strategy: add new marker_file strategy
#540
Conversation
src/strategy/filesystem.rs
Outdated
| let mode = attr.permissions().mode(); | ||
|
|
||
| // Octal 100644 represents regular file, rw-r--r--. | ||
| if mode != 0o100644 { |
There was a problem hiding this comment.
I may have missed it, why are we strictly requiring 0644?
There was a problem hiding this comment.
I thought this would be to prevent non-root users from being able to modify it, since this directly affects reboots.
Edit: I found out that as long as we set the directory to be owned by Zincati and not writable by others that'll satisfy our requirements for not letting non-root users add and remove files. So we just need to require it to be a regular file and not writable by others.
|
I'd like to flush out the current pile of changes into a release before getting into reviewing this. Additionally, this should come with some docs for users. |
|
@lucab yep, still working on the docs and possibly some kola tests. (sorry forgot to apply |
|
Notes: |
src/strategy/marker_file.rs
Outdated
| anyhow::bail!("file is not regular file"); | ||
| } | ||
|
|
||
| ensure_owned_by_root(&attr)?; |
There was a problem hiding this comment.
Do we still need this check if /var/lib/zincati is owned by the zincati user already anyway?
There was a problem hiding this comment.
No, we trust systemd-tmpfiles for that (also, it's probably fine if the hierarchy is owned by root either).
kelvinfan001
changed the title
marker_file strategy
| - named `allowfinalize.json` | ||
| - under `/var/lib/zincati/admin/strategy/marker_file` |
There was a problem hiding this comment.
- named `allowfinalize.json`
- under `/var/lib/zincati/admin/strategy/marker_file`
I wonder how this will work if you have multiple containers that might need to control reboot. If they are all trying to edit a single file then it gets problematic. Could or should we support multiple files under here?
There was a problem hiding this comment.
That's a legit point but I'd say it's outside of the scope of this strategy. Specifically, here we have a bias towards a single controller who can be audited/blamed for finalization decisions.
Multiple un-coordinated agents are a likely interesting case but it possibly needs either 1) higher-level coordination, or 2) a different approach (i.e. some kind of rule to determine who makes the final go/no-go call).
| If any of the above is not satisfied in your marker file, Zincati will not allow reboots. | ||
|
|
||
| `allowfinalize.json` can optionally contain an `allowUntil` key with a Unix timestamp integer as its value to indicate the expiry date and time of this marker file. If the current time timestamp is _greater than or equal to_ this timestamp, then reboots will not be allowed. | ||
| Otherwise, if the `allowUntil` key is not present, reboots will be allowed for as long as `allowfinalize.json` exists (in the right location), and it must be removed to disallow reboots. |
There was a problem hiding this comment.
Thinking aloud: do we need this to be optional right now? I am not fully sold on this way to say "allow all finalizations forever". Should we maybe start with making this mandatory and relax this to an Option later on if there is a need to?
There was a problem hiding this comment.
I was thinking that the ability to leave a (valid) file in the directory forever would allow for the use case of "allow reboots for the most part unless I need to disallow it for a while". So for example, if theoretically Dusty's containers had some central controller, that controller could easily make use of this new strategy.
| | sudo tee /var/lib/zincati/admin/strategy/marker_file/allowfinalize.json | ||
| ``` | ||
|
|
||
| Warning: In `jq` versions `1.6` and lower, `jq` [may output incorrect Unix timestamps][jq_bug] for certain datetimes on machines with certain `localtime`s. |
There was a problem hiding this comment.
This sounds scary enough, do we want fromdateiso8601 maybe instead?
There was a problem hiding this comment.
I think fromdateiso8601 is the same as fromdate right now, but right, I think fromdateiso8601 would be more explicit.
src/strategy/marker_file.rs
Outdated
| anyhow::bail!("file is not regular file"); | ||
| } | ||
|
|
||
| ensure_owned_by_root(&attr)?; |
There was a problem hiding this comment.
No, we trust systemd-tmpfiles for that (also, it's probably fine if the hierarchy is owned by root either).
|
Dusty was commenting out-of-band that the name here is still somehow suboptimal, possibly because still too generic. /cc @dustymabe |
|
@kai-uwe-rommel we do envision this strategy (name still to be finalized) to provide the basic primitive for a central manager (like Ansible) pushing finalization markers to individual hosts. |
Yes. We were discussing this in the context of default allow versus default disallow (inhibit). This name is only sub-optimal if it doesn't cover both of those scenarios (which it currently doesn't) and we want to add another strategy later for the default to allow case in which case we might want to make it more obvious what the difference is between the two strategies. Random ideas:
I'm not really in love with any of them. |
Sorry if this had already been discussed/clarified before elsewhere, but I still feel like default allow and default disallow is not too important here for this strategy. In theory, if there were a reliable single controller that is in charge of writing and removing a marker file, then the "defaults" for this strategy is totally up to the controller, right? I do recall vaguely it being mentioned that it is easier to touch a file than to remove a file, or vice versa, and so there might be some preference around whether we would like to default to Zincati being stuck in either constantly allowing reboots or constantly denying reboots. But I feel like this is a separate issue. I think the key point for this strategy, in my opinion, is the emphasis that there should be a single controller that is the single decider on whether finalizations are allowed. If multiple processes/containers wanted to express their intent to allow/disallow reboots, that should be communicated to the central controller, rather than to Zincati's update strategy directly. Let me know if I've misunderstood anything :) |
Thanks. Yes, that looks good, i.e. practical. It would allow us to explicitly upgrade a bunch of machines via a central action (Ansible) within a defined maintenance window. |
|
@lucab I think this should be ready for another look as well. |
bump |
Add a simple, flexible strategy that checks the directory `/var/lib/zincati/admin/marker_file_strategy` for a JSON file (optionally containing an expiry timestamp key) named `allowfinalize.json` and allows update finalization if such file exists and has the proper permissions.
This explains how the `marker_file` strategy works and how to configure it.
|
Will be very useful! Keep up the good work folks. |
|
I'd like to revive this at some point. The PR was closed but it doesn't say who or why it was closed. |
I think what happened there is that the fork was closed, so GitHub auto-closed all PRs from it. |
Add a simple, flexible strategy that checks
/var/lib/zincatifora JSON file (optionally containing an expiry timestamp key) named
allowfinalize.jsonand allows update finalization if such fileexists and has the proper permissions.
See #245 (comment) for the rationale for this new strategy.