Clear topics orphan files

[ZeDRoman]

When node is restarted while it was executing partition delete operation, this operation may be not finished and we will have orphan files for that partition left on device.
On node restart we don't have that partition data in memory so we couldn't retry partition delete operation and won't clean up partition files on reconciliation.
This pr bring garbage collector mechanism that will force delete partition files after node bootstrap.
We gather all existing ntps and then go through all data directories and check if topic directory responsible for any exisitng ntp if it don't we delete it.

Fixes #7895

Backports Required

• none - not a bug fix
• none - issue does not exist in previous branches
• none - papercut/not impactful enough to backport
• v22.3.x
• v22.2.x
• v22.1.x

UX Changes

• Mechanism for cleaning partition orphan files

Release Notes

Bug Fixes

• Mechanism for cleaning partition orphan files

[bharathv]

last_applied_revision is updated as topic table applies the deltas. So by the time this cleanup runs, it may not have applied all the deltas, so we potentially may be operating on a not-yet-up-to-date snapshot of the topics, no?

[dotnwat]

similar question: what are the guarantees that a node has the correct information it needs to make this orphan file removal decision independently?

[ZeDRoman]

After controller backend bootstrap we must have reconcilied all messages in controller_log and topic_table deltas that were on node before restart.
Orphan files might be left only for topics that existed before we have restarted node. So all deltas for topics that may have orphan files must be reconcilied at this point.
If we running deletion of topic files while node is running we will retry it until success. So we cannot get orphan files in runtime.

[bharathv]

Orphan files might be left only for topics that existed before we have restarted node. So all deltas for topics that may have orphan files must be reconcilied at this point.

Ah yes, last_applied_revision is guaranteed to be atleast the dirty offset of the controller log at bootstrap.

[bharathv]

nit: revision_id is trivially copyable, pass by value.

[dotnwat]

nit: revision_id is trivially copyable, pass by value.

agree

[ZeDRoman]

fixed

[bharathv]

nit: pass revision by value.

[ZeDRoman]

fixed

[bharathv]

think this loop may affect startup time on nodes with a lot of topics * partitions. We are recursing through every ns/topic/partition on the node. wondering if this can work in the background.

[ZeDRoman]

fixed

[dotnwat]

is there a shard alias you can use instead of hard coding 0?

[ZeDRoman]

I didn't found any alias for that.
It seems like common approach for such things

[dotnwat]

use existing pre-defined constant for namespace name.

[ZeDRoman]

fixed

[dotnwat]

similar question: what are the guarantees that a node has the correct information it needs to make this orphan file removal decision independently?

[dotnwat]

nit: revision_id is trivially copyable, pass by value.

agree

[ZeDRoman]

Ci failure #8383

[bharathv]

lgtm, just a clarifying question and some nits.

[bharathv]

think Noah meant cluster::controller_stm_shard instead of 0.

[ZeDRoman]

fixed

[bharathv]

Orphan files might be left only for topics that existed before we have restarted node. So all deltas for topics that may have orphan files must be reconcilied at this point.

Ah yes, last_applied_revision is guaranteed to be atleast the dirty offset of the controller log at bootstrap.

[bharathv]

nit: we can add a check if (_gate.closed()) break; for each topic iteration to abort early if needed.

Also can you inverse the check to reduce indents

if (!meta) {
continue;
}

[bharathv]

q: This is a map of ntp -> revision of all the ntps in the system, can be potentially big. What is the use of constructing this up front? When recursing through the topic/partition directories can't we just lookup the topic table? Something like..

ntp foo = partition_path::parse_partition_directory()

if (foo.revision_id < last_applied_id_snapshot && !topic_table.contains() && !topic_table.previous_replicas.contains())  {
  cleanup();
}

Just trying to understand the use of creating a snapshot of all the ntps in the system.

[ZeDRoman]

Previously I was thinking about creating this map to get snapshot of topictable right after bootstrap.
But I agree that we don't need it now

[VladLazar]

+1 on using the topic table directly.

[ZeDRoman]

fixed

[ZeDRoman]

Rebase dev

[VladLazar]

Largely makes sense to me. The snapshotting of the topic table and the begging of the operation makes me a bit uneasy.

Also, I found myself wondering if this couldn't be done while replaying the controller log. Perhaps we could write a new message type to the controller log (something like delete_complete) once deletion is complete. When looking for the starting point for the replay we could look for that instead of the deletion. If we don't find delete_complete it means we might have left around orphaned files.

[VladLazar]

clear_topic_orphan_files can throw std::filesystem::filesystem_error. It would be nice to log something in that case. Also, if I recall correctly, seastar doesn't like background failed futures.

[ZeDRoman]

fixed

[VladLazar]

+1 on using the topic table directly.

[ZeDRoman]

Largely makes sense to me. The snapshotting of the topic table and the begging of the operation makes me a bit uneasy.

Also, I found myself wondering if this couldn't be done while replaying the controller log. Perhaps we could write a new message type to the controller log (something like delete_complete) once deletion is complete. When looking for the starting point for the replay we could look for that instead of the deletion. If we don't find delete_complete it means we might have left around orphaned files.

We have discussed this multiple times with Michal and John.

1. This delete_complete message will be replicated on all nodes, but we don't want to replicate messages that related only for one node.
2. We will need to save delete topic message in controller snapshot if there is no topic_deleted message from every node. We don't want to bring that additional logic

[VladLazar]

Largely makes sense to me. The snapshotting of the topic table and the begging of the operation makes me a bit uneasy.
Also, I found myself wondering if this couldn't be done while replaying the controller log. Perhaps we could write a new message type to the controller log (something like delete_complete) once deletion is complete. When looking for the starting point for the replay we could look for that instead of the deletion. If we don't find delete_complete it means we might have left around orphaned files.

We have discussed this multiple times with Michal and John.

1. This delete_complete message will be replicated on all nodes, but we don't want to replicate messages that related only for one node.

2. We will need to save delete topic message in controller snapshot if there is no topic_deleted message from every node. We don't want to bring that additional logic

Thanks for the context. The reasoning makes sense to me. I think this approach is fine.

[bharathv]

Don't think we should make storage depend on cluster, that creates a circular dependency.

I believe you added it to pass _topic_table into storage. To avoid this, how about making the function definition into

ss::future<> log_manager::remove_orphan_files(
  ss::sstring data_directory_path,
  absl::flat_hash_set<model::ns> namespaces,
  ss::noncopyable_function<bool(model::ntp, partition_path::metadata)> orphan_filter
 )

and then pass the filter as lambda from controller backend that captures all the needed context, something like.. (need to move some code around)

ss::future<> controller_backend::clear_orphan_topic_files(
  model::revision_id bootstrap_revision) {
    // Init with default namespace to clean if there is no topics
    absl::flat_hash_set<model::ns> namespaces = {{model::kafka_namespace}};
    for (const auto& t : _topics.local().all_topics()) {
        namespaces.emplace(t.ns);
    }

    return _storage.local().log_mgr().remove_orphan_files(
      _data_directory,
      std::move(namespaces),
      [&, bootstrap_revision](
        model::ntp ntp, storage::partition_path::metadata p) {
          return topic_files_are_orphan(
            ntp, p, _topics, bootstrap_revision, _self);
      });
}

[ZeDRoman]

Great idea!
Thank you

[ZeDRoman]

/ci-repeat 3
skip-units

[bharathv]

/ci-repeat 5

[bharathv]

@ZeDRoman Can you confirm if the following failures are related/unrelated to this patch? (check debug builds in the last repeat run, failed more than once). Release build failures are #8679

test_id:    rptest.tests.partition_balancer_test.PartitionBalancerTest.test_rack_awareness
status:     FAIL
run time:   6 minutes 35.753 seconds

test_id:    rptest.tests.topic_delete_test.TopicDeleteCloudStorageTest.topic_delete_unavailable_test
status:     FAIL
run time:   3 minutes 53.274 seconds

[ZeDRoman]

/ci-repeat 5

[ZeDRoman]

@ZeDRoman Can you confirm if the following failures are related/unrelated to this patch? (check debug builds in the last repeat run, failed more than once). Release build failures are #8679

test_id:    rptest.tests.partition_balancer_test.PartitionBalancerTest.test_rack_awareness
status:     FAIL
run time:   6 minutes 35.753 seconds

test_id:    rptest.tests.topic_delete_test.TopicDeleteCloudStorageTest.topic_delete_unavailable_test
status:     FAIL
run time:   3 minutes 53.274 seconds

I have checked the logs. It doesn't seem that tests are related to changes in this pr.
But it is strage that test have failed multiple times. Want to restart CI

[ZeDRoman]

/ci-repeat 5

[ZeDRoman]

ci failures:
#8745
#8291
ShadowIndexingCompactedTopicTest.test_upload - new, but not result of this pr