Consider AbstractJoiner's permanent blacklist in split-brain handling [HZ-2065] #24830
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For context: Hazelcast uses a `Joiner` implementation that handles the joining of Nodes to Clusters; all current Joiners extend `AbstractJoiner` which features a map of blacklisted addresses, `blacklistedAddresses`. The key of the map is the address, and the value is a boolean, which shows whether the blacklist is "permanent" (true) or not. A blacklist is applied in 2 situations: after failing a connection while not joined to a cluster (non-permanent), or during a `ClusterMismatchOp` (permanent). The latter is only fired when a Node tries to join a cluster, but is not compatible with the cluster, and so is rejected. The `TcpIpJoiner` joiner employs the blacklist quite heavily, however it currently does not use it in the `searchForOtherClusters` method. This method is only called by the `SplitBrainHandler` task, which runs on loop (default of 5m delay, 2m interval). Due to this, when running multiple clusters sharing the same member list, it is possible to encounter a situation such as this: ``` Member list is defined as "127.0.0.1" for all Nodes. Node A1 starts and forms cluster "cluster_A" as master Node B1 starts and forms cluster "cluster_B" as master Node A2 starts and joins cluster "cluster_A" Node B1, as master, runs `SplitBrainHandler` every 2 minutes. This finds A2's address; B1 sends a merge validation op A2 is not master, so offloads to ClusterJoinManager#answerWhoisMasterQuestion This calls #ensureValidConfiguration, results in ClusterMismatchOp ClusterMismatchOp blacklists A2's address on the first encounter ``` In this scenario, even though the first attempt from B1's split brain handler blacklists A2's address, because there are no blacklist checks within `TcpIpJoiner#searchForOtherClusters`, the attempts continue with every execution of the `SplitBrainHandler` - this results in numerous unnecessary warnings in the logs for members B1 and A2. This commit resolves scenarios like this by removing permanently blacklisted addresses from the collection of `possibleAddresses` output by `TcpIpJoiner#searchForOtherClusters`. Now master nodes will not attempt to send `SplitBrainJoinMessage`s to other cluster nodes after blacklisting its address on the first encounter. However, introducing this blacklist check for `SplitBrainHandler` adds some further considerations, such as what would happen in this scenario: ``` Member list is defined as "127.0.0.1" for all Nodes. Node A1 starts on port 5701 and forms cluster "cluster_A" as master Node A2 starts on port 5702 and joins cluster "cluster_A" Node B1 starts on port 5703 and forms cluster "cluster_B" as master Node B2 starts on port 5704 and joins cluster "cluster_B" *Some time elapses, both A1/B2 have run SplitBrainHandler tasks* Node A2 is shutdown. Node B3 starts on port 5702 and joins cluster "cluster_B" B1 (master) has B3's address blacklisted from when A2 was on port 5702 B1 will now never send SplitBrainJoinMessages to B3 due to this ``` In this scenario, B3 is able to join "cluster_B" successfully as it seeks the master itself and so the blacklist is not applied. This commit resolves the situation by removing Node addresses from the permanent blacklist within the `TcpIpJoiner#onMemberAdded` method. As stated above, addresses are only permanently blacklisted in a `ClusterMismatchOp`, so if a Node has successfully triggered `onMemberAdded`, there has clearly been a topology change meaning this address is no longer incompatible. Therefore it should be safe to add this permanent blacklist removal functionality. Fixes https://hazelcast.atlassian.net/browse/HZ-2065
JamesHazelcast
added
Type: Defect
Team: Core
Source: Internal
kwart
reviewed
Jun 20, 2023
To conduct this test thoroughly, it was necessary to extract part of the `TcpIpJoiner#searchForOtherClusters` function into a separate function `TcpIpJoiner#getFilteredPossibleAddresses` - this function reduces the results of `AbstractJoiner#getPossibleAddresses` (applying filters such as removing known and blacklisted addresses), and does not change any functionality, it just exposes this list more easily.
Good point Josef thank you, I forgot about that! Added: 9d9dc2a |
|
run-lab-run |
vbekiaris
approved these changes
Jun 21, 2023
hazelcast/src/test/java/com/hazelcast/cluster/SplitBrainHandlerTest.java
Outdated
Show resolved
Hide resolved
kwart
approved these changes
Jun 22, 2023
JamesHazelcast
added a commit
that referenced
this pull request
Jun 23, 2023
…HZ-2065] [5.3.z] (#24830) (#24888) Backport of: #24830 For context: Hazelcast uses a `Joiner` implementation that handles the joining of Nodes to Clusters; all current Joiners extend `AbstractJoiner` which features a map of blacklisted addresses, `blacklistedAddresses`. The key of the map is the address, and the value is a boolean, which shows whether the blacklist is "permanent" (true) or not. A blacklist is applied in 2 situations: after failing a connection while not joined to a cluster (non-permanent), or during a `ClusterMismatchOp` (permanent). The latter is only fired when a Node tries to join a cluster, but is not compatible with the cluster, and so is rejected. The `TcpIpJoiner` joiner employs the blacklist quite heavily, however it currently does not use it in the `searchForOtherClusters` method. This method is only called by the `SplitBrainHandler` task, which runs on loop (default of 5m delay, 2m interval). Due to this, when running multiple clusters sharing the same member list, it is possible to encounter a situation such as this: ``` Member list is defined as "127.0.0.1" for all Nodes. Node A1 starts and forms cluster "cluster_A" as master Node B1 starts and forms cluster "cluster_B" as master Node A2 starts and joins cluster "cluster_A" Node B1, as master, runs `SplitBrainHandler` every 2 minutes. This finds A2's address; B1 sends a merge validation op A2 is not master, so offloads to ClusterJoinManager#answerWhoisMasterQuestion This calls #ensureValidConfiguration, results in ClusterMismatchOp ClusterMismatchOp blacklists A2's address on the first encounter ``` In this scenario, even though the first attempt from B1's split brain handler blacklists A2's address, because there are no blacklist checks within `TcpIpJoiner#searchForOtherClusters`, the attempts continue with every execution of the `SplitBrainHandler` - this results in numerous unnecessary warnings in the logs for members B1 and A2. This commit resolves scenarios like this by removing permanently blacklisted addresses from the collection of `possibleAddresses` output by `TcpIpJoiner#searchForOtherClusters`. Now master nodes will not attempt to send `SplitBrainJoinMessage`s to other cluster nodes after blacklisting its address on the first encounter. However, introducing this blacklist check for `SplitBrainHandler` adds some further considerations, such as what would happen in this scenario: ``` Member list is defined as "127.0.0.1" for all Nodes. Node A1 starts on port 5701 and forms cluster "cluster_A" as master Node A2 starts on port 5702 and joins cluster "cluster_A" Node B1 starts on port 5703 and forms cluster "cluster_B" as master Node B2 starts on port 5704 and joins cluster "cluster_B" *Some time elapses, both A1/B2 have run SplitBrainHandler tasks* Node A2 is shutdown. Node B3 starts on port 5702 and joins cluster "cluster_B" B1 (master) has B3's address blacklisted from when A2 was on port 5702 B1 will now never send SplitBrainJoinMessages to B3 due to this ``` In this scenario, B3 is able to join "cluster_B" successfully as it seeks the master itself and so the blacklist is not applied. This commit resolves the situation by removing Node addresses from the permanent blacklist within the `TcpIpJoiner#onMemberAdded` method. As stated above, addresses are only permanently blacklisted in a `ClusterMismatchOp`, so if a Node has successfully triggered `onMemberAdded`, there has clearly been a topology change meaning this address is no longer incompatible. Therefore it should be safe to add this permanent blacklist removal functionality. Fixes https://hazelcast.atlassian.net/browse/HZ-2065
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For context: Hazelcast uses a
Joinerimplementation that handles the joining of Nodes to Clusters; all current Joiners extendAbstractJoinerwhich features a map of blacklisted addresses,blacklistedAddresses. The key of the map is the address, and the value is a boolean, which shows whether the blacklist is "permanent" (true) or not. A blacklist is applied in 2 situations: after failing a connection while not joined to a cluster (non-permanent), or during aClusterMismatchOp(permanent). The latter is only fired when a Node tries to join a cluster, but is not compatible with the cluster, and so is rejected.The
TcpIpJoinerjoiner employs the blacklist quite heavily, however it currently does not use it in thesearchForOtherClustersmethod. This method is only called by theSplitBrainHandlertask, which runs on loop (default of 5m delay, 2m interval). Due to this, when running multiple clusters sharing the same member list, it is possible to encounter a situation such as this:In this scenario, even though the first attempt from B1's split brain handler blacklists A2's address, because there are no blacklist checks within
TcpIpJoiner#searchForOtherClusters, the attempts continue with every execution of theSplitBrainHandler- this results in numerous unnecessary warnings in the logs for members B1 and A2.This commit resolves scenarios like this by removing permanently blacklisted addresses from the collection of
possibleAddressesoutput byTcpIpJoiner#searchForOtherClusters. Now master nodes will not attempt to sendSplitBrainJoinMessages to other cluster nodes after blacklisting its address on the first encounter.However, introducing this blacklist check for
SplitBrainHandleradds some further considerations, such as what would happen in this scenario:In this scenario, B3 is able to join "cluster_B" successfully as it seeks the master itself and so the blacklist is not applied. This commit resolves the situation by removing Node addresses from the permanent blacklist within the
TcpIpJoiner#onMemberAddedmethod.As stated above, addresses are only permanently blacklisted in a
ClusterMismatchOp, so if a Node has successfully triggeredonMemberAdded, there has clearly been a topology change meaning this address is no longer incompatible. Therefore it should be safe to add this permanent blacklist removal functionality.Fixes https://hazelcast.atlassian.net/browse/HZ-2065