Merge pull request #27557 from vespa-engine/jonmv/misc-3

Short-cut re-acquiring ordered locks, avoid unnecessary tenant-host-lock during prepare [MERGEOK]

3 files changed, 16 insertions, 25 deletions

diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/Nodes.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/Nodes.java
index 490e7b9ac33..d3ea1a3def7 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/Nodes.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/Nodes.java
@@ -164,8 +164,7 @@ public class Nodes {
      * with the history of that node.
      */
     public List<Node> addNodes(List<Node> nodes, Agent agent) {
-        try (NodeMutexes existingNodesLocks = lockAndGetAll(nodes, Optional.empty()); // Locks for any existing nodes we may remove.
-             Mutex allocationLock = lockUnallocated()) {
+        try (Mutex allocationLock = lockUnallocated()) {
             List<Node> nodesToAdd =  new ArrayList<>();
             List<Node> nodesToRemove = new ArrayList<>();
             for (int i = 0; i < nodes.size(); i++) {
@@ -984,7 +983,8 @@ public class Nodes {
                 for (NodeMutex node : outOfOrder) unlocked.add(node.node());
                 outOfOrder.clear();
 
-                Mutex lock = lock(next, budget.timeLeftOrThrow());
+                boolean nextLockSameAsPrevious = ! locked.isEmpty() && applicationIdForLock(locked.last().node()).equals(applicationIdForLock(next));
+                Mutex lock = nextLockSameAsPrevious ? () -> { } : lock(next, budget.timeLeftOrThrow());
                 try {
                     Optional<Node> fresh = node(next.hostname());
                     if (fresh.isEmpty()) {
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/InfraDeployerImpl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/InfraDeployerImpl.java
index 35b2fef2c78..1f424a1e1d5 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/InfraDeployerImpl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/provisioning/InfraDeployerImpl.java
@@ -89,23 +89,20 @@ public class InfraDeployerImpl implements InfraDeployer {
         public void prepare() {
             if (prepared) return;
 
-            try (Mutex lock = nodeRepository.applications().lock(application.getApplicationId())) {
-                NodeType nodeType = application.getCapacity().type();
-                Version targetVersion = infrastructureVersions.getTargetVersionFor(nodeType);
-                hostSpecs = provisioner.prepare(application.getApplicationId(),
-                                                application.getClusterSpecWithVersion(targetVersion),
-                                                application.getCapacity(),
-                                                logger::log);
-
-                prepared = true;
-            }
+            NodeType nodeType = application.getCapacity().type();
+            Version targetVersion = infrastructureVersions.getTargetVersionFor(nodeType);
+            hostSpecs = provisioner.prepare(application.getApplicationId(),
+                                            application.getClusterSpecWithVersion(targetVersion),
+                                            application.getCapacity(),
+                                            logger::log);
+
+            prepared = true;
         }
 
         @Override
         public long activate() {
+            prepare();
             try (var lock = provisioner.lock(application.getApplicationId())) {
-                prepare();
-
                 if (hostSpecs.isEmpty()) {
                     logger.log(Level.FINE, () -> "No nodes to provision for " + application.getCapacity().type() + ", removing application");
                     removeApplication(application.getApplicationId());
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
index d0e1a33fcac..7c798eddab1 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
@@ -58,16 +58,10 @@ public class PeerAuthorizer {
     }
 
     private static boolean matchesRequiredCredentials(RequiredPeerCredential requiredCredential, String cn, List<String> sans) {
-        switch (requiredCredential.field()) {
-            case CN:
-                return cn != null && requiredCredential.pattern().matches(cn);
-            case SAN_DNS:
-            case SAN_URI:
-                return sans.stream()
-                        .anyMatch(san -> requiredCredential.pattern().matches(san));
-            default:
-                throw new RuntimeException("Unknown field: " + requiredCredential.field());
-        }
+        return switch (requiredCredential.field()) {
+            case CN -> cn != null && requiredCredential.pattern().matches(cn);
+            case SAN_DNS, SAN_URI -> sans.stream().anyMatch(san -> requiredCredential.pattern().matches(san));
+        };
     }
 
     private static List<String> getSubjectAlternativeNames(X509Certificate peerCertificate) {