https://authzed.com logo
Join Discord
Powered by
Hey all,
# spicedb
t
Hey all, Not sure if it's our specific setup, but I wanted to flag that spicedb v1.45.4 has been breaking our builds. Pinning spicedb to v1.45.3 fixes the issue, but I couldn't see anything suspicious in the release notes. I am also running 
authzed/spicedb:v1.45.4
in my local docker-compose setup without any issues. For reference I attached the startup log output. When my application is trying to establish a grpc connection with spicedb all I see is timeouts. https://cdn.discordapp.com/attachments/844600078948630559/1417869914521206794/message.txt?ex=68ccb682&is=68cb6502&hm=365eecfb402485e6aa5a373a79a1d260b7b107885780f6034fefaad6bcc954fc&
y
how are y'all running spicedb? are you using the operator?
t
Ah sorry, I meant to attach the github actions file. This is happening in our github testing pipeline.
Copy code
jobs:
    build:
      steps:
        - uses: actions/checkout@v4
        - name: Install Native dependencies
          run: apt update && apt install -y build-essential curl
        - name: Install SpiceDB
          run: |
            curl -sS https://pkg.authzed.com/apt/gpg.key | gpg --dearmor --yes -o /etc/apt/keyrings/spicedb.gpg
            echo "deb [signed-by=/etc/apt/keyrings/spicedb.gpg] https://pkg.authzed.com/apt/ * *"  | tee /etc/apt/sources.list.d/authzed.list
            chmod 644 /etc/apt/sources.list.d/authzed.list
            apt update
            apt install spicedb
        - name: Start SpiceDB
          run: spicedb serve-testing &
In our staging and production environments we run the official docker spicedb image in ECS. We do pin an older versions though, so I can't tell you if they'd be affected yet. I only noticed all our test pipelines failing since we just pull the latest version there.
y
ah, gotcha. just out of curiosity, have you seen/tried the action-spicedb action? https://github.com/authzed/action-spicedb
and is it specific calls that are failing or all of them?
t
I have not, but this looks like it could've saved me an afternoon on the initial setup haha 🙂 I think the first test still manages to connect, but all subsequent calls fail to connect, so that first call might actually crash the server? Here's the relevant log entries (we're running Elixir using [authzed_ex](https://github.com/goodhamgupta/authzed_ex) as client)
Copy code
[warning] Received unexpected response when fetching SpiceDB schema diff: {:error, %GRPC.RPCError{status: 13, message: ":stream_error: :closed"}}
[error] My.App.Server #PID<0.638.0> received unexpected message in handle_info/2: {:gun_down, #PID<0.639.0>, :http2, :closed,
[#Reference<0.4109527196.2503213057.89019>]}
y
that helps. do you know what that first call is, or is it dependent on the ordering of tests etc?
t
It's a 
DiffSchemaRequest
. Basically when starting up our server fetches a diff against the currently deployed schema and then figures out based on that which relations need to be deleted before writing the new schema and which entities to sync after the new schema has been written. This is the sequence:
Copy code
with {:continue, state, diffs} <- diff_schema(state),
         {:continue, state} <- purge_relationships(state, diffs),
         {:continue, state} <- migrate(state),
         {:continue, state} <- sync_relationships(state, diffs) do
From the error message it sounds like the first step fails. All subsequent calls fail while creating the client already, which implies that the grpc connection couldn't be established
Turns out I did see the action back when I [first implemented](https://linen.authzed.com/t/26945764/run-spicedb-as-github-action-service#4e06720b-8135-4de0-98fc-bcedb8294e6e) this, but since it doesn't work if the action isn't running on the host I had to go a different route 🙂
y
ahhh yeah. i've run into the same, but it seemed like a limitation of github actions
t
Just checked on my mac and the latest release is running without issues there. Trying to get some more logs out of my github action now
y
let me know what you find!
t
Ok, when running the 
spicedb serve-testing &
command in the same step/shell as the test process everything works as expected (but I'd have to disable spicedb logs). If I start the spicedb instance in the step before starting the tests I see the same issue I described again.
y
that's bizarre
maybe a gh actions change?
t
I do see a couple tests that managed to get past the schema migration though (and fail a bit later on when trying to write relationships)
I though so too, but pinning v1.45.3 fixes the issues and everything runs through as expected
y
wait yeah
hmm. we updated a couple of actions and versions around the way things are built, including going to golang v1.25, but i'm not sure how those would have a bearing on this...
yeah i wonder if there's something about the way that it's built that changes the way the binary behaves
that's not exactly reassuring though...
i'm running linux x64, so lemme pull down the new version and see about running some tests locally
and you said that it appears that the grpc connection isn't working?
i installed spicedb v1.45.4 via apt and ran the authzed-dotnet tests against it, which make live calls (albeit no diffschema calls) and they were successful
t
Well it seems like it initially manages to connect as expected and run a couple commands against spicedb, but pretty quickly after that it seems like spicedb stops responding.
y
hmm
t
I tested again using 
JarvusInnovations/background-action@v1
and this time it worked with v1.45.4.
Copy code
- name: Start SpiceDB
        uses: JarvusInnovations/background-action@v1
        with:
          run: spicedb serve-testing --http-enabled &
          wait-on: http-get://localhost:8443/healthz
I'm out of ideas. will try to take another look tomorrow 🙃 Lemme know if you would like me to test anything else!
j
maybe its prematurely closing the binary
or something with mem?
t
Could be, but I do wonder what caused the behavior to change 🙃 Anyway, using some ideas I took from the background-action I came up with the following github-script which seems to work 🤷‍♂️
Copy code
- name: Start SpiceDB
        uses: actions/github-script@v8
        with:
          script: |
            const spawn = require('child_process').spawn;
            const spawnOpts = { detached: true, stdio: 'ignore' };
            const run = 'spicedb serve-testing &';

            const child = spawn('bash', ['--noprofile', '--norc', '-eo', 'pipefail', '-c', run], spawnOpts);
            console.log('SpiceDB started');
y
that's bizarre 🤔
and yeah i'm wondering the same
would you mind opening an issue on the spicedb repo to track this?
t
y
thank you!
t
Seems like adding 
--log-level=warn
fixes the issue as well and I can go back to a plain shell command :tada https://github.com/authzed/spicedb/issues/2573#issuecomment-3311738554
3 Views
PreviousNext
Powered by