kutils: Make the validation and the preloading of PackageCommitter parametric #7460
Conversation
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
4 times, most recently
from
91f3b9f to
8e20001
Compare
...r/ledger-on-memory/src/main/scala/com/daml/ledger/on/memory/InMemoryLedgerReaderWriter.scala
Outdated
Show resolved
Hide resolved
...s/src/main/scala/com/daml/ledger/participant/state/kvutils/CommitPackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...s/src/main/scala/com/daml/ledger/participant/state/kvutils/CommitPackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...-state/kvutils/app/src/main/scala/com/daml/ledger/participant/state/kvutils/app/Config.scala
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Looks like the right direction. It would be good to have a test case for the different validation modes in kvutils. Since it isn't clear how we roll out the change I would at this point strive to get the functionality in (with enough test coverage!) and then work on getting consensus on how to roll this out.
daml-lf/transaction/src/main/scala/com/digitalasset/daml/lf/crypto/Hash.scala
Outdated
Show resolved
Hide resolved
...s/src/main/scala/com/daml/ledger/participant/state/kvutils/CommitPackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...te/kvutils/src/main/scala/com/daml/ledger/participant/state/kvutils/KeyValueCommitting.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...s/src/main/scala/com/daml/ledger/participant/state/kvutils/CommitPackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...s/src/main/scala/com/daml/ledger/participant/state/kvutils/CommitPackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...s/src/main/scala/com/daml/ledger/participant/state/kvutils/CommitPackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...s/src/main/scala/com/daml/ledger/participant/state/kvutils/CommitPackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
from
2caec22 to
41b70d7
Compare
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
from
41b70d7 to
bb1e49f
Compare
Currently there is no migration plan. We just add the possibility of pre-commit validation. |
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
2 times, most recently
from
316bd88 to
77f0126
Compare
| "decode_entry" -> decodeEntry, | ||
| "validate_entry" -> validateEntry, | ||
| "filter_duplicates" -> filterDuplicates, | ||
| "preload" -> preload, |
There was a problem hiding this comment.
Do we need synchronous preloading ?
There was a problem hiding this comment.
No I don't think we need that, unless it's more efficient to validate+preload when committing rather than validating and loading the package to engine separately.
There was a problem hiding this comment.
Actually, I think the system is more predictable if we preload it synchronously when committing as that means as soon as the package upload completes we can start using the package without having a surprising delay on the first transaction. What do you think?
There was a problem hiding this comment.
I see a trade off:
- If we preload we are indeed more predictable. It is also slightly more efficient as we decode only once. (I think our bigger dars need around 20s to decode).
- If we don't, we do not overload the engine with useless packages. Potentially the code for scenario/trigger/script can end in the dar even it is useless for the Ledger engine.
There was a problem hiding this comment.
I see the feature useful for testing/development. In production, dar upload should be so seldom that it should not really matter.
There was a problem hiding this comment.
I think the preload should by synchronous for the pro-preload reasons you both mentioned.
There was a problem hiding this comment.
We will preload in the 3 cases.
...c/main/scala/com/daml/ledger/participant/state/kvutils/committer/DummyPackageCommitter.scala
Outdated
Show resolved
Hide resolved
|
|
||
| override protected val committerName: String = "package_upload" | ||
|
|
||
| metrics.daml.kvutils.committer.packageUpload.loadedPackages(() => |
There was a problem hiding this comment.
Not sure if this is inherited from earlier code or not, but this would only update the metric once at startup which isn't the idea. It should be done from within a step or probably preferably this is a metric that the engine should maintain and it shouldn't belong here.
There was a problem hiding this comment.
It is from the original code.
Currently the Engine does not handle metric. If we want to do so, I will prefer wrapping it in a kv specific class.
For now, I moved this code at the end of the preload step.
| override def context: Context = NoContext | ||
|
|
||
| override protected def prettyInternal: String = | ||
| s"the set of packages ${pkgIds.mkString("{", ",", "}")} is not self consistent, it missing the dependencies ${pkgIds |
There was a problem hiding this comment.
| s"the set of packages ${pkgIds.mkString("{", ",", "}")} is not self consistent, it missing the dependencies ${pkgIds | |
| s"The set of packages ${pkgIds.mkString("{", ",", "}")} is not self-consistent, it is missing the dependencies ${pkgIds |
| // This mode is useful for ledger integrations that cannot handle | ||
| // long-running submissions (> 10s). | ||
| // See PackageCommitter for more detail. | ||
| // FIXME: Currently `PostCommit` is the mode used by default |
There was a problem hiding this comment.
We should have an issue and a plan for addressing this. Probably not worth leaving a FIXME in the code.
There was a problem hiding this comment.
I opened KVL-578 to make the validation mode configurable.
| * When using this committer, packages on the ledger cannot be trusted and should be | ||
| * validated each time uploaded to the engine. | ||
| */ | ||
| private[committer] class PackageUploader( |
There was a problem hiding this comment.
Sorry for not bringing this up in previous review round, but the naming here is also confusing. Could you name these so that it's clear to the reader that these are different "PackageCommitter" variants? E.g. NonValidatingPackageCommitter, HashValidatingPackageCommitter and maybe FullValidatingPackageCommitter (or better names if you can think of them). This way it's clear at a glance what these are.
|
|
||
| override protected val steps: Iterable[(StepInfo, Step)] = | ||
| List( | ||
| "deduplicate_submission" -> deduplicateSubmission, |
There was a problem hiding this comment.
It makes me little bit nervous that the step lists are duplicated. If one needs to add a new step one needs to remember to add it to all three places. Since all of them are extra validation steps the order isn't as important, so could it be safer to have e.g. "extra_validation_steps" or some such that gets spliced into steps in PackageCommitter? What do you think?
There was a problem hiding this comment.
I share @dajmaki's concern.
| private val logger = LoggerFactory.getLogger(this.getClass) | ||
|
|
||
| def this(engine: Engine, metrics: Metrics) = this(engine, metrics, false) | ||
| def this(engine: Engine, metrics: Metrics) = | ||
| this(engine, metrics, false, CommitPackageValidationMode.PostCommit) |
There was a problem hiding this comment.
We should avoid having multiple places with default values. I think this constructor should also have the packageValidation parameter. Any concerns with such an API change, @miklos-da?
There was a problem hiding this comment.
I dropped the default values.
...cala/com/daml/ledger/participant/state/kvutils/committer/NonValidatingPackageCommitter.scala
Outdated
Show resolved
Hide resolved
|
|
||
| override protected val steps: Iterable[(StepInfo, Step)] = | ||
| List( | ||
| "deduplicate_submission" -> deduplicateSubmission, |
There was a problem hiding this comment.
I share @dajmaki's concern.
| * When using this committer, packages on the ledger cannot be trusted and should be | ||
| * validated each time uploaded to the engine. | ||
| */ | ||
| private[committer] class PackageUploader( |
| "decode_entry" -> decodeEntry, | ||
| "validate_entry" -> validateEntry, | ||
| "filter_duplicates" -> filterDuplicates, | ||
| "preload" -> preload, |
There was a problem hiding this comment.
I think the preload should by synchronous for the pro-preload reasons you both mentioned.
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
5 times, most recently
from
fb23c6b to
89ff6d7
Compare
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
3 times, most recently
from
850d0e7 to
d3b6c9c
Compare
remyhaemmerle-da
requested review from
dasormeter and
fabiotudone-da
as code owners
remyhaemmerle-da
requested review from
miklos-da,
mziolekda,
rautenrieth-da and
stefanobaghino-da
as code owners
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
from
d3b6c9c to
bed80e2
Compare
remyhaemmerle-da
changed the title
daml-lf/archive/src/main/scala/com/digitalasset/daml/lf/archive/Reader.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...t/suite/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitterSpec.scala
Outdated
Show resolved
Hide resolved
...t/suite/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitterSpec.scala
Outdated
Show resolved
Hide resolved
...t/suite/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitterSpec.scala
Outdated
Show resolved
Hide resolved
...t/suite/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitterSpec.scala
Outdated
Show resolved
Hide resolved
...ib/scala/com/daml/ledger/participant/state/kvutils/ParticipantStateIntegrationSpecBase.scala
Outdated
Show resolved
Hide resolved
remyhaemmerle-da
changed the title
There was a problem hiding this comment.
Thanks, @remyhaemmerle-da! The separation into preloading and validation is great!
...ls/src/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageCommitter.scala
Outdated
Show resolved
Hide resolved
...c/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageValidationMode.scala
Outdated
Show resolved
Hide resolved
...c/main/scala/com/daml/ledger/participant/state/kvutils/committer/PackageValidationMode.scala
Outdated
Show resolved
Hide resolved
| @@ -712,6 +710,15 @@ object ParticipantStateIntegrationSpecBase { | |||
| private val darFile = new File(rlocation("ledger/test-common/model-tests.dar")) | |||
| private val archives = darReader.readArchiveFromFile(darFile).get.all | |||
|
|
|||
| // 2 self consistent archives | |||
There was a problem hiding this comment.
They don't have dependencies to other archives.
This PR creates 3 validation modes: + `Strict` : Specifies that the committer should validate the package before committing them to the ledger. When using this mode, the packages committed to the ledger can be fully trusted and do not have to be validated when loaded into the engine. + `Lenient`: Specifies that the committer should perform a fast validation of the packages before committing them to the ledger. This mode is useful for ledger integrations that cannot handle long-running submissions (> 10s). When using this mode, the packages committed to the ledger cannot be trusted and must be validated every time they are loaded into the engine. + `No` : Specifies that the committer should not perform any validation the packages before committing them to the ledger. This should be used only by non distributed ledgers, like DAML-on-SQL, where the validation done in the API server is can be trusted. This PR creates 3 preloading modes: + `Synchronous` : Specifies that the packages should be preloading into the engine before committed. + `Asynchronous`: Specify that the packages should be preloaded into the engine asynchronously with the rest of the commit process. This mode is useful for ledger integrations that cannot handle long-running submissions (> 10s). Failure of the preloading process will not affect the commit. + `Preloading`: Specify that the packages should not be preloaded into the engine. CHANGELOG_BEGIN - [Integration Kit] In kvutils, add metric `daml.kvutils.committer.package_upload.validate_timer` to track package validation time. CHANGELOG_END
Co-authored-by: Miklos <57664299+miklos-da@users.noreply.github.com>
Co-authored-by: Gerolf Seitz <gerolf.seitz@daml.com> Co-authored-by: Miklos <57664299+miklos-da@users.noreply.github.com>
remyhaemmerle-da
force-pushed
the
remy-engine-validate-2
branch
from
0e9aa62 to
0a4599b
Compare
|
Command 'rerun' is not supported by Azure Pipelines. Supported commands
See additional documentation. |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This PR fixes a bug in the PackageCommitter introduced recently. Dependencies not decoded are assumed to be already preloaded and should not bee looked for. CHANGELOG_BEGIN CHANGELOG_END
This PR fixes a bug in the PackageCommitter introduced recently. Dependencies not decoded are assumed to be already preloaded and should not bee looked for. CHANGELOG_BEGIN CHANGELOG_END
This PR fixes a bug in the PackageCommitter introduced recently. Dependencies not decoded are assumed to be already preloaded and should not bee looked for. CHANGELOG_BEGIN CHANGELOG_END
stefanobaghino-da
added
component/json-api
This PR creates 3 validation modes:
Strict: Specifies that the committer should validate the packagebefore committing them to the ledger. When using this mode, the
packages committed to the ledger can be fully trusted and do not
have to be validated when loaded into the engine.
Lenient: Specifies that the committer should perform a fastvalidation of the packages before committing them to the ledger.
This mode is useful for ledger integrations that cannot handle
long-running submissions (> 10s). When using this mode, the
packages committed to the ledger cannot be trusted and must be
validated every time they are loaded into the engine.
No: Specifies that the committer should not perform anyvalidation the packages before committing them to the ledger. This
should be used only by non distributed ledgers, like DAML-on-SQL,
where the validation done in the API server can be trusted.
This PR creates 3 preloading modes:
Synchronous: Specifies that the packages should be preloadinginto the engine before committed.
Asynchronous: Specify that the packages should be preloaded intothe engine asynchronously with the rest of the commit process. This
mode is useful for ledger integrations that cannot handle
long-running submissions (> 10s). Failure of the preloading process
will not affect the commit.
Preloading: Specify that the packages should not be preloaded intothe engine.
CHANGELOG_BEGIN
daml.kvutils.committer.package_upload.validate_timerto trackpackage validation time.
CHANGELOG_END
Pull Request Checklist
CHANGELOG_BEGINandCHANGELOG_ENDtagsNOTE: CI is not automatically run on non-members pull-requests for security
reasons. The reviewer will have to comment with
/AzurePipelines runtotrigger the build.