent restarts and blueprint execution change nothing.

Subsequent MUPdates are like that one until we change the software further (e.g., to have Nexus do schema updates).

Is that all correct? What, if any of that, do you think we want to test manually before landing this?

• Nexus instances will come up, find an old schema, then find that they have implicit access (because the schema is too old), get to DataStoreAction::Update, that will fail because they're not configured with the schema versions, and repeat the retry loop.

Correct, a Nexus which upgrades and has an old schema will run check_schema_and_access, and the implicit access will be granted because the schema in the DB is older than DB_METADATA_NEXUS_SCHEMA_VERSION. This results in SchemaStatus::OlderThanDesiredSkipAccessCheck + NexusAccess::HasImplicitAccess, which creates DatastoreSetupAction::Update.

Without #8912 , this will fail, and hit the retry loop.

• The schema updater tool will also find an old schema, not bother to do an access check because it doesn't care (giving it implicit access), and also wind up with DataStoreAction::Update. But it'll have the schema versions configured so it will do the schema update.

Yup.

• The existing Nexus instances, on their next loop, will wind up finding a current schema and explicit access because the schema update will have inserted records for them into the table.

Yeah, populating these records should come from schema/crdb/populate-db-metadata-nexus/up04.sql.

• On all subsequent restarts of Nexus after that point, they'll go through that same path.

If there's a subsequent blueprint execution, it won't change the records (assuming no zones have been added or expunged). So again, for all subsequent restarts of Nexus after that point, they'll go through that same flow.

Even if those zones are added or expunged, the records should be updated, as a part of #8924

But if the set of zones stay the same, these records should stay the same too.

If we MUPdate again after that:

• Nexus instances will come up, find an old schema, but still do an access check because the schema is not too old to do that. They will find explicit access. The result is the same DataStoreAction::Update as above and they'll still loop again.
• The schema updater will see the old schema, not bother with an access check, get DataStoreAction::Update, and then update the schema.
• As above, the existing instances on their next loop will find the current schema and explicit access.
• As before, subsequent restarts and blueprint execution change nothing.

Subsequent MUPdates are like that one until we change the software further (e.g., to have Nexus do schema updates).

Yup, this matches my understanding.

Is that all correct? What, if any of that, do you think we want to test manually before landing this?

WDYT about a deployment of:

• Have old system
• Mupdate to this version
• Check that "the old path for schema update still works", as expected?

(I can do that manually, or we could merge this and do it as a part of the dogfood rollout - either way would be fine with me)

Is that all correct? What, if any of that, do you think we want to test manually before landing this?
WDYT about a deployment of:

* Have old system

* Mupdate to this version

* Check that "the old path for schema update still works", as expected?

(I can do that manually, or we could merge this and do it as a part of the dogfood rollout - either way would be fine with me)

By "the old path for schema update still works", you mean basically doing this?

• you do the mupdate
• you verify that the new Nexus instances are in a holding pattern
• you do the schema update
• you verify that the new Nexus instances are up again
• maybe: restart them and make sure they come up

That seems pretty good. If it's easy enough to try before landing this, that seems worthwhile.

I'm using rkadm on berlin to test this right now, with:

$ /opt/rackletteadm/bin/rkadm --toml /opt/rackletteadm/configs/berlin/berlin-rkadm.toml run \
  --commit-a-install 032c5569fda856de03de0a5db1f4617351200c01 \
  --commit-b-upgrade fed7aa07df18d4f7d42fcf27194f1db61b7edf01 \
  --tuf-repo-output-dir-a-install /data/local/env/berlin/sean-a \
  --tuf-repo-output-dir-b-upgrade /data/local/env/berlin/sean-b

This upgrades from main (@ 032c556) to this PR (fed7aa0)

Will report back when that update is installed. Should be able to reboot a Nexus after that whole process too.

EDIT: Picked the wrong target commit; merging and trying again...

I'm using rkadm on berlin to test this right now, with:

$ /opt/rackletteadm/bin/rkadm --toml /opt/rackletteadm/configs/berlin/berlin-rkadm.toml run \
  --commit-a-install 032c5569fda856de03de0a5db1f4617351200c01 \
  --commit-b-upgrade fed7aa07df18d4f7d42fcf27194f1db61b7edf01 \
  --tuf-repo-output-dir-a-install /data/local/env/berlin/sean-a \
  --tuf-repo-output-dir-b-upgrade /data/local/env/berlin/sean-b

This upgrades from main (@ 032c556) to this PR (fed7aa0)

Will report back when that update is installed. Should be able to reboot a Nexus after that whole process too.

EDIT: Picked the wrong target commit; merging and trying again...

Okay, took me a couple times, because typing the right commit hashes is apparently a daunting task. Getting the wrong commit certainly showed me the schema update is running, and still doesn't want to downgrade!

From 032c5569fda856de03de0a5db1f4617351200c01 to fed7aa07df18d4f7d42fcf27194f1db61b7edf01:

• The upgrade was successful (going from 188.0.0 -> 188.0.0), and booted with this PR
• Using the crdb shell, I can see the db_metadata_nexus records for three Nexuses. They all look active.
• I also see one blueprint, which has nexus_generation = 1.
• If I restart Nexus, it reads the database, and comes back up online.

That test covers "main -> the addition of this PR".

I'm also going to upgrade using:

$ /opt/rackletteadm/bin/rkadm --toml /opt/rackletteadm/configs/berlin/berlin-rkadm.toml run \
  --commit-a-install 3be1d57fadcca52b82039df9d08ebdfed49b2868 \
  --commit-b-upgrade fed7aa07df18d4f7d42fcf27194f1db61b7edf01 \
  --tuf-repo-output-dir-a-install /data/local/env/berlin/sean-a \
  --tuf-repo-output-dir-b-upgrade /data/local/env/berlin/sean-b

To cover the case where "actually do a schema update", which will come from "a few commits ago -> the addition of this PR".

Note that 3be1d57 was before the chain of db_metadata schema changes merged.

Okay running:

$ /opt/rackletteadm/bin/rkadm --toml /opt/rackletteadm/configs/berlin/berlin-rkadm.toml run \
  --commit-a-install 3be1d57fadcca52b82039df9d08ebdfed49b2868 \
  --commit-b-upgrade fed7aa07df18d4f7d42fcf27194f1db61b7edf01 \
  --tuf-repo-output-dir-a-install /data/local/env/berlin/sean-a \
  --tuf-repo-output-dir-b-upgrade /data/local/env/berlin/sean-b

Also succeeds.

• I see that this performs a schema upgrade with the schema-updater binary, just as we would do through a MUPdate process. Nexus comes up normally.
• I also see the same data in cockroachDB (blueprint has a nexus_generation value, and the db_metadata_nexus records exist)
• Restarting Nexus causes it to come back online.