Symlink-atomic reads for private key/certificate pairs

[htuch]

In #10163, support is added to load both private key and certificate on an inotify event. However, this is not fully atomic w.r.t. symlink changes. Imagine you have foo/ pointing at bar/ containing key.pem and cert.pem. Then you relink foo/ to point at baz/ with key.pem and cert.pem during a rotation. In our current solution, there is a race, where key.pem might be read from bar/ and cert.pem from baz/ during the relink.

We need to fully resolve a symlink with readlink before reading the key/cert pair.

I think this might actually also affect runtime snapshots; is this true @mattklein123?

CC @tsaarni @lizan

[mattklein123]

I think this might actually also affect runtime snapshots; is this true @mattklein123?

I don't believe so. This is why there is a level of indirection for the symlink and the snapshot directory. It reads the entire new directory at once after the swap. I think we would need to do something similar for the cert case where we introduce a base directory and do the swap there.

[htuch]

Yes, this makes sense. We can also just use readlink to resolve to the real directory and then read individual files, so we don't need to force that structure.

[mattklein123]

Yeah if we assume that the parent directory is consistent, readlink would work also agreed.

[tsaarni]

Adding readlink for atomic reads sounds good solution to me as well.

Is it a scenario where a new TLS connection happens to be established right at the moment of the rotation? I guess in theory there is yet another, but probably less likely race: at the end of the rotation the when old certificate & key files get removed, the old resolved path could cause open to fail.

[markdroth]

FYI, gRPC is going to support this without depending on readlink(2), for two reasons:

1. readlink(2) isn't portable, and we didn't want to have to provide a separate solution for Windows.
2. We didn't want to force people to use a symlink in cases where it might not be necessary. For example, it's actually fully possible to do this swap safely without a symlink by creating a new directory with new files and then renaming the directories to swap the new one into place. And there may be cases where the certs aren't actually ever going to change, in which case the symlink is unnecessary.

So gRPC is going to handle this by having a file-watcher CertificateProvider whose config will indicate the directory containing the cert and key files and the filenames within that directory of the two files. The provider will check the timestamps of both the directory and the files, then read the files, then check the timestamps again. If the "before" and "after" timestamps don't match, then it will assume that it did not get a safe atomic read, so it will throw away the result and try again.

There are some edge cases where it is possible to get a non-atomic read with this approach, but they are exceedingly rare (e.g., if the system clock gets set backward by exactly the time difference between when the old and new files were written, or if the files' timestamps are explicitly set to the same values), so we're not really worried about them.

[htuch]

Interesting. A few questions / comments:

• The current design doesn't require a symlink, or even readlink really, just some form of path canonicalization.
• How do you know there has been an update in gRPC? Are you still using inotify?
• Why not hash? We actually hash already in the watcher, so we could do a hash based scheme similar to what you describe that is even more robust and doesn't rely on timestamps.

I think there's actually three orthogonal things to figure out here:

1. How do we build an API to be more explicit about what we're watching. Currently, it's very implicit and assumes just looking at parent directory based on path decomposition.
2. How are watches performed? I think this is inherently platform specific, Envoy already supports watching on various platforms.
3. How do we deal with atomicity? sds: additional support for symlink-based key rotation. #13721 uses readlink/realpath (alternative), but we could also reasonably read the files twice and look at hashes after two successive reads.

The WatchedDirectory API is largely about (1) in #13721. It aims to strike a balance in terms of supporting backwards compatibility with DataSource and providing control. I'd be open to other suggestions if the ergonomics are better.

I think (3) can be dealt with independently as an implementation detail. I'm good with switching to hashes if folks prefer. CC @wrowe for Windows perspective (i.e. should we avoid symlink/canonicalization?).