Add elasticsearch-node detach-cluster tool

[andrershov]

This commit adds the second part of elasticsearch-node tool -
detach-cluster command in addition to unsafe-bootstrap command.
Also, this commit changes the semantics of unsafe-bootstrap, now
unsafe-bootstrap changes clusterUUID.
So the algorithm of running elasticsearch-node tool is the following:

1. Stop all nodes in the cluster.
2. Pick master-eligible node with the highest (term, version) pair and
   run the unsafe-bootstrap command on it. If there are no survived
   master-eligible nodes - skip this step.
3. Run detach-cluster command on the remaining survived nodes.

Detach cluster makes the following changes to the node metadata:

1. Sets clusterUUID commited to false.
2. Sets currentTerm and term to 0.
3. Removes voting tombstones and sets voting configurations to special
   constant MUST_JOIN_ELECTED_MASTER, that prevents initial cluster
   bootstrap.

ElasticsearchNodeCommand base abstract class is introduced, because
UnsafeBootstrapMasterCommand and DetachClusterCommand have a lot in
common.
Also, this commit adds "ordinal" parameter to both commands, because it's
impossible to write IT otherwise.
For MUST_JOIN_ELECTED_MASTER case special handling is introduced in
ClusterFormationFailureHelper.
Tests for both commands reside in ElasticsearchNodeCommandIT (renamed
from UnsafeBootstrapMasterIT).

[elasticmachine]

Pinging @elastic/es-distributed

[ywelsch]

Thanks for the PR @andrershov. I've left some initial comments. Can we also have a test where we have a data node rejoin a freshly bootstrapped cluster (i.e. when all master-eligible nodes were lost).
Also, can you adapt the existing tests (testDanglingIndices + ???) to show that this allows us to port them to Zen2?

[ywelsch]

we also recommend to use it when having lost a majority of master-eligible nodes, no?

[andrershov]

See below "or you have already run elasticsearch-node unsafe-bootstrap ...". Probably @DaveCTurner will have to come up with better wording.

[DaveCTurner]

Looks ok to me.

[ywelsch]

perhaps: Usage of this tool can result in data loss and should be a means of last resort.

[andrershov]

This sentence is just copied from unsafe-bootstrap command

[ywelsch]

sure, that still doesn't make it great :)

[DaveCTurner]

I think the original is ok, but suggest this as an alternative:

This tool can cause arbitrary data loss and its use should be your last resort.

[ywelsch]

we can keep the cluster uuid, and just set clusterUUIDCommitted to false

[ywelsch]

Is incrementing the term necessary given that we changed the cluster uuid? The node will anyway bump its term when electing itself. Let's only do the minimum changes required to the state.

[ywelsch]

why set this to 0? Is this necessary?

[ywelsch]

we can keep the cluster state version, and just set the term to 0.

[andrershov]

@ywelsch Thank you for the review!
I've addressed your comments, except wording.
Regarding tests, the two tests that you meant are testDanglingIndices and testIndexImportedFromDataOnlyNodesIfMasterLostDataFolder in my opinion they are the same and one of them should be removed.
Taking this into account, I've implemented ElasticsearchNodeCommandIT.testAllMasterEligibleNodesFailedDanglingIndexImport which replaces both testDanglingIndices and testIndexImportedFromDataOnlyNodesIfMasterLostDataFolder.
I think, ElasticsearchNodeCommandIT is a better place for this test because it requires detachCluster invocation and ElasticsearchNodeCommandIT is specifically designed for this case and makes detachCluster command execution one-liner.
Please let me know what do you think.

[DaveCTurner]

I suggested some small changes to wording

[DaveCTurner]

I think this deserves a special case in ClusterFormationFailureHelper (and its tests) as it will yield a somewhat strange message as it is:

master not discovered or elected yet, an election requires a node with id [_must_join_elected_master_], have discovered [] which is not a quorum; discovery will continue using [] from hosts providers and [...] from last-known cluster state; node term 0, last-accepted version 0 in term 0

I suggest:

master not discovered yet and this node was detached from its previous cluster, have discovered []; discovery will continue using [] from hosts providers and [...] from last-known cluster state; node term 0, last-accepted version 0 in term 0

[DaveCTurner]

I think the original is ok, but suggest this as an alternative:

This tool can cause arbitrary data loss and its use should be your last resort.

[DaveCTurner]

Looks ok to me.

[DaveCTurner]

Suggested change

	"on master-eligible node that formed cluster with this node.\n" +
	"on a master-eligible node that formed a cluster with this node.\n" +

[DaveCTurner]

Suggested change

	super("Detaches this node from the cluster with old UUID, allowing it to join new cluster");
	super("Detaches this node from its cluster, allowing it to unsafely join a new cluster");

[andrershov]

@DaveCTurner thanks for your review! I've addressed ClusterFormationFailureHelper message in a122221 and all wording in 80ad224.
@DaveCTurner and @ywelsch it's ready for the next pass.

[ywelsch]

LGTM. Can you also address the TODO in testCannotJoinClusterWithDifferentUUID with this?

[DaveCTurner]

LGTM2

[andrershov]

run elasticsearch-ci/2

[andrershov]

run elasticsearch-ci/2

[andrershov]

run elasticsearch-ci/2

[colings86]

Please remember to add all relevant labels (area label, version label(s) and change type label) on all PRs and please look for this as part of reviews. The release note generation process is made much harder when PRs are not labelled correctly.