raft: fix election deadlock when nodes have election_mode off

[philippeboyd]

Closes #12018

When instances with election_mode=off exist in a replicaset, they continue to broadcast is_leader_seen=true even after the leader dies. (Their death detection timers never start since RAFT is disabled for them). This causes the leader_witness_map bits for these hosts to remain set indefinitely on candidate nodes, blocking elections since the pre-vote protection check requires leader_witness_map==0.

The root cause is that election_mode=off nodes cannot be distinguished from active voters in RAFT messages. Both report state follower with is_leader_seen based on local state, but election_mode=off nodes never update their view since heartbeat processing exits early when raft is disabled.

This fix forces nodes with election_mode=off to always broadcast is_leader_seen=false. This allows candidate nodes to immediately clear witness map bits for non-participating nodes, enabling elections to proceed with only active participants.

Is this the right approach or have I missed anything?

[coveralls]

coverage: 87.678% (+0.03%) from 87.649%
when pulling a9e7820 on philippeboyd:bugfix/raft-disabled-nodes-should-not-report-leader-seen
into ec05cb1
on tarantool:master.

[sergepetrenko]

Hi, Philippe!

Sorry for the long delay in review and thank you for your patch!

Your approach looks good to me, I have only a couple of comments regarding the changelog wording and commit style.

It's good that you've found and fixed this issue. Could you tell me how you stumbled upon it?

[Serpentian]

Thank you for finding and fixing such a critical bug! This could have caused a cluster downtime if it had been found in production. The solution is nice and elegant, I have no significant comments regarding it

[philippeboyd]

Hi @sergepetrenko thanks for reviewing. To answer your question:

Could you tell me how you stumbled upon it?

We were testing a setup with one replicaset spread in two datacenters with one datacenter being active and the other being passive.

With a synchro_quorum: 2 to keep the writes fast in the active datacenter while still having data replication in the passive datacenter and protecting us from a split-brain situation.

Having a replicaset storage with intances:

dc1-storage-1 (raft candidate)
dc1-storage-2 (raft candidate)
dc1-storage-3 (raft candidate)
dc2-storage-1 (raft off)
dc2-storage-2 (raft off)
dc2-storage-3 (raft off)

Say dc1-storage-1 was the leader and it died, no election was triggered.

[sergepetrenko]

Philippe, thanks for the fixes!
LGTM.

[sergepetrenko]

@philippeboyd, thanks for the answer, got it.

Just be aware that a replication conflict might still happen with such a setup (although it's rather unlikely).

With a synchro_quorum: 2 to keep the writes fast in the active datacenter while still having data replication in the passive datacenter and protecting us from a split-brain situation.

Having a replicaset storage with intances:

dc1-storage-1 (raft candidate)
dc1-storage-2 (raft candidate)
dc1-storage-3 (raft candidate)
dc2-storage-1 (raft off)
dc2-storage-2 (raft off)
dc2-storage-3 (raft off)

While you won't get 2 leaders in the same term (obviously only 3 nodes participate in elections, 2 votes out of 3 give you a single leader), it's possible that the elected leader won't have all the committed transactions of the prevous leader, because the nodes with election_mode = 'off' are still counted in quorum for synchronous transaction commits.

So, imagine dc1-storage-1 is the leader, it writes some transaction A replicates it only to dc2-storage-1. The leader commits A, as it has gathered quorum. Then dc1-storage-1 dies before replicating A to anyone else, and the elections are triggered. Neither dc1-storage-2 nor dc1-storage-3 have the transaction, but one of them will be elected the next leader, which will cause a replication conflict once the already-committed transaction A reaches one of them (by Raft only the node having all the previously committed transactions may be elected leader).

That's unlikely, because all the candidates are in the same datacenter, so replication between them should be much faster than to the nodes of the other DC. But still possible.

[TarantoolBot]

Successfully created backport PR for release/3.2:

• [backport 3.2] raft: fix election deadlock when nodes have election_mode off #12020

[TarantoolBot]

Successfully created backport PR for release/3.3:

• [backport 3.3] raft: fix election deadlock when nodes have election_mode off #12021

[TarantoolBot]

Successfully created backport PR for release/3.4:

• [backport 3.4] raft: fix election deadlock when nodes have election_mode off #12022

[TarantoolBot]

Successfully created backport PR for release/3.5:

• [backport 3.5] raft: fix election deadlock when nodes have election_mode off #12023

[TarantoolBot]

Backport summary

• Created [backport 3.3] raft: fix election deadlock when nodes have election_mode off #12021 to release/3.3 to a future 3.3.4 release
• Created [backport 3.5] raft: fix election deadlock when nodes have election_mode off #12023 to release/3.5 to a future 3.5.1 release
• Created [backport 3.4] raft: fix election deadlock when nodes have election_mode off #12022 to release/3.4 to a future 3.4.2 release
• Created [backport 3.2] raft: fix election deadlock when nodes have election_mode off #12020 to release/3.2 to a future 3.2.3 release