Support for bootstrap segments

[abhishekrb19]

Problem

Currently, broadcast segments are assigned to data servers by the coordinator. This usual route alone can cause data correctness issues because if a process (either a task or server) is using broadcast segments for ingestion or to serve queries, the ingestion or query results can be invalid due to the asynchronous nature of segment assignment and loading.

Description

This PR builds on top of #16475.

To address this data correctness problem, a process when it starts up attempts to fetch and load any broadcast (bootstrap) segments from the coordinator first before it can proceed. If there are any errors in this bootstrapping process talking to the coordinator, the process just comes up in a "fail open" state and doesn't block start up.

Changes:

• Add a new API /v1/metadata/bootstrapSegments in the coordinator that returns bootstrap segments. Currently, the set of bootstrap segments only contains broadcast segments. In the future, we can expand on this mechanism to speed up historical upgrades as well.
• When a process starts up, it reaches out to the coordinator (if it can find one) to fetch the bootstrap segments. This is done in SegmentLoadDropHandler. The handler then loads any previously cached segments along with the bootstrap segments onto its storage location.

Misc changes:

• Remove @JacksonInject PruneSpecsHolder argument in the LoadableDataSegment constructor. It always defaults to PruneSpecsHolder.DEFAULT and doesn't depend on the injected value
• Remove an unused test in LocalDataSegmentPuller
• Fix a typo and remove white spaces in DruidException

Future changes

1. Add an optional fail close strategy for tasks via a task runtime config. By default, tasks will still fail open as implemented in this patch. Servers will only have the option to fail open.
2. Optimize the loading of bootstrap segments for tasks. For example, compaction and kill tasks can skip loading any bootstrap segments, while MSQ ingest and query tasks can selectively load the ones specified in the SQL. Real-time tasks, similar to servers, should always load all bootstrap segments.
3. Add more metrics in the existing bootstrapping flow for visibility. For example, count of cached segments loaded, how many have failed to load, total bootstrap load time, etc. Document all these metrics under a separate category in the user-facing docs.

Release note

Added a coordinator API POST /v1/metadata/bootstrapSegments that returns the set of bootstrap segments. Currently, the set only contains broadcast segments. When a process (either a server or task) comes up, it attempts to query the coordinator to fetch all bootstrap segments and loads them before the process can proceed doing its thing. This primarily addresses a data correctness issue where a process doesn't have broadcast segments assigned yet and starts processing data. In the event of any errors, the process just comes up in a fail open state and doesn't block start up.

To this effect, new metrics have been added in the bootstrap segments flow:

1. segment/bootstrap/time: Total time taken to fetch bootstrap segments from the coordinator
2. segment/bootstrap/count: Total count of bootstrap segments fetched from the coordinator

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[kfaraz]

Thanks for the feature, @abhishekrb19 ! It would be very useful for task/historical startup.
The changes look good to me for the most part, but there are some concerns that need to be addressed.

[abhishekrb19]

Thanks for the review, @kfaraz! I've responded to the comments and added code comments/tests where applicable for further clarification. Could you take another look?

[kfaraz]

Final nitpicks, rest looks good.

[kfaraz]

Since this is going to block startup, should there be a timeout?

[abhishekrb19]

Yeah, this uses the CoordinatorClient injected here, which has a standard retry policy with a max of 6 retries (~3 seconds total wait time) on transient errors. So processes will come up after ~3 seconds if the failures are persistent. There's one test testLoadBootstrapSegmentsWhenExceptionThrown() in this PR that verifies this fail open strategy that the server just comes up when an error occurs talking to the coordinator during startup.

I plan to add an optional fail close strategy for tasks in a follow up, which will likely need a different retry policy than the standard retry policy in this patch. I will try adding some more scenarios to verify the different behaviors like startup doesn't block indefinitely, etc.

[kfaraz]

Sounds good. What about success scenarios, where a historical or task is busy loading a lot of segments and thus may not respond to liveness probes?

[abhishekrb19]

There is currently no overall startup timeout. If this is an issue, particularly for tasks, we may want to adjust the bootstrapper such that it can at least respond to liveness probes.

[kfaraz]

[Non blocker] It would be nice to add the dataSource dimension to this metric.

[abhishekrb19]

Good idea, I will save this for a future patch