KAFKA-12520: Ensure log loading does not truncate producer state unless required

[ccding]

When we find a .swap file on startup, we typically want to rename and replace it as .log, .index, .timeindex, etc. as a way to complete any ongoing replace operations. These swap files are usually known to have been flushed to disk before the replace operation begins.

One flaw in the current logic is that we recover these swap files on startup and as part of that, end up truncating the producer state and rebuild it from scratch. This is unneeded as the replace operation does not mutate the producer state by itself. It is only meant to replace the .log file along with corresponding indices. Because of this unneeded producer state rebuild operation, we have seen multi-hour startup times for clusters that have large compacted topics.

This patch fixes the issue. With ext4 ordered mode, the metadata are ordered and no matter it is a clean/unclean shutdown. As a result, we rework the recovery workflow as follows.

1. If there are any .cleaned files, we delete all .swap files with higher/equal offsets due to KAFKA-6264. We also delete the .cleaned files. If no .cleaned file, do nothing for this step.
2. If there are any .log.swap files left after step 1, they, together with their index files, must be renamed from .cleaned and are complete (renaming from .cleaned to .swap is in reverse offset order). We rename these .log.swap files and their corresponding index files to regular files, while deleting the original files from compaction or segment split if they haven't been deleted.
3. Do log splitting for legacy log segments with offset overflow (KAFKA-6264)
4. If there are any other index swap files left, they must come from partial renaming from .swap files to regular files. We can simply rename them to regular files.

credit: some code is copied from @dhruvilshah3 's PR: #10388

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[ccding]

Is it possible to write something like the following in Scala?

Vector(Log.offsetIndexFile, Log.timeIndexFile, Log.transactionIndexFile).foreach{
    fn => {
        swapIndexFile = fn(swapFile.getParentFile, baseOffset, Log.SwapFileSuffix)
        if (!swapIndexFile.exists()) {
            // ...
        }
        // other things
    }
}

[dhruvilshah3]

You could perhaps define a method like this:

      def maybeCompleteInterruptedSwap(fn: (File, Long, String) => File): Boolean = {
        val swapIndexFile = fn(swapFile.getParentFile, baseOffset, Log.SwapFileSuffix)
        if (!swapIndexFile.exists()) {
          val cleanedIndexFile = fn(swapFile.getParentFile, baseOffset, Log.CleanedFileSuffix)
          if (cleanedIndexFile.exists()) {
            cleanedIndexFile.renameTo(swapIndexFile)
            true
          } else {
            false
          }
        }
      }

and then invoke it as

      var recoverable = true
      recoverable = maybeCompleteInterruptedSwap(Log.offsetIndexFile)
      if (recoverable)
        recoverable = maybeCompleteInterruptedSwap(Log.timeIndexFile)
      if (recoverable)
        recoverable = maybeCompleteInterruptedSwap(Log.transactionIndexFile)

[dhruvilshah3]

The main thing we want to avoid is running this recovery logic for scenarios where the rename operation was interrupted, as it rebuilds the producer state from scratch. Could we make this recovery conditional on whether we have all the relevant log files and indices?

[dhruvilshah3]

Could you elaborate a bit on what this block of code is doing?

[ccding]

The whole logic is that, if the segment.swap file exists, then all index files should exist as .cleaned or .swap. We find them and rename them to .swap [before this block of code]. Then do a sanity check and rename all the .swap files to non-suffix log files [within this block of code].

This could fix the issue caused by the compaction as we discussed before.

For all other cases, I think it is in an inconsistent state and we will have to do the original recovery.

Does this make sense to you?

[ccding]

return might be wrong. Didn't realize it was within a for loop. Maybe continue instead.

[dhruvilshah3]

Would be good to avoid return or continue and instead make the call to recoverSegment conditional so that the code is easier to read.

[dhruvilshah3]

recoverable sounds a bit incorrect in this context, given that we actually end up calling recoverSegment when recoverable == false.

Perhaps we could call this something like needsRecovery which is set to true if we do not find the relevant index files or when the sanity check fails.

[dhruvilshah3]

Would be good to avoid return or continue and instead make the call to recoverSegment conditional so that the code is easier to read.

[dhruvilshah3]

Would be good to enumerate different cases that we could run into during recovery and ensure we have coverage for them. eg.

1. All .swap files are present. We should validate that producer state is not rebuilt in this case.
2. Some .swap and some .clean files are present.
3. All .clean files are present.
4. One of the index files was not found when completing the swap operation, which triggers a full recovery and rebuild of producer state.

[ccding]

@dhruvilshah3 addressed your comments. Will work on the tests later today. Please take a look

[ccding]

@dhruvilshah3 @junrao This PR is ready for review. Please take a look

kafka/core/src/test/scala/unit/kafka/log/LogCleanerTest.scala

Line 1407 in f914ed7

def testRecoveryAfterCrash(): Unit = {

The above function tests all the possible cases, thus we don't need additional tests.

One thing I am not sure about is how to test whether certain recovery goes the renaming path or recovery path. Current test cases only validate the results are correct. If you have any ideas, please let me know.

[ccding]

added two tests: they should cover all the cases around file renaming during compaction

[junrao]

@ccding : Thanks for the PR. A few comments below.

[junrao]

Hmm, I am not sure why we need this step. We have processed all .swap files before and no new .swap files should be introduced if we get to here.

[ccding]

you are right if we don't need to do sanity checks. Removed this

[junrao]

The PR descriptions says "as a result, if at least one .swap file exists for a segment, all other files for the segment must exist as .cleaned files or .swap files. Therefore, we rename the .cleaned files to .swap files, then make them normal segment files.". Are we implementing the renaming of .clean files to .swap files?

[ccding]

No, we are not renaming .cleaned files to .swap files due to KAFKA-6264. I forgot to update the description of the PR. Just updated it: please see the updated one.

[junrao]

It seems that those swap files could be the result of segment split too?

[ccding]

are you concerned about the logic or the comment? If comment only, I fixed it.

[junrao]

It doesn't seem we need this since we call segment.sanityCheck() on all segments later in loadSegmentFiles().

[ccding]

fixed.

[ccding]

@junrao Thanks for the review. Addressed your comments.

[junrao]

@ccding : Thanks for the updated PR. A few more comments.

[junrao]

This is an existing problem. Calculating the end offset that a segment covers can be tricky. The problem is that in compaction, we remove records in the .clean and .swap files. So, the offset of the last record in a segment doesn't tell us the true end offset of the original segment.

One possibility is to use the base offset of the next segment if present.

[ccding]

How can we get the next segment before finishing the recovery process?

[ccding]

I could be wrong, but I think if it is compaction, the last record will never be removed. The reason is that compaction always removes earlier records of each key, and the last record will never be an earlier one.

Split should be similar.

[junrao]

I could be wrong, but I think if it is compaction, the last record will never be removed. The reason is that compaction always removes earlier records of each key, and the last record will never be an earlier one.

Split should be similar.

It's true that we generally don't remove the last record during compaction. However, during a round of cleaning, we clean segments in groups and each group generates a single .clean file. The group is formed to make sure that offsets are still within 2 billion in offset gap and the .clean file won't exceed 2GB in size. If multiple groups are formed, it's possible that a group that's not the last doesn't preserve the last record.

How can we get the next segment before finishing the recovery process?

We could potentially scan all .log files and sort them in offset order.

[junrao]

segment.offsetIndex.lastOffset doesn't give the exact last offset in a segment since the index is sparse. We need to use segment.nextOffset().

[junrao]

The swap files can also be created during splitting.

[ccding]

fixed the comment

[junrao]

Hmm, not sure why we still have swap files at the point. We have renamed all existing swap files and no new swap files are created.

[ccding]

We have renamed all .log.swap files and their corresponding index swap files. If there is a single .index.swap file, it is not renamed previously in the recovery process. A single .index.swap file could happen if it crashed in the middle of this line:

kafka/core/src/main/scala/kafka/log/Log.scala

Line 2381 in bd668e9

sortedNewSegments.foreach(_.changeFileSuffixes(Log.SwapFileSuffix, ""))

[ccding]

Should we rename all .swap files in https://github.com/apache/kafka/pull/10763/files#diff-54b3df71b1e0697a211d23a9018a91aef773fca0b9cbd1abafbdca6c79664930R138 no matter the file is in toRenameSwapFiles or not? I am not sure if we have to put the retryOnOffsetOverflow call between renaming files in toRenameSwapFiles and renaming the rest .swap files.

[ccding]

I guess we don't need to put retryOnOffsetOverflow call in between. Removed the toRenameSwapFiles variable and combined the renaming in 76c197c

[junrao]

@ccding : Thanks for the updated PR. A few more comments.

[junrao]

segment.offsetIndex.lastOffset doesn't give the exact last offset in a segment since the index is sparse. We need to use segment.nextOffset().

[junrao]

If we use segment.nextOffset() to calculate maxSwapFileOffset, it's exclusive.

[ccding]

fixed

[junrao]

"which segments are compacted": .swap files are also generated from splitting.

[ccding]

fixed

[junrao]

It's possible that during renaming, we have only renamed the .log file to .swap, but not the corresponding index files. Should we find those .clean files with the same offset and rename them to .swap?

[ccding]

Due to KAFKA-6264, if there are any .cleaned files (no matter they are .index.cleaned or .log.cleaned), we delete all .cleaned files and .swap files that have larger/equal base offsets. Basically, this reverts ongoing compaction/split operations. Therefore, we don't have any additional .index.cleaned files.

Is that fair?

[junrao]

Thanks for the explanation. Make sense.

[ccding]

@junrao Thanks for the review. I have addressed the comments. Please take a look

[junrao]

@ccding : Thanks for the updated PR. Just a minor comment below.

[junrao]

Is this still needed?

[ccding]

My bad. Forgot to delete this line.

[junrao]

@ccding : Thanks for the latest PR. LGTM