feat(core): protect MFS root in node with lock

[schomatis]

Depends on #8574. Please review and land that first to simplify this diff.

Replace the readily accessible MFS root in the node (FilesRoot) with a lock-protected version (LockedFilesRoot).

Testing: We currently only do a basic test manually (through the temporarily added script test-mfs-lock.bash), but we should look for a robust way to test the lock (preferably not through sharness/bash but through the internal Go API).

Note that this entire logic applies only when having a daemon running where the different GC and files commands contend for the same MFS root. If the commands are run in standalone mode then each one will contend for the entire repo's lock (and this mechanism isn't relevant there).

TODO:

• Update this description according to the new changes.
• Land chore(cmds): encapsulate ipfs rm logic in another function #8574 on which this depends.
• Figure out how to reliably test this (that is, how to test that the race condition doesn't happen anymore). I haven't seen any sharness test that could be used as models.
• Resolve the blocking FIXMEs.
• Review the unlocks and be more fine-grained where possible instead of using defer always.

Closes #6113.

[BigLep]

Assigned to @petar for review as this is a newer area for all the current go-ipfs stewards.

[petar]

@aschmahmann This design takes a high-level lock on all of MFS while running cli commands or the GC. On the one hand, this approach is a little error-prone because we need to make sure that this lock is used in all app-level code that touches MFS. On the other hand, after doing some thinking, I don't think it is easy to implement per-node locking in MFS. So, for now, it seems that the approach in this PR is fine for fixing the issue in the short term.

[aschmahmann]

Taking a high level lock here is unfortunate, but isn't really any different than locking around Pin operations. It also seems fairly straightforward to implement.

In theory we could leverage the existence of the flush command here to allow accumulating data that's protected from GC, but given other work we'd like to do around MFS and GC (independently and together) it doesn't seem worth the effort at the moment.

[schomatis]

@aschmahmann From your previous comment I take it you approve the direction of this PR but could you make it explicit here just to make sure I'm on the right track before proceeding, please?

[aschmahmann]

@schomatis yes, having a global write lock on MFS seems like the best thing to do in this PR.

For reads we might want to be more careful than a global lock though. For example, not locking ipfs files ls or ipfs files stat while GC is ongoing, but preventing corruption between MFS write and read operations (out of date data, is fine with concurrent operations, but corruption would be bad). It might be that MFS already handles some of this, but we should verify.

If we find ourselves stuck with locking on some of the read commands I'd really like ipfs files stat /ipfs/.... to not utilize the same locking mechanism since the data is immutable and shouldn't need to be locked. It's also important in order to make sure nobody has a reason to continue using ipfs object stat.

[schomatis]

Continuing with this.

[schomatis]

I'd really like ipfs files stat /ipfs/.... to not utilize the same locking mechanism since the data is immutable and shouldn't need to be locked.

Confirming this is already the case since the /ipfs/ prefix is handled through a different API and doesn't use the MFS root:

https://github.com/ipfs/go-ipfs/blob/c00065cc8412ec660037f3fed4df7d3fed467b17/core/commands/files.go#L424-L429

[petar]

I would go for this option, because this will help someone using the new version of the code figure out what is going on. It does not look like there is any danger of old incorrect code compiling quietly.

[petar]

Sounds good.

[petar]

I would leave things exactly as you have them right now. There are bigger issues with MFS locking that cannot be resolved by any sort of locking on the root alone. This PR is trying to just fix races between GC and competing command-line MFS operations.

[petar]

I like the interface of LockedFilesRoot, because having only RLock and Lock methods forces whoever is touching this code to think/ask what is going on.

[schomatis]

Yes, sorry, this is actually a non-blocking fixme, just a note of a possible direction down the road, will clarify that.

[petar]

That's the best we can do for now without a total redesign of MFS, I think.

[petar]

See/Similar to comments below. That's the best we can do now. Even though this code has no effect at all (because the root cannot change inside LockedFilesRoot), it still seems useful to make someone staring at the code to be puzzled and investigate what this lock is all about.

[petar]

I think the way you've implemented the timeout the command ipfs files write does not exit until the timeout expires, consequently the lock is never present for the next command ipfs repo gc

[schomatis]

the command ipfs files write does not exit until the timeout expires,

Correct. My bash is very poor but the idea was to have the above command running in the background while ipfs repo gc attempts to take the lock and has to wait until ipfs write releases it, where then I see both command's outputs roughly simultaneously.

But anyway, this is just a temporary ad-hoc test while in the draft stage; I still don't know how to actually test this in production to get this code ready to merge.

[schomatis]

@aschmahmann Petar confirmed the current proposal but I'm still stuck on how to test it other than some manual confirmation than the lock is being taken. How would you like to test this to wrap it up?