fix: Add consensus-independent vat snapshot/transcript archiving configuration

[gibson042]

Fixes #10036

Description

Adds consensus-independent vat-{snapshot,transcript}-archive-dir cosmos-sdk swingset configuration for propagation in AG_COSMOS_INIT. When set, gzip-compressed vat snapshot/transcript files are written to the respective directory (the former when created, the latter when finalized by rollover).

It also includes miscellaneous documentation and code improvements, most significantly a new helper for replacing const cleanups = []; return aggregateTryFinally(async () => { … cleanups.push(…); … }, async () => { await PromiseAllOrErrors(cleanups.reverse().map(fn => Promise.resolve().then(() => fn()))); }); with return withDeferredCleanup(async addCleanup => { … addCleanup(…); … }); (i.e., folding in the cleanup registration and ordering).

Best reviewed commit-by-commit.

Security Considerations

This provides a new interface by which the Swingset kernel can write to its host filesystem, albeit indirectly via callback. But as such, it is a potential vector for filling up a disk or possibly overwriting files, although subject to an operator's own bad configuration and/or elevated permissions.

Scaling Considerations

When one or both new settings are active and the disk is full or slow, performance may suffer. I considered performing these writes in the background, but decided that silent failures or slow writes would be worse than the new awaits (and when active, the archive dir will likely be on the same filesystem as the database anyway).

Documentation Considerations

I think I've covered what I need to, although there might be some other Markdown files worth updating.

Testing Considerations

New features are covered by unit tests.

Upgrade Considerations

This is all kernel code that can be used at any node restart (i.e., because the configuration is consensus-independent, it doesn't even need to wait for a chain software upgrade). But we should mention the new cosmos-sdk configuration in release notes, because it won't be added to existing app.toml files already in use.

[mhofman]

As a matter of process, could we split and merge the first part of this PR that addresses #10054? It seems like it can stand on its own and is sufficiently different than the archive change. I have reviewed that set of commit and would approve such a PR.

[mhofman]

Let's add a comment that closeSpan does not note any changes to the .current export and that the caller is in charge of that. An alternative would be to always note a deletion of that export when closing, but that's unnecessary churn for the common case.

[gibson042]

Done.

[cloudflare-workers-and-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	bf76e00
Status:	✅  Deploy successful!
Preview URL:	https://1af799c3.agoric-sdk.pages.dev
Branch Preview URL:	https://gibson-10036-archive-transcr.agoric-sdk.pages.dev

View logs

[mhofman]

Overall this looks good, but please consider some of the suggested refactorings.

[mhofman]

Why use ReturnType here instead of Promise<T> ?

[gibson042]

No strong reason, just a way to emphasize that the happy-path result is just decoration of the function.

[mhofman]

I think addCleanup should be allowed to accept a function that returns something else than a promise, but the problem is that Promise<void> | void has undesirable behavior. Maybe Promise<any> | any, just for documentation purposes?

[gibson042]

I think it'd be easier to just wrap with async () => { … }, but we can cross that bridge if/when we get there. This is an internal async helper, and there's no current need for supporting non-async callbacks.

[mhofman]

Consider extracting the asyncification in a standalone refactor commit.

[gibson042]

It actually started that way, but it turned out that only two of the changes were non-fundamental.

[mhofman]

What do you mean by "non-fundamental". I consider making a function and all its callers transitively async to be a pure refactor.

[gibson042]

Do you mean that you want to see a commit which is just marking functions as async and inserting await at their call sites, with no point-in-time motivation for such a refactor until the following commit adds internal awaits, as opposed to a42c45f including both? I don't think I would find that useful.

[mhofman]

That would be my soft preference, yes. It's similar to moving some code around in a first commit in preparation for a subsequent commit which has a more minimal behavioral change.

[mhofman]

Consider extracting the rename of path and tmp in a standalone refactor commit.

[mhofman]

Given that the swingStore does extra / different work when archiveTranscript is present, should this be a variation of the test?

Same for archiveSnapshot, especially if we end up teeing the compression stream.

[gibson042]

The work is purely additive, so I figured it was fine to always check in these tests rather than multiply its configuration to the cross product of keepTranscripts={true,false} and archiveTranscript={undefined,fn}—plus there's lots of testing that covers initSwingStore with archiveTranscript=undefined, including in this file. Do you feel strongly about making this a test variation?

[mhofman]

Not strongly no, but since we already have a macro, I thought it could be cheap enough. Not all permutations need to be tested (e.g. transcript options are fully independent of the snapshot option)

[mhofman]

Why use the sync version if we're in an async function ?

[gibson042]

No strong reason; this step doesn't need to be async and honestly wouldn't benefit from it anyway.

[mhofman]

I'm just wondering because I believe it means the removeCallback is sync, which may be unexpected (according to types) for the cleanup. I do remember that tmp had some surprising changes in behavior between sync and async, but I'm not sure what those where now.

[gibson042]

As a matter of process, could we split and merge the first part of this PR that addresses #10054? It seems like it can stand on its own and is sufficiently different than the archive change. I have reviewed that set of commit and would approve such a PR.

#10060

[gibson042]

This is necessary to preserve the log ordering in terminate.test.js. Alternatively (or additionally), we could update bootstrap-terminate-with-presence.js to tolerate ordering variation.

[mhofman]

I am confused about why the simple await was not working.

[gibson042]

Figuring it out was an interesting dive... vat-vat-admin.js terminateWithFailure ends with a synchronous call to D(vatAdminDev).terminateWithFailure, which through further synchronous calls in device-vat-admin.js → kernel/deviceManager.js → kernel.js → kernelSyscall.js → vat-admin-hooks.js
invokes void terminateVat(vatID, true, marshalledReason), which means that only the synchronous prelude of terminateVat has an effect before the result promise of E(vatAdminNode).terminateWithFailure(reason) settles and enqueues notifies.

Before this PR, kernelKeeper.removeVatFromSwingStoreExports was synchronous and therefore could not impede the following step's rejection of promises yet to be decided by the terminating vat (which therefore preceded fulfillment of the terminateWithFailure result promise).

But now that this PR is making removeVatFromSwingStoreExports async, a naïve await thereof would end the synchronous prelude before dead promise rejection, which is what caused the assertion in terminate.test.js to fail. Deferring the await restores the expected ordering, although we may want to move it even further down to avoid bumping following logic out of the synchronous prelude, e.g.:

    if (critical) {
      // The following error construction is a bit awkward, but (1) it saves us
      // from doing unmarshaling while in the kernel, while (2) it protects
      // against the info not actually encoding an error, but (3) it still
      // provides some diagnostic information back to the host, and (4) this
      // should happen rarely enough that if you have to do a little bit of
      // extra interpretive work on the receiving end to diagnose the problem,
      // it's going to be a small cost compared to the trouble you're probably
      // already in anyway if this happens.
      panic(`critical vat ${vatID} failed`, Error(info.body));
    } else if (vatAdminRootKref) {
      // static vat termination can happen before vat admin vat exists
      notifyTermination(
        vatID,
        vatAdminRootKref,
        shouldReject,
        info,
        queueToKref,
      );
    } else {
      console.log(
        `warning: vat ${vatID} terminated without a vatAdmin to report to`,
      );
    }

    // worker, if present, needs to be stopped (note that this only applies to ephemeral vats)
    deferred.push(() => vatWarehouse.stopWorker(vatID));

    await Promise.all(deferred);

[mhofman]

I actually would want to go a step further and remove the async nature of this function, but still make it return a promise. However that would release zalgo somewhat, so we should not do that in a hurry now.

Please go ahead with the proposed change above, but use PromiseAllOrErrors to avoid swallowing multiple errors.

[mhofman]

Filed #10073 to track addressing this footgun