Soft-leader election mechanism for cc based on observed cluster state

[muhamadazmy]

Soft-leader election mechanism for cc based on observed cluster state

Fixes #2238

---

Stack created with Sapling. Best reviewed with ReviewStack.

• Handle stale metadata version when starting a CC leader #2325
• -> Soft-leader election mechanism for cc based on observed cluster state #2252

[muhamadazmy]

While this is not necessary because the cluster_state_watcher will eventually unlock this loop and hence new 'is_active_controller' will be in effect. But this might react faster to changes in nodes metadata.

What do you think?

[tillrohrmann]

Thanks for creating this PR @muhamadazmy. The PR is a good improvement. The one thing I'd like to discuss is how we learn about metadata updates when we are not the leader. Either when becoming the leader we need to refresh explicitly or we propagate these changes also when we are a follower. Otherwise we might miss some updates and work on stale information.

[tillrohrmann]

What are we doing when the NodesConfiguration changes? Right now, it looks like a no-op.

[muhamadazmy]

It's no-op/continue so "known" CC leader can be updated. Since active leader state depends on the nodes config metadata.

I think it's not important since this will be detected by the cluster state updates and hence can be removed

[tillrohrmann]

Instead of computing this repeatedly should we store it and only recompute if either the NodesConfiguration or the ObservedClusterState changes?

[muhamadazmy]

We can of course do that. I was thinking it's so cheap to compute based on the current observed cluster state and node config

[tillrohrmann]

Why not comparing against the generational node id? This would potentially guard against an outdated admin node thinking to be the leader.

[muhamadazmy]

Ah yes, good catch.

[tillrohrmann]

Maybe align active and leader. If we choose one term then there is only a single concept.

[tillrohrmann]

What happens in the following case: We are currently not the leader and therefore, ignore the logs updates. Now we become the leader. W/o explicitly updating the Logs configuration, we will operate on old data, right? And if there is no other update, then we won't learn about it.

[muhamadazmy]

You are right. I was under the wrong impression that once you are leader you use the latest metadata object. But that is not correct

[muhamadazmy]

thank you @tillrohrmann for your review. I will address your comments and get back to you

[muhamadazmy]

@tillrohrmann can you give this PR another look. I tried to address all of your comments. Let me know if I still missed other scenarios.

Right now, all CCs will only update their view of the world when either the cluster state or the metadata changes. Only active CC will take action.

[tillrohrmann]

Thanks for updating the PR @muhamadazmy. I left a few more comments.

[tillrohrmann]

Suggested change

	Ok(_) = partition_table_watcher.changed()=> {
	Ok(_) = partition_table_watcher.changed() => {

[tillrohrmann]

Suggested change

	if self.is_active_controller(nodes_config.live_load(), &observed_cluster_state) && !is_active_controller{
	if self.is_active_controller(nodes_config.live_load(), &observed_cluster_state) && !is_active_controller {

[tillrohrmann]

Here we are still talking about leaders.

[tillrohrmann]

Suggested change

	trace!("Acting like a cluster controller");
	trace!("Acting as the active cluster controller");

?

[tillrohrmann]

Not sure whether this log line is really helpful. Especially since we are logging the same on line 323.

[tillrohrmann]

I would log on debug if the active status changes but not unconditionally on every cluster state update.

[tillrohrmann]

Or make a field of a span. But changing this field seems to lead to multiple entries as seen with the is_leader field of the partition processor.

[tillrohrmann]

Should we also set is_active_controller to false if we lose leadership? Otherwise we might still act as the leader on subsequent loop iterations.

[tillrohrmann]

Side note, I am using naturally the term leadership when talking about active in active cluster controllers.

[tillrohrmann]

I think this works and I don't want to ask to do it differently now. What I am wondering, though, is whether making the leader state more explicit would help with cleaner code. If, for example, we would only create the Scheduler and LogsController when we are the leader this wouldn't be necessary. This would then also establish a clear lifecycle (e.g. when becoming the leader then we would take the current PartitionTable, LogsConfiguration and initialize the controllers) and makes clear which are the actions that a leader needs to do and what every follower. The downside would be if the init step when becoming the leader is expensive and there are many quick leader changes. In this case, the current way would probably behave more graceful.

[tillrohrmann]

I think I need to withdraw the correctness point. W/o the lower part, we wouldn't update the internal hold scheduling_plan. So if we now become leader, then we would start with a SchedulingPlan that is based on before this logs update. Differently said, with this if condition it would be equivalent to not call this method if we are not the leader.

[muhamadazmy]

My thinking was that if we become leader this will trigger a change in cluster state which will rebuild the scheduling plan based on latest known state.

I will definitely revise the code again taking that into account.

[muhamadazmy]

Maybe tracking the leader state in a state machine would be cleaner for reasoning and readability even if is a little bit slower to switch to leader mode?

[muhamadazmy]

I don't believe changes in logs and/or partition table can trigger a reconfiguration of leadership of the CC, what do you think?

[tillrohrmann]

Yes, they shouldn't.

[tillrohrmann]

Thanks a lot for updating this PR @muhamadazmy. I think this approach looks a lot more robust since it makes it very clear what are the leader and what are the follower responsibilities. I left a comment how we could deduplicate some shared logic between the leader and follower state. Let me know what you think about it.

[tillrohrmann]

Wondering whether we should call it leader and follower to align it with the leadership concept. That's something we already have somewhat established with the partition processor.

[tillrohrmann]

Suggested change

	// A Cluster Controller is active if the node holds the smallest plain Node ID
	// A Cluster Controller is active if the node holds the smallest plain Node ID.

[tillrohrmann]

Suggested change

	// it's sometimes possible to have the smallest node id but not the highest generation
	// It's sometimes possible to have the smallest node id but not the highest generation

[tillrohrmann]

Instead of modelling this as an explicit ClusterControllerState, would it also work to return it as a Shutdown error?

[muhamadazmy]

hmm, makes sense

[tillrohrmann]

I think that we can probably avoid this extra look-up the following way:

let maybe_active = nodes_config
            .get_admin_nodes()
            .filter_map(|node| {
                if self.observed_cluster_state
                    .is_node_alive(node.current_generation) {
                    Some(node.current_generation)
                } else {
                    None
                }
            })
            .sorted_by_key(|node_id| node_id.as_plain())
            .next();

Then we get the generational node id.

[tillrohrmann]

Yes, they shouldn't.

[tillrohrmann]

When initializing the Scheduler we probably need to call on_logs_update with the latest Logs from Metadata. This is currently missing in main as well.

[tillrohrmann]

Nit: The LogsController probably does not need to try to write an initial Logs configuration when being initialized. Instead it could issue a sync request and get the latest value from Metadata. Does not have to addressed here.

[muhamadazmy]

I see

[tillrohrmann]

passive and active share a bit of logic: The heartbeat_interval, cluste_state_watcher, command_rx, config_watcher and shutdown. Could we pull this logic up into the run method? That way we would share the common behavior and there is only a single place which needs to be kept in sync. The active method would then only run the parts that are specific to the leader state. What probably needs to happen for this is to make the ClusterControllerState an enum with fields:

enum ClusterControllerState {
    Active {
        scheduler: ...,
        logs_controller: ...,
        ...
    },
    Passive,
}

[muhamadazmy]

I think this can be happen on cluster_state change only since (imho) it is the only way the leadership state can change, correct?

[tillrohrmann]

Yes, I think so.

[tillrohrmann]

Thanks a lot for updating the PR @mohammedazmy. I think this makes a lot of sense to me. I left a few minor comments regarding how we could split the service.rs into smaller modules and left a few questions. I think we can merge this PR today :-)

[tillrohrmann]

Suggested change

	let maybe_active = nodes_config
	let maybe_leader = nodes_config

[tillrohrmann]

Suggested change

	// A Cluster Controller is active if the node holds the smallest PlainNodeID
	// A Cluster Controller is leader if the node holds the smallest PlainNodeID

[tillrohrmann]

Why using the plain node id and not the generational one?

[muhamadazmy]

GenerationalNodeId has derive Ord implementation. It means Ids with smaller generation id will show up first after sorting.

I did it then like this in case there is the same node is somehow still alive with 2 different generation. But now I am wondering if this can actually happen.

[tillrohrmann]

For what is the lifetime 'a used?

[muhamadazmy]

Ah sorry, leftover from some refactoring

[tillrohrmann]

Suggested change

	// it is still safe to handle cluster commands as a passive CC
	// it is still safe to handle cluster commands as a follower

[tillrohrmann]

Why did you introduce this change from Ok(()) to anyhow::bail!?

[muhamadazmy]

My fault. This part was moved to another function then back to run() without restoring the original behaviour.

[tillrohrmann]

Maybe move those types to a separate module to make the service.rs a bit smaller?

[tillrohrmann]

To make changing leaderships properly work we probably need to initialize the Scheduler with the latest logs configuration. Otherwise we might miss it and therefore won't take any actions because we haven't seen the latest logs configuration which controls which partitions needs to be scheduled. This bug already contained in main.

[tillrohrmann]

Thanks for updating the PR @muhamadazmy. The changes look really nice :-) I left two minor comments. +1 for merging then.

[tillrohrmann]

If cluster_controller_state were a module of service, then I believe you don't have to make these fields pub(crate).

[tillrohrmann]

That's a nice solution to the problem :-)