server: Refactor node ID initialization

[bdarnell]

In order for a node to learn its node ID, it must first initialize its stores. The node ID is stored in Node.Descriptor.NodeID by Node.initNodeID. However, the Node.Descriptor struct is shared between the store and the node by a pointer passed to NewStore. Both store and node access this struct without synchronization (which is fine for everything but the node ID, as the rest of the fields are read-only after construction).

The Store needs to access the NodeDescriptor with proper synchronization, and we may need to do an audit to ensure that all such accesses can handle the possibility of accessing the node descriptor before it is fully initialized.

The node ID is only set once at startup, and this race is not triggered by our current startup sequence. Changing store initialization as in #16354 exposed the race.

[a6802739]

@bdarnell could I have a try for this?

[bdarnell]

This is related to some changes @adamgee is working on in #16371. Let's wait until that's done and see if changes are still needed.

[a6802739]

@bdarnell, okay. Got it.

[cuongdo]

@ben 1) does this need to go into 1.1? it seems late to be refactoring
2) would this make a good starter (1-2 week) core project?

[bdarnell]

Moved to 1.2. I think it would probably be a good core starter project.

[a6802739]

@bdarnell, If it's milestones is 1.2, I think we could offer some help here.

[bdarnell]

Great, thanks!

[a6802739]

@bdarnell , Do you mean we should call use sync.Once to initialize the NodeID?

And what do you mean about synchronization between store and node access? If we don't do anything about this synchronization, what will happen?

[bdarnell]

It's more than sync.Once. The NodeDescriptor is mutable, but we share it between the store and node without any synchronization. This happens to work because the node only writes to the node descriptor once, very early, and the store doesn't do much before then, but it's still not very safe.

We partially solved this with the base.NodeIDContainer type. I think the right answer is probably some sort of NodeDescriptorContainer struct which could contain the node descriptor and a lock. We'd need to pass this around instead of a *NodeDescriptor. I'm not sure whether we can replace NodeIDContainer or not, because of package dependency rules.

[a-robinson]

This happens to work because the node only writes to the node descriptor once, very early, and the store doesn't do much before then, but it's still not very safe.

I haven't yet been able to reproduce the exact code path orderings involved, but not having the NodeID when it's needed is behind the somewhat frequent panics in #18085