On 08/03/16 06:48, Stian Thorgersen wrote:
What about obtaining a database lock on a table/column? That would
automatically be freed if the transaction dies.
You mean something like "Give
me lock for table XY until end of
transaction" ? I doubt there is some universal solution for something
like this, which will reliably work with all databases which we need to
support :/ Otherwise I guess liquibase would already use it too?
Currently it works the way that lock is obtained by updating the column
in database. Something similar to "UPDATE DATABASECHANGELOGLOCK set
LOCKED=true where ID=1" .
Note there is always single record in this table with ID=1. Something
similar is done for Mongo too.
The lock is released in "finally" block if something fails. The only
possibility how can DB remains locked is if someone force to kill the
process (like "kill -9" command, then finally blocks are not called) or
if network connection between server and DB is lost. The chance of this
is very low IMO and we have option to manually recover from this.
Marek
-1 To having a timeout, I agree it's dangerous and could leave the DB
inconsistent so we shouldn't do it
On 7 March 2016 at 21:59, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
Then the record in DB will remain locked and needs to be fixed
manually. Actually the same behaviour like liquibase. The
possibilities to repair from this state is:
- Run keycloak with system property
"-Dkeycloak.dblock.forceUnlock=true" . Then Keycloak will release
the existing lock at startup and acquire new lock. The warning is
written to server.log that this property should be used carefully
just to repair DB
- Manually delete lock record from DATABASECHANGELOGLOCK table (or
"dblock" collection in mongo)
The other possibility is that after timeout, node2 will assume the
current lock is timed-out and will forcefully release existing
lock and replace with it's own lock. However I didn't it this way
as it's potentially dangerous though - there is some chance that 2
nodes run migration or import at the same time and DB will end in
inconsistent state. Or is it acceptable risk?
Marek
On 07/03/16 19:50, Stian Thorgersen wrote:
> 900 seconds is probably ok, but what happens if the node holding
> the lock dies?
>
> On 7 March 2016 at 11:03, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> Send PR with added support for $subject .
>
https://github.com/keycloak/keycloak/pull/2332 .
>
> Few details:
> - Added DBLockProvider, which handles acquire and release of
> DB lock.
> When lock is acquired, the cluster node2 needs to wait until
> node1
> release the lock
>
> - The lock is acquired at startup for the migrating model
> (both model
> specific and generic migration), importing realms and adding
> initial
> admin user. So this can be done always just by one node at a
> time.
>
> - The lock is implemented at DB level, so it works even if
> infinispan
> cluster is not correctly configured. For the JPA, I've added
> implementation, which is reusing liquibase DB locking with
> the bugfix,
> which prevented builtin liquibase lock to work correctly.
> I've added
> implementation for Mongo too.
>
> - Added DBLockTest, which simulates 20 threads racing for
> acquire lock
> concurrently. It's passing with all databases.
>
> - Default timeout for acquire lock is 900 seconds and the
> time for lock
> recheck is 2 seconds. So if node2 is not able to acquire lock
> within 900
> seconds, it fails to start. There is possibility to change in
> keycloak-server.json. Is 900 seconds too much? I was thinking
> about the
> case when there is some large realm file importing at startup.
>
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> <mailto:keycloak-dev@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>