Implement record based Crucible reference counting #6805
Conversation
Crucible volumes are created by layering read-write regions over a
hierarchy of read-only resources. Originally only a region snapshot
could be used as a read-only resource for a volume. With the
introduction of read-only regions (created during the region snapshot
replacement process) this is no longer true!
Read-only resources can be used by many volumes, and because of this
they need to have a reference count so they can be deleted when they're
not referenced anymore. The region_snapshot table uses a
`volume_references` column, which counts how many uses there are. The
region table does not have this column, and more over a simple integer
works for reference counting but does not tell you _what_ volume that
use is from. This can be determined (see omdb's validate volume
references command) but it's information that is tossed out, as Nexus
knows what volumes use what resources! Instead, record what read-only
resources a volume uses in a new table.
As part of the schema change to add the new `volume_resource_usage`
table, a migration is included that will create the appropriate records
for all region snapshots.
In testing, a few bugs were found: the worst being that read-only
regions did not have their read_only column set to true. This would be a
problem if read-only regions are created, but they're currently only
created during region snapshot replacement. To detect if any of these
regions were created, find all regions that were allocated for a
snapshot volume:
SELECT id FROM region
WHERE volume_id IN (SELECT volume_id FROM snapshot);
A similar bug was found in the simulated Crucible agent.
This commit also reverts oxidecomputer#6728, enabling region snapshot replacement
again - it was disabled due to a lack of read-only region reference
counting, so it can be enabled once again.
| /// this column, and more over a simple integer works for reference counting but | ||
| /// does not tell you _what_ volume that use is from. This can be determined | ||
| /// (see omdb's validate volume references command) but it's information that is | ||
| /// tossed out, as Nexus knows what volumes use what resources! Instead, record |
There was a problem hiding this comment.
The wording of the comment here, I'm having trouble tracking what the "Instead" is referencing.
We are recording what read-only resources a volume uses instead of doing what?
There was a problem hiding this comment.
In this context I mean "instead of tossing out information, record it in the usage table", where "tossing out information" means to just increment and decrement the volume_references integer in the region snapshot table
There was a problem hiding this comment.
Cool, could we update the comment with that?
| VolumeResourceUsage::ReadOnlyRegion { | ||
| region_id: record | ||
| .region_id | ||
| .expect("valid read-only region usage record"), |
There was a problem hiding this comment.
For this and the .expects below, this message is printed when we panic, right? If so, should it be saying that we did not find a valid region usage record?
There was a problem hiding this comment.
Conservatively, this should maybe be a TryFrom implementation. As it exists today, someone could modify a column in the database and cause Nexus to panic with these .expects
There was a problem hiding this comment.
agreed, that's in 0a45763
| for read_only_target in crucible_targets.read_only_targets { | ||
| let sub_err = OptionalError::new(); | ||
|
|
||
| let maybe_usage = Self::read_only_target_to_volume_resource_usage( |
There was a problem hiding this comment.
Nit: This line and a few others here seem to have escaped cargo fmt as they are super long.
| @@ -2409,24 +2956,188 @@ impl DataStore { | |||
| read_only_parent: None, | |||
| }; | |||
|
|
|||
| let volume_data = serde_json::to_string(&vcr) | |||
| let volume_data = serde_json::to_string(&vcr) | |||
There was a problem hiding this comment.
Man, there is a lot going on inside this transaction :)
| ) | ||
| }) | ||
| })? | ||
| // XXX be smart enough to .filter the above query |
There was a problem hiding this comment.
make this a TODO, you can get smart enough!
| 'region_snapshot' | ||
| ); | ||
|
|
||
| CREATE TABLE IF NOT EXISTS omicron.public.volume_resource_usage ( |
There was a problem hiding this comment.
I know it exists elsewhere in this PR, but I think this table would benefit from some text explaining what it is.
There was a problem hiding this comment.
you're right, done in bd2ef84
| pub region_id: Option<Uuid>, | ||
|
|
||
| pub region_snapshot_dataset_id: Option<Uuid>, | ||
| pub region_snapshot_region_id: Option<Uuid>, | ||
| pub region_snapshot_snapshot_id: Option<Uuid>, |
There was a problem hiding this comment.
I had no idea reading the DB schema that these were two groups of columns, and "either one or the other is non-null".
If that's the intent -- and it seems to be, based on VolumeResourceUsage as an enum -- maybe we could add a CHECK on the table validating this?
Something like:
CONSTRAINT exactly_one_usage_source CHECK (
(
(usage_type = 'readonlyregion') AND
(region_id IS NOT NULL) AND
(region_snapshot_dataset_id IS NULL AND region_snaphshot_region_id IS NULL AND region_snapshot_snapshot_id IS NULL)
) OR
(
(usage_type = 'regionsnapshot') AND
(region_id NOT NULL) AND
(region_snapshot_dataset_id IS NOT NULL AND region_snaphshot_region_id IS NOT NULL AND region_snapshot_snapshot_id IS NOT NULL)
)
)There was a problem hiding this comment.
nice, done in bd2ef84
| VolumeResourceUsage::ReadOnlyRegion { | ||
| region_id: record | ||
| .region_id | ||
| .expect("valid read-only region usage record"), |
There was a problem hiding this comment.
Conservatively, this should maybe be a TryFrom implementation. As it exists today, someone could modify a column in the database and cause Nexus to panic with these .expects
| @@ -264,7 +264,7 @@ impl DataStore { | |||
| block_size, | |||
| blocks_per_extent, | |||
| extent_count, | |||
| read_only: false, | |||
| read_only: maybe_snapshot_id.is_some(), | |||
There was a problem hiding this comment.
Was this a bug before this PR?
There was a problem hiding this comment.
Note though that currently the only thing in Nexus that creates read-only regions is region snapshot replacement, so this wasn't a bug that was hit anywhere.
| enum VolumeCreationError { | ||
| #[error("Error from Volume creation: {0}")] | ||
| Public(Error), | ||
| let maybe_volume: Option<Volume> = dsl::volume |
There was a problem hiding this comment.
Volume has a time_deleted column -- do we not care about that here?
There was a problem hiding this comment.
Not here, no - if the caller is trying to call volume_create with a volume that has the same ID as one that already exists or is soft-deleted, then we should disallow that.
| // This function may be called with a replacement volume | ||
| // that is completely blank, to be filled in later by this | ||
| // function. `volume_create` will have been called but will | ||
| // not have added any volume resource usage records, because | ||
| // it was blank! |
There was a problem hiding this comment.
I'm confused about this comment, in this location - namely, I'm not sure who is calling volume_create in this situation where we're saying "volume_create will have been called". Is this something we're doing within the body of this function, and I'm not seeing it? Or is this something someone else could concurrently be doing?
| // not have added any volume resource usage records, because | ||
| // it was blank! | ||
| // | ||
| // The indention leaving this transaction is that the |
There was a problem hiding this comment.
| // The indention leaving this transaction is that the | |
| // The intention leaving this transaction is that the |
| // We don't support a pure Region VCR at the volume | ||
| // level in the database, so this choice should | ||
| // never be encountered. | ||
| panic!("Region not supported as a top level volume"); |
There was a problem hiding this comment.
This seems like a footgun to me, to have a pub fn with an undocumented panic?
| OVERLAY( | ||
| OVERLAY( | ||
| MD5(volume.id::TEXT || dataset_id::TEXT || region_id::TEXT || snapshot_id::TEXT || snapshot_addr || volume_references::TEXT) | ||
| PLACING '4' from 13 |
There was a problem hiding this comment.
What is this doing? Why '4'? Why from 13?
There was a problem hiding this comment.
This code creates a deterministic V4 UUID from the other columns, which has the shape of
xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx
12345678 9111 1111 1112 222222222333
012 3456 7890 123456789012
where the first hexadecimal digit in the third group always starts with a 4 means that M = 4, and I put a "random" value (read: volume references) in for N (the variant field).
But from https://datatracker.ietf.org/doc/html/rfc9562#name-uuid-version-4:
Alternatively, an implementation MAY choose to randomly generate the exact required number of bits for random_a, random_b, and random_c (122 bits total) and then concatenate the version and variant in the required position.
I don't think I'm doing this right - position 17 shouldn't be "random":
var:
The 2-bit variant field as defined by Section 4.1, set to 0b10.
I can fix this tomorrow
| MD5(volume.id::TEXT || dataset_id::TEXT || region_id::TEXT || snapshot_id::TEXT || snapshot_addr || volume_references::TEXT) | ||
| PLACING '4' from 13 | ||
| ) | ||
| PLACING TO_HEX(volume_references) from 17 |
The garbage collection of read/write regions must be separate from read-only regions: - read/write regions are garbage collected by either being deleted during a volume soft delete, or by appearing later during the "find deleted volume regions" section of the volume delete saga - read-only regions are garbage collected only in the volume soft delete code, when there are no more references to them `find_deleted_volume_regions` was changed to only operate on read/write regions, and no longer returns the optional RegionSnapshot object: that check was moved from the volume delete saga into the function, as it didn't make sense that it was separated. This commit also adds checks to validate that invariants related to volumes are not violated during tests. One invalid test was deleted (regions will never be deleted when they're in use!) In order to properly test the separate region deletion routines, the first part of the fixes for dealing with deleted volumes during region snapshot replacement were brought in from that branch: these are the changes to region_snapshot_replacement_step.rs and region_snapshot_replacement_start.rs.
add comment to table as well
Crucible volumes are created by layering read-write regions over a hierarchy of read-only resources. Originally only a region snapshot could be used as a read-only resource for a volume. With the introduction of read-only regions (created during the region snapshot replacement process) this is no longer true!
Read-only resources can be used by many volumes, and because of this they need to have a reference count so they can be deleted when they're not referenced anymore. The region_snapshot table uses a
volume_referencescolumn, which counts how many uses there are. The region table does not have this column, and more over a simple integer works for reference counting but does not tell you what volume that use is from. This can be determined (see omdb's validate volume references command) but it's information that is tossed out, as Nexus knows what volumes use what resources! Instead, record what read-only resources a volume uses in a new table.As part of the schema change to add the new
volume_resource_usagetable, a migration is included that will create the appropriate records for all region snapshots.In testing, a few bugs were found: the worst being that read-only regions did not have their read_only column set to true. This would be a problem if read-only regions are created, but they're currently only created during region snapshot replacement. To detect if any of these regions were created, find all regions that were allocated for a snapshot volume:
A similar bug was found in the simulated Crucible agent.
This commit also reverts #6728, enabling region snapshot replacement again - it was disabled due to a lack of read-only region reference counting, so it can be enabled once again.