Failures when concurrent lazy package installs race #2964

plobsing · 2024-06-19T23:09:06Z

plobsing
Jun 19, 2024

aqua info

$ aqua info
{
  "version": "2.28.1",
  "commit_hash": "4ba02d7a202d20bed54c35471842bd255fe46e25",
  "os": "linux",
  "arch": "amd64",
  "pwd": "/mnt/build/buildkite/global_checkout",
  "root_dir": "/var/lib/(USER)/.local/share/aquaproj-aqua",
  "env": {},
  "config_files": [
    {
      "path": "/mnt/build/buildkite/global_checkout/.aqua/aqua.yaml"
    }
  ]
}

Overview

Seems like concurrent archive extractions get in one another's way and get confused.

Sometimes Aqua sees a concrurrent run's output directory, so it skips the download, but then fails validation since its contemporary has only extracted part of the archive so far - some of the files we expect to find are still unextracted and are reported as missing.

Other times, it seems that laggards are trying to perform the download-and-extract themselves, but they fail when they attempt to
overwrite the executable file that was extracted concurrently and is already in use by some other instance.

How to reproduce

I've only seen this on CI, only sporadically, and in scripts that are a bit big too share; so far, I have been unable to isolate a reliable, minimal, local repro.

We've seen what seem to be concurrent-extraction related failures in a couple of circumstances. We see it when running pre-commit, where it
gets tripped up extracting shellcheck or terraform (from package tenv). We also see it in a custom push script when it does the equivalent of xargs flux push artifact to push many configs to ECR at once, where it gets tripped up extracting amazon-ecr-credential-helper.

aqua.yaml

# https://aquaproj.github.io/
checksum:
  enabled: true
  require_checksums: true
  supported_envs:
    - darwin
    - linux
registries:
  - type: standard
    ref: v4.155.0 # renovate: depName=aquaproj/aqua-registry
packages:
  - name: awslabs/amazon-ecr-credential-helper@v0.8.0
  - name: tofuutils/tenv@v2.1.6
  - name: koalaman/shellcheck@v0.10.0

Other related code such as local Registry

.pre-commit-config.yaml (for pre-commit

repos:
  - repo: local
    hooks:
      - id: shellcheck
        name: shellcheck
        language: system
        entry: shellcheck
        types: [shell]
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.91.0
    hooks:
      - id: terraform_fmt
        args:
          - --env-vars=TENV_AUTO_INSTALL="true"

Executed command and output

$ pre-commit -- run terraform_fmt --all-files --show-diff
$ pre-commit -- run shellcheck --all-files --show-diff

(no direct analog for flux pusher, apologies)

Debug output

Output of a failed terraform_fmt run is here: https://gist.github.com/plobsing/1aa39f24d539cb533962ad33b6f7930c

Aqua logs are a bit interleaved with the rest of the output, but relevant segments indicate a failure to validate the extracted archive, which is reported in a couple of places. For example:

ERRO[0001] check file_src is correct                     aqua_version=2.28.1 env=linux/amd64 error="check file_src is correct: exe_path isn't found: stat /var/lib/buildkite-agent/.local/share/aquaproj-aqua/pkgs/github_release/github.com/tofuutils/tenv/v2.1.6/tenv_v2.1.6_Linux_x86_64.tar.gz/tofu: no such file or directory" exe_name=terraform exe_path=/var/lib/buildkite-agent/.local/share/aquaproj-aqua/pkgs/github_release/github.com/tofuutils/tenv/v2.1.6/tenv_v2.1.6_Linux_x86_64.tar.gz/tofu file_name=tofu package_name=tofuutils/tenv package_version=v2.1.6 program=aqua registry=standard
ERRO[0001] executable files aren't found
Files in the unarchived package:
CHANGELOG.md
tenv
   aqua_version=2.28.1 env=linux/amd64 exe_name=terraform package_name=tofuutils/tenv package_version=v2.1.6 program=aqua registry=standard
FATA[0001] aqua failed                                   aqua_version=2.28.1 env=linux/amd64 error="install the package: check file_src is correct" exe_name=terraform package_name=tofuutils/tenv package_version=v2.1.6 program=aqua

But also in other cases, we see execution passing to binaries from the tenv package, indicating at least some of our concurrent invocations are successful (at least at the Aqua layer):

2024-06-18T18:25:18.616Z [WARN]  tenv: can not write .lock file, will retry: error="open /var/lib/buildkite-agent/.tenv/Terraform/.lock: file exists"
2024-06-18T18:25:20.547Z [WARN]  tenv: can not write .lock file, will retry: error="open /var/lib/buildkite-agent/.tenv/Terraform/.lock: file exists"
2024-06-18T18:25:23.291Z [WARN]  tenv: can not write .lock file, will retry: error="open /var/lib/buildkite-agent/.tenv/Terraform/.lock: file exists"
2024-06-18T18:25:34.481Z [WARN]  tenv: can not write .lock file, will retry: error="open /var/lib/buildkite-agent/.tenv/Terraform/.lock: file exists"

Output of a failed run of my concurrent flux pusher is here: https://gist.github.com/plobsing/8ad5373e498104b7c593bebff855fbac

The relevant bit seems to be

instance-1:push: time="2024-06-18T21:08:35Z" level=fatal msg="aqua failed" aqua_version=2.28.1 env=linux/amd64 error="install the package: open the file (/var/lib/buildkite-agent/.local/share/aquaproj-aqua/pkgs/http/amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.8.0/linux-amd64/docker-credential-ecr-login/docker-credential-ecr-login): open /var/lib/buildkite-agent/.local/share/aquaproj-aqua/pkgs/http/amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.8.0/linux-amd64/docker-credential-ecr-login/docker-credential-ecr-login: text file busy" exe_name=docker-credential-ecr-login package_name=awslabs/amazon-ecr-credential-helper package_version=v0.8.0 program=aqua

which I interpret as the extraction step of the archive trying to open docker-credential-ecr-login for writing, but being rejected with ETXTBSY (because there is already a file there and it is being used as the executable for some other process).

Expected behaviour

I would expect that concurrent invocations of Aqua-managed tools to not interfere with one another, even if lazy installation needs to be performed. It'd also be nice to avoid duplicate work, but that's much less important.

I think there's a few ways that could be achieved. Maybe a lockfile at either aqua root-dir or individual-package granularity. Or some other scheme involving advisory file locking. Or download/extraction to a temporary location followed by an atomic filesystem operation to move the files to the intended destination. Or maybe even just using retries in more places.

Actual behaviour

Sometimes archive-extraction interferes between concurrent runs. See above for details.

Note

Seems this is not the first report for this kind of issue. #537 previously reported issues with shellcheck, although invoked through actionlint rather than pre-commit. That report lead to #545. However that change is already in the version I am using, v2.28.1, so
it probably isn't a full fix.

suzuki-shunsuke · 2024-06-19T23:37:49Z

suzuki-shunsuke
Jun 19, 2024
Maintainer

Thank you for your report.

Seems this is not the first report for this kind of issue.

Yes, this is a known issue of aqua.

The workaround is to avoid parallel installation by lazy install.

actionlint doesn't work well if shellcheck is installed by Lazy Install #537

Install shellcheck before executing actionlint.
$ shellcheck -version # shellcheck is installed by Lazy Install
$ actionlint

To resolve this issue completely, we need to introduce lock mechanism or something but I didn't want to do it because it makes aqua more complicated and may cause trouble related to lock file.
Instead of lock mechanism, we introduced retry mechanism. I know it doesn't solve the issue completely but it would mitigate the issue.

4 replies

suzuki-shunsuke Jun 20, 2024
Maintainer

📝

Go libraries to implement the lock mechanism

Proposal of the lock mechanism

If we implement the lock mechanism, my idea is that we create a status file to AQUA_ROOT_DIR/statuses/<package path>.

e.g. AQUA_ROOT_DIR/statuses/github_release/github.com/cli/cli/v2.51.0/gh_2.51.0_macOS_arm64.zip/status.txt

Check the status of package AQUA_ROOT_DIR/locks/<package path>. Status is either completed or in progress
2 If the status file doesn't exist, create a status file and set the status to in progress and start installing a package
After the installation completes, change the status to completed
If the status file exists but the status is in progress, wait for a while until the status becomes completed
If the status keeps in progress for over 10 minutes, the status file gets expired and is removed and the package directory is removed to reinstall the package
If the status file exists and the status is completed, but the package directory doesn't exists, change the status to in progress and install a package

suzuki-shunsuke Jun 20, 2024
Maintainer

The lock mechanism depends on OS level API, so maybe database such as SQLite is useful.
I'm not familiar with locking, so we need to look into further if we implement this.

plobsing Jun 20, 2024
Author

I'd be happy to try hacking up a solution based on a file locking scheme or SQLite (if you're comfortable taking a dep to make it work).

But I think I see a couple of options that could be simpler. If we focus on correctness, and ignore the efficiency concerns of duplicate work (which is no worse than what is the case today), all we need is an atomic publish-directory operation. Two candidates spring to mind: renaming or symlinking. The way this would be used would go something like:

Check if the package is already installed (a directory exists under $(aqua root-dir)/pkgs in the expected location).
If so, we're done, otherwise...
Create a unique-named temporary work location to non-atomically install into. This should be a sibling to the location where we expect to find the package folder. For instance for shellcheck, the package folder is$(aqua root-dir)/pkgs/github_release/github.com/koalaman/shellcheck, so the temporary work location might be something like $(aqua root-dir)/pkgs/github_release/github.com/koalaman/shellcheck._aqua_install.123456. Name uniqueness could be ensured by using process ID in the name.
Install as normal, but into the temporary location.
Atomically "publish" the temporary location to the package's actual expected location.
If the publish operation succeeds we're done, otherwise...
If the publish operation failed, probably some other process installed the package while we were working. Delete our work dir. Then retry (goto 1).

There is a minor assumption with this process: I assume we can choose a tempdir naming scheme that will not conflict with any actual packages. For example, in the above example, if koalaman decided to publish a new tool named shellcheck._aqua_install.123456, and we wanted to package that up in Aqua, we'd be in a bad way. I don't think that's very likely to happen though.

Why specifically a sibling temp folder? Why not somewehre else? My understanding is that OS' guarantees about atomicity of operations often only extend to single filesystems. A temp folder anywhere else could be mounted on a different filesystem than the destination location, which might lead to weird results sometimes.

Which operation should we use for publication? As I see it, we've got two options, each with pros and cons.

Renaming seems like a simple and obvious solution, but the catch is that directory renaming on Windows might not be atomic all the time. It is unclear if that non-atomicity manifests in ways we'd care about. And even if not atomic, the rename operation would still likely be faster than the other install operations, so the window of time and set of operations against which a race might occur would likely be reduced quite a bit, so its still an improvement for Windows (combined w/ a retry, it might even just straight up be a full fix, but I'm not a Win32 expert).
Creating a symlink to an existing directory is atomic everywhere. But it means we need to leave behind the scratch dir the symlink points to around indefinitely, which is slightly aesthetically displeasing. Also it impacts the package-removal operation, which now needs to read through the symlink to fully clean the package (Go's os.RemoveAll will remove a symlink but not the directory it points to).

What do you think? If you'd like, I could send you a PR (just say which publication method you want). Or if you still prefer one of the other methods, I can try to build that instead. Or if you want to do it yourself, that's also fine with me. Just let me know.

suzuki-shunsuke Jun 20, 2024
Maintainer

Oh, I see. Your idea looks better than my idea.

renaming or symlinking

I think renaming is better than symlinking.

Why specifically a sibling temp folder? Why not somewehre else? My understanding is that OS' guarantees about atomicity of operations often only extend to single filesystems. A temp folder anywhere else could be mounted on a different filesystem than the destination location, which might lead to weird results sometimes.

I think it's reasonable. 👍

aqua installs a package into pkgPath here.

aqua/pkg/installpackage/installer.go

Lines 243 to 259 in bc5dbca

    
           pkgPath, err := pkg.PkgPath(is.rootDir, is.runtime) 
        
           if err != nil { 
        
           	return fmt.Errorf("get the package install path: %w", err) 
        
           } 
        
           if err := is.downloadWithRetry(ctx, logE, &DownloadParam{ 
        
           	Package:         pkg, 
        
           	Dest:            pkgPath, 
        
           	Asset:           assetName, 
        
           	Checksums:       param.Checksums, 
        
           	RequireChecksum: param.RequireChecksum, 
        
           	Checksum:        param.Checksum, 
        
           }); err != nil { 
        
           	return err 
        
           } 
        
           return is.checkFilesWrap(ctx, logE, param, pkgPath)

So I think we can replace pkgPath with a temporary path and move it to pkgPath.

Note that aqua installs go_build type package in checkFilesWrap.

aqua/pkg/installpackage/check_file.go

Lines 92 to 94 in bc5dbca

    
           if err := is.goBuildInstaller.Install(ctx, exePath, exeDir, src); err != nil { 
        
           	return "", fmt.Errorf("build Go tool: %w", err) 
        
           }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aquaproj

Failures when concurrent lazy package installs race #2964

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

aquaproj

Failures when concurrent lazy package installs race #2964

plobsing Jun 19, 2024

aqua info

Overview

How to reproduce

Debug output

Expected behaviour

Actual behaviour

Note

Replies: 1 comment · 4 replies

suzuki-shunsuke Jun 19, 2024 Maintainer

suzuki-shunsuke Jun 20, 2024 Maintainer

Go libraries to implement the lock mechanism

Proposal of the lock mechanism

suzuki-shunsuke Jun 20, 2024 Maintainer

plobsing Jun 20, 2024 Author

suzuki-shunsuke Jun 20, 2024 Maintainer

plobsing
Jun 19, 2024

Replies: 1 comment 4 replies

suzuki-shunsuke
Jun 19, 2024
Maintainer

suzuki-shunsuke Jun 20, 2024
Maintainer

suzuki-shunsuke Jun 20, 2024
Maintainer

plobsing Jun 20, 2024
Author

suzuki-shunsuke Jun 20, 2024
Maintainer