Persist zones

[ximon18]

WIP: Exploring an idea, learning how the new zone storage state works.

Status

Zone edits (e.g. via file edit and zone reload or due to changes received via XFR) are persisted both for loaded and signed zones. On application restart persisted zones are restored and cascade zone status and dig AXFR appear to work as they did prior to application shutdown.

The code has been initially reviewed and led to some wanted changes:

• @bal-e will extend the zonedata crate interface to enable moving some of the changes to Cascade itself.
• Invoke save_now() instead of mark_dirty(). This is because persisting zone data to disk not enough, as if there was a power outage between calling mark_dirty() and publication of the zone the paths to the persisted files (that are recorded in state) would not have been written to disk, thus save_now() should be invoked instead. We may actually want to invoke save_now() in the publication server itself to ensure all published zone related state is persisted, but that is out of scope for this PR.

tl;dr

• Extend Persister to write snapshots and deltas to disk (currently in DNS AXFR/IXFR wire format).
• Extend ZoneState with two vecs of paths to written snapshot and delta files.
• Introduce new storage state machine flows Uninitialized -> Passive and Uninitialized -> Restoring -> Passive
• Extend Loader::init() to invoke new Loader::restore() prior to invoking enqueue_refresh().
• Loader::restore() creates a Passive storage state populated from parsed snapshot and delta files as if the storage had moved through the pipeline being approved and signed (without actually invoking review hooks or doing signing).

PROs/CONs:

• PRO: Doesn't touch the existing pipeline flow.
• CON: Re-uses as much as it can but still has to emulate/copy some parts of the existing state machine logic to achieve the wanted end state.

Known issues:

• No/minimal logging, docs, tests, or proper error handling (there's a discussion to be had over whether or not failure to persist/restore should be fatal or not).
• No support (yet) for condensing/compacting/purging old persisted deltas.
• Binary snapshot/delta format is not inspectable by operators. Could add a `cascade debug subcommand to render a snapshot/delta in XFR presentation format.
• Will panic if snapshot/delta file is written then Cascade crashes before the vec of persisted file paths is updated/persisted, as on subsequent restart an attempt to persist to any existing file will be made which results in a panic.
• There's no "scheduling" or spreading out of zone restoration activity, like refreshing it happens as soon as possible on loader initialisation.
• The restoring state is not reflected in any status command output (yet).
• There are no metrics for the restoration process (yet).
• I have no idea if the unsafe { ... } blocks I had to add are "safe".
• I have no idea if the curr_/next_ loaded_/signed_ boolean flags are set correctly, though when they were wrong Cascade bailed out so I think they are now correct.
• Snapshots and deltas are loaded entirely into memory, while they could be processed in a streaming manner instead.
• The persistence location is hard-coded at the moment.
• Only tested (manually) on a small example.com zone so far.
• Clippy currently fails.

Alternative ideas

• Don't introduce new states, instead introduce a restoring flag that affects the behaviour of existing states so that a zone being restored can be moved through the pipeline without side effects (such as invoking review hooks or signing). This would however complicate the code/logic at multiple existing points in the pipeline for every update to every zone for a situation that only occurs once at startup, while the implemented approach leaves the existing pipeline flow untouched.
• Don't use the pipeline at all to restore, instead serialize the entire final zone state to disk and deserialize it back on restart.

Alternative snapshot/delta storage formats

A choice would need to be driven by requirements:

• Do we need to support IXFR out at the loaded review nameserver? If so, is just one delta enough? Actually do we even need to keep a loaded diff, a review hook would only need it for the next received zone update, not after restart.
• What do we tune for? Memory usage? Persistence speed? Restoration speed?

Some ideas:

• Presentation XFR format: was not done in this PR due to the pain of having to convert new base to old base to render in presentation format, and parsing DNS records in presentation format is only currently properly supported by domain/cascade for entire zones, though one could use the "treat a single RR line as a zonefile" hack that the Stelline code uses.
• (De)serialize cascade DiffData to JSON/CBOR/whatever. Would tie the format to the internal format, changing the internal format would require writing additional code to handle storage format migration or support parsing old as well as new format. A PRO of this approach is being able to storage additional meta data with the snapshot/delta, if needed.

Issues encountered

• State machine naming is quite confusing, e.g. transition() does not do a transition, in fact things happen after such calls prior to an actual move_to transition occurring.
• I found trying to understand what the correct values for the instance data "double buffer" boolean flags should be at any particular point in the flow hard.
• The zone builder / replacer / patcher didn't work as I expected they would, I initially tried to populate then repeatedly patch a single builder but that failed, instead I have to jump through extra steps, e.g. see switch_loaded_data() and switch_signed_data().
• LoadedZonePatcher and SignedZonePatcher being separate types with identical interfaces but no common trait required creating duplicate code to use them even though the logic in both implementations is identical. A macro could be used to work around this but feels a bit heavy...
• The Persister interface has no context to work with. I had to extend it to pass it a file path for example. Maybe it should take a closer so that the non-zonedata related code like file i/o can be specified at the call site?
• Using booleans to index into the "double buffer" is confusing, and they have to be converted to usize anyway before they can be used as indices.

---

• If you are changing Rust code or integration tests (Cargo.*, crates/, etc/, integration-tests/, src/):
  • Did you run the integration tests with act through the act-wrapper (as described in TESTING.md)?

[bal-e]

@ximon18 and I had a discussion while I was writing this review, and decided that I will add commits changing the PR to implement a new approach for the zone data storage state machine. I've left these comments here for us to come back once I'm done; I also didn't review everything, so there will be more to come.

[bal-e]

Are these fields necessary, if this state is only used at the very beginning (where they would both be 0/false)?

[bal-e]

This type (and RestoringPersistedStorage below) need documentation, similar to the other types in this file. I'm happy to write it by adding to the PR.

[bal-e]

{} vs:{} -> {} vs {}?

[bal-e]

I don't think the serial number should be extracted here. Perhaps we need methods on LoadedZoneBuilt and SignedZoneBuilt that give you readers so you can observe the data, or just getters for the serial?

[bal-e]

You should also check loaded_built. And the assert message should clarify which parameter it is referring to.

[bal-e]

I'd prefer the above commented-out initialize() function over this silent automatic conversion. Especially since it should only occur at startup and we can handle it outside this function.

[bal-e]

With the current setup, we might actually want to do this check in other places, but it is hard to tell.

[bal-e]

This code does not correctly handle the reviewer types. They should be passed back into the storage state machine, so it can guarantee that viewers only exist for the permitted 0/1 instances. We should discuss what the right adjustments to the storage state machine's flow are.

[bal-e]

It might be better to omit this state entirely and only have a Restoring state, which can then decide to proceed with or skip restoring. Restoring might already need that functionality, e.g. if the previously persisted instances could not be found.

[bal-e]

The enum variant name should match the underlying name, for consistency. I think the underlying type should be RestoringStorage.

[bal-e]

Perhaps we want to change this function so it no longer returns reviewers? That might be easier all around.