kvserver: introduce ProbeRequest

[tbg]

This commit introduces a new KV request type ProbeRequest. This
request performs a mutationless round-trip through the replication
layer. The proximate reason to add this request is #33007, where we want
to fail-fast requests on a Replica until a ProbeRequest succeeds.

The alternative to introducing a new request type is using a a Put on
keys.RangeProbeKey (a key introduced for kvprober). However, when
the Replica circuit breakers perform a probe, they have to make sure
that this probe doesn't get caught up in the circuit breakers
themselves. In particular, the circuit breaker's request needs special
casing with respect to lease requests (which would otherwise also bounce
on the circuit breaker), and in particular we would also like the probe
to be proposed (via the local raft instance) when the local replica is
not the leaseholder, as this allows the circuit breakers to cover more
ground and ascertain that the Replica has access to the replication
layer regardless of its status.

ProbeRequest bypasses lease checks and can thus be processed by any
Replica. Upon application, they are guaranteed to result in a forced
error, and we suppress this error above the replication layer (i.e. at
the waiting request). This means that receiving a nil error from the
probe implies that the probe successfully made it through latching,
evaluation, and application.

While no concrete plans exist for adoption of ProbeRequest elsewhere,
this might be of interest for kvprober and as a general building block
for quickly assessing overall KV health; for example we may extend #72732
to facilitate sending a probe to the leaseholders of all Ranges in the
system.

ProbeRequest is a point request. A ranged version is possible but
since DistSender will not return partial responses, it is not
introduced at this point. This can be done when a concrete need
arises.

ProbeRequest by default will be routed to the leaseholder, but it
can also be used with the NEAREST routing policy.

Release note: None

[cockroach-teamcity]

This change is 

[erikgrinaker]

Reviewed 20 of 20 files at r1, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @tbg)

---

-- commits, line 9 at r1:
"a a"

---

-- commits, line 23 at r1:
It might be useful to, in the future, extend this with a variant that also respects the lease (e.g. with a request parameter). This might make sense e.g. for kvprober, which I suppose would ultimately want to know that the lease is also valid and able to propose and apply a command. I don't think there should be anything preventing this, right?

---

-- commits, line 50 at r1:
Fitler → Filter

---

pkg/kv/kvserver/replica_application_state_machine.go, line 175 at r1 (raw file):

// corresponding to a ProbeRequest is handled.
//
// This error is used with `errors.Is`, so don't change it or mixed-version

I don't think this is accurate. The error is instantiated on the local node during command application, and the errors.Is() check is also done on the local node after passing it via local memory, so it shouldn't be possible to get an error from a different version here.

---

pkg/kv/kvserver/replica_application_state_machine.go, line 204 at r1 (raw file):

	replicaState *kvserverpb.ReplicaState,
) (uint64, proposalReevaluationReason, *roachpb.Error) {
	if raftCmd.ReplicatedEvalResult.IsProbe {

Update the function comment to describe this condition as well.

---

pkg/kv/kvserver/replica_application_state_machine.go, line 1278 at r1 (raw file):

	// NB: we intentionally never zero out rResult.IsProbe because probes are
	// implemented by always catching a forced error and thus never show up in
	// this method.

Consider adding a sentence saying that this effectively asserts that IsProbe returned a forced error.

---

pkg/kv/kvserver/replica_probe_test.go, line 33 at r1 (raw file):

// TestReplicaProbeRequest verifies that all Replicas can serve a ProbeRequest,
// and that it applies downstream of raft via a forced error.
func TestReplicaProbeRequest(t *testing.T) {

Consider adding a test-case when there is no leader as well, to make sure it actually fails/times out when the Raft group can't make progress. It's arguably a bit overkill, but that is the crucial property that we want from these requests.

---

pkg/kv/kvserver/replica_probe_test.go, line 52 at r1 (raw file):

		}
		if args.ForcedError == nil {
			t.Error("probe has no forcedError") // avoid Fatal on goroutine

I believe you could do if !assert.NotNil { return 0, args.ForcedError } here as well.

---

pkg/kv/kvserver/replica_probe_test.go, line 116 at r1 (raw file):

			return errors.Errorf("waiting for stores to apply command: %d/%d", act, exp)
		}
		n := 2 * len(tc.Servers) // sent two probes per server

Do we want to assert the routing policies here, or is that out of scope?

---

pkg/kv/kvserver/replica_probe_test.go, line 152 at r1 (raw file):

		ba.Add(probeReq)
		_, pErr := repl.Send(ctx, ba)
		require.True(t, errors.Is(pErr.GoError(), injErr.GoError()), "%+v", pErr.GoError())

require.ErrorIs()

---

pkg/kv/kvserver/replica_raft.go, line 184 at r1 (raw file):

		// to mutate state.
		var seq roachpb.LeaseSequence
		switch t := ba.Requests[0].GetInner().(type) {

I'd prefer to keep this in GetPrevLeaseForLeaseRequest() and return a zero-valued lease (or separate ok boolean) for irrelevant request types, to keep this sort of request logic in one place.

---

pkg/kv/kvserver/replica_write.go, line 276 at r1 (raw file):

				propResult.Err = roachpb.NewError(applicationErr)
			}
			if propResult.Err != nil && ba.IsSingleProbeRequest() && errors.Is(propResult.Err.GoError(), noopOnProbeCommandErr.GoError()) {

Wrap at 100.

---

pkg/kv/kvserver/testing_knobs.go, line 72 at r1 (raw file):

	// *Error replace the existing proposalReevaluationReason (if initially zero
	// only) and forced error.
	TestingApplyForcedErrFilter kvserverbase.ReplicaApplyFilter

It's unclear to me why TestingApplyFilter couldn't handle this case as well.

---

pkg/kv/kvserver/batcheval/cmd_probe.go, line 28 at r1 (raw file):

// Probe causes an effectless round-trip through the replication layer,
// i.e. it is a write that does not change any kv pair. It declares a
// read on the targeted key.

It declares read/write on the targeted key, but only with a latch (no lock).

---

pkg/roachpb/api.proto, line 178 at r1 (raw file):

// latches, and declare key access, but it will not check locks (i.e.
// if an intent exists on the key that is being probed, the probe will
// not observe it). ProbeRequest can be served by any Replica including

Consider being explicit about bypassing the lease here, i.e. it checks that the Raft group can make progress but not that the leaseholder (and thus the range) can make progress.

[tbg]

TFTR! I addressed all the small fry, didn't touch the test yet since I had a question about whether we even want to acquire any latch here, let's discuss that and then I will address the remaining open comments.
I "dismissed" you from all comments that were 100% trivial (I think your default disposition is different from most reviewers', might be something to look into for you, may not be intentional)

Dismissed @erikgrinaker from 9 discussions.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @erikgrinaker and @tbg)

---

-- commits, line 9 at r1:

Previously, erikgrinaker (Erik Grinaker) wrote…

"a a"

Done.

---

-- commits, line 23 at r1:

Previously, erikgrinaker (Erik Grinaker) wrote…

It might be useful to, in the future, extend this with a variant that also respects the lease (e.g. with a request parameter). This might make sense e.g. for kvprober, which I suppose would ultimately want to know that the lease is also valid and able to propose and apply a command. I don't think there should be anything preventing this, right?

Yeah, should be possible, but doesn't seem necessary and I'm also not sure there is a strong case for a lease-respecting probe for kvprober since it can do the same thing using the existing KV API (it's doing that now) and I'd rather not complicate our KV API.

---

-- commits, line 50 at r1:

Previously, erikgrinaker (Erik Grinaker) wrote…

Fitler → Filter

Done.

---

pkg/kv/kvserver/replica_application_state_machine.go, line 175 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

I don't think this is accurate. The error is instantiated on the local node during command application, and the errors.Is() check is also done on the local node after passing it via local memory, so it shouldn't be possible to get an error from a different version here.

Done.

---

pkg/kv/kvserver/replica_application_state_machine.go, line 204 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

Update the function comment to describe this condition as well.

Done.

---

pkg/kv/kvserver/replica_application_state_machine.go, line 1278 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

Consider adding a sentence saying that this effectively asserts that IsProbe returned a forced error.

Done.

---

pkg/kv/kvserver/replica_probe_test.go, line 52 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

I believe you could do if !assert.NotNil { return 0, args.ForcedError } here as well.

That would work, but we don't use assert much and I want to be extra clear here.

---

pkg/kv/kvserver/replica_probe_test.go, line 152 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

require.ErrorIs()

No, we need cockroachdb/errors.Is here. I think this is because we are round-tripping through (roachpb.Error).EncodedErr:

        	Error:      	Target error should be in err chain:
        	            	expected: "kv/kvserver/replica_probe_test.go:139: bang"
        	            	in chain: "kv/kvserver/replica_probe_test.go:139: bang"
        	            		"kv/kvserver/replica_probe_test.go:139: bang"
        	            		"bang"
        	            		"bang"

---

pkg/kv/kvserver/replica_raft.go, line 184 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

I'd prefer to keep this in GetPrevLeaseForLeaseRequest() and return a zero-valued lease (or separate ok boolean) for irrelevant request types, to keep this sort of request logic in one place.

This is bespoke logic for these requests that is part of how they evaluate, which is not something I like to see tucked far away in roachpb, which is why I inlined this code. I think the previous abstraction was premature and made me anxious about what exactly the contracts were.

---

pkg/kv/kvserver/replica_write.go, line 276 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

Wrap at 100.

Done.

---

pkg/kv/kvserver/testing_knobs.go, line 72 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

It's unclear to me why TestingApplyFilter couldn't handle this case as well.

All existing users of this filter would need to address the special case of getting a forced error. This would incur a large diff in this PR but also add a subtle condition that would need to be handled to all future users of this filter, which would likely be forgotten and lead to weird flakes in some cases.

---

pkg/kv/kvserver/batcheval/cmd_probe.go, line 28 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

It declares read/write on the targeted key, but only with a latch (no lock).

Oh, you're right, thanks.

I have been a little torn over whether to declare keys at all. From a purity-based point of view it would be nice for this request to really only check the replication layer, i.e. completely bypass latching. From the POV of the circuit breaker though, you want to make sure that you trip if the replication layer is ok but something doesn't release the latch. I think I lean towards the pure approach and to solve the rest in the circuit breaker probe? So the probe would

• check replication layer via ProbeRequest
• check lease (which is now up to date thanks to having seen the probe pop up from below raft)
• if leaseholder is elsewhere & lease is valid, declare success
• send ScanRequest(desc.Start, desc.End, limit=1) (with special-cased ctx that bypasses circuit breaker, and also code that translates that ctx into the lease request which has its own ctx to prevent that from bouncing on the breaker)
• success

We want some of that lease stuff anyway, so baking a latch into ProbeRequest isn't really giving us a single-step circuit breaker probe, and the latch makes a failing probe just a little difficult to interpret since now there are more things that could block it.

WDYT?

---

pkg/roachpb/api.proto, line 178 at r1 (raw file):

Previously, erikgrinaker (Erik Grinaker) wrote…

Consider being explicit about bypassing the lease here, i.e. it checks that the Raft group can make progress but not that the leaseholder (and thus the range) can make progress.

Done.

[erikgrinaker]

modulo the latch tweak and test improvements.

I "dismissed" you from all comments that were 100% trivial (I think your default disposition is different from most reviewers', might be something to look into for you, may not be intentional)

Ah, yeah, it was set to blocking by default. I don't really use the disposition that actively, so changed it to discussing. Thanks for the heads-up.

Reviewed 9 of 9 files at r2, all commit messages.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @tbg)

---

-- commits, line 23 at r1:

Previously, tbg (Tobias Grieger) wrote…

Yeah, should be possible, but doesn't seem necessary and I'm also not sure there is a strong case for a lease-respecting probe for kvprober since it can do the same thing using the existing KV API (it's doing that now) and I'd rather not complicate our KV API.

Suppose that's true.

---

pkg/kv/kvserver/replica_probe_test.go, line 52 at r1 (raw file):

Previously, tbg (Tobias Grieger) wrote…

That would work, but we don't use assert much and I want to be extra clear here.

Sure, nbd.

---

pkg/kv/kvserver/replica_probe_test.go, line 152 at r1 (raw file):

Previously, tbg (Tobias Grieger) wrote…

No, we need cockroachdb/errors.Is here. I think this is because we are round-tripping through (roachpb.Error).EncodedErr:

        	Error:      	Target error should be in err chain:
        	            	expected: "kv/kvserver/replica_probe_test.go:139: bang"
        	            	in chain: "kv/kvserver/replica_probe_test.go:139: bang"
        	            		"kv/kvserver/replica_probe_test.go:139: bang"
        	            		"bang"
        	            		"bang"

Ah, you're right, forgot about that part.

---

pkg/kv/kvserver/batcheval/cmd_probe.go, line 28 at r1 (raw file):

Previously, tbg (Tobias Grieger) wrote…

Oh, you're right, thanks.

I have been a little torn over whether to declare keys at all. From a purity-based point of view it would be nice for this request to really only check the replication layer, i.e. completely bypass latching. From the POV of the circuit breaker though, you want to make sure that you trip if the replication layer is ok but something doesn't release the latch. I think I lean towards the pure approach and to solve the rest in the circuit breaker probe? So the probe would

• check replication layer via ProbeRequest
• check lease (which is now up to date thanks to having seen the probe pop up from below raft)
• if leaseholder is elsewhere & lease is valid, declare success
• send ScanRequest(desc.Start, desc.End, limit=1) (with special-cased ctx that bypasses circuit breaker, and also code that translates that ctx into the lease request which has its own ctx to prevent that from bouncing on the breaker)
• success

We want some of that lease stuff anyway, so baking a latch into ProbeRequest isn't really giving us a single-step circuit breaker probe, and the latch makes a failing probe just a little difficult to interpret since now there are more things that could block it.

WDYT?

I agree, I don't think latching adds anything here -- let's check that elsewhere in the circuit breaker.

[tbg]

bors r=erikgrinaker

[craig]

Build succeeded:

• GitHub CI (Cockroach)