HDDS-10376. Add a Datanode API to supply a merkle tree for a given container.

[aswinshakil]

What changes were proposed in this pull request?

Add an API to the datanode server that can be called to retrieve the merkle tree of a given container. Added DNContainerOperationClient which can be further used during the reconciliation process to readChunk, readBlock and other operations that we might require later.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-10376

How was this patch tested?

This patch was tested with integration test.

[errose28]

Thanks for working on this @aswinshakil. Adding a summary of what we discussed:

• Zero-copy is not required in phase 1 and is deferred to HDDS-11217.
• We plan to merge the clients for reconciliation and EC reconstruction after merging to master. Doing it here will create too many merge conflicts. HDDS-11218
• We are currently seeing if there's a way to implement this without making the modifications to KeyValueHandler that are causing widespread changes here.

[errose28]

I left a few comments on the existing implementation, but I have some more guidance that I think would help on this PR.

I think the end vision is that reconciliation will work similarly to EC reconstruction. This means that our ReconcileContainerCommandHandler would be given the client from the DatanodeStateMachine constructor. The implementation would not go to KeyValueHandler at all and that (currently placeholder) code will be removed. Instead the ReconcileContainerCommandHandler will submit to the ReplicationSupervisor for scheduling reconciliation the same way that replication and reconstruction are.

However, all of the above are out of scope for this PR. Those will be implemented as part of the actual reconciliation in HDDS-10928. For this PR we just need:

• A new API
• A client to call it
• Tests for the client and the API.

For now the KeyValueHandler implementation is just a placeholder anyways so we don't need to touch it here. This should remove the sweeping KeyValueHandler changes in this PR and reduce it's size quite a bit.

[errose28]

Thanks for the updates @aswinshakil I have a few more comments on the new changes. Additionally:

• It would be good to test the container tokens on this new API by adding a test similar to this
• After the last set of changes there's some extra files like ContainerCommands that have only whitespace diff. It would be good to revert those to give this PR a more accurate file count.
• It looks like some tests are failing due to duplicate metrics registration. On first glance I'm not sure how it relates to this change exactly.

[errose28]

Thanks for the updates. Looks good, we are just missing the secure testing I mentioned in my previous comment. It would be good to do the following secure tests to TestOzoneContainerWithTLS or somewhere similar to make sure this PR does not have problems with the container token:

• Read works in secure env
• Read fails in secure env with invalid token

[kerneltime]

We should not build it here, also this can be a WARN as post upgrade all containers won't have a checksum tree file

[errose28]

Right, building the tree would be handled in the layer above based on the result of this method. We can update the comment. I'm actually thinking we should debug log here because this will get printed for every container the scanner encounters in the first run.

[kerneltime]

Suggested change

	public class DNContainerOperationClient implements AutoCloseable {
	public class DNContainerReconciliationOperationClient implements AutoCloseable {

[aswinshakil]

We want to keep this generic so that we can merge this with ECContainerOperationClient

[kerneltime]

We can rename it then.

[kerneltime]

What is the expected behavior to cache clients ? Is the client per Datanode? We do not expect much concurrency on the client, so should the threshold be longer ?

[errose28]

Thanks for adding the test @aswinshakil. The current test is called testDNContainerOperationClient, but in addition to testing the client's token generation, it is also testing the server side token validation. The existing test names in this class also don't reflect exactly what they test which doesn't help. For this test I think we should split this into more specific tests:

• testDNContainerOperationClient would use DNContainerOperationClient to test that it generates correct tokens. The server should validate them and the call would succeed.
• testGetContainerMerkleTree would use XceiverClientManager directly to test that the server side API accepts valid tokens and rejects invalid ones.

I don't think we need a test of the underlying TLS connection while calling the API, similar to downloadContainer. This is a layer below any code that was changed in this PR so downloadContainer should already cover it.

[errose28]

We should specifically test for StorageContainerException with result code BLOCK_TOKEN_VERIFICATION_FAILED. Also there's some info missing from the exception message which shows up as null:

org.apache.hadoop.hdds.scm.container.common.helpers.StorageContainerException: BLOCK_TOKEN_VERIFICATION_FAILED for null: Failed to decode token : invalidContainerToken

[aswinshakil]

null here is the dispatcherContext. We don't have it for getContainerMerkleTree() operation.

[errose28]

Thanks for the continued updates @aswinshakil. Just needs a rebase then I think we are good to go.

[errose28]

@aswinshakil Why was the checksum manager added as a parameter to the key value handler after the branch update? This is not in the branch, and was not in the PR at commit 7e57538 prior to the merge commit. The implementation I have in HDDS-11254 does not pass this through the constructor either so it is a sweeping change we would just have to undo.

[errose28]

Thanks for the updates @aswinshakil