Reset replica engine before primary-replica resync

[dnhatn]

When a replica starts following a newly promoted primary, it may have
some operations which don't exist on the new primary. We need to reset
replicas to the global checkpoint before executing primary-replica
resync. These two steps will align replicas to the primary.

This change resets an engine of a replica to the safe commit when
detecting a new primary term, then reindex operations from the local
translog up to the global checkpoint.

[elasticmachine]

Pinging @elastic/es-distributed

[dnhatn]

/cc @not-napoleon

[s1monw]

I did an initial pass and left some comments

[s1monw]

is this necessary? can we just use the recoverFromTranslog(Long.MAX_VALUE) instead in the tests?

[s1monw]

To me having 2 AtomicReference in flight is very very confusing. I think we can simplify this by introducing an EngineReference class that we make final here and add some the reset logic internally. Or, alterantively keep the AtomicReference<EngineReference>.

it could look like this:

class EngineReference {
   private volatile Engine activeEngine;
   private volatile Engine pendingEngine;

  synchronized boolean hasPendingEngine() {
    return pendingEngine != null;
  } 

  synchronized void makeActiveReadOnly() {
     // do the lockdown thing...
  }

  synchronized void swapPendingEngine() {
    // do the swap... and close the current etc.
  }
}

this looks more contained and we can maybe test it in isolation?

[dnhatn]

+1

[s1monw]

I was wondering why you did that and I think I understand what you are trying to do. You try to make sure we always get the latest engine ie. the locked down one if we swap it. but there is still a race imo. inside applyIndexOperation you might have an engine that is already closed unless you put a lock around it. The swap might be atomic but the reference might still receive writes after you locked it down, is this ok?

[dnhatn]

Before swapping engines, we drain all IndexShardOperationPermits (backed by Semaphore) and a write operation requires an IndexShardPermit. I think we are okay here.

[ywelsch]

correct.

[s1monw]

++ maybe we add this as a comment somewhere or even as an assertion?

[ywelsch]

Don't we need to use getEngineForResync here? Assume that there are documents already replicated by the new primary before this replica has received all resync operations. Also wondering why there have been no test failures, maybe test coverage is not good? Also note that getEngineForResync is probably not the best name for this. I think there's a bigger issue here, let's sync about this tomorrow.

[s1monw]

ideally we would do this entirely outside of the engine and maybe just pass and engine to the ctor of ReadOnlyEngine? do we need to make sure we don't receive writes after we did this or why do we acquire a write lock?

[dnhatn]

I will move this to ctor of ReadOnlyEngine.

[ywelsch]

I've just given this an initial look.

[ywelsch]

AFAICS (correct me if I'm wrong) you had to it this way because we don't know on what node version the primary is (i.e. if it is going to send maxSeqNo or not), and the shard is reset when we acquire the replica operation permit (i.e. possibly before we receive the first resync request). It's a shame because it means we can't ensure consistency for older indices. The only other solution I can think of right now would be to always send the maximum sequence number with the replication request (same as we do for the global checkpoint). We could then pass this to acquireReplicaOperationPermit (same as the global checkpoint).

[dnhatn]

@ywelsch Yeah, you understood it correctly. I had the same thought but did not go with that option as I wasn't sure if it's a right trade-off. I am glad that you suggest it. Should we make that change into this PR or a separate prerequisite PR to reduce noise in this PR?

[ywelsch]

If I see this correctly, you're doing recoverFromTranslog under the mutex here? This can potentially block the cluster state update thread for minutes.

[ywelsch]

why move the state back to RECOVERING?

[ywelsch]

same comment as above. You can't do stuff that possibly blocks the mutex for minutes

[ywelsch]

refreshes should not be happening? If so, should we throw an UnsupportedOperationException here?

[ywelsch]

do we want to assert that all of these methods are never called?

[ywelsch]

I wonder if we should give this a different name, in particular because we might have something similar for frozen indices. There it might be a more complete version of readonly, with possibility to take a Translog.Snapshot. Maybe we could call this SearchOnlyEngine.

[ywelsch]

correct.

[dnhatn]

@s1monw and @ywelsch It's ready for another round. Can you please take a look? Thank you!

[s1monw]

I left some comments. looks good!

[s1monw]

I think you should protect this against double counting down the closeLatch by wrapping this entire try block in

if (isClosed.compareAndSet(false, true)) {

}

[s1monw]

can you leave a comment here that we keep a reference to the store implicitly through the searcher? I do wonder if we should make it explicit

[s1monw]

this searcher manager seems to be unclosed. I think you should close it as well in the closeNoLock method?

[s1monw]

can you try to exercise this method to make sure we open a new searcher and close / release everything

[dnhatn]

Ah, getDocIds method in SearchOnlyEngineTests#testSearchOnlyEngine acquires searchers.

[s1monw]

👍

[s1monw]

I do wonder if it would make more sense to open this entire thing off a store directly and maybe just pass and EngineConfig to this. it would make it more generic and less bound to an engine. WDYT?

[s1monw]

something like this:

 public SearchOnlyEngine(EngineConfig config) {
        super(config);
        try {
            Store store = config.getStore();
            store.incRef();
            DirectoryReader reader = null;
            boolean success = false;
            try {
                this.lastCommittedSegmentInfos = Lucene.readSegmentInfos(store.directory());
                this.translogStats = new TranslogStats(0, 0, 0, 0, 0);
                final SequenceNumbers.CommitInfo seqNoStats =
                    SequenceNumbers.loadSeqNoInfoFromLuceneCommit(lastCommittedSegmentInfos.userData.entrySet());
                long maxSeqNo = seqNoStats.maxSeqNo;
                long localCheckpoint = seqNoStats.localCheckpoint;
                this.seqNoStats = new SeqNoStats(maxSeqNo, localCheckpoint, localCheckpoint);
                reader = SeqIdGeneratingDirectoryReader.wrap(ElasticsearchDirectoryReader.wrap(DirectoryReader
                .open(store.directory()), config.getShardId()), config.getPrimaryTermSupplier().getAsLong());
                this.indexCommit = reader.getIndexCommit();
                this.searcherManager = new SearcherManager(reader, new SearcherFactory());
                success = true;
            } finally {
                if (success == false) {
                    IOUtils.close(reader, store::decRef);
                }
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e); // this is stupid
        }
    }

I did something similar a while back so I had it ready... I am not sure it safe to use 💯

[dnhatn]

I adopted this, but I have to pass SeqNoStats from outside because we use a "reset" local checkpoint which may not equal to the value from an index commit.

[s1monw]

nit extra newline

[s1monw]

any reason we can't just run this the same way we do if we are not resetting?

[s1monw]

not sure, should we through IndexShardNotClosedException instead?

[dnhatn]

Yes, we should throw IndexShardClosedException. AlreadyClosedException was a left-over when we folded Engine to IndexShard.

[s1monw]

make this synchronized too. it's safer since you modify both references

[dnhatn]

good catch!

[s1monw]

maybe you just return snapshot if upToSeqNo is == Long.MAX_VALUE?

[dnhatn]

Done

[ywelsch]

can you restrict the mutex to the first two lines and call close outside the mutex?

[ywelsch]

should this be synchronized so we get a consistent snapshot of the two engines?
Also, again, please do the closing outside the lock.

[dnhatn]

+1

[dnhatn]

@s1monw and @ywelsch I've addressed your comments. Can you please give it another go? I will beef up integration tests as Yannick suggested.

[ywelsch]

This PR is too much to review in one sitting. Can you open a PR just for the recoverFromTranslog change where we can now specify an upper bound?

[ywelsch]

this log message does not contain the right "before" local checkpoint as you moved it to after the local checkpoint reset

[ywelsch]

I wonder if this is insufficient in the presence of cascading primary failures. Assume that you have a primary failover, which wants to index sequence number range 2 to 5 (because global checkpoint on new primary was 2, and resync trim-off is 5). Now, while resyncing, the global checkpoint moves from 2 to 3, and the new primary fails. Another primary is selected, which, for our purposes, has the global checkpoint 3. In that case the doc with sequence number 3 will only be in the translog and the pending Lucene index. By throwing the pending Lucene index away here, we now have to reset the local checkpoint and replay from sequence number 2 (to seq number 3).
What the implementation does here though is to not reset the local checkpoint to number 2, but leave it at 3, which, if this new IndexCommit is flushed, will lead to the situation where the local checkpoint info in the index commit is wrong (i.e. it might not contain the operation number 3).

[dnhatn]

I think this is okay because we start another engine after that in this case. Moreover, we stick with the "reset" local checkpoint (expose the local checkpoint of the active engine) while resetting the engine; thus the global checkpoint won't advance.

[ywelsch]

this trims unsafe commits, possibly cleaning up segments that are referenced by the active search only engine?

[dnhatn]

We open a directory reader in the constructor of a search-only engine and keeps that reader until we manually close the search-only engine. Holding that reader would prevent the segment files of the last commit from deleting during trimming unsafe commits.

[ywelsch]

why do you need to do this under the mutex?

[ywelsch]

How do we ensure that searches are not accessing acquireSearcher on the closed engine and switching to the new engine? Also, is there a test that checks that searches (with preference set to this node) continue to work during this transition.

[dnhatn]

There is a small interval in that callers might acquire searchers from the closed engine and hit AlreadClosedException. We can void this entirely by retrying on "AlreadClosedException" if the accessing engine is different than the current active engine. However, I am not sure if we should do it.

There is a test which continuously acquires searchers and makes sure that all acknowledged writes are maintained during the transition. https://github.com/elastic/elasticsearch/pull/32867/files#diff-b268f5fefa5837ece96b957e46f628cbR674 (getShardDocUIDs acquires a searcher and uses that searcher to collect document Ids).

[ywelsch]

However, I am not sure if we should do it.

why is that? We're building all this machinery to have search availability during the transition, except for this very short moment?

I had the same idea about retrying. An alternative would be to do refcounting for closing the engine, to ensure that we only actually close once all in-flight acquireSearcher calls have been completed.

[dnhatn]

Sorry, I did not think this carefully. I thought we have to implement the retry on all methods that we support in the search-only, but I was wrong. We only need to implement the retry for "get" and "acquire searcher". These two methods should be simple. Thanks for this great question.

[dnhatn]

@ywelsch I opened #33032 for the translog change.

[dnhatn]

Discussed this with @bleskes on another channel. We are going to split this PR into 3 smaller PRs so we can review.

• Reset replica engine to the global checkpoint on promotion (Reset replica engine to global checkpoint on promotion #33473)
• Restore local history on the new primary upon promotion (Restore local history from translog on promotion #33616). This is to deal with cascading fail-over.
• Support search on replicas during promotion (Exposed engine must include all operations below global checkpoint during rollback #36159).

[dnhatn]

All subtasks of this PR were done and merged. I am closing this.