storage: 4.5 seconds after a cluster creation is a bad time to run your transactions

[andreimatei]

A transaction running around 4.5s after cluster creation (think tests) can easily catch a TransactionAbortedError. This is because all ranges start up as having expiration-based leases (as a likely path dependency / accident - they all come from the first range, and splits maintain the original epoch-based lease on both sides). 4.5s later, these leases become eligible for a refresh. The new leases are generally epoch-based, and so it is not Equivalent() to the old one (and so it gets a new Sequence, which fact in turn causes the new lease acquisition to trigger this code which resets the timestamp cache.

After that ts cache wipe, a concurrent BeginTxn can fail its tscache check resulting in TransactionAbortedError(ABORT_REASON_TIMESTAMP_CACHE_REJECTED_POSSIBLE_REPLAY).
I believe we've seen this be a cause of flakiness for multiple tests.

Discussing with @bdarnell, it seems that we have a couple of options:

1. if the rhs of a split wants epoch-based leases, have it not inherit the expiration-based lease from the lhs. Exactly how to do that is yet unclear. Can a range not have a lease at all? Perhaps we can give the rhs an expired lease.
2. make Lease.Equivalent() understand this transition from exp to epo, and have it consider the two equivalent.

cc @tbg @benesch

[tbg]

I don't remember the details, but I think there was a reason to have the RHS of the split start out as leaseholder. I think at some point prior we didn't do that and it could lead to anomalies where another replica would get the first lease but didn't populate the tscache low water mark.

[petermattis]

If the primary concern is test flakiness, could we make the initial expiration lease on range 1 shorter and have the cluster initialization wait until the other ranges have converted to epoch-based leases?

[andreimatei]

@tbg are you perhaps thinking of the problems with node restarts addressed here?
9497a11

@petermattis how short would we make it? I'd like to not give up on a fix yet... A split should not trigger a tscache wipe.

[petermattis]

I was thinking of 1s.

[bdarnell]

@tbg Yeah, a completely uninitialized range would allow the new leaseholder to start without initializing the tscache. An expired lease or an invalid lease with a correct expiration time would work.

I think simply shortening the lease (giving the RHS a copy of the LHS lease with the expiration changed to now()) is a bit risky since the LHS has been allowed to serve reads at times between now() and the expiration. Copying the lease over with a correct timestamp but invalidating it somehow is not ideal because it forces a stall of that duration.

Maybe the right way to look at it is as a kind of lease transfer: as soon as we recognize that our lease is not the type we want, we "transfer" the lease to ourselves. That should ensure that all the timestamp boundary conditions are handled correctly.

[andreimatei]

Maybe the right way to look at it is as a kind of lease transfer: as soon as we recognize that our lease is not the type we want, we "transfer" the lease to ourselves. That should ensure that all the timestamp boundary conditions are handled correctly.

How do you envision a "kind of lease transfer" helping with the prevLease.Sequence != newLease.Sequence check in leasePostApply, which is what's causing the unnecessary tscache wipe?

[andreimatei]

How about if the RHS would simply start with a epoch-based lease, initialized by hand (so no leasePostApply() runs)?

[benesch]

I think simply shortening the lease (giving the RHS a copy of the LHS lease with the expiration changed to now()) is a bit risky since the LHS has been allowed to serve reads at times between now() and the expiration.

But this is all happening one node node where we can prove that the LHS has not served reads between now() and the expiration, no? Or are you worried about the case where the leaseholder crashes immediately after committing the split txn?

How about if the RHS would simply start with a epoch-based lease, initialized by hand (so no leasePostApply() runs)?

This seems like a good option.

[bdarnell]

How do you envision a "kind of lease transfer" helping with the prevLease.Sequence != newLease.Sequence check in leasePostApply, which is what's causing the unnecessary tscache wipe?

You'd still get one tscache wipe, but it would be earlier in the process: the first time we split past the exp/epo boundary one range would experience this wipe and then the rest would be fine.

How about if the RHS would simply start with a epoch-based lease, initialized by hand (so no leasePostApply() runs)?

Is that guaranteed to be possible? I think it's possible that these first splits are occurring before the first node liveness records have been written. As long as we're able to deal with the bootstrapping sequence, though, this seems like a good approach.

But this is all happening one node node where we can prove that the LHS has not served reads between now() and the expiration, no?

We could prove this today, but if we do something about #14992 (which @nvanbenschoten was recently looking at) it would become possible for the LHS to serve reads between now() and the expiration concurrent with the split.

[nvb]

We could prove this today, but if we do something about #14992 (which @nvanbenschoten was recently looking at) it would become possible for the LHS to serve reads between now() and the expiration concurrent with the split.

Which is an option I strongly think we should keep open. I think we're all in agreement that splits should be as minimally disruptive as possible to foreground traffic.