Delete model

[SimonRichardson]

As we can't drop a database when a migration fails, we have to
delete the contents of the database. This includes all the schema
that was added to the database. The rationale for deleting the schema
is that, if you migrate src:A to dst:A, but that fails, and then you
perform an upgrade to dst via a patch release, there isn't a guarantee
that dst:A schema is completely updated. So removing everything leaves
us with a blank slate.

There have been thoughts around aliasing tables instead of a clean
slate, but this is fraught with danger if you accidentally write to
the wrong DB (i.e. the alias one).

In addition to this, we also can't clear the DB in one query, as we
get a segfault. The code batches up the statements, so we're not running
a query for every statement, but should be enough to prevent a
segfault.

The way that we drop everything from the db needs to happen in this
order to prevent constraint violations. In addition, we ensure that
the foreign key param is set to false to also prevent any issues
in ordering of deletions.

We currently do not delete the model during a destroy-model
command, as that completely locks up the model. That will
have to be tackled later.

Checklist

• Code style: imports ordered, good names, simple structure, etc
• Comments saying why design decisions were made
• Go unit tests, with comments saying what you're testing

QA steps

Apply patch

We need to apply this patch to ensure that the migration will fail:

diff --git a/domain/modelconfig/modelmigration/import.go b/domain/modelconfig/modelmigration/import.go
index 1cea5efeb4..13667a3481 100644
--- a/domain/modelconfig/modelmigration/import.go
+++ b/domain/modelconfig/modelmigration/import.go
@@ -5,6 +5,7 @@ package modelmigration

 import (
        "context"
+       "fmt"

        "github.com/juju/description/v5"
        "github.com/juju/errors"
@@ -61,6 +62,8 @@ func (i *importOperation) Setup(scope modelmigration.Scope) error {
 func (i *importOperation) Execute(ctx context.Context, model description.Model) error {
        attrs := model.Config()

+       return fmt.Errorf("BOOM")
+
        // If we don't have any model config, then there is something seriously
        // wrong. In this case, we should return an error.
        if len(attrs) == 0 {

Create the src:

$ juju bootstrap lxd src
$ juju add-model default

Create the dst:

$ juju bootstrap lxd dst
$ juju switch src
$ juju migrate src:default dst

This should fail (check the logs).
Using the juju models command, find the default model-uuid, we'll need it later.

$ make repl-install

Login to dqlite

Ensure to replace <model-uuid> with the valid one.

$ juju ssh -m dst:controller 0
$ sudo snap install yq
# Note we need to pipe indirection because of snap confinement.
$ sudo cat /var/lib/juju/agents/machine-0/agent.conf | yq '.controllercert' | xargs -I% echo % > dqlite.cert
$ sudo cat /var/lib/juju/agents/machine-0/agent.conf | yq '.controllerkey' | xargs -I% echo % > dqlite.key
$ sudo dqlite -s file:///var/lib/juju/dqlite/cluster.yaml -c ./dqlite.cert -k ./dqlite.key <model-uuid>
> SELECT * FROM sqlite_master WHERE name NOT LIKE 'sqlite_%';

The result should be empty.

Revert patch

Revert the patch and upgrade the src and dst controllers.

$ juju migrate src:default dst

Should succeed.

Links

Jira card: JUJU-5877

[SimonRichardson]

/build

[manadart]

This comment doesn't make sense. In any case, could we not in this instance delete and recreate the table? I don't think anything has RI to it...

[SimonRichardson]

This is because we need to implement the life cycle for a model. We're currently going from Alive -> Dead in the model manager, instead of Alive -> Dying -> Dead

[manadart]

So this says that if we kill the worker with ErrDBDead, the worker is not restarted and it is not fatal to us, the parent, right?

[SimonRichardson]

Correct.

[SimonRichardson]

The intermittent test failures are fixed by #17341

[SimonRichardson]

/build

[manadart]

This is good as a progression. All QA is solid.

We do however have to be very careful regarding the proper progression of model life-cycle, and cleanup/teardown when we come to it.

A note in the risk register wouldn't hurt - we don't ever want this path recruited by accident or prematurely.

[manadart]

I'd like a comment here regarding the fact that it ultimately only ends up in a migration context, and is under no circumstances to have expanded availability.

[manadart]

Comment this. Say exactly what it does, which DB(s) it acts on.

[SimonRichardson]

/merge

[tlm]

Do we really need logging in here? Surely this would be better from the callers side and also updating the comment of the function to explain expected default behaviour.

My reason for asking is I am really not a fan of logging in the services layer. The services layer has nice well defined behaviour that is documented and strong errors. Logging can get pushed up a layer with all of that done I think.

[SimonRichardson]

So this only exists because we can't delete a model outside of model migration in its current state. The key part we're missing is going from alive -> dying -> dead. We should delete these options when models are correctly progressing through the life states.