archival: Improve archival STM concurrency control #16774
Conversation
| config::shard_local_cfg() | ||
| .cloud_storage_disable_metadata_consistency_checks.set_value(false); |
There was a problem hiding this comment.
Consider using a scoped_config for this so it gets reset when the test exits
There was a problem hiding this comment.
I totally forgot about the problem. Thanks!
| vassert( | ||
| !_lock.try_get_units().has_value(), | ||
| "Attempt to replicate STM command while not under lock"); | ||
| vassert( | ||
| _active_operation_res.has_value() == false, "Concurrency violation"); |
There was a problem hiding this comment.
I think this needs to be cleared if there is an error (e.g. timeout). Otherwise it seems like the next attempt to replicate will hit this assertion
| } | ||
|
|
||
| co_return synced; | ||
| } |
There was a problem hiding this comment.
I'm wondering if it makes sense to add an assert that _active_operation_res here. In theory we should be guaranteed it has completed, right?
There was a problem hiding this comment.
it makes sense, we don't want it to be carried over from previous operation
| @@ -190,9 +190,13 @@ struct archival_metadata_stm::update_highest_producer_id_cmd { | |||
| using value = model::producer_id; | |||
| }; | |||
|
|
|||
| // Serde format description | |||
| // v4 | |||
| @@ -1367,6 +1402,21 @@ void archival_metadata_stm::apply_reset_metadata() { | |||
| _manifest->unsafe_reset(); | |||
| } | |||
|
|
|||
| bool archival_metadata_stm::apply_read_write_fence( | |||
| const archival_metadata_stm::read_write_fence_cmd& cmd) noexcept { | |||
| if (_manifest->get_applied_offset() > cmd.last_applied_offset) { | |||
There was a problem hiding this comment.
Is it possible/expected to be able to have get_applied_offset() < cmd.last_applied_offset? Does it imply some kind of gap in the log or something?
There was a problem hiding this comment.
I don't think it's possible in our use case.
| /// Add update_highest_producer_id_cmd command | ||
| command_batch_builder& | ||
| update_highest_producer_id(model::producer_id highest_pid); |
There was a problem hiding this comment.
nit: meant for a different PR? Or is this just added for completeness?
Lazin
force-pushed
the
feature/propagate-archival-stm-apply-error
branch
2 times, most recently
from
8862052
to
58532ac
Compare
Lazin
force-pushed
the
feature/propagate-archival-stm-apply-error
branch
from
98c431f
to
74676d8
Compare
|
new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e27ee-8983-4da8-b311-b41c519c7422: new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e27ee-898d-4b17-b8ec-dfed2cb4417e: new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e27ee-898a-45a1-969d-c07471959f74: new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e27ee-8986-43f4-8202-bf582bb41e0f: new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e2800-a3c0-43b7-a728-77227dd03eda: new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e2800-a3c3-4d59-a5f5-c392cff998d7: new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e2800-a3bd-4922-8f51-dc28a7f27975: new failures in https://buildkite.com/redpanda/redpanda/builds/45948#018e2800-a3c6-4ce0-b872-f2ae6fffd81f: new failures in https://buildkite.com/redpanda/redpanda/builds/45949#018e28d8-a2c4-4e04-b951-0733e8752b4a: new failures in https://buildkite.com/redpanda/redpanda/builds/45949#018e28d8-a2ce-444e-9c71-81cc326fe89f: new failures in https://buildkite.com/redpanda/redpanda/builds/45949#018e28d8-a2cb-4783-8b3b-5ca346402b56: new failures in https://buildkite.com/redpanda/redpanda/builds/45949#018e28d8-a2c8-4d51-bce2-771b47b8c9d7: new failures in https://buildkite.com/redpanda/redpanda/builds/45949#018e28ea-2690-42de-b463-6a0d02aad556: new failures in https://buildkite.com/redpanda/redpanda/builds/45949#018e28ea-2686-4091-a9bb-8e85a9c60cf9: new failures in https://buildkite.com/redpanda/redpanda/builds/46565#018e61a6-786d-4753-b052-bebcb9e55ebe: |
Lazin
force-pushed
the
feature/propagate-archival-stm-apply-error
branch
from
74676d8
to
c119bac
Compare
|
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45949#018e28d8-a2c8-4d51-bce2-771b47b8c9d7 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45966#018e2d25-f9f9-45e9-b06a-3dffc42519d5 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45966#018e2d38-5972-4722-98bc-c637303a430e ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45966#018e2d38-5969-4a9d-be22-de195923ce28 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45974#018e2de0-9b13-40d1-a7d5-4927eb1a7b84 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46617#018e668e-c90a-40db-bcf3-bc70dd3c4370 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46617#018e66a0-cec3-454a-b130-8903464eff81 |
Lazin
force-pushed
the
feature/propagate-archival-stm-apply-error
branch
3 times, most recently
from
aaf9295
to
e35b079
Compare
| const bool synced = co_await persisted_stm::sync(timeout); | ||
| ss::future<bool> archival_metadata_stm::do_sync( | ||
| model::timeout_clock::duration timeout, ss::abort_source* as) { | ||
| co_await raft::persisted_stm<>::sync(timeout); |
There was a problem hiding this comment.
Shouldn't we handle the result here? Persisted stm sync will return false in couple of cases like not a leader or timeout
| @@ -1311,6 +1265,7 @@ void archival_metadata_stm::apply_add_segment(const segment& segment) { | |||
| "Can't add segment: {}, previous segment: {}", | |||
| meta, | |||
| last); | |||
| maybe_notify_waiter(errc::inconsistent_stm_update); | |||
There was a problem hiding this comment.
Shouldn't we throw here instead and let the try-catch bock in apply propagate the error?
There was a problem hiding this comment.
it will be registered and propagated as an exception and we need an error code
this can be done of cause but will require more code and separate code path to call maybe_notify_waiter with the error code
There was a problem hiding this comment.
Can't then we have a case where the STM is a bit behind, we call replicate (we even include the fence command) and set _active_operation_res but then ... maybe_notify_waiter is called for an older command? What's preventing this?
There was a problem hiding this comment.
the protocol is to call sync first and only after that call replicate
so basically, you're calling sync, getting read-write-fence value and then replicating data
There was a problem hiding this comment.
do you think some external failsafe mechanism should be added to prevent incorrect usage?
There was a problem hiding this comment.
Yeah, I believe this implementation is still problematic. Anything that prevents the caller to call sync then do some other async thing and then call replicate? The correctness of the STM still relies on assumptions which is not better than what we had from what I understand.
There was a problem hiding this comment.
I guess one way to fix this is to returns some value from the sync method and then require user to pass this value to the replicate method. I didn't went for it because for now I want to keep original ntp_archiver mostly intact and this will require a lot of changes there.
Another idea that I had (and I also had an implementation which I removed later because it only got more confusing) is to have some sort of cursor that can be used to write to the STM. You can only obtain such object using sync call and if such object exists nothing else can write to the STM.
I'll think about something that can be done here, maybe we can rely on retry-chain-node instance to check the identity of the waiter.
There was a problem hiding this comment.
I think I solved this problem by forcing sync in case if the STM is catching up. So we're only setting the promise when the STM is up to date and we're holding the lock so it's guaranteed that the promise will get the correct result.
| // All keys other than mark clean make the manifest dirty | ||
| _last_dirty_at = base_offset + model::offset{r.offset_delta()}; | ||
| } | ||
| auto on_exit = ss::defer( |
There was a problem hiding this comment.
Remind me please, Is the STM re-created on leadership change?
There was a problem hiding this comment.
Follow up question in wrong thread: #16774 (comment)
|
/cdt |
Lazin
force-pushed
the
feature/propagate-archival-stm-apply-error
branch
from
e35b079
to
25e0cd3
Compare
Currently, the 'ntp_archiver' calls 'sync' method in every iteration to avoid inconsistencies. It uses custom implementation that takes into account the in-flight replication operation, current state of the raft group (term, committed offset), and state of the manifest. This commit changes this custom 'sync' implementation. Instead of storing the in-flight operation we're just holding a lock and waiting for the data in the log to be applied to the in-memory state of the STM.
The field contains an offset of the last applied command. It's advanced by the 'archival_metadata_stm' every time the command is applied to the in-memory state of the STM. The commit contains a unit-test that checks that the field is serialized correctly. The field is not added to the json manifest on purpose. The json compatibility is tricky and it's OK for this field to be default initialized after the manfiest reset.
The command is supposed to be used as a concurrency control mechanism. The user of the archival STM (ntp-archiver) should read the applied_offset from the manifest before making any changes. Then, before the segments are addded to the command builder (or any other changes) the user should add `read_write_fence` command using the applied offset. When the command is replicated the user will get an error if there was any change to the in-memory state of the STM between the moment when the applied_offset was acquired and the moment when the commands generated by the user are applied. In other words, the read-write-fence guarantees that the changes to the in-memory state are not made based on the stale state. It guarantees that there is only one active writer. The 'concurrent_modification_error' is returned if the property of the read-write-fence is violated. The fence commmand is only applied to the current batch. It can only abort commands which are added to the record batch after it. If the read-write-fence command is added to the record batch first it will abort the entire batch. If the command is added to the record batch last it will not have any effect.
Add new method to command_batch_builder. The method adds 'update_highest_producer_id_cmd' command to the record batch.
Add wait_for_apply method that waits until all messages in the log are applied. Invoke this method in tests to guarantee graceful shutdown.
Lazin
force-pushed
the
feature/propagate-archival-stm-apply-error
branch
from
25e0cd3
to
2dc4dbc
Compare
| @@ -1314,6 +1269,7 @@ void archival_metadata_stm::apply_add_segment(const segment& segment) { | |||
| "Can't add segment: {}, previous segment: {}", | |||
| meta, | |||
| last); | |||
| maybe_notify_waiter(errc::inconsistent_stm_update); | |||
There was a problem hiding this comment.
Maybe not a part of this change, but should we be doing this for most/every apply_* function that logs an error?
There was a problem hiding this comment.
The idea is that this method is called explicitly in few places when we have the error code only to return inconsistency or concurrency violation error. The remaining errors are exceptions and handled in the try/catch in one place.
There was a problem hiding this comment.
The remaining errors are exceptions and handled in the try/catch in one place.
if you threw, could the error handling be unified in one place?
| on_exit.cancel(); | ||
| maybe_notify_waiter(std::current_exception()); |
There was a problem hiding this comment.
Just noting down some of the remaining odd semantics that are maybe possible? Though not 100% sure.
- wait_no_throw() returns after replicating, even though the op that was being replicated didn't get applied, because we're a stale follower that previously thought we were leader. I don't think this is problematic, since things downstream of the wait_no_throw() will likely detect we're no longer leader. Still a rough edge IMO.
- sync() returns success but nothing is preventing more data from coming in and being applied before the call to replicate(). Not necessarily a bug, but is error prone. Perhaps
sync()should return a token that can be passed to replicate() that's only valid while nothing else is applied to archival. - some ops succeed, while others fail in the same batch. As written, it seems like we'll notify waiters on first failure, but again, probably no practical impact since we also wait_no_throw() before awaiting on the future
There was a problem hiding this comment.
The assumption is that the caller of the sync is the only caller. It's not enforced now because I want to keep existing ntp_archiver as is. Also, I'll try to make a change and return fence offset from the sync method.
In the future PR I'll try to enforce one caller invariant at compile time (thinking about acquire/release semantics for it, so the archiver will acquire the STM and then call sync). This PR adds the mechanism (fence and error propagation) without changing the interface.
There was a problem hiding this comment.
Thinking about this a bit more I think that we don't even need to do this. When we replicating config batch we're acquiring the lock. Then, while holding the lock we're setting the promise, replicating the batch and calling wait_no_throw and then waiting for the promise to be set. The entire lifecycle of the promise is done under the lock so such violation is not possible. Concurrent fiber may try to replicate something when the promise is created but not yet set but it will get stuck waiting for the lock.
| last); | ||
| maybe_notify_waiter(errc::inconsistent_stm_update); |
There was a problem hiding this comment.
If there are multiple ops to apply in the batch, and we fail on the first one, it seems like we will notify waiters immediately without waiting for the rest of the batch to be applied. Is this intentional?
There was a problem hiding this comment.
yes, the fence should be the first in the batch and supposed to abort the batch on failure
| /// applied to the in-memory state of the STM if the 'applied_offset' is | ||
| /// greater than the 'offset'. This mechanism is supposed to be used as a | ||
| /// concurrency-control mechanism. | ||
| command_batch_builder& read_write_fence(model::offset offset); |
There was a problem hiding this comment.
Just curious, is the only reason to allow an input offset for testing? It may be less error prone to just call into the stm for the last applied offset, and have tests explicitly interleave construction of the builders (don't feel strongly about it though)
There was a problem hiding this comment.
It's not for testing. The STM doesn't know when you accessed the manifest so it can't start building the batch at the right moment. The user is supposed to read the fence offset manually and then use this method to add it to the batch.
There was a problem hiding this comment.
You're also allowed not to use it. For instance, in the unsafe manifest reset you should just avoid using it and let possible concurrent operation to be interrupted.
There was a problem hiding this comment.
Ah that makes sense. Thanks for explaining
| /// applied to the in-memory state of the STM if the 'applied_offset' is | ||
| /// greater than the 'offset'. This mechanism is supposed to be used as a |
There was a problem hiding this comment.
This isn't quite true though, right? It should exactly match the offset?
Also maybe it makes sense to mention this should always be the first record written to an archival batch? Perhaps we could even assert that to be the case.
There was a problem hiding this comment.
I think the suggestion to have an explicit ordering requirement between sync() and replicate() makes sense, but I don't think it should block this change.
The questions I have aren't blocking if the behaviors pointed out are intentional.
Would be great to correct the fence comment though
| }; | ||
| }); | ||
| switch (key) { | ||
| case add_segment_cmd::key: |
There was a problem hiding this comment.
formatting in a separate commit?
There was a problem hiding this comment.
Formatting changed due to extra indent level from try-catch bock. I don't understand why this need to be a separate commit. It's part of the change. All this code uses different exception handling approach now and it's visible in the commit history.
There was a problem hiding this comment.
I don't understand why this need to be a separate commit. It's part of the change.
It doesn't have to be, but the importance of making commits easy to review increases with the size/complexity of the commit itself. You could add that try-catch block as a commit before this one as a mechanical change. Then it would lower the cognitive complexity of the next commit. It'd be a silly commit, but it would lower complexity.
It could be but the PR is moderately sized (only 500 lines) and all changes are related. Error propagation is needed so the caller could see the error from read-write fence. |
The "sync" method returns optional<offset> value which contains last applied offset from the manifest on success or nullopt on failure. The caller is supposed to use this offset to add a read_write_fence command to the archival configuration batch.
The 'replicate' method of the archival_metadata_stm using the following algorithm: 1. Acquire the lock. 2. Create the promise. 3. Replicate the configuration batch and get its offset. 4. Wait until the offset is applied. 5. Wait until the future associated with the created promise is set. 6. Return the result and release the lock. The background fiber of the archival STM is applying every record batch to the in-memory state. If the promise is created the background loop will - set it to 'errc::success' when the batch is applied and reset it - set it to error value if the batch can't be applied Note that the promise is used as a one time mailbox. The replicate method creates a promise and replicates the batch and then the background fiber applies this record batch and sends result to the mailbox (our promise). This is correct under assumption that the in-memory state of the STM is up to date (sync method was called before calling repliate). This assumption is not always correct. IF between the 'sync' and 'replciate' calls another fiber invoked 'replicate' there is no error because the 'replicate' is waiting until all changes are applied to the STM. The only problem that we may have is when the caller invokes 'replicate' without calling 'sync' first. In this case some old batch may trigger the promise and we will get incorrect error code in the 'replicate' method. To avoid this this commit adds extra step to the 'replicate' method. If 'insync' offset of the manifest is lower than 'committed' offset of the Raft group it will call 'do_sync'. After that it will proceed to step 2 in the algorithm described above. The final algorithm looks like this: 1. Acquire the lock. 2. Call sync if in-sync offset is less than committed offset. 3. Create the promise. 4. Replicate the configuration batch and get its offset. 5. Wait until the offset is applied. 6. Wait until the future associated with the created promise is set. 7. Return the result and release the lock.
PR "size" is unrelated to LOC. Size is measured IMO as the amount of accidental complexity. |
| ss::future<std::optional<model::offset>> | ||
| sync(model::timeout_clock::duration timeout); |
There was a problem hiding this comment.
nit: could you please add comments about how users are supposed to use/think about the returned offset?
| @@ -730,17 +730,29 @@ ss::future<std::error_code> archival_metadata_stm::process_anomalies( | |||
| co_return co_await builder.replicate(); | |||
| } | |||
|
|
|||
| ss::future<bool> | |||
| ss::future<std::optional<model::offset>> | |||
There was a problem hiding this comment.
The caller is supposed to use this offset to add a read_write_fence
command to the archival configuration batch.
This will be in a follow-up change, right?
| // If the caller didn't invoke `sync` before calling `replicate` we | ||
| // might have some batches which are not applied to the STM yet. These |
There was a problem hiding this comment.
Thinking generally about how to make it clearer that this behavior is correct via tests.. it's tough because instantiating the archival stm in isolation and stressing it to exercise these code paths is so tough.
The only problem that we may have is when the caller invokes 'replicate' without calling 'sync' first. In this case some old batch may trigger the promise and we will get incorrect error code in the 'replicate' method.
Thinking about this specifically, I wonder if there's a way we could artificially/randomly delay the apply fiber and artificially replicate()/sync() from many different fibers in a test. Then the invariant we want to uphold is that all replicate() calls that succeeded are reflected in the manifest, and all that failed are not.
I guess it'd be tough to test with the archival stm's current interface because there are so many rules baked into archival operations, but just thinking out loud. It'd be great if this logic were encapsulated in the persisted stm -- then we could implement a dummy stm that's just a kvstore to tests the concurrency mechanics without also having to work around the stm's logical invariants.
There was a problem hiding this comment.
When the command is replicated the user will get an error if there was
any change to the in-memory state of the STM between the moment when the
applied_offset was acquired and the moment when the commands generated
by the user are applied. In other words, the read-write-fence guarantees
that the changes to the in-memory state are not made based on the stale
state. It guarantees that there is only one active writer.
Makes sense. Is the manifest applied offset updated in lock step with actually applying offsets and also backed up into s3? that's the part i don't quite understand.
| if (res || _last_replicate->term < _raft->term()) { | ||
| _last_replicate = std::nullopt; |
There was a problem hiding this comment.
is it possible for the result to have been 'success' but the term also changed? if so, what would that mean?
| @@ -1314,6 +1269,7 @@ void archival_metadata_stm::apply_add_segment(const segment& segment) { | |||
| "Can't add segment: {}, previous segment: {}", | |||
| meta, | |||
| last); | |||
| maybe_notify_waiter(errc::inconsistent_stm_update); | |||
There was a problem hiding this comment.
The remaining errors are exceptions and handled in the try/catch in one place.
if you threw, could the error handling be unified in one place?
| "Unexpected error while applying changes to " | ||
| "archival_metadata_stm: {}", | ||
| std::current_exception()); | ||
| on_exit.cancel(); |
There was a problem hiding this comment.
the raii thing is nice, but catch-all handler here deals with it correctly in that you could move the notification for success down below the catch handler, right? or is there a control flow there im missing? maybe just conservative / safety?
|
|
||
| /// Advance last applied STM command offset | ||
| void advance_applied_offset(model::offset o) noexcept { | ||
| _applied_offset = std::max(_applied_offset, o); |
There was a problem hiding this comment.
please document what race is occurring to require the max here.
| @@ -582,6 +589,7 @@ ss::future<> archival_metadata_stm::make_snapshot( | |||
| .start_kafka_offset = m.get_start_kafka_offset_override(), | |||
| .spillover_manifests = std::move(spillover), | |||
| .highest_producer_id = m.highest_producer_id(), | |||
| .applied_offset = m.get_applied_offset(), | |||
There was a problem hiding this comment.
is the behavior change of the system and dependence on get applied offset going to necessitate a feature flag?
There was a problem hiding this comment.
cloud_storage: Add 'applied_offset' to the manifest
The field contains an offset of the last applied command. It's advanced
by the 'archival_metadata_stm' every time the command is applied to the
in-memory state of the STM.
This commit message is missing the critical component of why this is being added. An STM always knows its last applied offset because its the one applying it. So the commit message needs to explain why that information should be durable. Presumably that is because the STM has external effects?
How does concurrency work? For example, are we creating a new manifest for every command applied? If so, does the manifest get uploaded too before the next command is applied. If a new manifest isn't created for every command then what does the field really mean?
| if (apply_read_write_fence( | ||
| serde::from_iobuf<read_write_fence_cmd>( | ||
| r.release_value()))) { | ||
| // This means that there is a concurrency violation. The | ||
| // fence was created before some other command was | ||
| // applied. We can't apply the commands from this batch. | ||
| return ss::stop_iteration::yes; |
There was a problem hiding this comment.
nice. so is this resumable? you skip the batch, or this indicates a terrible situation?
| /// applied to the in-memory state of the STM if the 'applied_offset' is | ||
| /// greater than the 'offset'. This mechanism is supposed to be used as a |
| @@ -730,17 +730,29 @@ ss::future<std::error_code> archival_metadata_stm::process_anomalies( | |||
| co_return co_await builder.replicate(); | |||
| } | |||
|
|
|||
| ss::future<bool> | |||
| ss::future<std::optional<model::offset>> | |||
| auto is_synced = co_await _parent.archival_meta_stm()->sync( | ||
| sync_timeout); | ||
| if (!is_synced) { | ||
| if (!is_synced.has_value()) { |
There was a problem hiding this comment.
is_synced isn't really a good name now, right? it's also odd to have a optional engaged check, but ignore the stored value. per Andrew's comment, is that changing in a subsequent PR?
There was a problem hiding this comment.
Note that the promise is used as a one time mailbox. The replicate
method creates a promise and replicates the batch and then the
background fiber applies this record batch and sends result to the
mailbox (our promise).
This is correct under assumption that the in-memory state of the STM is
up to date (sync method was called before calling repliate). This
assumption is not always correct.
IF between the 'sync' and 'replciate' calls another fiber invoked
'replicate'
Ok, but I thought the point of the mutex was to deal with this?
Currently, the archival STM doesn't propagate errors from the background loop to the caller. The background loop applies record batches to the in-memory state of the STM. Recently, the admission control mechanism was introduced. The background loop checks if the batch can be safely applied and only after that it can apply any changes to the in-memory state of the STM. This is needed to avoid metadata inconsistencies. If the batch can't be safely applied it gets discarded. The problem is that the caller is not receiving the error code.
This PR fixes error propagation. The caller now receives an
inconsistent_stm_updateerror in case if metadata inconsistency have been detected.Apart from this the PR changes the
syncmethod implementation. Thesyncmethod of thepersisted_stmassumes that it will be called once in the beginning of the term. If the STM is responsible for creating its own commands (provides the write interface) it guarantees that no commands were replicated in the current term sosyncguarantees that the in-memory state of the STM is up to date.The archival STM maintains a complex data structure (the manifest) and the
ntp_archivermakes decisions based on this state. Because of that it's crucial to guarantee that the state is up to date. Otherwise thentp_archivermay try to replicate inconsistent metadata. Previously, we calledsyncin the beginning of the upload loop which was started in the beginning of the term.Since then the mid-term restart was added to the
ntp_archiver. In some cases we can restart the archiver which may lead to the metadata inconsistencies (theysynccall doesn't help in this case because it only guarantees that all batches from previous terms are applied). We modified thesyncso it would work as expected after mid-term restart. The archival STM stored the currentreplicatefuture (implemented as shared future). In thesynccall we would check if there is an ongoingreplicatecall and wait for the future to be ready and apply some other logic based on current term/offset of the raft group.This PR changes the implementation of the
sync. It removes cachedshared_futurefrom the archival STM. To guarantee that there is no in-flight replication request the code acquires the lock (all replication operations related to the STM are performed under the lock). Then it waits until currentcommitted_offsetof the Raft group is applied to the in-memory state of the STM.There is another concurrency control improvement in this PR. To guarantee that we can't apply inconsistent metadata even if it passes the check for some reason the
read-write-fencecommand was added. First, the manifest is now tracking the offset of the last applied STM command in theapplied_offsetfield. Theread-write-fencecommand contains the applied offset from the manifest. When the background loop processes this command it compares the offset in the manifest to the offset in the command and if it's different it skips the batch. The idea is that thentp_archivershould cache the applied offset before upload is created. When the upload is completed it should addread-write-fencecommand to the batch that contains archival metadata. This will guarantee that the metadata update will happen only if the manifest didn't change concurrently during the upload operation.Updates
Force push - rebase with dev
Force push - make
syncmethod returnoptional<offset>that containsnullopton failure or read-write-fence offset on success. The offset is supposed to be used to add a fence to the command batch.Force push - avoid triggering the per-operation promise when STM is catching up (commit has detailed description)
Backports Required
Release Notes
Improvements