Avoid cluster.nodes load corruption due to shard-id generation

[stevelipinski]

PR #13428 doesn't fully resolve an issue where corruption errors can still occur on loading of cluster.nodes file - seen on upgrade where there was no shard_ids (from old Redis), 7.2.5 loading generated new random ones, and persisted them to the file before gossip/handshake could propagate the correct ones (or some other nodes unreachable).
This results in a primary/replica having differing shard_id in the cluster.nodes and then the server cannot startup - reports corruption.

This PR builds on #13428 by simply ignoring the replica's shard_id in cluster.nodes (if it exists), and uses the replica's primary's shard_id.
Additional handling was necessary to cover the case where the replica appears before the primary in cluster.nodes, where it will first use a generated shard_id for the primary, and then correct after it loads the primary cluster.nodes entry.

[sundb]

@stevelipinski i did it in propose, #13428 is a fix for generating corrupt files, but i'm not sure it makes sense to automatically fix an corrupted cluster config file, it might hide other issues that cause config corruption.

[stevelipinski]

#13428 - does not fully prevent a corrupt config file, specifically when other nodes are unreachable. So, it is not a complete solution for this. This is verified by simply taking an old 7.0 cluster.nodes file, and spinning up a single instance to use that file. It starts successfully, but if you run CLUSTER SAVECONFIG - it generates a corrupt file. If you SHUTDOWN and then start that instance again, it will not start.

It seems the logic in clusterLoadConfig() is a bit flawed in that it uses random shard-ids for nodes that have not yet been loaded from cluster.nodes. So, if a replica line is parsed first, then it's primary has a random shard-id.

[sundb]

@stevelipinski did you have the reproduce steps?

[stevelipinski]

Sure.

using /tmp/cluster.nodes:

10e7ffc21cc7a7b570f43691ae82b0494e69c913 10.234.140.250:6379@16379 master - 0 1722985884529 9 connected 3277-6553
f13c75ad62684ef01a2958d0d2d32c2a138d4232 10.234.129.133:6379@16379 master - 0 1722985884000 8 connected 6554-9829
e0975496e64a72915138f99adb322b31274be87a 10.234.156.181:6379@16379 myself,master - 0 1722985884000 1 connected 0-3276
0c3dfe612191e2b8c0011589835d24cf07054069 10.234.94.187:6379@16379 slave f13c75ad62684ef01a2958d0d2d32c2a138d4232 0 1722985884529 8 connected
e474e464c3c201ce7b6da55d7d5dc0d01bdfb0b9 10.234.136.80:6379@16379 slave fb9cb25641d9dee1047dbd86f894ab5a2ecca7ab 0 1722985884000 6 connected
c2badfb58c306208034ced68bd8261ddece95738 10.234.140.59:6379@16379 slave,fail 10e7ffc21cc7a7b570f43691ae82b0494e69c913 1722985882008 1722985880498 9 disconnected
09bd2139e57c80645b457840bc44dbbf72714a20 10.234.232.144:6379@16379 slave fd3417b6bfa9b422f9a13359e269e6d9ad462206 0 1722985885133 7 connected
dcb26d1b3d89b0e225ad36250fa6596151d33b9f 10.234.233.3:6379@16379 slave e0975496e64a72915138f99adb322b31274be87a 0 1722985884000 1 connected
fd3417b6bfa9b422f9a13359e269e6d9ad462206 10.234.187.11:6379@16379 master - 0 1722985884529 7 connected 9830-13106
vars currentEpoch 9 lastVoteEpoch 9

/tmp/redis.conf:

cluster-enabled yes
cluster-config-file /tmp/cluster.nodes
cluster-node-timeout 5000

Run single server instance:
# redis-server-7.2.5.patch /tmp/redis.conf

dump cluster config and shutdown:
# redis-cli CLUSTER SAVECONFIG
# redis-cli SHUTDOWN

Attempt to restart:
# redis-server-7.2.5.patch /tmp/redis.conf

Fails:

25117:M 09 Aug 2024 14:18:52.000 # Unrecoverable error: corrupted cluster config file "f13c75ad62684ef01a2958d0d2d32c2a138d4232 10.234.129.133:6379@16379,,tls-port=0,shard-id=182a927aed17e3c1bebd00f746ab3650d2e5d176 master,fail? - 1723213119306 1723213116776 8 connected 6554-9829

[sundb]

@stevelipinski thanks, you're right, but I still don't like automatically fixing it when loading corrupt config.

[stevelipinski]

arguably, that's no different from what is occurring once it re-establishes communication with the other nodes. The master shard_id takes precedence over the randomly generated one.

And, the config generated during upgrade from old, shard_id-less cluster.nodes is corrupt as well - because of the way it's again just randomly generating shard_ids

[sundb]

@stevelipinski but after this PR(exclude auto fix), we shouldn't generate corrupted config, but if we fix it automatically, if there are still potential bugs that can cause the corruption, we'll never know.

[stevelipinski]

agreed. However to fix it such that you still catch corruption and error on it would require a lot more refactoring and changing of code in cluster.c. This was a trade-off to keep the complexity of the change minimal.

What is more of an issue is when a slave entry is loaded from the cluster.nodes, if there is no master for that slave (master is in a subsequent line in the file), then a "temporary" master object is created with a random shard-id (not the one from the file). So, this is where some corruption is leaking in - the random shard-id generation during this cluster.nodes loading process.

Maybe there is a better solution, but what I put here is the least intrusive, and results in behavior very similar to what happens when the cluster is communicating anyways (e.g., master shard-id overrides whatever gets loaded from the file).
And, the slave shard-id is essentially ignored from the file (same as if the slave was communicating with its master).

[sundb]

@stevelipinski thanks, i agree with your solution, let's wait for the opinions of others.

[oranagra]

@sundb i don't presume to know that area good enough to give you an opinion.
i trust your judgement, and the only advise is a general one regarding risk of breaking something seriously for solving a rare or minor issue, but i don't think it applies here.

[sundb]

@oranagra thanks, i was worried about the possible side effects, let's leave it here more time.
@stevelipinski WDYT?

[stevelipinski]

There may be a better way to resolve this, but from the looks of it, that would take some major refactoring of clusterLoadConfig() - of which I'm not comfortable making.
I don't really know how shard-id is used across Redis, so my focus was on the loading and convergence of shard-id in the cluster.nodes.
Because of this, I have to defer to the more-experienced experts on here to point out any potential pitfalls or problems with this approach.

[tezc]

I'm not familiar with cluster code but conceptually looks good to me!

[sundb]

@oranagra not sure if it's a break change, before this PR we couldn't start server if the config was corrupted, but now we will fix it automatically.

[sundb]

@stevelipinski merged, thanks.

[oranagra]

if it wasn't working (or unusable) and now it does, then it's not a breaking change 😄 .
question is there are other side effects impacting cases that used to work for someone...

[sundb]

if it wasn't working (or unusable) and now it does, then it's not a breaking change 😄 . question is there are other side effects impacting cases that used to work for someone...

no other side effects.

[sundb]

not sure if this failure is related to this PR:
https://github.com/redis/redis/actions/runs/10866487920/job/30154082183