[FLINK-24021][HA]Handle curator framework start error by register UnhandledErrorListener before start zk client

[Aitozi]

What is the purpose of the change

As described in issue , this PR is meant to fix the potential job unrecoverable due to network failure . This is done by add an unhandledErrorListener before start curator client

Tests:
ZookeeperUtilsTest#testStartCuratorFrameworkFailed

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): (no)
• The public API, i.e., is any changed class annotated with @Public(Evolving): (no)
• The serializers: (no)
• The runtime per-record code paths (performance sensitive): (no)
• Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (yes)
• The S3 file system connector: (no)

[flinkbot]

Thanks a lot for your contribution to the Apache Flink project. I'm the @flinkbot. I help the community
to review your pull request. We will use this comment to track the progress of the review.

Automated Checks

Last check on commit 3e938a7 (Mon Aug 30 13:18:03 UTC 2021)

Warnings:

• No documentation files were touched! Remember to keep the Flink docs up to date!

_{Mention the bot in a comment to re-run the automated checks.}

Review Progress

• ❓ 1. The [description] looks good.
• ❓ 2. There is [consensus] that the contribution should go into to Flink.
• ❓ 3. Needs [attention] from.
• ❓ 4. The change fits into the overall [architecture].
• ❓ 5. Overall code [quality] is good.

Please see the Pull Request Review Guide for a full explanation of the review process.

The Bot is tracking the review progress through labels. Labels are applied according to the order of the review items. For consensus, approval by a Flink committer of PMC member is required

Bot commands

The @flinkbot bot supports the following commands:

• @flinkbot approve description to approve one or more aspects (aspects: description, consensus, architecture and quality)
• @flinkbot approve all to approve all aspects
• @flinkbot approve-until architecture to approve everything until architecture
• @flinkbot attention @username1 [@username2 ..] to require somebody's attention
• @flinkbot disapprove architecture to remove an approval you gave earlier

[flinkbot]

CI report:

• da1ab05 UNKNOWN
• cfe260b UNKNOWN
• 505c576 Azure: SUCCESS
• 03dc417 Azure: PENDING

Bot commands

The @flinkbot bot supports the following commands:

• @flinkbot run travis re-run the last Travis build
• @flinkbot run azure re-run the last Azure build

[tillrohrmann]

Thanks for creating this PR @Aitozi. I think you are right that we don't handle the case properly where the CuratorZookeeperClient.start fails. In order to do that we have to register an UnhandledErrorListener right away.

I left a couple of comments. Please take a look.

[tillrohrmann]

I am actually wondering whether we shouldn't only register this one handler and remove the listeners in the ZooKeeperLeaderElectionDriver and ZooKeeperLeaderRetrievalDriver because these two listeners would be called for every unhandled exception that occurs in Curator independent of the actual source. Moreover, the current UnhandledErrorListener always call the FatalExitExceptionHandler eventually.

[Aitozi]

I don't really get your meaning， may be it's should only ?

I think we could safely remove the listener in leaderElectionDriver and leaderRetrievalDriver like you said that，all the three handlers always exit the process now, after one execute other will not be executed. So there is no meaning to register other handlers.

[tillrohrmann]

Yes, I meant to only register this one failure handler and remove the listener in leaderElectionDriver and leaderRetrievalDriver.

[Aitozi]

Thanks for your review @tillrohrmann . I have addressed most of your comments. Regarding to whether to remove the listener in ZooKeeperLeaderElectionDriver and ZooKeeperLeaderRetrievalDriver, I think it's somehow out of this issue. Maybe I can open another PR to remove them.

[tillrohrmann]

Thanks for updating this PR @Aitozi. I think it is ok to remove the UnhandledErrorListener from the ZooKeeperLeaderElectionDriver and ZooKeeperLeaderRetrievalDriver as a follow-up step. What we probably should do is to pass in a FatalErrorHandler into the ZooKeeperUtils.startCuratorFramework. That way we can integrate the failure handling with the ClusterEntrypoint, TaskManagerRunner, etc.

[tillrohrmann]

Maybe it is actually better if we can pass in a FatalErrorHandler. That way we can integrate the failure handling with the general logic (e.g. in the ClusterEntrypoint we add additional information if there was a out of memory error).

[tillrohrmann]

Then we wouldn't have the problems of how to test for FlinkSecurityManager.forceProcessExit.

[Aitozi]

Get it, I will add the FatalErrorHandler

[Aitozi]

Passed FatalErrorHandler to ZookeeperUtils#startCuratorFramework. Please help review again.

[Aitozi]

@flinkbot run azure

[tillrohrmann]

Thanks for updating this PR @Aitozi. I think it looks almost mergeable. I left some suggestions for improvements and a comment how to set the FatalErrorHandler in the RestClusterClient. Please take a look.

[tillrohrmann]

This does not feel right. We are effectively copying the next constructor. I think there must be another solution. Maybe, if we don't specify a ClientHighAvailabilityServices, then we instantiate it with a handler that terminates the process in case of an unhandled exception.

[Aitozi]

But I think it's strange to directly terminate the client process. And the current webMonitorRetrievalService also just complete the future with exception. I have to copy the constructor mainly due to there is a constructor which accept the StandaloneClientHAServices.

[Aitozi]

Maybe I can use an ClientHighAvailabilityServicesFactory here to decouple the RestClusterClient with concrete ClientHighAvailabilityServices

[tillrohrmann]

Yes, this could be a good solution to decouple these two components a bit better.

[tillrohrmann]

Suggested change

	* error of {@link CuratorFramework}
	* errors of {@link CuratorFramework}

[tillrohrmann]

Which exception is thrown here?

[Aitozi]

I comment to draw attention to UnhandledErrorListener will catch all exception when executed. The FatalErrorHandler used here should be aware of this. If a handler just throw an exception may be eat by curator framework.

[Aitozi]

Thanks for your review , I have fixed all of your comments, plz take a look again. @tillrohrmann

[Aitozi]

@flinkbot run azure

[tillrohrmann]

Thanks for updating this PR @Aitozi. I think we are almost done. I only had a few minor comments left concerning the usage of anonymous classes. Once these comments are addressed and Azure gives green light, I will merge this PR.

There are also some merge conflicts. Maybe you can rebase this PR while resolving the last comments onto the latest master. Moreover, it would be awesome if you could create a backport against the release-1.14 branch so that we also run CI for this version before merging it back.

[tillrohrmann]

Let's create a DefaultClientHighAvailabilityServicesFactory that has a singleton INSTANCE that does exactly this here. Then we don't have to use anonymous classes.

[tillrohrmann]

Suggested change

	new FatalErrorHandler() {
	@Override
	public void onFatalError(Throwable exception) {
	webMonitorLeaderRetriever.handleError(
	new FlinkException(exception));
	}
	exception ->
	webMonitorLeaderRetriever.handleError(
	new FlinkException(exception))

A bit less boilerplate.

[Aitozi]

dose this means add more error msg?

[tillrohrmann]

I would move this into the factory because we don't know whether configuration won't be changed.

[Aitozi]

I made a wrong thought here, done!

[Aitozi]

Having addressed all your concerns, thanks for your review time @tillrohrmann

[Aitozi]

Created the backport PR

[Aitozi]

@flinkbot run azure

[tillrohrmann]

Thanks for the update. LGTM. Addressing my last comments while merging this PR.

[tillrohrmann]

Same here probably.