ZOOKEEPER-3781: Create snapshots on followers when snapshot.trust.emp…

[srdo]

…ty is true

snapshot.trust.empty is an escape hatch for users upgrading from 3.4.x to later Zookeeper
versions, allowing nodes to start with a non-empty transaction log but no snapshot.

The intent is for this setting to be enabled for a short while during the upgrade,
and then disabled again, as the check it disables is a safety feature.

Prior to this PR, a node would only write a snapshot locally if it became leader,
or if it had fallen so far behind the leader that the leader sent a SNAP message instead
of a DIFF. This made the upgrade process inconvenient, as not all nodes would create
a snapshot when snapshot.trust.empty was true, meaning that the safety check could
not be flipped back on.

This PR makes follower nodes write a local snapshot when they receive NEWLEADER,
if they have no local snapshot and snapshot.trust.empty is true.

[srdo]

Additional context here https://mail-archives.apache.org/mod_mbox/zookeeper-dev/202101.mbox/%3cpony-db78e81c2a8c7e7aa50468ebe248816470b8ee2f-8a8224758cb92c542b444f6af8884c82154cdaf2@dev.zookeeper.apache.org%3e

[srdo]

I think these test failures are on master as well, see e.g. https://github.com/apache/zookeeper/runs/1717919885. Seems to be tests trying to bind in-use ports.

[eolivelli]

well done.
@ztzg please consider adding this to 3.7.
it will help a lot users in getting rid of old EOL 3.4 zookeeper clusters

[eolivelli]

there is no need to add 'During34Migration', we can just leave a javadoc

[srdo]

Ok, will fix. How about shouldForceWriteInitialSnapshotAfterLeaderElection?

[eolivelli]

we are sure that the file exists, we can just use 'delete', correct ?

[srdo]

Yes, will fix

[srdo]

@eolivelli I addressed your comments (Sorry for pinging, I'm not sure Github sends messages when I push updates)

[eolivelli]

LGTM
@ztzg @hanm PTAL

[ztzg]

LGTM, but I have a small question/doubt regarding one section of the test. What do you think?

[ztzg]

This section creates transactions, ensuring a reasonable xzid, but might not result in a snapshot, as it doesn't lower the snapCount using SyncRequestProcessor.setSnapCount. (The other tests do, and might run before. Might be a good idea to be explicit if the goal of running N_TRANSACTIONS is to create one?)

This does not mean that the test is broken: a snapshot is present, but it is there because of the initialize file left behind by ClientBase.createTmpDir.

[srdo]

The goal here is not to make the nodes write a snapshot due to hitting the snapcount. I just want to put some data in Zookeeper, since if Zookeeper is empty, it will create a snapshot file on boot, even without this change.

The behavior this PR changes is that if Zookeeper is booted with the trust empty property set to true, and the cluster is not empty, then the follower nodes will write a snapshot file if they don't already have one.

The issue with the code as it is without this change is that if you have a 3.4 cluster with low traffic and you then enable ZOOKEEPER_SNAPSHOT_TRUST_EMPTY and upgrade to 3.5+, then it may take a very long time for follower nodes to write snapshots, since they only do it if they become leader, or if Zookeeper is empty, or if the snapcount is hit. That makes ZOOKEEPER_SNAPSHOT_TRUST_EMPTY pretty inconvenient, since you can't remove that property again until all nodes have at least one snapshot.

I have added a few lines to the test to assert that the data created here is still there once the followers come up, that seems like a healthy thing to check.

[srdo]

I guess I could use another number than N_TRANSACTIONS if it is misleading?

[ztzg]

The goal here is not to make the nodes write a snapshot due to hitting the snapcount. I just want to put some data in Zookeeper, since if Zookeeper is empty, it will create a snapshot file on boot, even without this change.

Okay.

(I understand the rest of the PR, and don't have any objections. I was just wondering if the N_TRANSACTIONS was because you were trying to hit snapCount, like other tests in that file seem to be doing.)

Thank you for the clarification!

[srdo]

Just to summarize what this test is intended to do:

It is supposed to set up a quorum with some data in it. It then deletes the snapshots on all follower nodes. This simulates what a low-traffic cluster being upgraded from 3.4 might look like. The cluster is restarted with ZOOKEEPER_SNAPSHOT_TRUST_EMPTY=true, and the test verifies that all nodes get a snapshot written. This will allow the operator to remove ZOOKEEPER_SNAPSHOT_TRUST_EMPTY again and reboot the cluster shortly after, easing migration.

[ztzg]

Right; we are on the same page :)

Would you mind rebasing this on top of the latest master, so that CI picks the new configuration and re-runs the test suite with a higher chance of success?

[srdo]

Sure. Rebased and squashed. FWIW I ran the two failing tests locally, and they passed, so am guessing it's just flakiness.

[srdo]

Also just a note on rebasing on top of master, since the behavior surprised me, and I thought I'd share: GH Actions' checkout action does not check out the PR branch, it instead creates a merge commit between the PR branch and the target branch, which it then runs the rest of the CI workflow on. So likely the previous run did run with the config from master.

[ztzg]

@ztzg please consider adding this to 3.7.

Okay, noted.

[srdo]

The failing test is a different one this time than last time. I think it's just flaky.

[srdo]

Turns out it was just a flaky test. I think this should be ready to go in now. I'm not sure what your backporting policy is like, but it would be nice to get on as many branches as possible :)

[ztzg]

Thank you, @srdo! This is now in master, branch-3.7, and branch-3.7.0.

[srdo]

Sounds good, thank you.