Remove race condition when accessing remote bulker map

[michel-laterman]

What is the problem this PR solves?

Remove a race condition/bug that may occur when remote ES outputs are used.

How does this PR solve the problem?

Use the remoteOutputMutex whenever accessing the bulkerMap.
Change GetBulkerMap to return a copy of the map so that remote output health will not conflict with adding/removing a bulker from the map.

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

Related issues

• Closes Test_Agent_Remote_ES_Output flaky due to race #4170

[mergify]

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

[michel-laterman]

From what I can see, we had a flaky test because the policy self-monitor (internal/pkg/policy/self.go) was getting the bulker map in order to check remote output health; but we did not prevent our policy output preparation from creating a new bulker concurrently (internal/pkg/policy/policy_output.go).
I've changes our maps to sync.Map as we weren't properly using the mutex we had, and changed this func to return a copy instead

[kaanyalti]

Can this panic?

[michel-laterman]

it shouldn't, we are only adding Bulkers

[kaanyalti]

I'm assuming it is guaranteed that the sync.Map will only hold bulker type, is that the case?

[michel-laterman]

yes

[michel-laterman]

I added some benchmarks, and ran them against main for comparison.
Note that while main has a RWMutex, it's only used in the updateBulkerMap func, but not in GetBulker, CreateAndGetBulker.
This PR also uses a sync.Map for remoteOutputConfigMap, and main does not.

Benchmarks were ran with go test -bench=Benchmark_CreateAndGetBulker -count 10 .

goos: darwin
goarch: arm64
pkg: github.com/elastic/fleet-server/v7/internal/pkg/bulk
cpu: Apple M3 Pro
                                              │  main.txt   │              sync.txt               │
                                              │   sec/op    │    sec/op     vs base               │
_CreateAndGetBulker/new_remote_bulker-12        44.62µ ± 7%   45.56µ ± 10%       ~ (p=0.529 n=10)
_CreateAndGetBulker/existing_remote_bulker-12   658.5n ± 3%   710.3n ±  6%  +7.86% (p=0.000 n=10)
_CreateAndGetBulker/changed_remote_bulker-12    46.27µ ± 9%   47.56µ ±  5%       ~ (p=0.529 n=10)
geomean                                         11.08µ        11.55µ        +4.22%

                                              │   main.txt   │              sync.txt               │
                                              │     B/op     │     B/op      vs base               │
_CreateAndGetBulker/new_remote_bulker-12        39.30Ki ± 0%   38.79Ki ± 0%  -1.30% (p=0.000 n=10)
_CreateAndGetBulker/existing_remote_bulker-12     591.0 ± 0%     623.0 ± 0%  +5.41% (p=0.000 n=10)
_CreateAndGetBulker/changed_remote_bulker-12    38.78Ki ± 1%   38.78Ki ± 1%       ~ (p=0.896 n=10)
geomean                                         9.582Ki        9.709Ki       +1.32%

                                              │  main.txt   │              sync.txt               │
                                              │  allocs/op  │  allocs/op   vs base                │
_CreateAndGetBulker/new_remote_bulker-12        1.033k ± 0%   1.039k ± 0%   +0.58% (p=0.000 n=10)
_CreateAndGetBulker/existing_remote_bulker-12    11.00 ± 0%    13.00 ± 0%  +18.18% (p=0.000 n=10)
_CreateAndGetBulker/changed_remote_bulker-12    1.038k ± 0%   1.042k ± 0%   +0.39% (p=0.000 n=10)
geomean                                          227.6         241.4        +6.07%

[michel-laterman]

I'm not sure why, but this causes issues when make benchmark is ran, but these tests can be ran individually without this

[michel-laterman]

buildkite test this

[cmacknz]

My take on this is that this is a real bug, the GetBulkerMap() method introduced to support remote outputs isn't concurrency safe and really can't be unless you do something like this.

I don't like the use of sync.Map to solve this, primarily because it removes type safety in a codebase that I already find hard to follow with many levels of interface abstraction. I also don't see us satisfying the two criteria where sync.Map recommends its use: https://pkg.go.dev/sync#Map. I also don't like that it will encourage us to just randomly access the bulker everywhere but TBH that is kind of how it is designed to be used right now.

The Map type is optimized for two common use cases: (1) when the entry for a given key is only ever written once but read many times, as in caches that only grow, or (2) when multiple goroutines read, write, and overwrite entries for disjoint sets of keys. In these two cases, use of a Map may significantly reduce lock contention compared to a Go map paired with a separate Mutex or RWMutex.

We don't satisfy 1 because outputs can be changed, updated, and deleted. We don't satisfy 2 because the entire point of GetBulkerMap is to look at every key and not some non-overlapping set of keys.

It looks like we could solve this but just introducing a RWMutex for all the uses of bulkMap. There are several that are not mutex protected.

fleet-server/internal/pkg/bulk/engine.go

Lines 127 to 128 in 6b29ab4

	bulkerMap: make(map[string]Bulk),
	}

The GetBulkerMap method only has one use and it is to get the output name and client for each existing output. Rather than return a reference to the map, you can just hold a mutex to return a copy of those two things. Assuming the client is safe for concurrent access. GetBulkerMap shouldn't exist in its current form.

You could potentially rewrite the way the remote ES output healthcheck works to not need a concurrent map at all. The self monitor could listen on a channel for state updates from each attempt to interact with the remote ES update that could fail or something like that.

[cmacknz]

I'm not really worried about the performance implications of this after read the code involved. I think that was just a way to see if use of sync.Map was justified. I don't think it is for non-performance reasons (interfaces, ugh).

[michel-laterman]

I'll reimplement the mutex and create an issue to discuss remote output health

[michel-laterman]

Issue: #4185
I think we should remove remote health reporting from the policy self-monitor as it does nothing to the (fleet-server) status, but we can discuss it in the issue.

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
50.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube