[fm] resource deletion: tombstones, version guard, tracker-based GC

[mergeconflict]

This PR lets us delete resources that were created by executing a FM sitrep. This turns out to be tricky, so there are a few parts to it. First, two new bits of data we persist in CRDB:

• We introduce a new singleton fm_rendezvous_progress table that identifies the latest sitrep version that was successfully, completely executed.
• We also introduce a time_deleted tombstone on alerts and support bundles. When an alert or bundle that was created by FM is deleted (out of band, say, by an operator), we tombstone it rather than hard-deleting.

We use these new tools together as follows:

• First, the progress tracker, used as a guard in SitrepVersionGuardedInsert, prevents us from attempting to insert resources in stale sitreps that were already previously executed.
• Next, the tombstone, along with our use of ON CONFLICT DO NOTHING in the create transaction, prevents us from inadvertently resurrecting a deleted resource.
• Finally, the two work together: we know that we can hard-delete a tombstoned resource when no sitrep version greater than or equal to the progress tracker contains an AlertRequest or SupportBundleRequest for that resource.

I thought at first that these two mechanisms must be redundant, but they aren't. Without the progress tracker, it would never be safe to hard-delete a tombstoned resource, because any Nexus instance can have an arbitrarily stale sitrep in memory. And without the tombstones, newer sitrep versions that have copied forward a previously executed AlertRequest or SupportBundleRequest would resurrect deleted resources.

Closes #10248.

[smklein]

Production code really should not be doing full table scans - this is a lever we've permitted for tests, but it's something we really need to avoid in queries a customer might issue.

It violates the principle from RFD 192:

Database queries should be scalable, by which we mean the latency should be pretty consistent even as the database grows.

[smklein]

Yeah, this is a problem! I don't think we should merge this as-is.

This should be doable if we have sufficient indices on the target table - only scanning through the "deleted rows", or a fraction of the deleted rows (e.g., ordered by time), with appropriate indices SHOULD NOT require a full-table scan.

We have examples of several tests which use explain_async, from nexus/db-queries/src/db/explain.rs, to EXPLAIN the query, and validate that it does not contain FULL SCAN. For example: explain_rx_list_resendable_events - that's a pretty quick feedback loop for fixing/testing this.

[smklein]

Just to confirm, this means that if any of the rendezvous/execution tasks in a sitrep encounter an error, we'll be unable to mark it as "fully processed"? this seems like a pretty significant downside

[smklein]

Nit: I kinda think this is a smell - it's requiring modify access to the db, and it couuuuuld be increasing contention depending on when CRDB is locking?

I agree that it's "probably fine" for tests but I would not recommend doing this if anything outside tests wanted to read this value

[smklein]

I believe that this rendezvous task will grow significantly in complexity over time.

I understand the inclination to have "one generation representing the full completion of a sitrep", but I think the qualifier for "has a sitrep successfully executed" will get messier and more complex. There may be chunks of it, on an otherwise functioning system, that don't complete successfully for a long time!

In #10248, when I described generation numbers, I mentioned the following:

When updating a database row - like "fm_alert" - create an auxiliary table which is called something like "fm_alert_metadata". This table should contain the generation number of the sitrep (or an equivalent "only increasing" generation for the set of alerts emitted by that sitrep).

I understand that this PR is trying to do something similar, with a bit of a shortcut: instead of one-per-table generation numbers, it's trying to mash "everything in the sitrep together" and represent that via fm_rendezvous_progress. But I want to provide warning -- doing so introduces a fair bit of unnecessary coupling.

Here's an example: a customer has wired up the notification system for webhooks, telling them when something has gone wrong on the rack. If this is configured incorrectly - e.g., hits an endpoint we can't reach - the error means we'll be unable to do any garbage collection across any rows, because latest_processed_sitrep_version will be stuck and unable to move.

[smklein]

Also, because this table is generic, it seems really important to me that it fully encapsulates every step the sitrep rendezvous is doing. I think it's "technically correct" today, but adding a new step and forgetting to check for !new_step.details.errors.is_empty() would be a big problem - especially because the latest_processed_sitrep_version is generic enough to imply "everything completed".

[smklein]

"is still meaningful" in the case of GC'-ing the sitrep_history row has a bunch of asterisks here

If we remove the row from fm_sitrep_history, any tombstoned rows introduced in that sitrep would be hard-deleted immediately, because the NOT(EXISTS(...)) call in the sweep would be empty

[smklein]

Without this column, the old code assumed that "if a support_bundle row exists, it is not deleted". This change breaks that contract - and will require all "readers of support bundles" to check the new time_deleted column.

I found (at least) the following spots where we are reading support_bundles, but not using this field, which could result in "using support_bundles that should have been deleted":

• nexus/db-queries/src/db/datastore/support_bundle.rs: support_bundle_list
• nexus/db-queries/src/db/datastore/support_bundle.rs: support_bundle_list_assigned_to_nexus
• nexus/db-queries/src/db/datastore/support_bundle.rs: support_bundle_fail_expunged (when reading bundles_with_bad_nexuses)
• nexus/db-queries/src/db/datastore/support_bundle.rs: support_bundle_update
• nexus/db-queries/src/db/datastore/support_bundle.rs: support_bundle_update_user_comment
• nexus/db-lookup/src/lookup.rs: Uses lookup_resource!, but says soft_deletes = false for Support Bundles, which is wrong.

[smklein]

I mentioned this below, but I find the term "tracker" vague, and hard to parse here without knowing the precise context of this PR: Is it tracking the most recent sitrep? The sitrep we tried to execute? The sitrep which fully executed? That nuance matters, and "tracker" omits it

[smklein]

WDYT about making this deletion instead do:

• Read the row (return Ok() if it doesn't exist, or has been soft-deleted)
• Decide if it's FM managed
• Either UPDATE or DELETE, but not both?

I've tried to read through this current implementation as it stands, and I think it's correct (as long as case_id is immutable), but it just seemed odd to me to have the "two mutations" back-to-back. But maybe I'm over-indexing on this.

[smklein]

probably worth acknowledging somewhere: successful sweeping of tombstones is not actually necessary to advance latest_processed_sitrep_version, even though it does happen as a part of rendezvous?

[hawkw]

Overall, I think @smklein's review already hit the most important issues:

1. We should be paginating the deletion queries to avoid full table scans
2. We should probably be tracking execution progress on the basis of individual resource types (alerts, support bundles, etc), rather than across all tables that FM rendezvous might ever touch
3. I think we should definitely be using the CAST sentinel for failing the CTE, rather than the divide by zero sentinel, so that we can have some more confidence that we are not failing the CTE because we actually divided by zero or something.

Besides that, I left a handful of smaller suggestions, but I think Sean got all the most important ones.

[hawkw]

small note here: i notice that here we are printing the current sitrep's ID, and the version of the last fully executed sitrep...this is a bit unhelpful, as the reader cannot tell whether or not those refer to the same sitrep without having to run more commands to figure out which sitrep the latest executed version is. what do you think about maybe changing the FmRendezvousStatus type to include both the current sitrep's ID and version, so that we can print something like:

    current sitrep: f5391283-aa51-4abc-bee3-b4181a056ebc
      version: 69
      latest fully-processed sitrep version: 42

[hawkw]

i'm not totally sure what "skipped (stale sitrep)" means --- is this referring to the count of requested entities which were not created because they were already deleted in a future sitrep? it would be nice if this was a bit clearer about its meaning...

[hawkw]

I'm not convinced that this is true (or necessary?), since we don't really have any other code paths that delete alerts at this time. We might end up also having those code paths soft-delete alert records as well. I don't think it's necessarily worth designing for both soft- and hard-deletes depending on where the alert came from at this point?

[hawkw]

nit: I think this should probably be a Generation rather than an i64 --- this would allow the user to pass 0 or -69420, neither of which are valid sitrep versions?

[hawkw]

this is probably my fault for not doing an authz check in alert_create 😬

It's worth noting that alerts are authz resources:

omicron/nexus/auth/src/authz/api_resources.rs

Lines 1795 to 1801 in 61a6d60

	authz_resource! {
	name = "Alert",
	parent = "Fleet",
	primary_key = { uuid_kind = AlertKind },
	roles_allowed = false,
	polar_snippet = FleetChild,
	}

so we should be able to do authz checks for them. for instance, alert_delete() should probably take an authz::Alert rather than an AlertUuid...