Adding a recovery mechanism for a split gossip cluster

[dani-docker]

Steps To Reproduce:

• 3 managers 3 workers cluster
• Stop all managers in the cluster (leave the workers running)
• Wait a minute and start all managers

Expected Results:

• All nodes converge into a single gossip cluster

Actual Results:

• The workers and the managers ended up on 2 different gossip clusters. This causes overlay and unpredicted networking issues between containers on the 2 different clusters.

Workaround:

• Restart "All" the workers to force re-joining the manager cluster
  or
• To avoid a restart, use the diagnostic tool with the /join endpoint

PR fix:
This PR adds a go routine that runs every minute and checks that at least one node from the bootStrap list (ie: managers nodes) is part of the cluster, if we couldn't find any, then we attempt a /join for 10 seconds .

Note:
While testing, I ran into an issue, that I couldn't reliably reproduce;
a leave event was followed by a false positive join event was received by a worker when the manager node was down, this caused an inconsistency in the nDB.nodes which caused the logic in this PR to fail.

@fcrisciani recommended the below change and he'll be looking into the problem in more details.

	// If the node is not known from memberlist we cannot process save any state of it else if it actually
	// dies we won't receive any notification and we will remain stuck with it
	if _, ok := nDB.nodes[nEvent.NodeName]; !ok {
		logrus.Error("node: %s is unknown to memberlist", nEvent.NodeName)
		return false
	}

Signed-off-by: Dani Louca dani.louca@docker.com

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@c15b372). Click here to learn what that means.
The diff coverage is 34.48%.

@@            Coverage Diff            @@
##             master    #2134   +/-   ##
=========================================
  Coverage          ?   40.49%           
=========================================
  Files             ?      139           
  Lines             ?    22467           
  Branches          ?        0           
=========================================
  Hits              ?     9097           
  Misses            ?    12031           
  Partials          ?     1339

Impacted Files	Coverage Δ
networkdb/networkdb.go	67.8% <ø> (ø)
networkdb/delegate.go	75% <100%> (ø)
networkdb/cluster.go	60.75% <26.92%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c15b372...744334d. Read the comment docs.

[fcrisciani]

extra space :D

[dani-docker]

How this happened... Fat finger :)
I'll fix it

[fcrisciani]

with this change I don't think launching this routine makes anymore sense. If there is a failure here, the next attempt will happen in 60s or less with the other codepath

[dani-docker]

Good point, clusterJoin is only called when agent is initialized to join the boot_strap nodes; unless it's time critical and we can't wait 60 seconds, it's now redundant.
Happy to take it out.

[fcrisciani]

extra new line

[fcrisciani]

we should put this time of 10s at the top

[dani-docker]

roger that

[ddebroy]

Is the nDB.findNode check necessary above [L28] given this check?

[fcrisciani]

only to filter based on the lamport clock

[ddebroy]

Will it make sense to also attempt to refresh nDB.bootStrapIP here through a call to something like GetRemoteAddressList in case the list has changed?

[dani-docker]

@fcrisciani and I had a discussion about other use cases that can lead us to the same "split cluster" and the possibility of re-checking/updating the bootStrap IPs (through GetRemoteAddressList)
1- Re-ip the managers .
2- Demote/Promote managers/workers .

The first one is not an issue as a re-ip to all managers will force all nodes in the cluster to restart .
As for 2), customers will only hit it if they demoted all managers in the cluster + restarting those managers without restarting the workers... We felt like this is a very edge case.

This has been said, If you guys think we should still refresh the bootStrapIP, then we can add the logic to the newly introduced rejoinClusterBootStrap

[fcrisciani]

I think the 2 problems can be handled separately. Memberist with this PR will honor the bootstrapIP that got passed at the beginning.
The second issue will need a periodic check of the GetRemoteAddressList and if the list change, the routine have to call the networkDB.Join with the new bootstrapIPs

[ddebroy]

LGTM

[ddebroy]

I think you mean None of the bootStrap nodes are in the cluster rather than Not all ... in the comment, right?

[dani-docker]

yep. I will reword it and push the update.
Thx

[fcrisciani]

LGTM, if you fix the comment that @ddebroy mentioned we can merge

[dani-docker]

Thx guys. PR is updated with latest change request.

[fcrisciani]

LGTM

[fcrisciani]

@dani-docker thinking more about this, I guess here it's missing the check that the IP is != from current node IP else this fix won't work for the managers. Every manager will see itself in the list and won't try to reconnect