clusterversion: prevent upgrades from development versions #86345
Conversation
|
This change is |
dt
changed the title
|
I went back and forth on what the flow should be on release branches: should every addition of a version -- of which there should be few / none after the mint -- adjust the unstable-above pointer to end-of-list? I didn't want to to be automatic, at least not on master, as that'd defeat the point. Should I condition on isReleaseBranch? Should release team just mint a new version for each beta/rc and be in charge of moving the pointer when they do so, e.g. so a random build from the release branch between RCs would call any new versions since the last unstable? What about the fact that we just forgot to set isReleaseBranch on a release branch for months? I think I found something I'm happy with in the most recent revisions here though, doing away with the mistake-prone isReleaseBranch while I'm at it: Thus, I believe the flow now would be:
|
dt
force-pushed
the
no-upgrade-master
branch
2 times, most recently
from
5b0a96f
to
d271321
Compare
dt
force-pushed
the
no-upgrade-master
branch
2 times, most recently
from
9947a5b
to
5a511c2
Compare
There was a problem hiding this comment.
Thanks for putting this safeguard into place.
This makes sense to me --
Reviewed 2 of 4 files at r3, 12 of 12 files at r4, all commit messages.
Reviewable status:complete! 1 of 0 LGTMs obtained (waiting on @ajwerner, @bdarnell, @dt, and @stevendanna)
pkg/clusterversion/cockroach_versions.go line 536 at r4 (raw file):
// release, while on release branches it can be set to invalidVersionKey to // disable marking any versions as development versions. unstableVersionsAbove = V22_1
Ack. We'll update the stability period runbook accordingly, thanks.
Code quote:
// release, while on release branches it can be set to invalidVersionKey to
// disable marking any versions as development versions.
unstableVersionsAbove = V22_1
|
@ajwerner I'm going to leave this one to you to bors if you like it and approve it, or just close if you don't (which is also ok with me; I don't have my heart set on it). |
There was a problem hiding this comment.
Reviewed 4 of 4 files at r3, 9 of 12 files at r4.
Reviewable status:
Previously this isReleaseBranch could be easily forgotten during the release process leaving the check disabled. Now it will fail loudly if the binary version looks like a minted final ensuring we remember to set it. Release note: none. Release justification: low risk, high benefit change to make sure an existing safety check is used.
celiala
force-pushed
the
no-upgrade-master
branch
from
5a511c2
to
403400d
Compare
celiala
force-pushed
the
no-upgrade-master
branch
from
403400d
to
50aead6
Compare
This change defines a new "unstableVersionsAbove" point on the cluster version line, above which any cluster versions are considered unstable development-only versions which are still subject to change. Performing an upgrade to a version while it is still unstable leaves a cluster in a state where it persists a version that claims it has done that upgrade and all prior, however those upgrades are still subject to change by nature of being unstable. If it subsequently upgraded to a stable version, this could result in subtle and nearly impossible to detect issues, as being at or above a particular version is used to assume that all subsequent version upgrades _as released_ were run; on a cluster that ran an earlier iteration of an upgrade this does not hold. Thus to prevent clusters which upgrade to development versions from subsequently upgrading to a stable version, we offset all development versions -- those above the unstableVersionsAbove point -- into the far future by adding one million to their major version e.g. v22.x-y becomes 1000022.x-y. This means an attempt to subsequently "upgrade" to a stable version -- such as v22.2 -- will look like a downgrade and be forbidden. On the release branch, prior to starting to publish upgradable releases, the unstableVersionsAbove value should be set to invalidVersionKey to reflect that all version upgrades in that release branch are now considered to be stable, meaning they must be treated as immutable and append-only. Release note (ops change): clusters that are upgraded to an alpha or other manual build from the development branch will not be able to be subsequently upgraded to a release build. Release justification: high-priority change to existing functionality, to allow releasing alphas with known version upgrade bugs while ensuring they do not subsequently upgrade into stable version but silently corrupted clusters.
celiala
force-pushed
the
no-upgrade-master
branch
from
50aead6
to
ebb812e
Compare
|
TFTR! bors r=ajwerner |
|
Build succeeded: |
This change defines a new "unstableVersionsAbove" point on the cluster
version line, above which any cluster versions are considered unstable
development-only versions which are still subject to change.
Performing an upgrade to a version while it is still unstable leaves a
cluster in a state where it persists a version that claims it has done
that upgrade and all prior, however those upgrades are still subject to
change by nature of being unstable. If it subsequently upgraded to a
stable version, this could result in subtle and nearly impossible to
detect issues, as being at or above a particular version is used to
assume that all subsequent version upgrades as released were run; on a
cluster that ran an earlier iteration of an upgrade this does not hold.
Thus to prevent clusters which upgrade to development versions from
subsequently upgrading to a stable version, we offset all development
versions -- those above the unstableVersionsAbove point -- into the far
future by adding one million to their major version e.g. v22.x-y becomes
1000022.x-y. This means an attempt to subsequently "upgrade" to a stable
version -- such as v22.2 -- will look like a downgrade and be forbidden.
On the release branch, prior to starting to publish upgradable releases,
the unstableVersionsAbove value should be set to invalidVersionKey to
reflect that all version upgrades in that release branch are now
considered to be stable, meaning they must be treated as immutable and
append-only.
Release note (ops change): clusters that are upgraded to an alpha or
other manual build from the development branch will not be able to be
subsequently upgraded to a release build.
Release justification: high-priority change to existing functionality,
to allow releasing alphas with known version upgrade bugs while ensuring
they do not subsequently upgrade into stable version but silently
corrupted clusters.