redpanda: cluster will not form without a node with an empty seed server list

[rkruze]

When setting up a cluster, you want to make sure all nodes have the same seed servers. This includes the initial node since if it was to come back with an empty data directory you would want it to be able to join the cluster automatically without user intervention. This does not work today. If you set up a three-node cluster with each node having all three nodes in its seeds list it will never form a cluster. You see the following from the node:

Dec 22 19:26:25 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:25,254 [shard 0] cluster - members_manager.cc:309 - Processing node '1' join reques
t
Dec 22 19:26:25 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:25,503 [shard 0] cluster - members_manager.cc:309 - Processing node '0' join reques
t
Dec 22 19:26:25 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:25,503 [shard 0] cluster - members_manager.cc:274 - Error joining cluster using 0 s
eed server
Dec 22 19:26:25 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:25,503 [shard 0] cluster - members_manager.cc:211 - Sending join request to 1 @ {ho
st: 172.31.53.238, port: 33145}
Dec 22 19:26:25 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:25,503 [shard 0] cluster - members_manager.cc:198 - Next cluster join attempt in 66
14 milliseconds
Dec 22 19:26:29 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:29,782 [shard 0] cluster - members_manager.cc:309 - Processing node '2' join reques
t
Dec 22 19:26:32 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:32,117 [shard 0] cluster - members_manager.cc:309 - Processing node '0' join reques
t
Dec 22 19:26:32 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:32,118 [shard 0] cluster - members_manager.cc:274 - Error joining cluster using 0 s
eed server
Dec 22 19:26:32 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:32,118 [shard 0] cluster - members_manager.cc:211 - Sending join request to 1 @ {ho
st: 172.31.53.238, port: 33145}
Dec 22 19:26:32 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:32,118 [shard 0] cluster - members_manager.cc:198 - Next cluster join attempt in 63
93 milliseconds
Dec 22 19:26:32 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:32,376 [shard 0] cluster - members_manager.cc:309 - Processing node '1' join reques
t
Dec 22 19:26:36 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:36,329 [shard 0] cluster - members_manager.cc:309 - Processing node '2' join reques
t
Dec 22 19:26:38 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:38,449 [shard 0] cluster - members_manager.cc:309 - Processing node '1' join reques
t
Dec 22 19:26:38 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:38,511 [shard 0] cluster - members_manager.cc:309 - Processing node '0' join reques
t
Dec 22 19:26:38 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:38,511 [shard 0] cluster - members_manager.cc:274 - Error joining cluster using 0 s
eed server
Dec 22 19:26:38 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:38,511 [shard 0] cluster - members_manager.cc:211 - Sending join request to 1 @ {ho
st: 172.31.53.238, port: 33145}
Dec 22 19:26:38 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:38,512 [shard 0] cluster - members_manager.cc:198 - Next cluster join attempt in 64
18 milliseconds
Dec 22 19:26:42 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:42,537 [shard 0] cluster - members_manager.cc:309 - Processing node '2' join reques
t
Dec 22 19:26:44 ip-172-31-61-36 rpk[17533]: INFO  2020-12-22 19:26:44,553 [shard 0] cluster - members_manager.cc:309 - Processing node '1' join reques
t

It seems no one knows who should be the bootstrap server and thus the cluster never forms.

[BenPope]

Probably related/prerequisite: #245

[emaxerrno]

i remember @mmaslankaprv mentioning we had a restriction to form the raft groups from one node, i.e.: to bootstrap from one node. we needed to differentiate node joining vs node bootstrap. i think we have more metadata tracking now we can make that distinction. basically if not in set.

[mmaslankaprv]

Currently we operate with the following assumptions:

• node without seed servers is designated as a cluster root, it is the only node that will initiate cluster formation, when no more
  nodes are present the node with empty seed server list will form a single node cluster
• node with seed server list will use the seed servers to communicate with the cluster to join

[BenPope]

How does one restart the cluster root? Should it have seeds? What if it lost its data dir?

Would it make sense to have a two-phase initialisation, where a tool, perhaps RPK, triggers cluster formation?

[mmaslankaprv]

Restarting node is not a problem. The problem is when it lose the data directory, then we have to change configuration to point it to different nodes to join the cluster. I am wondering how is this solved in CoackroachDB. They similar approach to seed servers.
We were targeting the easiest way of bootstrapping the cluster. Two phase approach is an option but certainly more complicated one. Maybe we can use incoming connection as a trigger to change node behavior ?

[BenPope]

I think CockroachDB does two-phase. The concern is that during a network partition, bootstrapping must form within the majority partition. An unusual situation for sure, but it comes up if the cluster root loses it's data and is restarted.

The context here is within Kubernetes. It's not so easy with StatefulSet, to have a node behave differently depending on whether it is the cluster root, and whether it has lost its data. It could be punted to an operator, but it might make sense to have Redpanda perform the magic.

[rkruze]

Yes, CockroachDB uses a two-phased init. Each server is brought up with the same "join" list. Once those nodes are up, if a cluster hasn't been formed in the past, they go into standby until a node gets an "init" command. https://www.cockroachlabs.com/docs/v20.2/cockroach-init.html

[mmaslankaprv]

I think we can make the operation to be two step without implementing the centralized configuration. We can introduce the centralized configuration as a follow up.

[jcsp]

I think the two-phase init makes sense -- that should probably be hidden behind an rpk setup command that runs it for the user after daemons start.

We should also retain the current behaviour that writing a config with seed_servers=[] causes a node to auto-init, so that a single node cluster init is still a trivial case of just running a binary.

[jcsp]

Related to #2793 -- once both are done, a cluster could realistically use the same redpanda.yml on all nodes.

[nicolaferraro]

Leaving this here as it may affect the solution to this issue.
I've been working on a two phase initialization in the operator and I was expecting that Redpanda node 0 could start alone if the seeds server list contained a single entry (i.e. the root node 0 itself).

It turns out this is the case, except when the cluster has TLS and mutual authentication on the Kafka API endpoint.
In that specific case, the cluster is never formed:

cluster-tls-0 redpanda DEBUG 2022-06-13 13:32:50,014 [shard 0] cluster - health_monitor_backend.cc:284 - unable to refresh health metadata, no leader controller
cluster-tls-0 redpanda INFO  2022-06-13 13:32:50,014 [shard 0] cluster - health_monitor_backend.cc:426 - error refreshing cluster health state - Currently there is no leader controller elected in the cluster
cluster-tls-0 redpanda INFO  2022-06-13 13:32:50,014 [shard 0] cluster - metadata_dissemination_service.cc:357 - unable to retrieve cluster health report - Currently there is no leader controller elected in the cluster
cluster-tls-0 redpanda DEBUG 2022-06-13 13:32:52,845 [shard 0] cluster - members_manager.cc:435 - Using current node as a seed server
cluster-tls-0 redpanda INFO  2022-06-13 13:32:52,845 [shard 0] cluster - members_manager.cc:499 - Processing node '0' join request (version 3)
cluster-tls-0 redpanda INFO  2022-06-13 13:32:52,845 [shard 0] cluster - members_manager.cc:370 - Next cluster join attempt in 5996 milliseconds
cluster-tls-0 redpanda DEBUG 2022-06-13 13:32:53,013 [shard 0] compaction_ctrl - backlog_controller.cc:129 - updating shares 10
cluster-tls-0 redpanda INFO  2022-06-13 13:32:53,014 [shard 0] group-metadata-migration - group_metadata_migration.cc:710 - kafka_internal/group topic does not exists, activating consumer_offsets feature
cluster-tls-0 redpanda DEBUG 2022-06-13 13:32:53,014 [shard 0] cluster - health_monitor_backend.cc:400 - requesing cluster state report with filter: {per_node_filter: {include_partitions: true, ntp_filters: {}}, nodes: {}}, force refresh: false

So, the seed server list needs to be completely empty for the initial cluster to be created.

[twmb]

@jcsp am I reading the thread above correctly, we need the code to exist in redpanda first, and once redpanda handles an empty seed servers, we can change rpk to emit no seed servers. I'll move this too our own "awaiting other team" queue. cc @piyushredpanda

[jcsp]

There will be a bit more to it than that. We haven't nailed this down yet, but probably:

• The default will still be to auto-form a cluster if one of the nodes has an empty seed_servers, as it does today
• A new configuration property called something like "cluster_await_initialize" (false by default)
• if cluster_await initialize is true, then redpanda will not form a cluster (i.e. will not write controller log or fully come up) until one of the nodes receives an admin API call asking it to initialize (and this call can have some limited set of parameters like an initial superuser account credentials or an initial license file).
• seed_servers can then be set to the same value on all nodes (e.g. leave it out if you have one node, or set it symmetrically to the full list of nodes on all the nodes).

Auto-selection node_id is a separate but complementary thing: that enables orchestators to avoid picking node Ids for redpanda nodes, just leave it out the config file and redpanda will make one up.