Address problems in concurrent sqlite access #10706
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
espadolini
force-pushed
the
espadolini/sqlite-corruption
branch
from
82c606b to
0644267
Compare
|
@espadolini is it possible that this will also address #5083? |
|
Hopefully yes; if the underlying cause is the same (and I think it is), it should also get fixed by this. There's still some other problems that we'll address in this PR related specifically to caches rather than just the backend, which could also be contributing to the issue. |
espadolini
force-pushed
the
espadolini/sqlite-corruption
branch
6 times, most recently
from
ed89316 to
582627e
Compare
espadolini
requested review from
fspmarshall,
xacrimon,
zmb3 and
rosstimothy
and removed request for
zmb3 and
xacrimon
xacrimon
reviewed
Mar 7, 2022
|
Otherwise LGTM |
xacrimon
previously approved these changes
Mar 7, 2022
|
edit: moved questions in the PR description |
espadolini
force-pushed
the
espadolini/sqlite-corruption
branch
from
474ee2e to
3d387b3
Compare
|
Cache directory cleanup while a sqlite database is still open can cause errors during |
espadolini
force-pushed
the
espadolini/sqlite-corruption
branch
3 times, most recently
from
38500c3 to
a66f0a3
Compare
espadolini
force-pushed
the
espadolini/sqlite-corruption
branch
from
1ba14ea to
409cf65
Compare
rosstimothy
approved these changes
Mar 15, 2022
xacrimon
approved these changes
Mar 15, 2022
espadolini
added a commit
that referenced
this pull request
Mar 16, 2022
* Use BEGIN IMMEDIATE to start transactions This makes it so all transactions grab a write lock rather than a read lock that can be upgraded in case of a write; in case of multiple writers (which, in our case, can only happen during a restart as the new process reopens the same sqlite database) this will prevent two transactions from attempting to upgrade their lock, which would cause a SQLITE_BUSY error in one of them. In regular operation this shouldn't cause a performance hit, as we're using a single connection to the sqlite database (guarded by locks in the go side) anyway. * Escape path in sqlite connection URL This makes it so that the sqlite backend supports paths with ? in them. * Close process storage on TeleportProcess shutdown This aligns the behavior of Shutdown with that of Close. * Allow specifying the journal mode in sqlite This will let sqlite backend users specify WAL mode in their config file, and will allow us to specify alternate journal modes for our on-disk caches in the future. This also removes sqlite memory mode, as it's not used anywhere because of its poor query performance compared to our in-memory backend, and cleans up a bit of old cruft, and runs process storage in FULL sync mode - it's very seldom written to and holds important data.
espadolini
added a commit
that referenced
this pull request
Mar 16, 2022
* Use BEGIN IMMEDIATE to start transactions This makes it so all transactions grab a write lock rather than a read lock that can be upgraded in case of a write; in case of multiple writers (which, in our case, can only happen during a restart as the new process reopens the same sqlite database) this will prevent two transactions from attempting to upgrade their lock, which would cause a SQLITE_BUSY error in one of them. In regular operation this shouldn't cause a performance hit, as we're using a single connection to the sqlite database (guarded by locks in the go side) anyway. * Escape path in sqlite connection URL This makes it so that the sqlite backend supports paths with ? in them. * Close process storage on TeleportProcess shutdown This aligns the behavior of Shutdown with that of Close. * Allow specifying the journal mode in sqlite This will let sqlite backend users specify WAL mode in their config file, and will allow us to specify alternate journal modes for our on-disk caches in the future. This also removes sqlite memory mode, as it's not used anywhere because of its poor query performance compared to our in-memory backend, and cleans up a bit of old cruft, and runs process storage in FULL sync mode - it's very seldom written to and holds important data.
espadolini
added a commit
that referenced
this pull request
Mar 16, 2022
* Use BEGIN IMMEDIATE to start transactions This makes it so all transactions grab a write lock rather than a read lock that can be upgraded in case of a write; in case of multiple writers (which, in our case, can only happen during a restart as the new process reopens the same sqlite database) this will prevent two transactions from attempting to upgrade their lock, which would cause a SQLITE_BUSY error in one of them. In regular operation this shouldn't cause a performance hit, as we're using a single connection to the sqlite database (guarded by locks in the go side) anyway. * Escape path in sqlite connection URL This makes it so that the sqlite backend supports paths with ? in them. * Close process storage on TeleportProcess shutdown This aligns the behavior of Shutdown with that of Close. * Allow specifying the journal mode in sqlite This will let sqlite backend users specify WAL mode in their config file, and will allow us to specify alternate journal modes for our on-disk caches in the future. This also removes sqlite memory mode, as it's not used anywhere because of its poor query performance compared to our in-memory backend, and cleans up a bit of old cruft, and runs process storage in FULL sync mode - it's very seldom written to and holds important data.
This was referenced Mar 16, 2022
espadolini
added a commit
that referenced
this pull request
Mar 17, 2022
* Use BEGIN IMMEDIATE to start transactions This makes it so all transactions grab a write lock rather than a read lock that can be upgraded in case of a write; in case of multiple writers (which, in our case, can only happen during a restart as the new process reopens the same sqlite database) this will prevent two transactions from attempting to upgrade their lock, which would cause a SQLITE_BUSY error in one of them. In regular operation this shouldn't cause a performance hit, as we're using a single connection to the sqlite database (guarded by locks in the go side) anyway. * Escape path in sqlite connection URL This makes it so that the sqlite backend supports paths with ? in them. * Close process storage on TeleportProcess shutdown This aligns the behavior of Shutdown with that of Close. * Allow specifying the journal mode in sqlite This will let sqlite backend users specify WAL mode in their config file, and will allow us to specify alternate journal modes for our on-disk caches in the future. This also removes sqlite memory mode, as it's not used anywhere because of its poor query performance compared to our in-memory backend, and cleans up a bit of old cruft, and runs process storage in FULL sync mode - it's very seldom written to and holds important data.
espadolini
added a commit
that referenced
this pull request
Mar 17, 2022
* Use BEGIN IMMEDIATE to start transactions This makes it so all transactions grab a write lock rather than a read lock that can be upgraded in case of a write; in case of multiple writers (which, in our case, can only happen during a restart as the new process reopens the same sqlite database) this will prevent two transactions from attempting to upgrade their lock, which would cause a SQLITE_BUSY error in one of them. In regular operation this shouldn't cause a performance hit, as we're using a single connection to the sqlite database (guarded by locks in the go side) anyway. * Escape path in sqlite connection URL This makes it so that the sqlite backend supports paths with ? in them. * Close process storage on TeleportProcess shutdown This aligns the behavior of Shutdown with that of Close. * Allow specifying the journal mode in sqlite This will let sqlite backend users specify WAL mode in their config file, and will allow us to specify alternate journal modes for our on-disk caches in the future. This also removes sqlite memory mode, as it's not used anywhere because of its poor query performance compared to our in-memory backend, and cleans up a bit of old cruft, and runs process storage in FULL sync mode - it's very seldom written to and holds important data.
espadolini
added a commit
that referenced
this pull request
Mar 17, 2022
* Use BEGIN IMMEDIATE to start transactions This makes it so all transactions grab a write lock rather than a read lock that can be upgraded in case of a write; in case of multiple writers (which, in our case, can only happen during a restart as the new process reopens the same sqlite database) this will prevent two transactions from attempting to upgrade their lock, which would cause a SQLITE_BUSY error in one of them. In regular operation this shouldn't cause a performance hit, as we're using a single connection to the sqlite database (guarded by locks in the go side) anyway. * Escape path in sqlite connection URL This makes it so that the sqlite backend supports paths with ? in them. * Close process storage on TeleportProcess shutdown This aligns the behavior of Shutdown with that of Close. * Allow specifying the journal mode in sqlite This will let sqlite backend users specify WAL mode in their config file, and will allow us to specify alternate journal modes for our on-disk caches in the future. This also removes sqlite memory mode, as it's not used anywhere because of its poor query performance compared to our in-memory backend, and cleans up a bit of old cruft, and runs process storage in FULL sync mode - it's very seldom written to and holds important data.
This was referenced Mar 21, 2022
Closed
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR addresses an issue related to our use of sqlite during restarts, both in-process (typically as a result of CA rotation) and across processes (as a result of a user-initiated graceful restart, with SIGHUP or SIGUSR2/SIGQUIT): the sqlite backend can't handle multiple processes working over the same database, as the "busy" error that's returned when a transaction must be retried due to concurrent access is treated as a fatal database error.
The issue is fixed by changing a
go-sqlite3parameter that changes how locks are acquired in transactions; by starting every transaction withBEGIN IMMEDIATE, the write lock is acquired unconditionally at the very beginning of the transaction, so there's never any need for a forced rollback and the busy timeout can handle concurrency while multiple processes are handling the same database (which only happens during restarts).In addition, this PR cleans up some of the sqlite backend code (including the removal of in-memory sqlite, which has significantly worse performance than our radix tree in-memory backend), adds a way for users to specify the journal mode for sqlite auth backends, and sets the sync mode for process storage to
FULL, as process storage is quite important and seldom written to (a corrupted process storage db requires wiping the db and rejoining the cluster with a token).No changes are made to the default sync mode of
OFFand to the default journal mode (not specified by the code, and thus defaulting to the deferredDELETEmode) which applies both to test code that spawns sqlite backends and, more importantly, to sqlite auth backends, because of performance concerns; we ought to document that "light" production use with the sqlite backend should specify a stronger filesystem sync mode, however.Partially fixes the sqlite issues in #10332, #9815, #5083 and most other occurrences of
database is closed, however our use of the same cache backend storage across restarts is still problematic, and will be addressed in #11022.