Range replica removal

[bdarnell]

We don't currently do anything special when a replica is removed from a range; this issue tracks changes we need to make.

• We don't actually inform the removed node that a change has occurred. (If it was online at the time of its removal then it may have gotten the event in its log, but if the entry didn't make it through on the first attempt it will not be retried once it has been committed on a quorum). The removed replica will come back online in follower mode still believing it is a part of the group. It may try to start elections because it is no longer receiving heartbeats from any leader (although coalesced heartbeats may (incorrectly) suppress elections if the node still has groups in common with its former leader; see storage: Coalesced Heartbeats Corner Cases #315). For a short time after its removal, its elections might actually succeed (see raft thesis.pdf page 41). We need some way to inform the node that it has been removed from the group (while still allowing for the node to be re-added in the future).
• If the node being removed was the leader at the time of its removal, all followers must "forget" their knowledge of this leader so they will stop fanning out coalesced heartbeats and trigger elections. Ideally we would implement a more orderly leadership handoff for this case instead of relying on followers timing out and triggering elections as if the leader had died.
• Stale messages may arrive after the range has been removed; these will try to recreate the group. If we cannot tell the difference between messages that predate the removal and future messages that re-add this replica, we have to let them through and ensure that all necessary cleanup happens in an asynchronous GC process instead of a trigger on the original replica removal.
• After removing the raft group, we also need to remove the data that belonged to the range (while being mindful of NodeID reuse: Raft NodeID reuse #756). If the node is later re-added, we need to be careful that the population of the new incarnation of the range does not overlap with the deletion of the old incarnation.

[bdarnell]

A node that has been offline for a time cannot even be assured that it can talk to any of the current members of the range (the range could have been rebalanced onto a completely disjoint set of nodes). In fact, if it tried, it could create a fork of the range, since the former members who had deleted their local state would grant the returning node's call for votes. (We need to do a conditional put in the ChangeReplicas transaction to ensure that a stale node cannot hijack the range descriptor).

Since a removed node may not be able to get accurate information from its peers, we need to use an external source of truth to determine whether we have been removed. I think we should add a last-update timestamp to the range descriptor, and have each range periodically scan the descriptors for all its ranges to see if there is a newer version of the descriptor that does not include this node.

[bdarnell]

@tschottdorf and I think we have a solution to the problem of former nodes reviving ranges. The crux of the problem is that groups are automatically created on demand, so a node that thinks it is a leader can cause some real damage. We fix this by moving to two-phase membership change: a node must be added as a non-voting replica before it can be converted to voting status. We then make the following changes:

• Every raft message indicates whether the sender believes it is talking to a voting or non-voting member.
• When a non-voting member has caught up (acked the log entry that added it to the group), the leader starts a command to convert it to voting status.
• Ranges are automatically created only in response to non-voting messages.
• If a node gets a message for a range it doesn't know anything about that indicates it should be a voter, the message is silently dropped without creating the group.

Non-voting status is something we have talked about in the past to improve availability (right now a new node counts towards the denominator for quorums even before it has received its initial snapshot), so this is a good change even apart from this issue. The trickiest part will be that the EntryConfChange to convert to voting status will be generated deep inside raft.

[tbg]

good write-up, nothing substantial to add.

When a non-voting member has caught up (acked the log entry that added it to the group), the leader starts a command to convert it to voting status.

This has to be foolproof: If the leader dies before managing to commit the entry that converts the member to voting status, the new leader needs to realize that there's still a non-voting member in the config, and try to convert it to voting once it has proven to be up to date.

Also, stating the obvious, while a new config continues to take an effect immediately on nodes that receive (not necessarily commit) it, non-voting members are not taken into account for quorum considerations. That means that the "real" config change happens as the voting rights are received by the various replicas.

[bdarnell]

Merged ranges present a similar issue. I think the same solution will apply, but we should be sure to test both replication changes and merges.

Garbage collection will have to be aware of the distinction: when a range is subsumed in a merge we keep its data (until the subsuming range is moved away) but remove its range-specific metadata.

[bdarnell]

The proposed non-voting member change is very invasive and only indirectly solves the problem; is there a simpler solution? I think we may be able to just keep a tombstone for every removed range (including, roughly, the HardState (to address #756) plus the last known log index). This would allow us to reject votes for any node coming back from the "past". The storage required for these tombstones is theoretically unbounded but they would be pretty small and it would eventually be safe to garbage collect them. This feels like a more direct solution than subtly relying on the fact that we cannot become a voting member without first transitioning through non-voting status.

[tbg]

#702 seems related.

[bdarnell]

Tombstones are trickier than I thought; I've been wrestling with the race conditions for a while. The key issue is that raft groups are created automatically on demand, but we cannot make the removal of the raft group atomic with the deletion of on-disk state, so there is a risk of the group being recreated as it is being deleted (and in fact for various reasons this happens fairly reliably in my tests).

I originally wanted to use "last known raft log index" in the tombstone, but this doesn't work: the removed node may have been out of date at the time of its removal, so its last known log index may still leave it vulnerable to stale messages from less out-of-date replicas. Instead, the tombstone should record a (logical) time at which the replica was known to be removed, i.e. the time when the range descriptor was last modified. Unfortunately we can't do this in raft terms because we can't know what log index the EndTransaction call will receive when we write the range descriptor. We can use the transaction's DB timestamp, but this means we need to either move all group creation out of multiraft and into storage (which requires an overhaul of the multiraft.Transport abstraction) or introduce some opaque-to-raft "epoch" values to be passed with every command, and new methods on the multiraft.Storage interface to validate them.

Once we have the right time in the tombstone, actually setting the tombstone and deleting the data is racy. I added a new Mutex to Store, which partially solved this problem, but it doesn't help when the range is being created by raft itself. Again, we can either move all of this out of raft by overhauling the Transport abstraction, introduce new methods to Storage (although exposing a lock like this feels like way too much coupling between the layers), or maybe use separate atomic operations instead of a lock (i.e. write the tombstone before deleting the rest of the data. This seems like it would have its own issues, though).

All of this seems complicated and subtle; I feel like there ought to be a better way to think about this but I haven't found it yet. Maybe it's better to go back to the voting/non-voting idea from earlier.