NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commit6651c16

authored

fix: avoid terraform state concurrent access, remove global mutex (#5273)

1 parent85a6d14 commit6651c16Copy full SHA for 6651c16

File tree

5 files changed

+63

-54

lines changed

cli
- server.go
provisionerd
- provisionerd.go
provisioner/terraform

5 files changed

+63

-54

lines changed

`‎cli/server.go‎`

Lines changed: 15 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,14 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`112`	`112`	`notifyCtx,notifyStop:=signal.NotifyContext(ctx,InterruptSignals...)`
`113`	`113`	`defernotifyStop()`
`114`	`114`
	`115`	`+// Ensure we have a unique cache directory for this process.`
	`116`	`+cacheDir:=filepath.Join(cfg.CacheDirectory.Value,uuid.NewString())`
	`117`	`+err=os.MkdirAll(cacheDir,0o700)`
	`118`	`+iferr!=nil {`
	`119`	`+returnxerrors.Errorf("create cache directory: %w",err)`
	`120`	`+}`
	`121`	`+deferos.RemoveAll(cacheDir)`
	`122`	`+`
`115`	`123`	`// Clean up idle connections at the end, e.g.`
`116`	`124`	`// embedded-postgres can leave an idle connection`
`117`	`125`	`// which is caught by goleaks.`
`@@ -355,7 +363,7 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`355`	`363`	`Database:databasefake.New(),`
`356`	`364`	`DERPMap:derpMap,`
`357`	`365`	`Pubsub:database.NewPubsubInMemory(),`
`358`		`-CacheDir:cfg.CacheDirectory.Value,`
	`366`	`+CacheDir:cacheDir,`
`359`	`367`	`GoogleTokenValidator:googleTokenValidator,`
`360`	`368`	`GitAuthConfigs:gitAuthConfigs,`
`361`	`369`	`RealIPConfig:realIPConfig,`
`@@ -632,7 +640,8 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`632`	`640`	`}()`
`633`	`641`	`provisionerdMetrics:=provisionerd.NewMetrics(options.PrometheusRegistry)`
`634`	`642`	`fori:=0;i<cfg.Provisioner.Daemons.Value;i++ {`
`635`		`-daemon,err:=newProvisionerDaemon(ctx,coderAPI,provisionerdMetrics,logger,cfg,errCh,false)`
	`643`	`+daemonCacheDir:=filepath.Join(cacheDir,fmt.Sprintf("provisioner-%d",i))`
	`644`	`+daemon,err:=newProvisionerDaemon(ctx,coderAPI,provisionerdMetrics,logger,cfg,daemonCacheDir,errCh,false)`
`636`	`645`	`iferr!=nil {`
`637`	`646`	`returnxerrors.Errorf("create provisioner daemon: %w",err)`
`638`	`647`	`}`
`@@ -902,6 +911,7 @@ func newProvisionerDaemon(`
`902`	`911`	`metrics provisionerd.Metrics,`
`903`	`912`	`logger slog.Logger,`
`904`	`913`	`cfg*codersdk.DeploymentConfig,`
	`914`	`+cacheDirstring,`
`905`	`915`	`errChchanerror,`
`906`	`916`	`devbool,`
`907`	`917`	`) (srv*provisionerd.Server,errerror) {`
`@@ -912,9 +922,9 @@ func newProvisionerDaemon(`
`912`	`922`	`}`
`913`	`923`	`}()`
`914`	`924`
`915`		`-err=os.MkdirAll(cfg.CacheDirectory.Value,0o700)`
	`925`	`+err=os.MkdirAll(cacheDir,0o700)`
`916`	`926`	`iferr!=nil {`
`917`		`-returnnil,xerrors.Errorf("mkdir %q: %w",cfg.CacheDirectory.Value,err)`
	`927`	`+returnnil,xerrors.Errorf("mkdir %q: %w",cacheDir,err)`
`918`	`928`	`}`
`919`	`929`
`920`	`930`	`terraformClient,terraformServer:=provisionersdk.MemTransportPipe()`
`@@ -930,7 +940,7 @@ func newProvisionerDaemon(`
`930`	`940`	`ServeOptions:&provisionersdk.ServeOptions{`
`931`	`941`	`Listener:terraformServer,`
`932`	`942`	`},`
`933`		`-CachePath:cfg.CacheDirectory.Value,`
	`943`	`+CachePath:cacheDir,`
`934`	`944`	`Logger:logger,`
`935`	`945`	`})`
`936`	`946`	`iferr!=nil&&!xerrors.Is(err,context.Canceled) {`

`‎provisioner/terraform/executor.go‎`

Lines changed: 34 additions & 41 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,27 +23,15 @@ import (`
`23`	`23`	`"github.com/coder/coder/provisionersdk/proto"`
`24`	`24`	`)`
`25`	`25`
`26`		`-// initMut is a global mutex that protects the Terraform cache directory from`
`27`		-// concurrent usage by path. Only `terraform init` commands are guarded by this
`28`		`-// mutex.`
`29`		`-//`
`30`		`-// When cache path is set, we must protect against multiple calls to`
`31`		-// `terraform init`.
`32`		`-//`
`33`		`-// From the Terraform documentation:`
`34`		`-//`
`35`		`-//Note: The plugin cache directory is not guaranteed to be concurrency`
`36`		`-//safe. The provider installer's behavior in environments with multiple`
`37`		`-//terraform init calls is undefined.`
`38`		`-varinitMut=&sync.Mutex{}`
`39`		`-`
`40`	`26`	`typeexecutorstruct {`
	`27`	`+mut*sync.Mutex`
`41`	`28`	`binaryPathstring`
`42`		`-cachePathstring`
`43`		`-workdirstring`
	`29`	`+// cachePath and workdir must not be used by multiple processes at once.`
	`30`	`+cachePathstring`
	`31`	`+workdirstring`
`44`	`32`	`}`
`45`	`33`
`46`		`-func (eexecutor)basicEnv() []string {`
	`34`	`+func (e*executor)basicEnv() []string {`
`47`	`35`	`// Required for "terraform init" to find "git" to`
`48`	`36`	`// clone Terraform modules.`
`49`	`37`	`env:=safeEnviron()`
`@@ -55,7 +43,8 @@ func (e executor) basicEnv() []string {`
`55`	`43`	`returnenv`
`56`	`44`	`}`
`57`	`45`
`58`		`-func (eexecutor)execWriteOutput(ctx,killCtx context.Context,args,env []string,stdOutWriter,stdErrWriter io.WriteCloser) (errerror) {`
	`46`	`+// execWriteOutput must only be called while the lock is held.`
	`47`	`+func (e*executor)execWriteOutput(ctx,killCtx context.Context,args,env []string,stdOutWriter,stdErrWriter io.WriteCloser) (errerror) {`
`59`	`48`	`deferfunc() {`
`60`	`49`	`closeErr:=stdOutWriter.Close()`
`61`	`50`	`iferr==nil&&closeErr!=nil {`
`@@ -98,7 +87,8 @@ func (e executor) execWriteOutput(ctx, killCtx context.Context, args, env []stri`
`98`	`87`	`returncmd.Wait()`
`99`	`88`	`}`
`100`	`89`
`101`		`-func (eexecutor)execParseJSON(ctx,killCtx context.Context,args,env []string,vinterface{})error {`
	`90`	`+// execParseJSON must only be called while the lock is held.`
	`91`	`+func (e*executor)execParseJSON(ctx,killCtx context.Context,args,env []string,vinterface{})error {`
`102`	`92`	`ifctx.Err()!=nil {`
`103`	`93`	`returnctx.Err()`
`104`	`94`	`}`
`@@ -133,7 +123,7 @@ func (e executor) execParseJSON(ctx, killCtx context.Context, args, env []string`
`133`	`123`	`returnnil`
`134`	`124`	`}`
`135`	`125`
`136`		`-func (eexecutor)checkMinVersion(ctx context.Context)error {`
	`126`	`+func (e*executor)checkMinVersion(ctx context.Context)error {`
`137`	`127`	`v,err:=e.version(ctx)`
`138`	`128`	`iferr!=nil {`
`139`	`129`	`returnerr`
`@@ -147,7 +137,8 @@ func (e executor) checkMinVersion(ctx context.Context) error {`
`147`	`137`	`returnnil`
`148`	`138`	`}`
`149`	`139`
`150`		`-func (eexecutor)version(ctx context.Context) (*version.Version,error) {`
	`140`	`+// version doesn't need the lock because it doesn't read or write to any state.`
	`141`	`+func (eexecutor)version(ctx context.Context) (version.Version,error) {`
`151`	`142`	`returnversionFromBinaryPath(ctx,e.binaryPath)`
`152`	`143`	`}`
`153`	`144`
`@@ -177,7 +168,10 @@ func versionFromBinaryPath(ctx context.Context, binaryPath string) (*version.Ver`
`177`	`168`	`returnversion.NewVersion(vj.Version)`
`178`	`169`	`}`
`179`	`170`
`180`		`-func (eexecutor)init(ctx,killCtx context.Context,logrlogSink)error {`
	`171`	`+func (e*executor)init(ctx,killCtx context.Context,logrlogSink)error {`
	`172`	`+e.mut.Lock()`
	`173`	`+defere.mut.Unlock()`
	`174`	`+`
`181`	`175`	`outWriter,doneOut:=logWriter(logr,proto.LogLevel_DEBUG)`
`182`	`176`	`errWriter,doneErr:=logWriter(logr,proto.LogLevel_ERROR)`
`183`	`177`	`deferfunc() {`
`@@ -193,23 +187,14 @@ func (e executor) init(ctx, killCtx context.Context, logr logSink) error {`
`193`	`187`	`"-input=false",`
`194`	`188`	`}`
`195`	`189`
`196`		`-// When cache path is set, we must protect against multiple calls`
`197`		-// to `terraform init`.
`198`		`-//`
`199`		`-// From the Terraform documentation:`
`200`		`-// Note: The plugin cache directory is not guaranteed to be`
`201`		`-// concurrency safe. The provider installer's behavior in`
`202`		`-// environments with multiple terraform init calls is undefined.`
`203`		`-ife.cachePath!="" {`
`204`		`-initMut.Lock()`
`205`		`-deferinitMut.Unlock()`
`206`		`-}`
`207`		`-`
`208`	`190`	`returne.execWriteOutput(ctx,killCtx,args,e.basicEnv(),outWriter,errWriter)`
`209`	`191`	`}`
`210`	`192`
`211`	`193`	`// revive:disable-next-line:flag-parameter`
`212`		`-func (eexecutor)plan(ctx,killCtx context.Context,env,vars []string,logrlogSink,destroybool) (*proto.Provision_Response,error) {`
	`194`	`+func (eexecutor)plan(ctx,killCtx context.Context,env,vars []string,logrlogSink,destroybool) (proto.Provision_Response,error) {`
	`195`	`+e.mut.Lock()`
	`196`	`+defere.mut.Unlock()`
	`197`	`+`
`213`	`198`	`planfilePath:=filepath.Join(e.workdir,"terraform.tfplan")`
`214`	`199`	`args:= []string{`
`215`	`200`	`"plan",`
`@@ -257,7 +242,8 @@ func (e executor) plan(ctx, killCtx context.Context, env, vars []string, logr lo`
`257`	`242`	`},nil`
`258`	`243`	`}`
`259`	`244`
`260`		`-func (eexecutor)planResources(ctx,killCtx context.Context,planfilePathstring) ([]*proto.Resource,error) {`
	`245`	`+// planResources must only be called while the lock is held.`
	`246`	`+func (eexecutor)planResources(ctx,killCtx context.Context,planfilePathstring) ([]proto.Resource,error) {`
`261`	`247`	`plan,err:=e.showPlan(ctx,killCtx,planfilePath)`
`262`	`248`	`iferr!=nil {`
`263`	`249`	`returnnil,xerrors.Errorf("show terraform plan file: %w",err)`
`@@ -270,14 +256,16 @@ func (e executor) planResources(ctx, killCtx context.Context, planfilePath strin`
`270`	`256`	`returnConvertResources(plan.PlannedValues.RootModule,rawGraph)`
`271`	`257`	`}`
`272`	`258`
`273`		`-func (eexecutor)showPlan(ctx,killCtx context.Context,planfilePathstring) (*tfjson.Plan,error) {`
	`259`	`+// showPlan must only be called while the lock is held.`
	`260`	`+func (eexecutor)showPlan(ctx,killCtx context.Context,planfilePathstring) (tfjson.Plan,error) {`
`274`	`261`	`args:= []string{"show","-json","-no-color",planfilePath}`
`275`	`262`	`p:=new(tfjson.Plan)`
`276`	`263`	`err:=e.execParseJSON(ctx,killCtx,args,e.basicEnv(),p)`
`277`	`264`	`returnp,err`
`278`	`265`	`}`
`279`	`266`
`280`		`-func (eexecutor)graph(ctx,killCtx context.Context) (string,error) {`
	`267`	`+// graph must only be called while the lock is held.`
	`268`	`+func (e*executor)graph(ctx,killCtx context.Context) (string,error) {`
`281`	`269`	`ifctx.Err()!=nil {`
`282`	`270`	`return"",ctx.Err()`
`283`	`271`	`}`
`@@ -302,9 +290,12 @@ func (e executor) graph(ctx, killCtx context.Context) (string, error) {`
`302`	`290`	`}`
`303`	`291`
`304`	`292`	`// revive:disable-next-line:flag-parameter`
`305`		`-func (eexecutor)apply(`
	`293`	`+func (e*executor)apply(`
`306`	`294`	`ctx,killCtx context.Context,plan []byte,env []string,logrlogSink,`
`307`	`295`	`) (*proto.Provision_Response,error) {`
	`296`	`+e.mut.Lock()`
	`297`	`+defere.mut.Unlock()`
	`298`	`+`
`308`	`299`	`planFile,err:=ioutil.TempFile("","coder-terrafrom-plan")`
`309`	`300`	`iferr!=nil {`
`310`	`301`	`returnnil,xerrors.Errorf("create plan file: %w",err)`
`@@ -356,7 +347,8 @@ func (e executor) apply(`
`356`	`347`	`},nil`
`357`	`348`	`}`
`358`	`349`
`359`		`-func (eexecutor)stateResources(ctx,killCtx context.Context) ([]*proto.Resource,error) {`
	`350`	`+// stateResources must only be called while the lock is held.`
	`351`	`+func (eexecutor)stateResources(ctx,killCtx context.Context) ([]proto.Resource,error) {`
`360`	`352`	`state,err:=e.state(ctx,killCtx)`
`361`	`353`	`iferr!=nil {`
`362`	`354`	`returnnil,err`
`@@ -375,7 +367,8 @@ func (e executor) stateResources(ctx, killCtx context.Context) ([]*proto.Resourc`
`375`	`367`	`returnresources,nil`
`376`	`368`	`}`
`377`	`369`
`378`		`-func (eexecutor)state(ctx,killCtx context.Context) (*tfjson.State,error) {`
	`370`	`+// state must only be called while the lock is held.`
	`371`	`+func (eexecutor)state(ctx,killCtx context.Context) (tfjson.State,error) {`
`379`	`372`	`args:= []string{"show","-json","-no-color"}`
`380`	`373`	`state:=&tfjson.State{}`
`381`	`374`	`err:=e.execParseJSON(ctx,killCtx,args,e.basicEnv(),state)`

`‎provisioner/terraform/provision_test.go‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ func readProvisionLog(t *testing.T, response proto.DRPCProvisioner_ProvisionClie`
`77`	`77`
`78`	`78`	`iflog:=msg.GetLog();log!=nil {`
`79`	`79`	`t.Log(log.Level.String(),log.Output)`
`80`		`-logBuf.WriteString(log.Output)`
	`80`	`+_,_=logBuf.WriteString(log.Output)`
`81`	`81`	`}`
`82`	`82`	`ifc=msg.GetComplete();c!=nil {`
`83`	`83`	`require.Empty(t,c.Error)`
`@@ -190,8 +190,6 @@ func TestProvision_Cancel(t *testing.T) {`
`190`	`190`	`funcTestProvision(t*testing.T) {`
`191`	`191`	`t.Parallel()`
`192`	`192`
`193`		`-ctx,api:=setupProvisioner(t,nil)`
`194`		`-`
`195`	`193`	`testCases:= []struct {`
`196`	`194`	`Namestring`
`197`	`195`	`Filesmap[string]string`
`@@ -329,6 +327,8 @@ func TestProvision(t *testing.T) {`
`329`	`327`	`t.Run(testCase.Name,func(t*testing.T) {`
`330`	`328`	`t.Parallel()`
`331`	`329`
	`330`	`+ctx,api:=setupProvisioner(t,nil)`
	`331`	`+`
`332`	`332`	`directory:=t.TempDir()`
`333`	`333`	`forpath,content:=rangetestCase.Files {`
`334`	`334`	`err:=os.WriteFile(filepath.Join(directory,path), []byte(content),0o600)`

`‎provisioner/terraform/serve.go‎`

Lines changed: 9 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package terraform`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`	`5`	`"path/filepath"`
	`6`	`+"sync"`
`6`	`7`	`"time"`
`7`	`8`
`8`	`9`	`"github.com/cli/safeexec"`
`@@ -22,8 +23,9 @@ type ServeOptions struct {`
`22`	`23`	`// BinaryPath specifies the "terraform" binary to use.`
`23`	`24`	`// If omitted, the $PATH will attempt to find it.`
`24`	`25`	`BinaryPathstring`
`25`		`-CachePathstring`
`26`		`-Logger slog.Logger`
	`26`	`+// CachePath must not be used by multiple processes at once.`
	`27`	`+CachePathstring`
	`28`	`+Logger slog.Logger`
`27`	`29`
`28`	`30`	`// ExitTimeout defines how long we will wait for a running Terraform`
`29`	`31`	`// command to exit (cleanly) if the provision was stopped. This only`
`@@ -91,6 +93,7 @@ func Serve(ctx context.Context, options *ServeOptions) error {`
`91`	`93`	`options.ExitTimeout=defaultExitTimeout`
`92`	`94`	`}`
`93`	`95`	`returnprovisionersdk.Serve(ctx,&server{`
	`96`	`+execMut:&sync.Mutex{},`
`94`	`97`	`binaryPath:options.BinaryPath,`
`95`	`98`	`cachePath:options.CachePath,`
`96`	`99`	`logger:options.Logger,`
`@@ -99,14 +102,16 @@ func Serve(ctx context.Context, options *ServeOptions) error {`
`99`	`102`	`}`
`100`	`103`
`101`	`104`	`typeserverstruct {`
	`105`	`+execMut*sync.Mutex`
`102`	`106`	`binaryPathstring`
`103`	`107`	`cachePathstring`
`104`	`108`	`logger slog.Logger`
`105`	`109`	`exitTimeout time.Duration`
`106`	`110`	`}`
`107`	`111`
`108`		`-func (s*server)executor(workdirstring)executor {`
`109`		`-returnexecutor{`
	`112`	`+func (sserver)executor(workdirstring)executor {`
	`113`	`+return&executor{`
	`114`	`+mut:s.execMut,`
`110`	`115`	`binaryPath:s.binaryPath,`
`111`	`116`	`cachePath:s.cachePath,`
`112`	`117`	`workdir:workdir,`

`‎provisionerd/provisionerd.go‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,8 @@ type Options struct {`
`57`	`57`	`JobPollJitter time.Duration`
`58`	`58`	`JobPollDebounce time.Duration`
`59`	`59`	`ProvisionersProvisioners`
`60`		`-WorkDirectorystring`
	`60`	`+// WorkDirectory must not be used by multiple processes at once.`
	`61`	`+WorkDirectorystring`
`61`	`62`	`}`
`62`	`63`
`63`	`64`	`// New creates and starts a provisioner daemon.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6651c16

File tree

5 files changed

5 files changed

`‎cli/server.go‎`

`‎provisioner/terraform/executor.go‎`

`‎provisioner/terraform/provision_test.go‎`

`‎provisioner/terraform/serve.go‎`

`‎provisionerd/provisionerd.go‎`

0 commit comments