Track Repository Gen. in BlobStoreRepository #48944
This is intended as a stop-gap solution/improvement to elastic#38941 that prevents repo modifications without an intermittent master failover from causing inconsistent (outdated due to inconsistent listing of index-N blobs) `RepositoryData` to be written. Tracking the latest repository generation will move to the cluster state in a separate pull request. This is intended to be backported as far as possible and motivated by the recently increased chance of elastic#38941 causing trouble via SLM.
Pinging @elastic/es-distributed (:Distributed/Snapshot/Restore)
Jenkins run elasticsearch-ci/packaging-sample-matrix (seems to hang on uploading build result)
I adjusted this PR to gracefully/automatically handle concurrent repository modifications as discussed earlier today. See c540d39 (in particular the revert of test changes I initially added here to make the change work with tests clearing out repos that are now unnecessary). This also automatically resolves #47834 since gracefully retrying on an external delete of index-N blob is functionally equivalent to concurrent modification issues.
As discussed with Yannick on another channel, adding a test for eventually consistent listing here as well. Will re-request reviews once that's in.
// It's always a possibility to not see the latest index-N in the listing here on an eventually consistent blob store, just | ||
// debug log it. Any blobs leaked as a result of an inconsistent listing here will be cleaned up in a subsequent cleanup or | ||
// snapshot delete run anyway. | ||
logger.debug("Determined repository's generation from its contents to [" + generation + "] but " + |
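Review bot: The logger.debug call on the last line builds its message by string concatenation, so the string is assembled on every call even when debug logging is disabled. A parameterized message with [{}] placeholders and generation passed as an argument avoids that work and keeps the format consistent with the rest of the logging.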
This may be a little controversial:
By tracking the latest gen in the field, we can now identify out of sync listings that we would have previously missed and that would just have failed in a subsequent step where the repo gen is compared. With this change, if we miss listing the latest `index-N`, we can still complete a delete or cleanup just fine (assuming the value in `latestKnownRepoGen` is correct).
I think it's better user experience to not do a perfect cleanup in this edge case but proceed with the delete/cleanup as if nothing happened. On an eventually consistent repo, the fact that we list out the correct index-N does not guarantee that we didn't miss any other root blobs in the listing anyway.
Also, apart from maybe missing some stale blobs, the delete will work out perfectly fine otherwise.
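The behaviour described in the comment above, as an added Java example that is not code from this pull request: the generation derived from a root listing is combined with a tracked high-water mark, so a listing that lags behind cannot move the repository back to an older `index-N`. The class name `GenerationTracker`, its method names, the `-1` sentinel and the blob names in `main` are assumptions made for illustration.

```java
import java.util.List;
import java.util.concurrent.atomic.AtomicLong;

// Added illustration; GenerationTracker and its methods are hypothetical, not Elasticsearch code.
public class GenerationTracker {
    private static final String INDEX_PREFIX = "index-";
    private static final long EMPTY_REPO_GEN = -1L; // assumed sentinel for "no index-N seen yet"

    // Highest generation this node has read or written so far.
    private final AtomicLong latestKnownRepoGen = new AtomicLong(EMPTY_REPO_GEN);

    // Highest N among the index-N names in a root listing; all other blobs are ignored.
    static long generationFromListing(List<String> rootBlobNames) {
        long max = EMPTY_REPO_GEN;
        for (String name : rootBlobNames) {
            if (name.startsWith(INDEX_PREFIX) == false) {
                continue;
            }
            try {
                max = Math.max(max, Long.parseLong(name.substring(INDEX_PREFIX.length())));
            } catch (NumberFormatException e) {
                // Name starts with the prefix but carries no numeric generation: skip it.
            }
        }
        return max;
    }

    // The listing may lag behind, so never go below the generation already tracked.
    long generationToLoad(List<String> rootBlobNames) {
        final long listed = generationFromListing(rootBlobNames);
        return latestKnownRepoGen.updateAndGet(known -> Math.max(known, listed));
    }

    // Called after this node has successfully written index-<newGen>.
    void onIndexWritten(long newGen) {
        latestKnownRepoGen.updateAndGet(known -> Math.max(known, newGen));
    }

    public static void main(String[] args) {
        GenerationTracker tracker = new GenerationTracker();
        // Constructed listing that is still consistent with the repository contents.
        List<String> listing = List.of("index-3", "index-4", "snap-constructed.dat");
        System.out.println(tracker.generationToLoad(listing));
        tracker.onIndexWritten(5);
        // Same listing again: index-5 exists but is not visible yet, the tracked value wins.
        System.out.println(tracker.generationToLoad(listing));
    }
}
```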
// Randomly filter out the latest /index-N blob from a listing to test that tracking of it in latestKnownRepoGen | ||
// overrides an inconsistent listing | ||
private Map<String, BlobMetaData> maybeMissLatestIndexN(Map<String, BlobMetaData> listing) { |
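Review bot: The comment above maybeMissLatestIndexN says what is filtered but not the limit of the simulation: only the latest index-N blob is dropped, so listings that miss other root blobs are never produced by this helper. Stating that in the comment would keep the test from being read as general coverage of inconsistent listings.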
I am aware that this does not fully cover all possible inconsistent listing scenarios, but only the scenario of missing a known (in the `latestKnownRepoGen` field) `index-N`, but correctly handling this scenario is the only thing fixed here for now. It's the most likely scenario in practice though in my opinion (inconsistent listing after back-to-back operations without master failover).
Looks sufficient to me
This should be good for review now :)
I've left some comments
} | ||
final long genToLoad = latestKnownRepoGen.updateAndGet(known -> Math.max(known, generation)); | ||
if (genToLoad != generation) { | ||
logger.warn("Determined repository generation [" + generation |
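Review bot: In the if (genToLoad != generation) check, genToLoad is the result of Math.max(known, generation), so it can only differ from generation by being larger; writing the condition as genToLoad > generation states that intent directly. The message on the logger.warn line starts with the listed generation, and it should also print genToLoad if the part cut off here does not already, so both values appear in the same log line.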
Should this be warn level? In `safeRepositoryData` you've just logged this as debug.
Also, this warning is confusing to a user. Perhaps we could talk about eventually consistent repositories here.
You're right. Let's just make this `debug`. I wouldn't necessarily start talking about eventual consistency here. It's not the only thing that might lead to this warning; concurrent modifications of the repo will have the same result.
In hindsight, I wonder if we should log this at info level, just so that we get some stats on how often this logic saves the day on Cloud
Right now I'd assume/hope the answer here is "never" :D (with standard snapshotting ... other functionality/manual action/... may trigger this obviously) but yea. Let's do `info` and verify :)
Thanks @ywelsch all addressed I think :)
@@ -920,6 +963,12 @@ private RepositoryData getRepositoryData(long indexGen) { | |||
return RepositoryData.snapshotsFromXContent(parser, indexGen); | |||
} | |||
} catch (IOException ioe) { | |||
// If we fail to load the generation we tracked in latestKnownRepoGen we reset it. |
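Review bot: As the comment in the catch (IOException ioe) branch reads, latestKnownRepoGen is reset on any I/O failure, so a transient read error is handled the same way as an index-N blob that no longer exists. Consider resetting only when the blob is reported missing (for example NoSuchFileException) and rethrowing otherwise, and have the comment say what value the field is reset to.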
I'm wondering if resetting is the right thing to do here. If the content of the repo has been deleted (or bucket/folder moved, or permissions changed etc) maybe we should keep the last generation seen around, and let the user sort the issue and re-register the repository?
We talked about that yesterday and I figured that we decided not to do that (yet). I'm of the same opinion but it's quite the change in behavior if we want to just do this as a short-term fix.
Maybe we should just move to that kind of stricter approach in `7.x` once we start tracking the repo generation in the CS permanently but for now not do any big experiments? :)
Rah, I've already forgotten about this discussion, sorry. But I'm good with the plan.
LGTM (left one comment about logging)
Jenkins run elasticsearch-ci/2 (random X-pack failure)
Thanks Yannick & Tanguy!
This is intended as a stop-gap solution/improvement to elastic#38941 that prevents repo modifications without an intermittent master failover from causing inconsistent (outdated due to inconsistent listing of index-N blobs) `RepositoryData` to be written. Tracking the latest repository generation will move to the cluster state in a separate pull request. This is intended as a low-risk change to be backported as far as possible and motivated by the recently increased chance of elastic#38941 causing trouble via SLM (see elastic#47520). Closes elastic#47834 Closes elastic#49048