Reconcile remote and existing inodes at update time
#386
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
To date we haven't thought too carefully about what happens if objects are put/deleted from the S3 bucket while conflicting state is present locally. There are a lot of edge cases here -- the Cartesian product of existing state (local/remote file/directory) and new remote state (file/directory), as well as two paths for inodes to be updated (readdir vs lookup). This change defines a semantics for these permutations. The overall idea is that (a) remote state shadows local state, and (b) directories shadow files. But those axioms alone aren't enough to break all ties; for example, what if the existing state is a local directory but the new state is a remote file -- which should win? I chose to break the tie by saying that remote directories > any local state > remote files. So, for example, if a user creates a local directory, and then a conflicting object appears in the remote bucket, the directory will still be visible instead of the new file. I spent some time trying to patch the existing inode update path to do what I needed but it ended up being easier to just refactor it. I think we could still find a better factoring for this path, but it now explicitly accounts for all the permutations above and does the right thing (at least according to our reference model) for them all. Happily, proptest has done a good job at rooting out the many edge cases, as you can see by all the new regression tests in this change. Signed-off-by: James Bornholt <bornholt@amazon.com>
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
jamesbornholt
commented
Jul 18, 2023
| @@ -62,7 +62,7 @@ impl Node { | |||
| #[derive(Debug)] | |||
| pub struct Reference { | |||
| /// Contents of our S3 bucket | |||
| remote_keys: Vec<(String, MockObject)>, | |||
| remote_keys: BTreeMap<String, MockObject>, | |||
There was a problem hiding this comment.
This change is just to de-duplicate keys. A HashMap would work too, but BTreeMap's ordering is deterministic.
passaro
requested changes
Jul 18, 2023
monthonk
reviewed
Jul 18, 2023
There was a problem hiding this comment.
Great work! it's nice to see we handle these edge cases properly and also be able to model them in the prop tests.
+1 on @passaro's comment that this behavior should be documented though I'm not sure where. The semantics document seems to be higher level than this, I think at least we should have it as Rust document at update_from_remote function.
Signed-off-by: James Bornholt <bornholt@amazon.com>
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
jamesbornholt
temporarily deployed
to
PR integration tests
GitHub Actions
Inactive
|
Going to do a broader documentation update for this separately. |
monthonk
approved these changes
Jul 19, 2023
passaro
approved these changes
Jul 19, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of change
To date we haven't thought too carefully about what happens if objects are put/deleted from the S3 bucket while conflicting state is present locally. There are a lot of edge cases here -- the Cartesian product of existing state (local/remote file/directory) and new remote state (file/directory), as well as two paths for inodes to be updated (readdir vs lookup).
This change defines a semantics for these permutations. The overall idea is that (a) remote state shadows local state, and (b) directories shadow files. But those axioms alone aren't enough to break all ties; for example, what if the existing state is a local directory but the new state is a remote file -- which should win? I chose to break the tie by saying that remote directories > any local state > remote files. So, for example, if a user creates a local directory, and then a conflicting object appears in the remote bucket, the directory will still be visible instead of the new file.
I spent some time trying to patch the existing inode update path to do what I needed but it ended up being clearer to just refactor it. I think we could still find a better factoring for this path, but it now explicitly accounts for all the permutations above and does the right thing (at least according to our reference model) for them all. Happily, proptest has done a good job at rooting out the many edge cases, as you can see by all the new regression tests in this change.
I've tested this change by running the proptests with 100,000 test cases and didn't see any failures.
Semantics details
Here's a table of the various permutations of new and existing state for a given inode and how we reconcile them:
I think the two unclear cases here are (Local file, Directory) and (Local directory, File). For the first one, if we preferred the local file over the directory, the file would disappear from view as soon as it became remote, which seems more surprising than just making it invisible immediately. For the second one, if we preferred the remote file over the local directory,
rmdirno longer works on the local directory, so it's not really "local" any more.The other interesting case is (Local file, File). I chose to prefer the local file because otherwise a user could read from "the same file" (actually the same path but a different file) while writing to it, which would give confusing behavior (can't read your own writes).
Fixes #128.
Does this change impact existing behavior?
Yes, this change specifies behavior for cases that previously were emergent. We've never defined the semantics for concurrent accesses before, so this change does so for the first time, and modifies some existing behaviors (mostly around remote objects changing between files and directories) to match that semantics.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the Developer Certificate of Origin (DCO).