Self healing open

[cjen1-msft]

This PR is the reification of: #7003

The idea is that if a service has fully crashed, it should be able to heal itself so long as it isn't too damaged.
Specifically, the restarting nodes should gossip the knowledge they have locally to try and elect the replica with the best local state.

The result is that after the self-healing-open one replica is chosen to recover and open, while all others restart to then join it.

The protocol can be roughly surmised as:

• Start up.
• Gossip your state (claimed length of ledger) and authenticate other replicas attestation and identities.
• Once you have heard from everyone you expect to hear from, vote for the node with the longest ledger (ties broken by identity).
• If you receive votes from a majority of your expected cluster, transition_to_open and broadcast IAmOpen to the other nodes.
• If you receive IAmOpen from a trusted node, restart and join it.

This still requires the submission of ledger recovery shares, however if local sealing is available those can be used instead.

[eddyashton]

Sorry for the long review. The core logic looks sound as far as I've traced it, this is mostly about naming/coding style. I'll take another pass on the actual message flow logic tomorrow.

[eddyashton]

Suggest we call this failover_timeout, if that's the term for the fallback state?

[achamayou]

Definitely not unqualified timeout, is this when we stop waiting for new votes? If so something like ballot_timeout or recovery_ballot_timeout would be better.

[cjen1-msft]

@achamayou It is when we use the failover path to advance to the next phase rather than the election path.
I've tentatively renamed it to failover_retry.

[eddyashton]

We should make this more verbose - say who we did vote for. Even in plain-text, it'll save us debugging time somewhere down the line.

[achamayou]

Let's not introduce the term replica in the code, which is used nowhere at the moment. It's a node.

[eddyashton]

Why do we make everything InvalidQuote here? That seems wrong in the BAD_REQUEST path, we can add a new value to odata_error for this, or use an existing generic error.

[eddyashton]

I think we don't need these definitions any more? To access a table, you can have an instance:

struct Tables
{
   MyTableType my_table_instance = {MY_TABLE_NAME};
};

Tables& tables = ...;
auto handle = tx.rw(tables.my_table_instance);

Or you can just access it directly by type and name:

auto handle = tx.rw<MyTableType>(MY_TABLE_NAME);

The former helps use a consistent type+name, but at the cost of a lot of boiler-plate. We used to use it to auto-generate wrappers for built-in tables (in which case these instances also need to be returned from something like get_all_internal_tables()). But that's all vestigial and unused, and I think we should avoid this boilerplate for new tables.

[cjen1-msft]

Excellent can do! I had a mix of both at one point and converged it in the wrong direction seemingly :)

[cjen1-msft]

Now all updated.

[eddyashton]

I can't make a direct suggestion since some lines are untouched, but suggest we pair these comment lines directly:

# COULDNT_CONNECT
7,
# PEER_FAILED_VERIFICATION
35,
# SEND_ERROR
55,
# SSL_CONNECT_ERROR
60,

[eddyashton]

If we're not checking this stays fresh in any workflow, I don't think it should be checked into main. We can put a pointer to this spec, on a branch, in the GH Discussion.

[achamayou]

Agreed, there is surely a way to add this to one of the verification pipelines we already have.

[cjen1-msft]

In theory added now.