rpc/conn_cache: eager cleanup of connection cache on shutdown

[bharathv]

At shutdown, eager cleanup of connection cache entries can result in faster termination of RPCs/connections to suspended nodes. This patch includes two main changes.

• Hooks up an app level abort source with connection cache that triggers the cleanup function on notification
• Removes the use of naked transport pointers in protocol and elsewhere as it is prone to UAF bugs.

Fixes #7981

Backports Required

• none - not a bug fix
• none - issue does not exist in previous branches
• none - papercut/not impactful enough to backport
• v22.3.x
• v22.2.x
• v22.1.x

UX Changes

Release Notes

• none

[bharathv]

A couple of alternate approaches I prototyped but didn't like

• Hooking up a client supplied abort_source via client_opts. This is tricky to implement because the client typically resides on a different shard than the transport. So the abort source notifications potentially involve cross shard communication and that is prone to bugs and not easy to reason about.
• Hooking up a (shard local) abort source to the transport. This boils down to passing an abort source reference in transport c'tor but that didn't seem natural to me (and the code turned out to be ugly).

Rather cleaning up at the cache layer seemed less complicated and easy to reason about. wdyt.

[bharathv]

/ci-repeat 10

[dotnwat]

@bharathv got a merge conflict

[bharathv]

@bharathv got a merge conflict

Rebased.

[andrwng]

I like the idea of having a sharded top-level abort source that we can plumb down starting at the application layer. Curious if you have thoughts on how much or little we should extend this to other subsystems

LGTM pending CI

[andrwng]

Just curious if you tried coroutinizing this as some unsharded template method, and if you did but opted for this what the snag was? the inferred signature? the convert() calls?

[bharathv]

I didn't try coro-ing this, just playing safe, didn't want to introduce new bugs.

[dotnwat]

we were holding the lock before so wouldn't the concurrent accesses have been waiting (or maybe the cache was checked without acquiring the lock)?

[bharathv]

or maybe the cache was checked without acquiring the lock

This .. via connection_cache::contains() & get().

[dotnwat]

the cache is now going to go out of scope on the next line and cleared in any case

[dotnwat]

there is an abort_source in app_signal already. can we use (or expand and use) that?

[bharathv]

I did begin with that thought but I ran into an issue. Invoking this new sharded abort_source via invoke_all() returns a future but I can't block on it in app_signal's abort_source call back. To workaround it, I have to gate on it in an async fiber and that seemed unnecessarily complex.

[bharathv]

Thanks for the reviews, I forgot about this one, addressing comments, will shortly rebase to fix conflicts.

[bharathv]

or maybe the cache was checked without acquiring the lock

This .. via connection_cache::contains() & get().

[bharathv]

I didn't try coro-ing this, just playing safe, didn't want to introduce new bugs.

[bharathv]

I did begin with that thought but I ran into an issue. Invoking this new sharded abort_source via invoke_all() returns a future but I can't block on it in app_signal's abort_source call back. To workaround it, I have to gate on it in an async fiber and that seemed unnecessarily complex.

[bharathv]

Last force-push is a rebase to fix conflicts.

[bharathv]

Last force-push is a rebase.

[dotnwat]

/ci-repeat

[andrwng]

LGTM, the CI failures look like known flakes

[andrwng]

/ci-repeat

[bharathv]

Test failure: #9315 (unrelated, known issue).