-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kvserver: fail stale ConfChange when rejected by raft #106104
Conversation
Replace a code snippet with a drop-in solution that exists now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great with the targeted fix!
ProposeConfChange just calls MarshalConfChange followed by Step, and by inlining this in our codebase we gain the ability to figure out if raft rejected our ConfChange. We will need this in a follow-up commit.
Because etcd/raft activates configuration changes when they are applied, but checks new proposed configs before they are considered for adding to the log (or forwarding to the leader), the following can happen: - conf change 1 gets evaluated on a leaseholder n1 - lease changes - new leaseholder evaluates and commits conf change 2 - n1 receives and applies conf change 2 - conf change 1 gets added to the proposal buffer and flushed; RawNode rejects it because conf change 1 is not compatible on top of conf change 2 Prior to this commit, because raft silently replaces the conf change with an empty entry, we would never see the proposal below raft (where it would be rejected due to the lease change). In effect, this caused replica unavailability because the proposal and the associated latch would stick around forever, and the replica circuit breaker would trip. This commit provides a targeted fix: when the proposal buffer flushes a conf change to raft, we check if it got replaced with an empty entry. If so, we properly finish the proposal. To be conservative, we signal it with an ambiguous result: it seems conceivable that the rejection would only occur on a reproposal, while the original proposal made it into raft before the lease change, and the local replica is in fact behind on conf changes rather than ahead (which can happen if it's a follower). The only "customer" here is the replicate queue (and scatter, etc) so this is acceptable; any choice here would necessarily be a "hard error" anyway. Epic: CRDB-25287 Release note (bug fix): under rare circumstances, a replication change could get stuck when proposed near lease/leadership changes (and likely under overload), and the replica circuit breakers could trip. This problem has been addressed. Fixes cockroachdb#105797. Closes cockroachdb#104709.
TFTR! bors r=erikgrinaker |
Build succeeded: |
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool. error creating merge commit from 3d1760f to blathers/backport-release-22.2-106104: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 22.2.x failed. See errors above. error creating merge commit from 3d1760f to blathers/backport-release-23.1-106104: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 23.1.x failed. See errors above. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
I just saw kvnemesis run into this new |
Yep let me look at it, thanks for the heads up! |
Reopening, since we had to revert the fix: #106267 |
Because etcd/raft activates configuration changes when they are applied, but checks new proposed configs before they are considered for adding to the log (or forwarding to the leader), the following can happen:
it because conf change 1 is not compatible on top of conf change 2
Prior to this commit, because raft silently replaces the conf change with an
empty entry, we would never see the proposal below raft (where it would be
rejected due to the lease change). In effect, this caused replica unavailability
because the proposal and the associated latch would stick around forever, and the
replica circuit breaker would trip.
This commit provides a targeted fix: when the proposal buffer flushes a conf
change to raft, we check if it got replaced with an empty entry. If so, we
properly finish the proposal. To be conservative, we signal it with an ambiguous
result: it seems conceivable that the rejection would only occur on a
reproposal, while the original proposal made it into raft before the lease
change, and the local replica is in fact behind on conf changes rather than
ahead (which can happen if it's a follower). The only "customer" here is the
replicate queue (and scatter, etc) so this is acceptable; any choice here would
necessarily be a "hard error" anyway.
Epic: CRDB-25287
Release note (bug fix): under rare circumstances, a replication change could get
stuck when proposed near lease/leadership changes (and likely under overload),
and the replica circuit breakers could trip. This problem has been addressed.
Fixes #105797.
Closes #104709.