kv: paused followers interacts poorly with leader-not-leaseholder state

[nvb]

In a cluster that was overloaded due to an index backfill, I saw a large number of ranges serving foreground traffic begin hitting circuit breaker errors. Digging in deeper, it became clear that all ranges in this state had split leaders and leaseholders, and the leaseholders were on an overloaded node. Earlier in the test, I had set admission.kv.pause_replication_io_threshold to 0.8 to avoid replicating to overloaded followers.

The combination of paused replicas and the leader-not-leaseholder split effectively caused unavailability. Even though the leaseholder could propose writes, it would never hear about their result, so it would never acknowledge the result of those writes to clients.

Should we allow the leaseholder to be paused?

---

On a related note, I noticed that while all nodes had a non-zero value for the admission.raft.paused_replicas, the overloaded node itself (purple) had a few spikes where it reported thousands of paused replicas. My understanding is that this metric is reported from leader side, not the follower side, so I don't understand this. Is there any reason why an overloaded node would start pausing other replicas?

Also, the description of this metric says: The count is emitted by the leaseholder of each range.

Should this instead say: The count is emitted by the leader of each range.

Jira issue: CRDB-17924

Epic CRDB-15069

[blathers-crl]

cc @cockroachdb/replication

[erikgrinaker]

The combination of paused replicas and the leader-not-leaseholder split effectively caused unavailability. Even though the leaseholder could propose writes, it would never hear about their result, so it would never acknowledge the result of those writes to clients.

Yeah, that's bad. Did this also prevent the lease from moving? If not, why didn't it move?

[nvb]

No, the leases did not move. The node was still able to heartbeat its liveness record, so there was nothing that would cause the leases to expire or for the leaseholders to decide to transfer their leases away.

[tbg]

Good catch. We should never pause the leaseholder, and I would extend that to say that we shouldn't pause anyone in a leader-not-valid-leaseholder situation. I'll send a PR.

the overloaded node itself (purple) had a few spikes where it reported thousands of paused replicas.

The metric is reported from the raft leader. Is it possible that the overloaded node had raft leadership for a number of ranges, and paused itself? The code currently allows for that and it should be somewhat inconsequential since we don't actually send any raft messages to the local instance, but it's confusing behavior that I will remove.