HDDS-4295. Add SCMServiceManager to SCM HA.

[GlenGeng-awx]

What changes were proposed in this pull request?

SCM ServiceManager is going to control all the SCM background service so that they are only serving as the leader.

Design doc: https://docs.google.com/document/d/1DbbqP0m3g_iEpY9qkSGOuQgcCN-QqlSNgWpvBOLv5h0/edit

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-4295

How was this patch tested?

CI

[bshashikant]

RaftCondition.FOLLOWER_TO_LEADER -> RaftCondition.LEADER_TO_FOLLOWER

[GlenGeng-awx]

Thanks for the catch.

[bshashikant]

I think the function name shoulld be changed to getTermOfLeader() or something like this to make it intuitive enough as this is supposed to be only a leader executed code

[GlenGeng-awx]

Agree.

[bshashikant]

newIsLeader doesn't make much sense here

[GlenGeng-awx]

Agree, will find a better name. Previously it is isLeader and term, but can not pass checkstyle.

[bshashikant]

updateIsLeaderAndTerm -> updateLeaderAndTerm

[bshashikant]

Can we add some more info here, regarding what would be one time transitional events and what would be recurring which needs to be notified ?

[GlenGeng-awx]

Sure.

[bshashikant]

Thanks @GlenGeng for working on this. I went through the patch once and given some comments inline. Still need to look through in more details.

I also want to know, how are we handling case of a stale leader here? I know there is an effort inside ratis to address/detect a case of stale leader., but don't we really need anything specific to handle such case here ?

Also, the transitional cases seem to be handled for LEADER_TO_FOLLOWER and FOLLOWER_TO_LEADER? How about transition to CANDIDATE state in general?

[amaliujia]

cc @amaliujia

[GlenGeng-awx]

@bshashikant Thanks for reviewing this patch!

I also want to know, how are we handling case of a stale leader here? I know there is an effort inside ratis to address/detect a case of stale leader., but don't we really need anything specific to handle such case here ?

The request inside SCM can be divided into two categories, read/write request and read only request.

The read/write request will go through ratis as a RaftClientRequest, so we don’t need to care about whether the underlying RaftServer is a still leader or has already stepped down. These read/write requests include add/remove/update pipeline/container/deleted block.

For the read only request, they will not go through ratis, a stale leader SCM might make a dangerous decision if it misses the latest committed writes, a.k.a the split-brain issues occurred, two leaders of different terms live together.

Nanda pointed out such a case:

Our major concern here is the DeleteContainerCommand sent by the stale leader. It is possible that the ICR of the recently created container is received by the stale leader which has no idea about the new container. The stale leader will end up sending DeleteContainerCommand to the datanode in this case.

See SCM HA Handling Stale Leader drafted by @nandakumar131 for more details.

With help of the lease solution, leader SCM can handle the read only request, then call isLeader/getTermOfLeader in SCMContext to confirm its leadership, ensuring that when it handles the read only request, it has seen the latest commit writes.

Also, the transitional cases seem to be handled for LEADER_TO_FOLLOWER and FOLLOWER_TO_LEADER? How about transition to CANDIDATE state in general?

The candidate state is not expose by Ratis, and SCM does not cares about this state either. SCM just treat candidate the same as follower: it should stop the work if not leader.

SCMServiceManager#leaderToFollower is called in StateMachine#notifyNotLeader and SCMServiceManager#followerToLeader is called in StateMachine#notifyLeaderChanged when groupMemberId.getPeerId().equals(newLeaderId)

We may have a offline talk to discuss more about the subtle cases in how we integrate SCM HA with ratis.

[GlenGeng-awx]

@bshashikant @amaliujia I've update according to your comments, please take one more look Thanks!

[bshashikant]

In case where SCM HA feature is not enabled (no Ratis), SCM context still seem to be relevant. In such cases, leader info and term info don't make sense. Can we add some constants to define leader state and term when ratis is not enabled?

[GlenGeng-awx]

Hey @bshashikant, this is a good point.

Due to PR #1744, integration test which is bases on MiniOzoneCluster has been running upon single-server raft cluster. But we still have cases that run without Ratis, e.g., UnitTest, Recon.

Here is the design decision of SCMContext:

The initial value of currentTerm in raft is 0. After RaftServer starts, they are all followers of term 0, then election timeout happens, one becomes candidate of term 1, finally the first leader will be elected, which is on a term that is greater or equal to 1.

SCMContext has two raft related field, term and isLeader.

• For the cases using Ratis (no matter single server or multi server), the initial value of term and isLeader for SCMContext is 0 and false, they will be updated by SCMStateMachine#notifyNotLeader and SCMStateMachine#notifyLeaderChanged.
• For the cases not using Ratis, the initial value of term and isLeader for SCMContext is 0 and true, means leader of term 0.

Since all the isLeader and getTermOfLeader check are going through SCMConext, and they are spreading across the whole SCM, for Ratis mode, it returns real raft info, for non Ratis mode, it behaviors as leader on term 0, so that we treat them in the same way.

What do you think ? We can discuss offline if needed.

[GlenGeng-awx]

cc @bshashikant Please take one more look !

[GlenGeng-awx]

@bshashikant Comments for SCMServiceManager has been addressed, Please take one more look. Thanks!

[bshashikant]

Thanks @GlenGeng for updating the patch.The changes look good to me. I need a clarification regarding replicationManager.

[bshashikant]

I think, we should add a status called STOPPED as well here. For example, if i want to suspend replication i can issue, ozone admin replicationManager stop. This state might need to be propagated over Ratis as well. Even after leader re-relection, the service should not auto start on the new leader.

[GlenGeng-awx]

Thanks for the insight.
I will handle bin/ozone admin replicationmanager start|stop|status in this PR.
I agree that the status of RM should also be replicated through ratis. I created a jira https://issues.apache.org/jira/browse/HDDS-4740 to track this issue, will schedule a discussion in this week's sync.

[GlenGeng-awx]

create jira for Add STOP state to SCMService.
https://issues.apache.org/jira/browse/HDDS-4744

[amaliujia]

I guess the JIRA link of adding STOP state to SCM service was not properly linked?

[GlenGeng-awx]

Thanks for the catch.

[amaliujia]

Instead of setting default value as ServiceStatus.PAUSING, will it make sense to initialize this variable as RUNNING during construction?

[GlenGeng-awx]

Actually not. BlockDeletingService should not run on follower SCMs.

[amaliujia]

O yes thanks!

[amaliujia]

I guess the JIRA link of adding STOP state to SCM service was not properly linked?

[amaliujia]

Question: Does notifyStatusChanged has to be a blocking call?

[GlenGeng-awx]

The execution of this method is quite quick. We may consider relax it if we meet performance issue in future.

[amaliujia]

SG!

[amaliujia]

I might have missed: is this class tested somehow?

[GlenGeng-awx]

BackgroundPipelineCreator is replaced by BackgroundPipelineCreatorV2, and it has been fully test in integration test and docker test.

[amaliujia]

LGTM!

[runzhiwang]

@GlenGeng Thanks the patch. @bshashikant @amaliujia Thanks for review. I have merged it.