feat(registry): enable REGISTRY_FF_ENFORCE_LOCKFILES by default

Hayley Swimelarrequested to merge
1786/enable-flag into master

What does this MR do?

Enables REGISTRY_FF_ENFORCE_LOCKFILES by default as part of the planned rollout timeline for lockfile enforcement in the container registry.

Background

This feature flag has had a fraught history spanning multiple milestones:

Milestone Action MR
17.9 First enabled by default !2046 (merged)
17.10 Feature flag removed entirely !2106 (merged)
17.10 Reverted due to issues with new Omnibus installations (#1523 (closed)) !2118 (merged)
18.5 Re-enabled by default !2538 (merged)
18.7 Reverted again due to lockfile state inconsistencies (#1776 (closed)) !2647 (merged)
18.7-18.8 Bug fixes for importer and app startup lockfile handling !2648 (merged), !2649 (merged)
18.8 Lockfile data repair functionality added !2673 (merged)
18.9 This MR - Re-enable by default

Why now?

The previous attempts to enable this flag by default failed because the feature flag was incorrectly implemented in multiple code paths. Instead of controlling whether lockfiles are enforced, it controlled whether lockfiles were managed at all. This caused:

  1. Importer bug: After successful import, the filesystem-in-use lockfile wasn't removed and database-in-use wasn't created
  2. App startup bug: Lockfiles weren't managed during registry initialization
  3. New installation bug: Fresh Omnibus installs would lock the filesystem before any data existed, blocking later database enablement

All of these issues have now been addressed:

The 18.8 release includes the lockfile repair functionality, giving instances one full milestone to self-heal before enforcement becomes the default.

Rollout Timeline

Milestone Action
18.8 Lockfile data repair deployed (#1783 (closed))
18.9 This MR - Enable enforcement by default
18.10 Remove feature flag entirely (#1439 (closed))
19.0 Implement database.enabled: prefer mode

Risk Mitigation

  • Instances can disable the feature flag if issues arise: REGISTRY_FF_ENFORCE_LOCKFILES=false
  • The 18.8 repair functionality runs automatically on upgrade

Related to Enable the `REGISTRY_FF_ENFORCE_LOCKFILES` feat... (#1786 - closed) • Hayley Swimelar • 18.9 • At risk

Author checklist

  • CODEOWNERS Review: This MR requires approval from at least one CODEOWNER per category/file.
    • If codeowners are absent or the change is urgent, any registry maintainer can temporarily disable CODEOWNERS reviews in the project settings. When doing so:
      • Add a comment on the MR justifying the bypass
      • Mention/CC the designated codeowners in the MR for async review
      • Re-enable CODEOWNERS reviews in project settings once the MR is merged
    • If you lack permissions to disable CODEOWNERS reviews, reach out to the Engineering Manager (@jaime) or Senior Engineering Manager (@crystalpoole) for assistance.
  • Assign one of conventional-commit prefixes to the MR.
    • fix: Indicates a bug fix, triggers a patch release.
    • feat: Signals the introduction of a new feature, triggers a minor release.
    • perf: Focuses on performance improvements that don't introduce new features or fix bugs, triggers a patch release.
    • docs: Updates or changes to documentation. Does not trigger a release.
    • style: Changes that do not affect the code's functionality. Does not trigger a release.
    • refactor: Modifications to the code that do not fix bugs or add features but improve code structure or readability. Does not trigger a release.
    • test: Changes related to adding or modifying tests. Does not trigger a release.
    • chore: Routine tasks that don't affect the application, such as updating build processes, package manager configs, etc. Does not trigger a release.
    • build: Changes that affect the build system or external dependencies. May trigger a release.
    • ci: Modifications to continuous integration configuration files and scripts. Does not trigger a release.
    • revert: Reverts a previous commit. It could result in a patch, minor, or major release.
  • MR contains database changes including schema/background migrations:
    • Do not include code that depends on the schema migrations in the same commit. Split the MR into two or more.
    • Do not include code that depends on background migrations in the same release.
    • Manually run up and down migrations in a postgres.ai production database clone and add a link for the query plan(s) to the MR.
    • If adding new schema migrations make sure the REGISTRY_SELF_MANAGED_RELEASE_VERSION CI variable in migrate.yml is pointing to the latest GitLab self-managed released registry version. Find the correct registry version here. Make sure to select the branch of the latest GitLab release.
    • If adding new queries, extract a query plan from postgres.ai and post the link here. If changing existing queries, also extract a query plan for the current version for comparison.
      • I do not have access to postgres.ai and have made a comment on this MR asking for these to be run on my behalf.
    • If adding new background migration, follow the guide for performance testing new background migrations and add a report/summary to the MR with your analysis.
  • Change contains a breaking change - apply the breaking change label.
  • Change is considered high risk - apply the label high-risk-change
  • I created or linked to an existing issue for every added or updated TODO, BUG, FIXME or OPTIMIZE prefixed comment
  • Changes cannot be rolled back
    • Apply the label cannot-rollback.
    • Add a section to the MR description that includes the following details:
      • The reasoning behind why a release containing the presented MR can not be rolled back (e.g. schema migrations or changes to the FS structure)
      • Detailed steps to revert/disable a feature introduced by the same change where a migration cannot be rolled back. (note: ideally MRs containing schema migrations should not contain feature changes.)
      • Ensure this MR does not add code that depends on these changes that cannot be rolled back.
Documentation/resources

Code review guidelines

Go Style guidelines

Feature flags

When documentation is required

Documentation workflow

Reviewer checklist

  • Ensure the commit and MR tittle are still accurate.
  • If the change contains a breaking change, verify the breaking change label.
  • If the change is considered high risk, verify the label high-risk-change
  • Identify if the change can be rolled back safely. (note: all other reasons for not being able to rollback will be sufficiently captured by major version changes).
Edited by Hayley Swimelar

Merge request reports