raft: improve the availability related to member change

[hhkbp2]

Hi,

Current member change implementation requires at least two nodes works for a cluster. If one node fails in a three nodes cluster, there is a short time gap that the availability risks on another node failure, after the previously failed node is removed, before the new node is added.

Another availability issue arises when balancing the nodes among racks/data centers. It's an usual way to add a new node and then remove one old node among different racks/data centers to do the balancing. After adding a node into a three nodes cluster in one of the three racks/data centers, there will two nodes in one same rack/data center. If this rack/data center fails, the cluster is unavailable. The elaboration for this issue is in tikv/tikv#1468

Both availability issues are related to the member change implementation. To fix them, I suggest to add a "ReplaceNode" primitive in member change. It requires to write and then commit one log entry to achieve the target "remove one existing node and add a new node".

[siddontang]

/cc @xiang90

[heyitsanthony]

I don't understand what the atomicity buys over remove/add?

For the first case, if the node failed, then removing it from membership doesn't seem to make the fault tolerance worse-- the cluster will lose availability if another node fails regardless. The window is slightly shorter with ReplaceNode since there's only one a commit instead of two, but window is still there.

The rack case is more convincing, but I'm not sure if there's an advantage over remove/add at the moment. There's still the risk that the replacement node will be misconfigured and will fail to join with raft, so it loses add/remove's advantage that ensures the new node is participating in raft before shutting off the old node. There would have to be non-voting member support before ReplaceNode can be safe.

[siddontang]

Hi @heyitsanthony

For TiKV or Cockroachdb, which needs to schedule multi raft groups in different DCs, If one DC fails when scheduler is working (moving one replica from a host to another host in same DC), the corresponding raft group can not work unless DC is up again, regardless of whether using add + remove or remove + add.

Of course, we can use 5 replicas to solve the problem in 3 DCs, but I think this may hurt the performance and is not necessary. A better way is to implement atomic Replace operation or joint consensus, both are mentioned in Raft Paper. Supporting joint consensus will change a lot codes in etcd raft, Replace may be more simple here.

[heyitsanthony]

@siddontang sure, I understand that. I'm asking if ReplaceNode will be effective enough at maintaining availability without non-voting member support. The new node could turn out to be incapable of participating in raft but there's no way of knowing until after it's added, so there's still a risk of going from 3 to 2. Non-voting would at least establish that the new node can contact the raft group and accept commits. Or is this not a problem?

ReplaceNode would be useful on its own provided the new node can be guaranteed to catch up with the cluster quickly (which is better than nothing, as it is now), just saying that it seems like it solves only half of it...

[hhkbp2]

@heyitsanthony Yeah, it needs some time to catch up with the leader for a blank new node which is just added into the cluster. And there's still a risk of node failure during this "ReplaceNode" procedure. A better way to perform the member change in this situation would be:

1. Initialize a non-voting node in the target rack/data center. Replicate snapshot/log to this non-voting node until it's close enough (until the log gap could be covered within one election timeout as described in Raft Thesis 4.2.1)
2. Perform the "ReplaceNode" action to remove one node and add this prepared one

Each of 1, 2 could be implemented once at a time and then together to solve the issue. We could get 2 as the first step.

[xiang90]

@hhkbp2 @siddontang

Yeah, it needs some time to catch up with the leader for a blank new node which is just added into the cluster.

There are cases where you can add a bad member (too slow to catch up, unreachable IP). I think @heyitsanthony feels those risks outperform the risk of allowing the small window between add/remove. If we really care about safety, we should fix the most significant problem first.

The right way to do the replacement is probably:

1. start non-voting member
2. non-voting member is sync
3. replace the old member with non-voting member

[heyitsanthony]

Starting with ReplaceNode seems fine... it's still one less way the cluster can break (even without non-voting) and it needs to be done anyway.

[xiang90]

no one is actively working on this. i am going to move it to unplanned.