Partial Failure in RSS setup can cause hang due to sled agent setup

[smklein]

• Suppose RSS gets partway through setup, and fails, for whatever reason. Suppose that all sleds have bootstrap agents which know how to start sled agents. This information is recorded durably, so sled agents can reboot autonomously from that point onwards. This is important - remember, the sled agents will be booting on their own from this point.
• On reboot, RSS should attempt to re-inject the requests, using the same rss-plan.toml file.
• If it does this, RSS will be stuck here:

omicron/sled-agent/src/rack_setup/service.rs

Lines 560 to 576 in b4366f1

	// Forward the sled initialization requests to our sled-agent.
	local_bootstrap_agent
	.initialize_sleds(
	plan.iter()
	.map(move |(bootstrap_addr, allocation)| {
	(
	*bootstrap_addr,
	allocation.initialization_request.clone(),
	maybe_rack_secret_shares
	.as_mut()
	.map(|shares| shares.next().unwrap()),
	)
	})
	.collect(),
	)
	.await
	.map_err(SetupServiceError::SledInitialization)?;

• This call to initialize_sleds ends up blocked on a request to bootstrap agents, for them to initialize their sled agents:

omicron/sled-agent/src/bootstrap/rss_handle.rs

Lines 92 to 105 in f8f076a

	let sled_agent_initialize = || async {
	client
	.start_sled(request, trust_quorum_share.clone())
	.await
	.map_err(BackoffError::transient)?;
	Ok::<(), BackoffError<bootstrap_agent_client::Error>>(())
	};
	let log_failure = |error, _| {
	warn!(log, "failed to start sled agent"; "error" => ?error);
	};
	retry_notify(internal_service_policy(), sled_agent_initialize, log_failure)
	.await?;

• I can see in the logs, this returns the following error from the bootstrap agent itself:

omicron/sled-agent/src/bootstrap/server.rs

Lines 362 to 368 in b4366f1

	Request::SledAgentRequest(request, _trust_quorum_share) => {
	warn!(
	log, "Received sled agent request after we're initialized";
	"request" => ?request,
	);
	Err("Sled agent already initialized".to_string())
	}

I believe this is a bug - instead of returning Ok(()), RSS will be stuck behind a sled agent that booted by itself.

@jgallagher , WDYT - would it be okay to just idempotently return Ok if the sled agent already exists?

[jgallagher]

This is exactly what @Nieuwejaar ran into yesterday; thanks for writing this up. I don't think we can return Ok(_) here; we would need to check that request and trust_quorum_share match the values that our sled agent used when it started, and the trust_quorum_share is guaranteed NOT to match unless it's disabled entirely:

• RSS generates a new rack secret on startup, which is intentionally not persisted
• If RSS got partway through initialization and distributed secret shares to some sleds which recorded them, but is now rerunning with a new rack secret, we'll end up with some sleds using old shares and some sleds using new shares

This problem of partial initialization is a big part of the (or maybe the primary?) motivation for the bootstore work @andrewjstone started but has paused to do MUP/wicket things. I'm not entirely sure what to suggest we do in the meantime - we could put in checks on request and trust_quorum_share and return Ok(_) if they match, knowing that in practice that will only work for single-sled systems? I believe request_agent() already has a check like this, so maybe we could change this to something like

        Request::SledAgentRequest(request, trust_quorum_share) => {
            let trust_quorum_share =
                trust_quorum_share.map(ShareDistribution::from);

            match bootstrap_agent
                .request_agent(&request, &trust_quorum_share)
                .await
            {
                Ok(response) => {
                    Ok(Response::SledAgentResponse(response))
                }
                Err(err) => {
                    warn!(log, "Sled agent request failed"; "err" => %err);
                    Err(format!("Sled agent request failed: {err}"))
                }
            }
        }
}

which is similar to the handler in serve_request_before_quorum_initialization() above. This will still fail if multiple sleds are involved, but (a) it's better than today, particularly for single-sled dev work and (b) the error message should be more obvious.

[andrewjstone]

I think putting in the checks for the trust_quorum_share matching is probably the right short term solution here. Although, as @jgallagher mentions if we have a real rack secret the shares will never match because RSS will always generate a new random shared secret. However a real rack secret will only be needed on a multi-node system which we aren't currently testing. The multi-node partial initialization will eventually be fixed by the bootstore work, and I don't think we should put any effort into trying to solve it with the code as it is currently structured. What this all means then, is that we can probably just check if trust_quorum_share == None, and if so just ignore the re-initialization and return Ok(()) as @smklein suggests.

[davepacheco]

See #1880 for context. The sled-agent log is also there for more details about how this manifested. (It sounds like y'all already understand the behavior well enough but I figured I'd drop this here for the record.)

In that case, we ran into a problem setting up the CockroachDB zone and sled-agent was explicitly restarted before that finished. We were surprised to find that RSS was apparently not trying to finish setup. It was, actually, but it was stuck in this phase of initializing sled agents because of the "already initialized" error.