Improve resilience of datastore bootstrap reconcile from etcd

* Add store tests with fixtures
* Try connecting to local etcd first, if it is available
* Handle panics from etcd backend code
* Don't try to read WAL and restore v3 snapshots as they almost never exist

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit d300004)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Author: brandond

go.mod

@@ -123,8 +123,8 @@ require (
 	github.com/opencontainers/cgroups v0.0.4
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
-	github.com/opencontainers/selinux v1.13.0
-	github.com/otiai10/copy v1.7.0
+	github.com/opencontainers/selinux v1.13.1
+	github.com/otiai10/copy v1.14.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/common v0.66.1
@@ -138,6 +138,7 @@ require (
 	github.com/rootless-containers/rootlesskit v1.1.1
 	github.com/sirupsen/logrus v1.9.4
 	github.com/spegel-org/spegel v0.6.0
+	github.com/spf13/afero v1.15.0
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli/v2 v2.27.7
@@ -405,6 +406,7 @@ require (
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
+	github.com/otiai10/mint v1.6.3 // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect

go.sum

@@ -1115,13 +1115,10 @@ github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84=
 github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
-github.com/otiai10/copy v1.7.0 h1:hVoPiN+t+7d2nzzwMiDHPSOogsWAStewq3TwU05+clE=
-github.com/otiai10/copy v1.7.0/go.mod h1:rmRl6QPdJj6EiUqXQ/4Nn2lLXoNQjFCQbbNrxgc/t3U=
-github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
-github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
-github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo=
-github.com/otiai10/mint v1.3.3 h1:7JgpsBaN0uMkyju4tbYHu0mnM55hNKVYLsXmwr15NQI=
-github.com/otiai10/mint v1.3.3/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
+github.com/otiai10/copy v1.14.1 h1:5/7E6qsUMBaH5AnQ0sSLzzTg1oTECmcCmT6lvF45Na8=
+github.com/otiai10/copy v1.14.1/go.mod h1:oQwrEDDOci3IM8dJF0d8+jnbfPDllW6vUjNc3DoZm9I=
+github.com/otiai10/mint v1.6.3 h1:87qsV/aw1F5as1eH1zS/yqHY85ANKVMgkDrf9rcxbQs=
+github.com/otiai10/mint v1.6.3/go.mod h1:MJm72SBthJjz8qhefc4z1PYEieWmy8Bku7CjcAqyUSM=
 github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 h1:onHthvaw9LFnH4t2DcNVpwGmV9E1BkGknEliJkfwQj0=
 github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhMYhSNPKjeNKa5WY9YCIEBRbNzFFPJbWO6Y=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
@@ -1271,6 +1268,8 @@ github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY52
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
 github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
 github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
 github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=

pkg/cluster/bootstrap.go

@@ -20,9 +20,12 @@ import (
 	"github.com/k3s-io/k3s/pkg/bootstrap"
 	"github.com/k3s-io/k3s/pkg/clientaccess"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
+	"github.com/k3s-io/k3s/pkg/daemons/executor"
 	"github.com/k3s-io/k3s/pkg/etcd/store"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
+	"github.com/k3s-io/kine/pkg/endpoint"
+	"github.com/k3s-io/kine/pkg/tls"
 	"github.com/otiai10/copy"
 	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -284,11 +287,36 @@ func (c *Cluster) ReconcileBootstrapData(ctx context.Context, buf io.ReadSeeker,
 		}
 
 		var kv *mvccpb.KeyValue
+		var storageClient store.ReadCloser
+
+		if executor.IsSelfHosted() {
+			// etcd will never be running at this point when using embedded executor,
+			// but other executors may opt to leave it running when the supervisor
+			// process is down. In this case, try to connect to local etcd first; if
+			// that fails fall back to reading direct from etcd store on disk.
+			etcdConfig := endpoint.ETCDConfig{
+				Endpoints: []string{fmt.Sprintf("https://%s:2379", c.config.Loopback(true))},
+				TLSConfig: tls.Config{
+					TrustedCAFile: c.config.Runtime.ETCDServerCA,
+					CAFile:        c.config.Runtime.ETCDServerCA,
+					CertFile:      c.config.Runtime.ClientETCDCert,
+					KeyFile:       c.config.Runtime.ClientETCDKey,
+				},
+			}
+			storageClient, err = store.NewRemoteStore(etcdConfig)
+			if err != nil {
+				logrus.Infof("Unable to connect to etcd: %v; trying direct datastore access", err)
+				storageClient = nil
+			}
+		}
 
-		storageClient, err := store.NewTemporaryStore(filepath.Join(c.config.DataDir, "db", "etcd"))
-		if err != nil {
-			return pkgerrors.WithMessage(err, "failed to create temporary datastore client")
+		if storageClient == nil {
+			storageClient, err = store.NewTemporaryStore(filepath.Join(c.config.DataDir, "db", "etcd"))
+			if err != nil {
+				return pkgerrors.WithMessage(err, "failed to create temporary datastore client")
+			}
 		}
+
 		defer storageClient.Close()
 
 		kv, c.saveBootstrap, err = getBootstrapKeyFromStorage(ctx, storageClient, normalizedToken, token)

pkg/etcd/store/store.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"runtime/debug"
 	"time"
 
 	"github.com/k3s-io/kine/pkg/endpoint"
@@ -16,16 +17,14 @@ import (
 	"go.etcd.io/etcd/client/pkg/v3/logutil"
 	clientv3 "go.etcd.io/etcd/client/v3"
 	"go.etcd.io/etcd/server/v3/config"
-	"go.etcd.io/etcd/server/v3/etcdserver/api/snap"
-	"go.etcd.io/etcd/server/v3/etcdserver/cindex"
 	etcderrors "go.etcd.io/etcd/server/v3/etcdserver/errors"
 	"go.etcd.io/etcd/server/v3/lease"
-	"go.etcd.io/etcd/server/v3/storage"
 	"go.etcd.io/etcd/server/v3/storage/backend"
 	"go.etcd.io/etcd/server/v3/storage/mvcc"
 	"go.etcd.io/etcd/server/v3/storage/schema"
-	"go.etcd.io/etcd/server/v3/storage/wal"
+	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
+	"google.golang.org/grpc"
 )
 
 // ReadCloser is a generic wrapper around a MVCC store that provides only read/close functions
@@ -62,9 +61,14 @@ func NewRemoteStore(config endpoint.ETCDConfig) (*RemoteStore, error) {
 	if err != nil {
 		return nil, err
 	}
+	logger = logger.Named("k3s.remotestore")
+
+	logrus.Infof("Opening etcd client connection with endpoints %v", config.Endpoints)
+
 	c, err := clientv3.New(clientv3.Config{
 		Endpoints:   config.Endpoints,
 		DialTimeout: 5 * time.Second,
+		DialOptions: []grpc.DialOption{grpc.WithBlock(), grpc.FailOnNonTempDialError(true)},
 		Logger:      logger,
 		TLS:         tlsConfig,
 	})
@@ -163,7 +167,24 @@ func NewTemporaryStore(dataDir string) (*TemporaryStore, error) {
 		return nil, err
 	}
 
-	if err := copy.Copy(dataDir, tempDir, copy.Options{PreserveOwner: true}); err != nil {
+	// only copy the bbolt backend database; we don't need the WAL, legacy v2
+	// store snapshots, config file, or anything else.
+	// ref: https://etcd.io/docs/v3.6/learning/persistent-storage-files/#long-leaving-files
+	copyOpts := copy.Options{
+		PreserveOwner: true,
+		PreserveTimes: true,
+		NumOfWorkers:  0,
+		Sync:          true,
+		Skip: func(srcinfo os.FileInfo, src, dest string) (bool, error) {
+			switch srcinfo.Name() {
+			case "member", "snap", "db":
+				return false, nil
+			default:
+				return true, nil
+			}
+		},
+	}
+	if err := copy.Copy(dataDir, tempDir, copyOpts); err != nil {
 		return nil, err
 	}
 
@@ -198,69 +219,83 @@ type Store struct {
 	be backend.Backend
 }
 
-func NewStore(dataDir string) (*Store, error) {
-	var currentIndex, latestIndex uint64
+func NewStore(dataDir string) (store *Store, rerr error) {
+	s := &Store{}
+
 	logger, err := logutil.CreateDefaultZapLogger(zapcore.InfoLevel)
 	if err != nil {
 		return nil, err
 	}
 
+	// etcd relies on panic/fatal errors to trigger process exit; we need to
+	// handle it properly by recovering and returning an error.
+	logger = logger.Named("k3s.store").WithOptions(
+		zap.WithPanicHook(zapcore.WriteThenPanic),
+		zap.WithFatalHook(zapcore.WriteThenPanic),
+	)
+
+	// recover from zap panics and ensure kv and backened are closed on error
+	defer func() {
+		if err := recover(); err != nil {
+			msg := fmt.Sprintf("panic: %v", err)
+			if logrus.IsLevelEnabled(logrus.DebugLevel) {
+				msg += " at " + string(debug.Stack())
+			}
+			rerr = errors.New(msg)
+		}
+		if rerr != nil && s != nil {
+			go s.Close()
+		}
+	}()
+
 	cfg := config.ServerConfig{Logger: logger, DataDir: dataDir}
 	path := cfg.BackendPath()
 
-	// need to check for backend path ourselves, as backend.New just logs a panic
-	// via zap if it doesn't exist, which isn't fatal.
+	// need to check for backend path ourselves, as backend.New just creates
+	// a new empty database if the file does not exist or is empty.
 	if _, err := os.Stat(path); err != nil {
 		return nil, pkgerrors.WithMessage(err, "failed to stat MVCC KV store backend path")
 	}
 
-	logrus.Infof("Opening etcd MVCC KV store at %s", path)
+	logrus.Infof("Opening etcd MVCC KV backend database at %s", path)
 
 	// open backend database
 	bcfg := backend.DefaultBackendConfig(logger)
 	bcfg.Path = path
 	bcfg.UnsafeNoFsync = true
-	bcfg.BatchInterval = 0
-	bcfg.BatchLimit = 0
-	be := backend.New(bcfg)
-
-	// get current index from backend
-	currentIndex, _ = schema.ReadConsistentIndex(be.ReadTx())
-
-	// list snapshots from WAL dir
-	walSnaps, err := wal.ValidSnapshotEntries(cfg.Logger, cfg.WALDir())
-	if err != nil {
-		return nil, err
+	bcfg.BatchInterval = time.Hour
+	bcfg.BatchLimit = 100000
+
+	// try to open the bbolt database; this may unrecoverably panic from inside
+	// the bbolt freelist goroutine if the database is in an inconsistent state.
+	s.be = backend.New(bcfg)
+	if s.be == nil {
+		return nil, errors.New("failed to open database")
 	}
 
-	// find latest available snapshot index
-	ss := snap.New(logger, cfg.SnapDir())
-	snapshot, err := ss.LoadNewestAvailable(walSnaps)
-	if err != nil && !errors.Is(err, snap.ErrNoSnapshot) {
-		return nil, err
-	}
-	if snapshot != nil {
-		latestIndex = snapshot.Metadata.Index
+	// try to get current index from backend; this may fail if the bbolt database
+	// was opened successfully but is in an inconsistent state.
+	if currentIndex, _ := schema.ReadConsistentIndex(s.be.ReadTx()); currentIndex == 0 {
+		return nil, errors.New("failed to read consistent index")
 	}
 
-	// restore from snapshot if available
-	if latestIndex > currentIndex {
-		logrus.Warnf("MVCC database index %d is less than latest snapshot index %d", currentIndex, latestIndex)
-		path, err := ss.DBFilePath(latestIndex)
-		if err != nil {
-			logrus.Warnf("MVCC database for snapshot index %d not available; data may be stale", latestIndex)
-		} else {
-			logrus.Infof("MVCC database restoring snapshot index %d from %s", latestIndex, path)
-			be, err = storage.RecoverSnapshotBackend(cfg, be, *snapshot, true, storage.NewBackendHooks(cfg.Logger, cindex.NewConsistentIndex(nil)))
-			if err != nil {
-				be.Close()
-				return nil, err
-			}
-		}
-	}
+	// We do not bother checking the latest snapshot index from the WAL or attempting to
+	// restore from a snapshot, as v3 store snapshots are only created when replicas are
+	// lagging and the leader sends them a fresh copy of the bbolt database - and are
+	// therefore highly unlikely to exist. The .snap files in the snap dir are for the
+	// legacy v2 store, and are of no use.
+	//
+	// ref: https://etcd.io/docs/v3.6/learning/persistent-storage-files/#long-leaving-files
+	// > Note: Periodic snapshots generated on each replica are only emitted in the form of
+	// > *.snap file (not snap.db file). So there is no guarantee the most recent snapshot (in
+	// > WAL log) has the *.snap.db file. But in such a case the backend (snap/db) is expected
+	// > to be newer than the snapshot.
+
+	s.kv = mvcc.NewStore(logger, s.be, &lease.FakeLessor{}, mvcc.StoreConfig{})
+	logrus.Info("Opened etcd MVCC KV store")
 
 	// nb: closing the kv store does not implicitly close its backend; the backend must be closed separately
-	return &Store{kv: mvcc.NewStore(cfg.Logger, be, &lease.FakeLessor{}, mvcc.StoreConfig{}), be: be}, nil
+	return s, nil
 }
 
 func (s *Store) Close() error {