[Zope-Coders] MaintenanceMode of Proposals
Matthew T. Kromer
matt@zope.com
Thu, 12 Sep 2002 15:24:54 -0400
http://dev.zope.org/Wikis/DevSite/Proposals/MaintenanceMode
Rob Page and I have talked about puting a change into the proposed Zope
2.6 features list. Here is the proposal:
CONTACT
Matt Kromer
PROBLEM
Zope occasionally needs to be quiesced to perform some task, such as
rebuilding a catalog. If other users are using the Zope site, or are
writing to the database, this can have very negative impacts on the
maintenance. In a real-world situation, a catalog reindex that should
have taken 90 seconds to complete was never able to finish because of
conflicts with other catalog updates.
PROPOSED SOLUTION
The control panel will gain a new "Maintenance Activity" control, with
the following three positions: "Normal mode," "Concurrent (R/O)," and
"Exclusive" representing that the system is ether operating normally (no
maintenance), is allowing read-only connections from non-maintainers, or
is only allowing connections from the maintainer. The maintenance
activity state will be stored as an attribute on the application object,
and thus will be shared through a ZEO cluster.
A maintainer shall be the user who caused the system to go into
maintenance mode; this represents someone with Manager access to the
control panel. Once the system enters maintenance mode, only the the
maintainer or the emergency user can cause it to change state.
Any access to the system in "Concurrent (R/O)" maintenance by someone
other than the maintainer or the emergency user will be allowed to run,
but at transaction commit time any changes will be aborted; no write
activity will be allowed to the database.
Any access to the system in "Exclusive" maintenance by someone other
than the maintainer or the emergency user will be aborted immediately by
raising a System error.
The publisher, during initial invocation of a request, will determine
the maintenance mode and apply restrictions to the request, as
necessary. During the course of a retry of a transaction, the
maintenance state will be refetched.
FORSEEN RISKS
* Concurrent mode may inadvertently allow changes that are not
detectable at the time of transaction commit (ie changes that do
not participate with the transaction manager, such as invocation
of external methods, etc.)
* Long running transactions started before the maintenance state is
changed will not pick up the new state.
* The scope of the maintenance is system-wide. It would be
desireable in some instances to restrict it to certain paths only.
* It may be impossible to implement a reliable change detector for
some transactions in "concurrent" mode. The alternative of having
a transaction always vote "no" at commit time would raise an error
rather than allowing normal read activity to complete.
* It is unclear if maintenance should also implictly or explicitly
restrict the number of application threads, to prevent ANY other
application thread from running.
DELIVERABLES
Modifications to Zope's Publisher and Control Panel, which implement the
maintenance filter.