cls/rgw: rgw_dir_suggest_changes detects race with completion

[cbodley]

if bucket listing races with a pending index transaction, its suggested removal may be mistakenly applied if that index transaction completes before the osd receives this suggestion

in rgw_dir_suggest_changes(), the sole condition for applying a suggested change is that the cur_disk.pending_map is empty. this is true after rgw_bucket_complete_op()

on index completion, rgw_bucket_dir_entry::index_ver is updated to match the new value of rgw_bucket_dir_header::ver. because most of struct rgw_bucket_dir_entry makes the round trip through bucket listing -> dir_suggest, we have access to the index_ver of the suggested entry. by comparing this against the stored entry, we can ignore any suggestions that were sent before the most recent completion

Fixes: https://tracker.ceph.com/issues/54528

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard cephadm
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox
• jenkins test windows

[mattbenjamin]

mirabile dictu

[mattbenjamin]

it's amazing this step was missed before (or maybe got removed?); it seems clearly part of the design

[yehudasa]

I think the dir_suggest code path might not have been tested much

[ivancich]

I'm guessing this will merge before my instrumentation PR, which it should. Then I can convert this to the instrumented version.

[mattbenjamin]

+1

[cbodley]

added a simple test case that passes with this fix:

[ RUN      ] cls_rgw.index_suggest_complete
[       OK ] cls_rgw.index_suggest_complete (6 ms)

..and fails against master:

[ RUN      ] cls_rgw.index_suggest_complete
/home/cbodley/ceph/src/test/cls_rgw/test_cls_rgw.cc:430: Failure
Expected equality of these values:
  1
  entries.size()
    Which is: 0
[  FAILED  ] cls_rgw.index_suggest_complete (7 ms)

[yehudasa]

@cbodley the fact that we get dir_suggest happening on listing before completion is called and is effective makes me think we have an issue with the time delta calculation, as it really should only happen after a very long period of time (hours). I remember seeing such a bug relatively recently.

[mattbenjamin]

@cbodley the fact that we get dir_suggest happening on listing before completion is called and is effective makes me think we have an issue with the time delta calculation, as it really should only happen after a very long period of time (hours). I remember seeing such a bug relatively recently.

The hard-coded timeout has been 120s, and we just made it configurable. I assumed it would be some value in hours, as well. But also, that's the "tag timeout" and from what I understand, this path isn't even covered by it?

[cbodley]

@cbodley the fact that we get dir_suggest happening on listing before completion is called and is effective makes me think we have an issue with the time delta calculation, as it really should only happen after a very long period of time (hours).

are you talking about timing with respect to the tag timeout? we were also expecting that to prevent these racing suggestions from being applied to the index

but the tag timeout only applies to pending transactions in pending_map - in this case, we get the call to rgw_bucket_complete_op() first, which clears its pending entry. and once pending_map is empty, rgw_dir_suggest_changes() will apply any changes it gets

[yehudasa]

@cbodley the fact that we get dir_suggest happening on listing before completion is called and is effective makes me think we have an issue with the time delta calculation, as it really should only happen after a very long period of time (hours).

are you talking about timing with respect to the tag timeout? we were also expecting that to prevent these racing suggestions from being applied to the index

but the tag timeout only applies to pending transactions in pending_map - in this case, we get the call to rgw_bucket_complete_op() first, which clears its pending entry. and once pending_map is empty, rgw_dir_suggest_changes() will apply any changes it gets

Ah, I see. Yeah, makes sense.

And apparently I changed the tag timeout to 120 seconds from 24 hours here: 99efdc6.

[cbodley]

And apparently I changed the tag timeout to 120 seconds from 24 hours here: 99efdc6.

oh cool. there were some conversations recently about raising that default, but it's good to see your explanation for why it should stay relatively small - at least in multisite

[mattbenjamin]

And apparently I changed the tag timeout to 120 seconds from 24 hours here: 99efdc6.

oh cool. there were some conversations recently about raising that default, but it's good to see your explanation for why it should stay relatively small - at least in multisite

I don't feel convinced. 120s is just 2 * the most common client timeout for S3 requests. It seems completely unreasonable to have a timeout based mechanism that changes the apparent result of operations acked to clients on the basis of such a timeout.

[mkogan1]

ACK, tested on the reproducer environment and the BZ no longer reproduces
(rhbz2042585 -- Client uploaded S3 object not listed but can be downloaded)

[mkogan1]

jenkins test make check

[cbodley]

passed qa in https://pulpito.ceph.com/cbodley-2022-03-17_18:05:42-rgw-wip-cbodley-testing-distro-default-smithi/