Merge lp:~salgado/launchpad/easier-read-only-switch into lp:launchpad

= Summary =

Today, switching an app server to run in read-only mode means putting
new configs in place and restarting the server using a different
LPCONFIG env var. That's rather painful to LOSAs, who need to do it for
all app servers before a roll out, so we'll make that easier.

== Proposed fix ==

From now on, to turn read-only mode on, one just need to create a
read-only.txt file under the root of our tree. No more config changes and/or
server restarts.

The [database] config section doesn't have main_master/slave variables
anymore. These are now properties on DatabaseConfig, which return
ro_main_master/slave or rw_main_master/slave, depending on the mode we are on
(i.e. what is returned by IIsReadOnly.isReadOnly()).

When .isReadOnly() is called as part of processing a request, we cache its
return value in the request so that it doesn't need to hit the filesystem in
further calls.

At the beginning of a request, we check the databases to which the main_master
and main_slave stores are connected to. If they differ from
dbconfig.main_master/slave, we remove these stores from ZStorm, forcing them
to be created again the next time they are needed. When they're created again
they get a new connection, which uses dbconfig.main_master/slave and thus will
go to the correct db.

After removing the stores from ZStorm, this is what happens when the store is
needed again:

   - ZStorm.get('main-master', 'launchpad:main-master') is called
   - ZStorm finds a Database object for that uri
   - ZStorm instantiates a new Store object, passing the existing Database
   - Store calls Database.connect(), which instantiates and returns a
     Connection
   - The Connection's __init__() calls Database.raw_connect(), which finally
     reads dbconfig.main_master/slave and creates a new psycopg2 connection
     using that.

The above only works because our custom Database class (LaunchpadDatabase)
sets self._dsn inside raw_connect(), instead of inside __init__() (like its
parent class does). That's needed because the Database objects are reused
across threads/stores by ZStorm.

Tests
=====

- pagetests/standalone/xx-read-only-mode.txt works as the integration test
- test_readonly.py
- webapp/tests/test_publication.py

= Launchpad lint =

Checking for conflicts. and issues in doctests and templates.
Running jslint, xmllint, pyflakes, and pylint.
Using normal rules.

Linting changed files:
  lib/canonical/database/sqlbase.py
  configs/test-playground/launchpad-lazr.conf
  lib/canonical/librarian/client.py
  lib/canonical/launchpad/webapp/publication.py
  lib/canonical/config/schema-lazr.conf
  lib/canonical/launchpad/doc/canonical-config.txt
  lib/canonical/launchpad/webapp/authorization.py
  lib/canonical/launchpad/webapp/tests/test_publication.py
  lib/canonical/launchpad/readonly.py
  lib/canonical/launchpad/pagetests/standalone/xx-read-only-mode.txt
  lib/canonical/testing/ftests/test_mockdb.py
  lib/canonical/launchpad/pagetests/standalone/xx-opstats.txt
  lib/canonical/launchpad/webapp/login.py
  lib/lp/translations/model/pofile.py
  BRANCH.TODO
  lib/canonical/launchpad/tests/test_readonly.py
  lib/canonical/launchpad/webapp/configure.zcml
  lib/canon...

On IRC, I asked for a comment explaining use of _template suffix for readonly dbs in config.

Correcting this would be nice:

lib/canonical/launchpad/webapp/publication.py
    573: [E1002, LaunchpadBrowserPublication.beginErrorHandlingTransaction] Use super on an old style class

DatabaseConfig.main_master: zcml issue we discussed...

I'm eager to see QA on staging from SAs. Have you discussed with LOSAs how we might test this on staging? I wonder if this would warrant a CP.

I asked you about the first two assertions in TestDatabaseConfig.test_overlay, because I didn't really see the point of them. You said that they look up the values in the wrong config section, which doesn't seem all that compelling to me, but you also said that you had simply moved those from the class' docstring to the new location. I won't worry about them, then.

The following looks like it deserves a bug.

397 + # XXX: Instead of all this we could probably just remove the
398 + # store from ZStorm (zstorm.remove(store)).

Twice you assert that we must use a rw db in a given context. Would it be relatively easy and quick to hint as to why, or do you think that it is quite obvious in context of the full code, rather than the diff?

What would you think of _touch_read_only_file and _remove_read_only_file losing their initial underline and moving to a "testing" module somewhere? They seem to be imported a lot for tests, so they really are a testing API AFAICT, and should be encouraged for (only) that purpose.

Shouldn't lib/canonical/launchpad/readonly.py have an __all__?

In this line from lib/canonical/launchpad/readonly.py...

603 +named read-only.txt under the root of the Launchpad tree.

...I suggest s/under/in/.

In lib/canonical/launchpad/readonly.py, I suggest using os.path.absdir to calculate the ``root`` path just for cleanliness. (There's probably a way to get the path from an environmental var that buildout sets so you don't have to do path funny business, but there's precedent for the funny business, so I'm OK with what you have.)

lib/canonical/launchpad/readonly.py: _currently_in_read_only: is that really part of the utility's interface? It seems like it is an implementation detail.

lib/canonical/launchpad/readonly.py: Just for Python 2.5 fun, why don't you use ``from __future__ import with_statement`` and then ``with self._lock`` instead of the whole try/except acquire/release dance?

I'm submitting these notes now since I am breaking for lunch. More when I return.

There was only one test failing after my changes, and the fix for it is below:

=== modified file 'lib/canonical/launchpad/webapp/tests/test_authorization.py'
--- lib/canonical/launchpad/webapp/tests/test_authorization.py 2009-06-25 05:30:52 +0000
+++ lib/canonical/launchpad/webapp/tests/test_authorization.py 2010-01-13 18:30:34 +0000
@@ -18,6 +18,7 @@
 from canonical.lazr.interfaces import IObjectPrivacy

 from canonical.launchpad.interfaces.account import IAccount
+from canonical.launchpad.readonly import IIsReadOnly
 from canonical.launchpad.security import AuthorizationBase
 from canonical.launchpad.webapp.authentication import LaunchpadPrincipal
 from canonical.launchpad.webapp.authorization import (
@@ -129,6 +130,11 @@
         pass

+class FakeIsReadOnlyUtility:
+ def isReadOnly(self):
+ return False
+
+
 class TestCheckPermissionCaching(CleanUp, unittest.TestCase):
     """Test the caching done by `LaunchpadSecurityPolicy.checkPermission`."""

@@ -137,6 +143,9 @@
         super(TestCheckPermissionCaching, self).setUp()
         self.factory = ObjectFactory()
         ztapi.provideUtility(IStoreSelector, FakeStoreSelector)
+ # LaunchpadSecurityPolicy.checkPermission() needs an IIsReadOnly
+ # utility, so we provide a fake one to please it.
+ ztapi.provideUtility(IIsReadOnly, FakeIsReadOnlyUtility())

     def makeRequest(self):
         """Construct an arbitrary `LaunchpadBrowserRequest` object."""

On Wed, 2010-01-13 at 18:12 +0000, Gary Poster wrote:
> On IRC, I asked for a comment explaining use of _template suffix for readonly dbs in config.
>
> Correcting this would be nice:
>
> lib/canonical/launchpad/webapp/publication.py
> 573: [E1002,
> LaunchpadBrowserPublication.beginErrorHandlingTransaction] Use super
> on an old style class

It actually is a new-style class, I think thanks to the __metaclass__ =
type line we have there. I don't know why pylint is confused here, but
I could suppress that error.

>
> DatabaseConfig.main_master: zcml issue we discussed...
>
> I'm eager to see QA on staging from SAs. Have you discussed with
> LOSAs how we might test this on staging? I wonder if this would
> warrant a CP.

No, I haven't talked to them about that yet, but I'm guessing we'll need
a read-only database to be able to QA this properly.

We could CP it a few days before the roll out. That way we get some
real-world testing (on edge) of the changes I did to webapp/ code and we
can still take advantage of the easier switching during the roll out
itself.

>
> I asked you about the first two assertions in
> TestDatabaseConfig.test_overlay, because I didn't really see the point
> of them. You said that they look up the values in the wrong config
> section, which doesn't seem all that compelling to me, but you also
> said that you had simply moved those from the class' docstring to the
> new location. I won't worry about them, then.
>
> The following looks like it deserves a bug.
>
> 397 + # XXX: Instead of all this we could probably just
> remove the
> 398 + # store from ZStorm (zstorm.remove(store)).

I'm going to do the change there (in another branch) and run the test
suite again. If it succeeds, great, otherwise I'll revert it and the
bug probably won't be needed. For now I'll just remove the XXX from
here.

>
> Twice you assert that we must use a rw db in a given context. Would
> it be relatively easy and quick to hint as to why, or do you think
> that it is quite obvious in context of the full code, rather than the
> diff?

In the case of database/sqlbase.py it may not be, so I changed the
comment. The other is in librarian/client.py, in the method to upload a
new file, so I don't think a comment change is needed there.

>
> What would you think of _touch_read_only_file and
> _remove_read_only_file losing their initial underline and moving to a
> "testing" module somewhere? They seem to be imported a lot for tests,
> so they really are a testing API AFAICT, and should be encouraged for
> (only) that purpose.

That's correct, they are a testing API and as such I'll move them to a
more appropriate place.

>
> Shouldn't lib/canonical/launchpad/readonly.py have an __all__?

Yes, that and a __metaclass__ one.

>
> In this line from lib/canonical/launchpad/readonly.py...
>
> 603 +named read-only.txt under the root of the Launchpad tree.
>
> ...I suggest s/under/in/.

Sure thing; changed.

>
> In lib/canonical/launchpad/readonly.py, I suggest using os.path.absdir
> to calculate the ``root`` path just for cleanliness. (There's
> probably a way to get the path from an environmental var...

Continuing the review notes from the previous comment...

You are using ztapi because other code is doing it (``ztapi.provideUtility(IIsReadOnly, FakeIsReadOnlyUtility())`` in test_authorization.py). ztapi is deprecated in favor of zope.component; it now has all the necessary convenience functions (although the order of arguments for zope.component.provideUtility is reversed IIRC). I'd like to see new code use the "one way to do it".

In lib/canonical/launchpad/readonly.py...

686 + # Only call get_current_browser_request() when we have an interaction,
687 + # or else it will choke.
688 + if queryInteraction() is not None:
689 + request = get_current_browser_request()

...this is a look-before-you-leap approach. Python style guides generally prefers try-except, and I do too. :-)

I question have IIsReadOnly as a utility. Why don't we just have this as a function? The ``_currently_in_read_only`` value (which I said I believe is an implementation detail above) would be a module global--and you already have a mutex to handle modifying that well anyway. Then people would import the function rather than the interface, and things would be more direct. The only downside I can see is that it might be a bit harder to change the behavior of the isReadOnly function for tests--but do you really need to? So in sum, making this a utility doesn't buy us anything AFAICS, and adds extra indirection when a simple function would do.

Do I need to know why/when we use DatabaseBlockedPolicy?

OK, saving these comments; back soon. :-)

On Wed, 2010-01-13 at 19:54 +0000, Gary Poster wrote:
> Continuing the review notes from the previous comment...
>
> You are using ztapi because other code is doing it
> (``ztapi.provideUtility(IIsReadOnly, FakeIsReadOnlyUtility())`` in
> test_authorization.py). ztapi is deprecated in favor of
> zope.component; it now has all the necessary convenience functions
> (although the order of arguments for zope.component.provideUtility is
> reversed IIRC). I'd like to see new code use the "one way to do it".

I didn't know about that and indeed had just copied and pasted the
existing code. That test no longer uses ztapi now.

>
> In lib/canonical/launchpad/readonly.py...
>
> 686 + # Only call get_current_browser_request() when we have an
> interaction,
> 687 + # or else it will choke.
> 688 + if queryInteraction() is not None:
> 689 + request = get_current_browser_request()
>
> ...this is a look-before-you-leap approach. Python style guides
> generally prefers try-except, and I do too. :-)

I didn't do that because I think get_current_browser_request() should
return None and not let an AttributeError through when there's no
interaction. I'd fix the function myself, but it's in lazr.restful so I
wouldn't benefit instantly.

I guess the best would be to turn my comment into an XXX and file a bug
against lazr.restful?

>
> I question have IIsReadOnly as a utility. Why don't we just have this
> as a function? The ``_currently_in_read_only`` value (which I said I
> believe is an implementation detail above) would be a module
> global--and you already have a mutex to handle modifying that well
> anyway. Then people would import the function rather than the
> interface, and things would be more direct. The only downside I can
> see is that it might be a bit harder to change the behavior of the
> isReadOnly function for tests--but do you really need to? So in sum,
> making this a utility doesn't buy us anything AFAICS, and adds extra
> indirection when a simple function would do.

I think that'd work, and I don't need to change its behaviour for tests,
so I'll give this a try tomorrow morning.

>
> Do I need to know why/when we use DatabaseBlockedPolicy?

Oh, right, that's the policy used for the +opstas page, to make sure
nothing tries to use the database during a request for that page.

>
> OK, saving these comments; back soon. :-)

--
Guilherme Salgado <email address hidden>

test_no_mode_changes: Would it be worthwhile to check that we have the same connection object? It is black box, but it might be nice to verify that we don't trash the connection unnecessarily.

Now relying to your replies:

> > Correcting this would be nice:
> >
> > lib/canonical/launchpad/webapp/publication.py
> > 573: [E1002,
> > LaunchpadBrowserPublication.beginErrorHandlingTransaction] Use super
> > on an old style class
>
> It actually is a new-style class, I think thanks to the __metaclass__ =
> type line we have there. I don't know why pylint is confused here, but
> I could suppress that error.

Yes, let's go ahead and do that, please.

In regards to your comments on QA and a CP, I have a call on Friday with Tom and James. I'll talk to them about that then. I'll invite you on the call if you are available.

> > ...this is a look-before-you-leap approach. Python style guides
> > generally prefers try-except, and I do too. :-)
>
> I didn't do that because I think get_current_browser_request() should
> return None and not let an AttributeError through when there's no
> interaction. I'd fix the function myself, but it's in lazr.restful so I
> wouldn't benefit instantly.

I see.

> I guess the best would be to turn my comment into an XXX and file a bug
> against lazr.restful?

+1.

The rest looks good. Thank you very much for the great work.

I'm going to approve this, but ask Tom Haddon for a review so that we have a discussion of QA before we merge.

Gary

Tom, I asked you for a review so that we could discuss QA.

I think we're delivering exactly what we discussed, but I'd also like verification of that as well. As Salgado says, if you add a read-only.txt to the top the tree, or remove it, the application should notice as soon as it processes a new request. It will then acknowledge the change in the main launchpad.log. Because our requests time out in about 15 seconds, webapp machines should be ready to switch easily within a minute. This does not affect long running processes, which would presumably need to be stopped when switching to readonly, and restarted when resuming (as usual?).

This sounds good in terms of delivering what was specified, and we're happy to deal with long running processes by killing them if we need to when switching from read-write to read-only.

In terms of QA, I think we'd want to start by merging this branch as is onto staging, creating the read-only.txt file and then trying to perform some changes. Just let me know when the branch is ready.

We'll also want to prepare the changes to lp-production-configs and canonical-identity-provider at the same time, from what I understand.

Thanks, Tom

On Wed, 2010-01-13 at 21:30 +0000, Gary Poster wrote:
> Review: Approve
> test_no_mode_changes: Would it be worthwhile to check that we have the
> same connection object? It is black box, but it might be nice to
> verify that we don't trash the connection unnecessarily.

It won't hurt to do this extra check there, so, sure.

>
> Now relying to your replies:
>
> > > Correcting this would be nice:
> > >
> > > lib/canonical/launchpad/webapp/publication.py
> > > 573: [E1002,
> > > LaunchpadBrowserPublication.beginErrorHandlingTransaction] Use super
> > > on an old style class
> >
> > It actually is a new-style class, I think thanks to the __metaclass__ =
> > type line we have there. I don't know why pylint is confused here, but
> > I could suppress that error.
>
> Yes, let's go ahead and do that, please.

Done.

>
> In regards to your comments on QA and a CP, I have a call on Friday
> with Tom and James. I'll talk to them about that then. I'll invite
> you on the call if you are available.

Ok

>
> > > ...this is a look-before-you-leap approach. Python style guides
> > > generally prefers try-except, and I do too. :-)
> >
> > I didn't do that because I think get_current_browser_request() should
> > return None and not let an AttributeError through when there's no
> > interaction. I'd fix the function myself, but it's in lazr.restful so I
> > wouldn't benefit instantly.
>
> I see.
>
> > I guess the best would be to turn my comment into an XXX and file a bug
> > against lazr.restful?
>
> +1.

https://bugs.edge.launchpad.net/lazr.restful/+bug/507447

>
> The rest looks good. Thank you very much for the great work.
>
> I'm going to approve this, but ask Tom Haddon for a review so that we
> have a discussion of QA before we merge.
>
> Gary

--
Guilherme Salgado <email address hidden>

http://paste.ubuntu.com/356558/ is how I got rid of the IIsReadOnly utility by using a function and module globals.

I've tested this on staging and can confirm it works as expected. So, fwiw, +1 from me :)