object store metastore

[igalshilman]

Object store backed Metadata store

This PR introduces a new type of a metastore that uses S3 (any similar) object stores that support conditional updates.

end result

running the following:

export AWS_REGION=eu-central-1
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_SESSION_TOKEN="

export AWS_ENDPOINT=https://s3.eu-central-1.amazonaws.com

export AWS_PROVIDER_NAME=Static
export RESTATE_METADATA_STORE_CLIENT__TYPE="object-store"
export RESTATE_METADATA_STORE_CLIENT__BUCKET="XXXXXXXX"
export RESTATE_METADATA_STORE_CLIENT__CREDENTIALS__TYPE="aws-env"

cargo run --example three_nodes_and_metadata -- --nocapture

starts a 3 node cluster that uses an s3 bucket for a metadata storage:

[nix-shell:~/work/restate]$ ./source.s3.sh 
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.73s
     Running `target/debug/examples/three_nodes_and_metadata --nocapture`
2024-11-27T14:38:34.545666Z  INFO restate_local_cluster_runner::cluster: Starting cluster test-cluster in /home/igal/work/restate/restate-data
2024-11-27T14:38:34.549226Z  INFO restate_local_cluster_runner::node: Started node metadata-node in /home/igal/work/restate/restate-data/metadata-node (pid 233735)
2024-11-27T14:38:35.825120Z  INFO three_nodes_and_metadata: admin node started: 2024-11-27T14:38:35.824212Z  INFO restate_node: Restate server is ready
2024-11-27T14:38:35.984871Z  INFO restate_local_cluster_runner::node: Node metadata-node admin check is healthy after 6 attempts
2024-11-27T14:38:35.989555Z  INFO restate_local_cluster_runner::node: Started node node-1 in /home/igal/work/restate/restate-data/node-1 (pid 233916)
2024-11-27T14:38:35.994266Z  INFO restate_local_cluster_runner::node: Started node node-2 in /home/igal/work/restate/restate-data/node-2 (pid 233917)
2024-11-27T14:38:35.998782Z  INFO restate_local_cluster_runner::node: Started node node-3 in /home/igal/work/restate/restate-data/node-3 (pid 233918)

listing the bucket yields the possible keys

[nix-shell:~]$ aws s3 ls s3://XXXX
2024-11-27 15:38:40       1221 bifrost_config
2024-11-27 15:38:38        950 nodes_config
2024-11-27 15:35:54        385 partition_table
2024-11-27 15:38:41        112 pp_epoch_0
2024-11-27 15:38:41        112 pp_epoch_1
2024-11-27 15:38:41        112 pp_epoch_2
2024-11-27 15:38:41        112 pp_epoch_3
2024-11-27 15:38:40        519 scheduling_plan

Additional configuration keys

[metadata-store-client]    
type = "object-store"    
bucket = "restate-metadata"    
    
[metadata-store-client.credentials]    
type = "aws-env"  

How does this work?

This is basically a client, each node runs an instance of this client, and the clients are using S3's optimistic concurrency control to move forward the different keys.

currently the only support cred type are AWS_X env variables, a followup referenced here in the conversation would be to plug in additional cred providers (unify the work done by @pcholakov )

[tillrohrmann]

Thanks for creating our object store based metadata store @igalshilman :-) It looks really nice! The implementation looks correct to me :-)

I left a few minor comments and questions. The one thing that is not fully clear to me is whether we want to clean up older versions or not. If not, would this be problematic for the get_latest_version which needs to list more and more versions?

[tillrohrmann]

Can this await take a long time? If yes, then maybe select over the shutdown to also support shutdowns during this time.

[igalshilman]

Can this await take a long time?

not any more.

[tillrohrmann]

Probably something we want to make configurable at some point.

[igalshilman]

outdated, it doesn't exists any more.

[tillrohrmann]

Would a bounded sender also work?

[tillrohrmann]

The error messages seem to be copied from the get call.

[tillrohrmann]

I guess the json encoding would be more helpful if the values were also encoded in json?

[tillrohrmann]

Why does the OptimisticLockingMetadataStore implements the MetadataStore?

[igalshilman]

fixed, it is not any more.

[tillrohrmann]

Can this also be a CachedStore (w/o ArcSwap<Option<>>) and change the methods to take a mutable borrow?

[igalshilman]

If it won't implement the metastore trait then I can do that.
Let me try this out.

[igalshilman]

worked out beautifully 🧑‍🍳

[tillrohrmann]

We might be able to replace this with a RetryPolicy.

[tillrohrmann]

The correctness of the implementation relies on the fact that our version space won't have any wholes, right? I guess this makes cleaning older versions up a bit more tricky.

[tillrohrmann]

Maybe assert that new_store.current_version() == cached_store.store.version().next() to state that there mustn't be any wholes.

[pcholakov]

I think we might have a better path to implement this, using Object Versioning. A quick search shows that this is supported across MinIO / Azure / GCP, here's the S3 documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html.

Here's a sketch of the conditional PUT path:

async fn put(
    &self,
    key: ByteString,
    value: VersionedValue,
    precondition: Precondition,
) -> Result<(), WriteError> {
    let key = object_store::path::Path::from(key.to_string());

    match precondition {
        Precondition::MatchesVersion(version) => {
            // If we have a cached version, we can also add an if-modified-since condition to the GET.
            // Unfortunately we can't set the version explicitly, and a HEAD request doesn't return enough
            // information to determine our own metadata value version.
            let get_result = self.object_store.get(&key).await.map_err(|e| {
                WriteError::Internal(format!("Failed to check precondition: {}", e))
            })?;

            if extract_object_version(&get_result.payload) != version {
                return Err(WriteError::FailedPrecondition(
                    "Version mismatch".to_string(),
                ));
            }

            self.object_store
                .put_opts(
                    &key,
                    PutPayload::from_bytes(serialize_versioned_value(value)),
                    PutOptions::from(PutMode::Update(UpdateVersion::from(&get_result))),
                )
                .await
                .map_err(|e| WriteError::Internal(format!("Failed to update value: {}", e)))?;

            Ok(())
        }
        _ => todo!(),
    }
}

Unfortunately we don't control the versions; in S3 they are a monotonic numbered sequence but we don't get to set them directly - rather, S3 will set them for us. Our own API relies on explicit versions so I'm assuming we'll just serialize them along with the rest of the payload as the object body.

A normal GET request implicitly returns the latest version, no further tricks required. It's also possible to request a particular previous version, but that's not needed for our API. Might be useful for troubleshooting though! (And I'd seriously consider serializing the values as JSON for operations friendliness.)

The only requirement for this all to work is that we must use a bucket with object versioning enabled, which is not the default but is trivial to set. S3 and other stores also support automatic cleanup of old versions using object lifecycle policies, so we don't need to implement that ourselves.

[pcholakov]

I prefer the !is_some_and(...) version personally.

[pcholakov]

I think we can do this without LIST operations but rather using object versioning.

[tillrohrmann]

I think we might have a better path to implement this, using Object Versioning. A quick search shows that this is supported across MinIO / Azure / GCP, here's the S3 documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html.

Here's a sketch of the conditional PUT path:

async fn put(
    &self,
    key: ByteString,
    value: VersionedValue,
    precondition: Precondition,
) -> Result<(), WriteError> {
    let key = object_store::path::Path::from(key.to_string());

    match precondition {
        Precondition::MatchesVersion(version) => {
            // If we have a cached version, we can also add an if-modified-since condition to the GET.
            // Unfortunately we can't set the version explicitly, and a HEAD request doesn't return enough
            // information to determine our own metadata value version.
            let get_result = self.object_store.get(&key).await.map_err(|e| {
                WriteError::Internal(format!("Failed to check precondition: {}", e))
            })?;

            if extract_object_version(&get_result.payload) != version {
                return Err(WriteError::FailedPrecondition(
                    "Version mismatch".to_string(),
                ));
            }

            self.object_store
                .put_opts(
                    &key,
                    PutPayload::from_bytes(serialize_versioned_value(value)),
                    PutOptions::from(PutMode::Update(UpdateVersion::from(&get_result))),
                )
                .await
                .map_err(|e| WriteError::Internal(format!("Failed to update value: {}", e)))?;

            Ok(())
        }
        _ => todo!(),
    }
}

Unfortunately we don't control the versions; in S3 they are a monotonic numbered sequence but we don't get to set them directly - rather, S3 will set them for us. Our own API relies on explicit versions so I'm assuming we'll just serialize them along with the rest of the payload as the object body.

A normal GET request implicitly returns the latest version, no further tricks required. It's also possible to request a particular previous version, but that's not needed for our API. Might be useful for troubleshooting though! (And I'd seriously consider serializing the values as JSON for operations friendliness.)

The only requirement for this all to work is that we must use a bucket with object versioning enabled, which is not the default but is trivial to set. S3 and other stores also support automatic cleanup of old versions using object lifecycle policies, so we don't need to implement that ourselves.

Wouldn't the PutMode::Update require an If-Match header support from S3? I thought that it currently only supports If-None-Match natively and for PutMode::Update one would have to use DynamoDB? Or is this different when using versioned buckets?

[pcholakov]

@tillrohrmann you are right, I was wrong; this should work on Minio and Cloudflare R2, but not with S3. I got excited when I saw how elegant the object versioning API looked but it requires If-Match support by the underlying object store, which is a no-go.

[pcholakov]

Added a couple more minor questions I had while unpacking this :-)

[pcholakov]

I'm wondering if approaching this as a into_builder() / build_next_version() might not be a safer API. Chaining multiple update_map calls will create gaps in the version sequence, which we want to avoid.

[igalshilman]

not sure what do you mean, it is an internal impl detail, the only way to get a new version is by using an update_map.
A builder would be implemented exactly like that and kept internal.

[pcholakov]

Would we not be better off doing this per metadata store key, rather than as a monolithic blob? We don't have a global linearizability requirement and writing key-value pairs as individual objects would reduce conflicts. Not too worried about the value sizes but there's still some nontrivial write amplification going on with the current implementation.

[igalshilman]

The blob is tiny ~ kb , mutations are rare. with that we can amortize API calls like listing etc'

[ScmTble]

@tillrohrmann you are right, I was wrong; this should work on Minio and Cloudflare R2, but not with S3. I got excited when I saw how elegant the object versioning API looked but it requires If-Match support by the underlying object store, which is a no-go.

https://aws.amazon.com/about-aws/whats-new/2024/11/amazon-s3-functionality-conditional-writes/ It seems support has been added

[tillrohrmann]

https://aws.amazon.com/about-aws/whats-new/2024/11/amazon-s3-functionality-conditional-writes/ It seems support has been added

Nice, this was quick 😄

[pcholakov]

Finally! 🎉😆

[tillrohrmann]

Thanks for updating this PR to use S3's new conditional put functionality @igalshilman :-) The changes look really nice :-) I left a few minor comments and suggestions. Did you try it out with a S3 bucket? +1 for merging.

I gues you could switch this PR from draft to normal.

[tillrohrmann]

Suggested change

	select! {
	tokio::select! {

to make it a tad bit clearer that we using Tokio's select statement.

[tillrohrmann]

I think this else branch will never be executed because the first branch will never be disabled. If you want to break out of the loop when receiver closes, then I would suggest to do have a result = receiver.recv() => {} and do the pattern matching in the body of this arm.

[tillrohrmann]

To link single brackets are enough [object_store]. Those are, however, only respected in rust doc and not normal comments.

[tillrohrmann]

Why is object_store behind an Arc? It seems that ObjectStoreVersionRepository won't be cloned. Then it could also be a simple Box.

[tillrohrmann]

Do we want to align the credentials configuration with https://github.com/restatedev/restate/pull/2310/files#diff-8fa554ac7edde3f870ebeeac919f0ae4109d0c3f6bbacc89847ec99aac7060e7R103-R128?

[igalshilman]

we talked about this with @pcholakov and agreed that we do this alignment as a followup once both of these prs are in, otherwise we'll be copy pasting code between PRs right now.

[tillrohrmann]

We could also spawn a multi threaded runtime via tokio::test(flavor = "multi-thread"). That way we also test parallelism. This is probably not super important, though.

[igalshilman]

that is very good idea, i'm going to change that.
my original intention was to see how it behaves with parallelism

[tillrohrmann]

If we pass in this buffer (using a BytesMut), then it could live in the OptimisticLockingMetadataStore and be reused across multiple serializations.

[tillrohrmann]

Suggested change

	/// configure the object store by setting the standard AWS env variables (prefixed with AWS_)
	/// Configure the object store by setting the standard AWS env variables (prefixed with AWS_)

[tillrohrmann]

This part will be added to our docs once we generate the config docs. Is this something we want to keep or is it for internal testing purposes?

[tillrohrmann]

You probably don't have to add this given that it's an identity function (String -> String).

[igalshilman]

Thanks for updating this PR to use S3's new conditional put functionality @igalshilman :-) The changes look really nice :-) I left a few minor comments and suggestions. Did you try it out with a S3 bucket? +1 for merging.

I gues you could switch this PR from draft to normal.

@tillrohrmann yes, the PR description shows a real AWS S3 interaction.