raft: Use TransferLeadership to make leader demotion safer

[aaronlehmann]

When we demote the leader, we currently wait for all queued messages to be sent, as a best-effort approach to making sure the other nodes find out that the node removal has been committed, and stop treating the current leader as a cluster member. This doesn't work perfectly.

To make this more robust, use TransferLeadership when the leader is trying to remove itself. The new leader's reconcilation loop will kick in and remove the old leader.

cc @LK4D4 @cyli

[codecov-io]

Codecov Report

Merging #1939 into master will decrease coverage by -0.31%.
The diff coverage is 20.37%.

@@            Coverage Diff             @@
##           master    #1939      +/-   ##
==========================================
- Coverage   54.29%   53.99%   -0.31%     
==========================================
  Files         108      108              
  Lines       18586    18588       +2     
==========================================
- Hits        10092    10036      -56     
- Misses       7257     7324      +67     
+ Partials     1237     1228       -9

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 569defc...5470e07. Read the comment docs.

[aaronlehmann]

Note to self: need to confirm this won't cause any problems in mixed version swarms. I don't think it will but it's important to be sure.

[LK4D4]

replace 0 with raft.None.
Also shouldn't we wait for transferee to became leader? Or it's possible that other node became leader?

[aaronlehmann]

I was thinking that if a different node starts an election at the same time, that one might win.

[LK4D4]

Sounds good.

[LK4D4]

it might be not timeout I think, maybe better just errors.Wrap(err, "failed to transfer leadership")

[LK4D4]

I see that etcd uses TickInterval here. Do you think it make sense in this case?

[aaronlehmann]

Changed to TickInterval / 10 so we don't have to wait a full tick to recognize the leader has changed.

[LK4D4]

It looks little too hardcody. Maybe we should inherit it from ElectionTick as etcd does?

[aaronlehmann]

etcd seems to use this:

// ReqTimeout returns timeout for request to finish.
func (c *ServerConfig) ReqTimeout() time.Duration {
        // 5s for queue waiting, computation and disk IO delay
        // + 2 * election timeout for possible leader election
        return 5*time.Second + 2*time.Duration(c.ElectionTicks)*time.Duration(c.TickMs)*time.Millisecond
}

That seems reasonable, but I'm not sure it's that much better than a simple fixed timeout (it hardcodes 5 seconds, for example). I guess I'll switch to it anyway.

[cyli]

Non-blocking: would it make sense to duplicate the stopMu part of this comment up in removeSelfGracefully as well, since removeSelfGracefully doesn't hold stopMu either?

[cyli]

Should this be leader instead of transferee, in case some other node started leader election and then won?

[aaronlehmann]

Addressed comments, PTAL

[LK4D4]

@aaronlehmann I've tried TestDemoteToSingleManager and not a single transfer finished with success:

ERRO[0001] failed to leave raft cluster gracefully       error="failed to transfer leadership: context canceled"

[LK4D4]

This message duplicates in etcd/raft, not sure if we care.

[cyli]

TestDemoteToSingleManager passed 10 times in a row for me when running that test alone. I am often seeing this though when running the integration test suite with -race, though (although my machine may be haunted again and it may be time to restart again):

--- FAIL: TestDemotePromote (75.30s)
        Error Trace:    integration_test.go:254
			integration_test.go:278
	Error:  	Received unexpected error error stop worker z2dj61jsjefe8dbunf0twdlo1: context deadline exceeded

[LK4D4]

Tests is passing okay, but transfer leadership doesn't work.

[cyli]

@LK4D4 Ah sorry, yes, thanks for clarifying. I'm seeing the same.

[aaronlehmann]

Thanks for pointing out that TransferLeadership was not actually succeeding in the tests.

The first problem here was that the context would be cancelled when the old leader lost the leadership. This caused the function to return an error.

I fixed this, but afterwards it turned out that the node would get removed twice: once by the call to Leave, and another by the new leader's reconciliation loop kicking in and trying to remove the same node.

So I'm trying a new, simpler, approach. RemoveNode no longer supports removing the local node. If this is attempted, an error gets returned, and the node role reconciliation loop can invoke TransferLeadership. Once there is a new leader, that leader can remove the old leader without incident.

PTAL

[aaronlehmann]

...of course the tests consistently pass on my machine :/

[LK4D4]

Transfer finish is not logged by raft library :(

[aaronlehmann]

It's not, but raft does log when a new leader is elected, so I thought that would be enough.

[LK4D4]

Error above is using word Cannot, maybe better to keep it consistent.

[LK4D4]

I live in the USA for almost three years, and only vague know the meaning of the word ceding :) Let's use transferring or something more common.

[LK4D4]

have minor comments.
Looks good overall

[aaronlehmann]

I've made the cosmetic changes. I'm happy to add back the "transfered leadership" log message if you think it makes sense.

I had some test failures in CI with an earlier version of this, but I can't reproduce them locally. Can you try running the tests a few times to see if they are stable?

[LK4D4]

@aaronlehmann sure will run tests now.
Yeah, I liked transfer finished with times, it's kinda cool to see how fast raft is :)

[aaronlehmann]

Added back the transfer timing.

[aaronlehmann]

Adding back the n.asyncTasks.Wait() in applyRemoveNode seems to have stablized CI. I'm not sure why, because I expected this would only be necessary when the leader removes itself. Otherwise, this case should only be reached when a node finds out its removal has been committed, and then it shouldn't be necessary to communicate anymore.

[LK4D4]

Tests are quite stable for me, no leaks, no races.

[LK4D4]

LGTM

[aaronlehmann]

I'm rebuilding it a few more times in CI.

[aaronlehmann]

I can't get this to fail in CI anymore. Either the initial failures were a fluke, or adding back n.asyncTasks.Wait() made a difference for reasons I don't understand (maybe a timing issue?).

[cyli]

Non-blocking question: Does this need to be context.Background() if rm.raft.TransferLeadership uses a new context?

[cyli]

Should this test be modified to just fail with the expected error rather than removed entirely?

[cyli]

Actually even dumber question: does anything besides the tests call Leave on a raft member anymore? (I assume even if not, we'd have to leave it in for backwards compatibility, but it might be nice to comment)

[aaronlehmann]

Actually even dumber question: does anything besides the tests call Leave on a raft member anymore?

Nope. Maybe we should remove it.

[cyli]

Nice, I'm not getting any intermittent context exceeded errors in other integration tests anymore. Just have a few questions above, but other than that LGTM.

[aaronlehmann]

I've updated this to work slightly differently. If the leadership transfer times out, we fall back to self-demoting the old way. I've tested this with a 1.14-dev leader in a cluster with a 1.12.6 follower, and demoting the leader works properly (after the timeout elapses).

PTAL. Hoping to merge this soon if it looks good.

[cyli]

LGTM! Thank you for tracking down a different unrelated error!