Go to file
James Andariese 44677c8a90 initial import
This version will demonstrate locking and the health check but will not
run any commands other than the health check.  The next minor version
will have an ergonomic CLI and will run the service commands.
2024-07-23 21:19:05 -05:00
src initial import 2024-07-23 21:19:05 -05:00
.gitignore initial import 2024-07-23 21:19:05 -05:00
Cargo.lock initial import 2024-07-23 21:19:05 -05:00
Cargo.toml initial import 2024-07-23 21:19:05 -05:00
LICENSE initial import 2024-07-23 21:19:05 -05:00
README.md initial import 2024-07-23 21:19:05 -05:00

putex

Process Mutex

Used to manage a lock and timing components of an at-most-once execution system.

NATS

This currently uses NATS exclusively for locking but there is the possibility to extend this to using other locks.

NATS is used via optimistic locking of a kv bucket entry. If it's able to write the lock with its own value before it's changed by the current owner through renewal or by another agent becoming the owner, it gets to be the owner. The agents follow a set of rules and a common execution plan which ensures they will always elect a single leader and never accidentally overlap execution (as long as the operator also follows the rules!)

The Variables

R - Lock Renewal Interval

How often the active agent will run its health check and assert its activeness.

F - Failure Threshold

How many R must pass without the lock being updated before an agent may take the lock. This is the maximum timeout of a health check as well because returning after this time will result in an expected failover anyway.

C - Confirmation Count

How many R must pass between a new agent becomes active and when it is allowed to fence other nodes and activate its service.

The Rules

Operator (YOU)

  • healthcheck
    • The healthcheck will be given an argument of active or standby indicating whether the lock is currently held by this agent. If it is active, a more thorough check should be performed, if possible. If it is standby, the healthcheck should indicate whether we believe that healthcheck active would pass after the confirmation cycles
    • The health check should not take more than R in normal circumstances but may run over R in exceptional circumstances which do not require a failover such as a switch power cycling somewhere causing a 2 second outage where you have R=1000 and F=3 (so you have allotted 3 seconds and the health check takes 2 seconds to return a result because of the packet loss -- this is greater than R but less than R*F so a warning will be produced but failover will not occur.
    • The health check MUST NOT take more than RF to run or else it will have lost its lock to another agent. If the health check might take more than RF in circumstances where failover would not be appropriate, R, F, or both should be increased, with F increasing the overall failover window and R slowing the system down overall to allow the health check to keep up.
  • activation
    • The activation script should first fence the other hosts, if possible and necessary for the use case. The activation script will have been called after at least C*R so this should happen immediately followed immediately by the service being started.
  • deactivation
    • Deactivation must take place within C*R. If deactivation will need more time than is allotted, increasing C or R will accomplish this with R affecting all aspects of the system and slowing it down in general.

Agent Operation Theory

Uses a specific key in a specific bucket in a NATS cluster to lock a runner for a specific process.

my-hostname:~$ natslock nats.cluster.local locks spof-service my-hostname

Each token should be unique, generally the hostname. These will also be in the kv store and can serve to document the current state of the system.

The implementation should ensure that time skew does not affect synchronization.

R = lock renewal interval F = lock renewal failures before taking the lock C = lock renewals to wait before starting after takeover T = lock timeout = R * F consider the example of F=1 to ensure the logic makes sense. if R = 1s and F=1 then a renewal needs to happen within a 1s period from when we check first to when we want to take the lock. With these parameters, after 1s with no updates, we would expect to take the lock immediately and so T=R*F.

A client has the lock and should run the service when its token is present in the key for C full renewal interval(s) or immediately if this is the first revision or if the current token is empty.

  • When done after takeover, this gives the former system time to shutdown, if necessary. C should generally be 1 and the shutdown/fencing mechanism should be instantaneous (iptables/kill -9).

A client obtains the lock by writing its token to the key.

A client may write to the key when there have been no writes for T seconds or when the key does not exist.

A client may only write to the key if it does not exist or if it has not been updated since the last read (in addition to other rules of the protocol). Does not exist: use create which will fail if the key has been created Exists: use update with revision to ensure the revision that was read is also the one being replaced.

Both may be attempted in parallel since only one may possibly succeed.

Any failure to write to the key must result in the underlying application being killed or otherwise fenced immediately (within R from the last interval).

A client renews its lock after running its health check. The health check should take less than R but MUST take less than T or else the client will lose its lock. Since it must lose its lock and must recognize that this has happened, the health check will always timeout after T and the lock will be given up immediately.