kv/storage: requests need retries after a LeaseTransfer

[andreimatei]

Here's a nice one: node A executes a TransferLease, transferring to node B. Immediately after, if A receives a request, it will say NotLeaseHolderError and redirect to B (as the post-commit trigger for TransferLease has updated the lease).
B is not aware of this transfer, as it hasn't executed the respective trigger yet, so when it receives the request it will say NotLeaseHolderError and redirect back to A.
The DistSender.sendToReplicas runs through all the replicas and then returns a SendError, which the higher-level sendChunk takes to mean that the range descriptor in its cache is stale, and so it evicts it from the cache and tries again, with infinite retries. This hides the error from clients, but still this is not ideal.

I'm wondering what to do about it, if anything. I think options are:
a) We make the *Admin*TransferLease RPC (not the Raft TransferLease) block until B has applied the new lease. This is doable particularly since I'm currently introducing a command for reading the current lease. This only solves the problem for tests which explicitly do a transfer and then want to send more commands. And currently only tests use lease transfers... But then again, this is not really a problem for tests anyway.
b) We make the DistSender understand this situation and localize the retries in sendToReplicas. This can be done, for example, by having sendToReplicas keep track of the NotLeaseHolderErrors it gets and seeing if nodes contradict each other. This is helped by the fact that I'm currently working to include the current lease in these errors, so the DistSender could assert that this case is happening is the leases reported back by different nodes don't agree and the alleged lease holder by the most recent lease is itself reporting a stale lease.
c) We try to reduce the possibility of a node being oblivious to the fact that it has a lease coming its way by making a transferee aware of the incoming lease before Raft actually applies it, and have it block incoming requests for the respective range for a grace period, until the lease has been applied. Maybe there's a way to peak at the Raft commands a node votes on? And better yet, maybe there's a way to require that a particular node vote on a request before the Raft leader considers a proposal committed (so that a transferer can require the transferee to become aware of a transfer early)?
d) (suggested by @tschottdorf) We try to reduce the possibility of this happening by attempting to move Raft leadership before proposing a LeaseTransfer. This would increase the probability that the transferee applies the LeaseTransfer before the transferer returns control.
This proposal doesn't seem to have a downside, except that it's all best effort?

This would become a real problem in prod if we start using lease transfers on node shutdown and down-replication (which I think we should). It's not currently a problem because leases only move once the old one expires, in which case nodes decide to acquire a lease while serving some request, and that request is blocked until the lease is acquired. So there's never a situation in which a "lease holder" is not aware of the most recent lease. But of course this all has the bigger price of having to wait for a lease to expire until a new holder emerges.

One thing that became apparent while looking at this is that we don't have any visibility into DistSender retries.

@bdarnell any thoughts?

[bdarnell]

We should definitely be collecting metrics to decide whether action is necessary here as we roll out things like graceful shutdown. If we do something, I like option B, to mitigate the effects of these retries at the DistSender. I'm wary of going too deep into raft here as in option C (and that wouldn't be a perfect solution since there's no guarantee that we have the uncommitted log entry yet either).

One more option E: when the DistSender is retrying in response to a NotLeaseHolderError, it attaches the new lease (or maybe just its proposal timestamp) to the request header. This lets the recipient know that there's a new lease for it to wait on.

[andreimatei]

#8837 tried proactively moving Raft leadership before a TransferLease request is sent, but was rejected. From the discussion there:

@bdarnell:

This change deliberately moves raft leadership away from the lease holder. As such, it will always be at odds with changes like #12323, which try to more reliably bring the two together. I'm also concerned that by transferring raft leadership away before we propose our TransferLease command, we increase the total period of unavailability and the risk of something going wrong (the TransferLease command will sit in the pending queue and will have to be reproposed after the election resolves). There's a raft election and a TransferLease command to be committed. These cannot occur in parallel because commands can only be committed when there is a raft leader. When TransferLease is first, we have the problems in #8816. This change puts the raft election first, and I think that leads to at least one more round trip before everything resolves (I'm not sure whether it would slow things down, but it definitely wouldn't reduce the amount of work to be done here).

[petermattis]

@andreimatei We now periodically attempt to colocate Raft leadership and the leaseholder. Is there anything left to do here?

[andreimatei]

I've removed the 1.0 label. But otherwise, yeah, I think the scenario described is still possible, and it shows gaps in our redirection logic and so we should do something about it. Unclear what to do exactly, though :)

[bdarnell]

I don't think colocating raft leadership and the leaseholder makes much of a difference for this issue; we still have some sub-optimal retry behavior around lease transfers. I think responsive lease rebalancing will make this a bigger issue. I'm still not sure if it's going to be significant enough to be worth doing something about, though. We should try to measure the impact before we make any bigger changes here.