Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add undeletetree command #2380

Closed
wants to merge 227 commits into from
Closed

Add undeletetree command #2380

wants to merge 227 commits into from

Conversation

pgporada
Copy link
Contributor

@pgporada pgporada commented Mar 1, 2021

While going through the steps to freeze testflume 2019 and 2020, I misstepped requiring me to undelete those shards. Thankfully you've all provided the UndeleteTree api call which made this far less stressful. The misstep was figuring out how to get a frozen_sth for certificate-transparency-go.

Here's how I detected that I needed this

$ curl -s https://testflume.ct.letsencrypt.org/2019/ct/v1/get-sth
Not Found
rpc error: code = NotFound desc = tree 7098813260217451818 not found

$ ./undeletetree --admin_server log-server:8090 --log_id=${LOG_ID}

MariaDB [database]> select TreeId,TreeState,DisplayName,Deleted from Trees;
+---------------------+-----------+-------------+---------+
| TreeId              | TreeState | DisplayName | Deleted |
+---------------------+-----------+-------------+---------+
| 2115833961257890595 | FROZEN    | 2020        |       1 |  
| 7098813260217451818 | FROZEN    | 2019        |       0 |   <==== undeleted
+---------------------+-----------+-------------+---------+
2 rows in set (0.001 sec)

$ curl -s https://testflume.ct.letsencrypt.org/2019/ct/v1/get-sth
{"tree_size":666628491,"timestamp":1614610745490,"sha256_root_hash":"ul1sABvz3nsF6GhyCPDOC2keQPQ8JWDKWIZXqqEWBcM=","tree_head_signature":"BAMARzBFAiAzRHa5zMh0g80Do0U51mGlzoK8uvbCLVgcYHfVdTKlsAIhAMnqPQ53hW9P5bnhksrxUI1yU8fwvt/lkr92bF9Oq84k"}

Here's what I should have done instead:

  1. Run updatetree --admin_server log-server:8090 --tree_id=${LOG_ID} -print -tree_state DRAINING
  2. Run updatetree --admin_server log-server:8090 --tree_id=${LOG_ID} -print -tree_state FROZEN
  3. Get the STH
  4. Run deletetree --admin_server log-server:8090 --tree_id=${LOG_ID}

@pgporada pgporada requested a review from a team as a code owner March 1, 2021 23:48
@Martin2112
Copy link
Contributor

If you're just freezing the tree then you don't need to call delete on it, it can stay in frozen state. There is a doc for this process. The draining state is to wait for integration of previous submissions to complete, new ones are blocked.

Maybe the code in this PR could be added to the deletetree command as a flag to avoid duplicating all the gRPC boilerplate?

pav-kv and others added 3 commits March 2, 2021 10:58
@pav-kv
NodeID: Remove unused BigInt format (google#2379)
6b396b7 
This format was only used by HStar2 which was recently removed.
@mhutchinson
Upgraded to a version of etcd compatible with newer grpc (google#2376)
074ffbb 
Trillian has been stuck on grpc < 1.30 - google#2195. This uses the v3 version of etcd which isn't using the experimental (and now deleted) grpc APIs

I've deleted the prometheus `etcdiscover` tool in this commit. This can be re-added if it is used, and we can find a way to test it. The upgrade path for this looks non-trivial (the etcd watcher API has changed significantly).
@pgporada
Move undelete_tree flag into deletetree binary
a9920a6
@pgporada
Copy link
Contributor Author

pgporada commented Mar 2, 2021

@Martin2112 Good idea. I've pushed a change that adds a new flag to deletetree.

@pgporada
Copy link
Contributor Author

pgporada commented Mar 2, 2021

If you're just freezing the tree then you don't need to call delete on it, it can stay in frozen state. There is a doc for this process. The draining state is to wait for integration of previous submissions to complete, new ones are blocked.

I followed the doc and built one tailored to our specific environment. We want to have the treeGC delete the frozen data hence the deletetree call. However, upon running deletetree I was unable to get an STH prompting me to use undeletetree.

Currently our shards are frozen, not deleted. When I find a solution to google/certificate-transparency-go#773 I will be deleting the shards.

dependabot-preview bot and others added 20 commits March 2, 2021 18:58
@dependabot-preview @NatalieDoduc
Bump github.com/apache/beam from 2.27.0+incompatible to 2.28.0+incomp…
c0945bb 
…atible (google#2371)

* Bump github.com/apache/beam

Bumps [github.com/apache/beam](https://github.com/apache/beam) from 2.27.0+incompatible to 2.28.0+incompatible.
- [Release notes](https://github.com/apache/beam/releases)
- [Changelog](https://github.com/apache/beam/blob/master/CHANGES.md)
- [Commits](apache/beam@v2.27.0...v2.28.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Run `go mod tidy` on dependabot change.

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: NatalieDoduc <nataliedoduc@google.com>
@mhutchinson
Bumped cloud.google.com/go/spanner and mod tidy (google#2382)
bea0969 
This supersedes google#2374.
@mhutchinson
Support skipping processing go mod tidy (google#2383)
305ae4c 
This allows the cloudbuild to accept diffs from dependabot without more manual intervention. It does allow humans to also submit changes without running mod tidy, but hopefully we're all better disciplined than that. By default, ./scripts/presubmit will still fix up the go.sum file.
@mhutchinson
Fix errors about missing go_package in proto files (google#2384)
996b438 
Warnings are otherwise being printed saying that these proto files will not be supported in a future version of the compiler.

This requires more magic options being passed to protoc via gen.go files, but only along the same theme that we have in the other gen.go files in the codebase (without this the pb.go files are put in a hilariously nested directory starting `github.com/` rooted at the `gen.go` file, which seems like something that nobody would want, ever).
@dependabot-preview @mhutchinson
Bump go.opencensus.io from 0.22.4 to 0.23.0 (google#2372)
6486c50 
Bumps [go.opencensus.io](https://github.com/census-instrumentation/opencensus-go) from 0.22.4 to 0.23.0.
- [Release notes](https://github.com/census-instrumentation/opencensus-go/releases)
- [Commits](census-instrumentation/opencensus-go@v0.22.4...v0.23.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Martin Hutchinson <mhutchinson@gmail.com>
@dependabot-preview @mhutchinson
Bump contrib.go.opencensus.io/exporter/stackdriver from 0.13.4 to 0.1…
f75d650 
…3.5 (google#2314)

* Bump contrib.go.opencensus.io/exporter/stackdriver from 0.13.4 to 0.13.5

Bumps [contrib.go.opencensus.io/exporter/stackdriver](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver) from 0.13.4 to 0.13.5.
- [Release notes](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/releases)
- [Commits](census-ecosystem/opencensus-go-exporter-stackdriver@v0.13.4...v0.13.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* go mod tidy

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Martin Hutchinson <mhutchinson@gmail.com>
@dependabot-preview @mhutchinson
Bump github.com/pseudomuto/protoc-gen-doc from 1.3.2 to 1.4.1 (google…
b48ce37 
…#2293)

* Bump github.com/pseudomuto/protoc-gen-doc from 1.3.2 to 1.4.1

Bumps [github.com/pseudomuto/protoc-gen-doc](https://github.com/pseudomuto/protoc-gen-doc) from 1.3.2 to 1.4.1.
- [Release notes](https://github.com/pseudomuto/protoc-gen-doc/releases)
- [Changelog](https://github.com/pseudomuto/protoc-gen-doc/blob/master/CHANGELOG.md)
- [Commits](pseudomuto/protoc-gen-doc@v1.3.2...v1.4.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* go mod tidy

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Martin Hutchinson <mhutchinson@gmail.com>
@paulmattei
update gcp terraform config (google#2387)
6d6ecd6 
* use gke version 1.19

* Changed cpu type to e2

* updated cluster name to match ci env

* added terrafrom change
@mhutchinson
go mod tidy with go1.16 (google#2388)
d328916 
This version of go prunes the go.sum file a little harder, so getting this in now so it doesn't fall into another PR as an incidental change.
@dependabot-preview @mhutchinson
Bump github.com/lib/pq from 1.9.0 to 1.10.0 (google#2385)
4675d76 
* Bump github.com/lib/pq from 1.9.0 to 1.10.0

Bumps [github.com/lib/pq](https://github.com/lib/pq) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/lib/pq/releases)
- [Commits](lib/pq@v1.9.0...v1.10.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* go mod tidy

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Martin Hutchinson <mhutchinson@gmail.com>
@dependabot-preview @mhutchinson
Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (google#2386)
89aa92d 
* Bump github.com/google/go-cmp from 0.5.4 to 0.5.5

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.5.4...v0.5.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* go mod tidy

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Martin Hutchinson <mhutchinson@gmail.com>
@pav-kv
dump_tree: Collate various bits in one place (google#2390)
3ca5674
@dependabot-preview
Create Dependabot config file (google#2392)
e2f3f42 
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

This will make dependabot use the latest version instead of the legacy version.
@dependabot
Bump google.golang.org/api from 0.40.0 to 0.41.0 (google#2393)
a9d251b 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.40.0 to 0.41.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/master/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.40.0...v0.41.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@pav-kv
storage: Remove revision from GetMerkleNodes (google#2391)
bfb7a0d 
Log trees always read from the revision corresponding to the root which
is read in the beginning of the transaction. There is no need for it to
make a roundtrip to the application layer.
@pav-kv
Use 64 bits for node IDs and SubtreeCache (google#2394)
a431457
@pav-kv
storage: Use compact.NodeID (google#2395)
fa9aa84 
The old NodeID type is very complex. This change replaces it with
the simple compact.NodeID from the application layer all the way down
to SubtreeCache, but the latter still uses the old type. In follow-up
changes it will be removed completely.
@pav-kv
storage: Remove unused convert package (google#2397)
88ed3bf
@pphaneuf
Add myself to the CODEOWNERS file for protos.
eaa8d4d
@pav-kv
storage: Remove unused proto (google#2396)
2781120
dependabot bot and others added 15 commits October 5, 2021 09:41
@dependabot
Bump golang.org/x/tools from 0.1.6 to 0.1.7 (google#2618)
7840688 
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.6 to 0.1.7.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.1.6...v0.1.7)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @AlCutter
Bump google.golang.org/grpc from 1.40.0 to 1.41.0
ebdb68e 
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.40.0 to 1.41.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.40.0...v1.41.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @AlCutter
Bump google.golang.org/api from 0.57.0 to 0.58.0
472e3d9 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.57.0 to 0.58.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/master/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.57.0...v0.58.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @AlCutter
Bump github.com/fullstorydev/grpcurl from 1.8.2 to 1.8.5
3ee622f 
Bumps [github.com/fullstorydev/grpcurl](https://github.com/fullstorydev/grpcurl) from 1.8.2 to 1.8.5.
- [Release notes](https://github.com/fullstorydev/grpcurl/releases)
- [Changelog](https://github.com/fullstorydev/grpcurl/blob/master/.goreleaser.yml)
- [Commits](fullstorydev/grpcurl@v1.8.2...v1.8.5)

---
updated-dependencies:
- dependency-name: github.com/fullstorydev/grpcurl
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @AlCutter
Bump github.com/apache/beam from 2.32.0+incompatible to 2.33.0+incomp…
5af22d0 
…atible (google#2620)

* Bump github.com/apache/beam

Bumps [github.com/apache/beam](https://github.com/apache/beam) from 2.32.0+incompatible to 2.33.0+incompatible.
- [Release notes](https://github.com/apache/beam/releases)
- [Changelog](https://github.com/apache/beam/blob/master/CHANGES.md)
- [Commits](apache/beam@v2.32.0...v2.33.0)

---
updated-dependencies:
- dependency-name: github.com/apache/beam
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* go get beam@2.33.0+incompatible

* go get github.com/apache/beam/sdks/v2

* Update code with v2 beam sdks import path

* go get more beam deps

* Regenerate shims

* missing etcdctl command

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Al Cutter <al@google.com>
@mhutchinson
Use an older version of kaniko to attempt build fix (google#2629)
4ed4156 
Looks like this was updated yesterday and the 'latest' tag is pointing at something new, and we're seeing auth problems. This is a stab in the dark to see if using the old version fixes the problem. If this works, it should be temporary.
@mhutchinson
Added beam tool used in 'go generate' to tools (google#2628)
9332c08 
Also 'go mod tidy' to clean it up. This will unblock dependabot which is stumbling over this at the moment. Unclear what has changed.
@dependabot
Bump cloud.google.com/go/spanner from 1.25.0 to 1.27.0 (google#2630)
ef6a852 
Bumps [cloud.google.com/go/spanner](https://github.com/googleapis/google-cloud-go) from 1.25.0 to 1.27.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md)
- [Commits](googleapis/google-cloud-go@spanner/v1.25.0...spanner/v1.27.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/spanner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@mhutchinson
Bump go.etcd.io/etcd/*/v3 from 3.5.0 to 3.5.1 (google#2631)
41db1b0
@dependabot
Bump google.golang.org/api from 0.58.0 to 0.59.0 (google#2632)
c3be644 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.58.0 to 0.59.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/master/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.58.0...v0.59.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump contrib.go.opencensus.io/exporter/stackdriver (google#2634)
936c953 
Bumps [contrib.go.opencensus.io/exporter/stackdriver](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver) from 0.13.8 to 0.13.10.
- [Release notes](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/releases)
- [Commits](census-ecosystem/opencensus-go-exporter-stackdriver@v0.13.8...v0.13.10)

---
updated-dependencies:
- dependency-name: contrib.go.opencensus.io/exporter/stackdriver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump google.golang.org/api from 0.59.0 to 0.60.0 (google#2633)
b020860 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.59.0 to 0.60.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/master/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.59.0...v0.60.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump google.golang.org/grpc from 1.41.0 to 1.42.0 (google#2635)
050f91c 
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.41.0 to 1.42.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.41.0...v1.42.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@mhutchinson
Use the extracted merkle library (google#2636)
8f8d6d2 
The merkle library in this repo can be marked as deprecated after this. New clients would be better served by using the smaller module, especially for client-side code which will not need all the server-side dependencies that this repository has collected.
@pgporada
Address presubmit lint warning
c73f2a7
@pgporada
Copy link
Contributor Author

@mhutchinson Could you do a /gcbrun for this please?

@mhutchinson
Copy link
Contributor

/gcbrun

@dependabot
Bump bitbucket.org/creachadair/shell from 0.0.6 to 0.0.7 (google#2637)
081150f 
Bumps [bitbucket.org/creachadair/shell](https://bitbucket.org/creachadair/shell) from 0.0.6 to 0.0.7.
- [Commits](https://bitbucket.org/creachadair/shell/branches/compare/v0.0.7..v0.0.6)

---
updated-dependencies:
- dependency-name: bitbucket.org/creachadair/shell
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@mhutchinson
Copy link
Contributor

This is failing cloudbuild with errors unrelated to this change:

Running: kubectl apply --server-dry-run -f=examples/deployment/kubernetes/etcd-deployment.yaml
Error: unknown flag: --server-dry-run

This appears to be Praqma/helmsman#607, which is old, but does align with the time this PR was first created.

@pgporada can you rebase this and we'll try again?

@mhutchinson
Copy link
Contributor

mhutchinson commented Nov 18, 2021
edited
Loading

Actually it's even simpler than that. It's just that the flag format was actually changed in this repo to work around the change upstream: 54802f7. Once we have that change in this PR we should be golden.

@mhutchinson mhutchinson mentioned this pull request Nov 29, 2021
Merged
@mhutchinson
Copy link
Contributor

mhutchinson commented Nov 29, 2021
edited
Loading

This rebase seems to have gone awry and all of the recent history in the repo is showing as being applied. When I check this out locally the diff against master is fine, but I don't know what's going to happen with the commit history here. I've cherry picked the logical changes on top of HEAD and proposed #2638 in the interests of getting this in. If you are able to fix the git history then we can drop the other and merge this. In case it's helpful, the flow I use for updating branches for github is:

  • git checkout master
  • git pull
  • git checkout $workingbranch
  • git rebase -i master
  • git push -f

@mhutchinson
Copy link
Contributor

#2638 is merged. Going to close this one now. Thanks for adding this Phil :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pphaneuf pphaneuf pphaneuf left review comments

@Martin2112 Martin2112 Martin2112 approved these changes

@mhutchinson mhutchinson Awaiting requested review from mhutchinson mhutchinson is a code owner

@AlCutter AlCutter Awaiting requested review from AlCutter AlCutter is a code owner

Assignees

@pgporada pgporada

Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@pgporada @Martin2112 @mhutchinson @pphaneuf @googlebot @pav-kv @paulmattei @AlCutter @smeiklej