CEP-45: Incremental repair for mutation tracking

[aweisberg]

No description provided.

[maedhroz]

Trying to reason about the thread safety of shardStates here...

The assignment is clearly visible after the CAS above, but are the iterations inside the callbacks later guaranteed to see the results of the put()s here?

[aweisberg]

Register sync coordinator is a write barrier because it does a put in a ConcurrentHashMap? So any prior writes will be visible? As long shardStates is effectively immutable after that particular map should be OK.

This could be an ImmutableMap which might make it a little clearer so I'll make that change.

[maedhroz]

What happens if the try block above produces InterruptedException? Do we need to cancel the rest of the sync coordinators (that hadn't been processed yet)?

[aweisberg]

We should clean them up just so they don't have to wait for their timeout to elapse to clean up. I'll rework the exception handling here to catch Exception instead of RuntimeException.

[maedhroz]

Should an incremental repair request succeed after a successful full repair? It tried this, and it appears to hang, but I'm not sure why yet...

[maedhroz]

"node1_Repair#4:1" #270 daemon prio=5 os_prio=31 cpu=0.08ms elapsed=92.27s tid=0x000000013de75200 nid=0x2530b waiting on condition  [0x000000036944a000]
   java.lang.Thread.State: TIMED_WAITING (parking)
	at jdk.internal.misc.Unsafe.park(java.base@11.0.19/Native Method)
	at java.util.concurrent.locks.LockSupport.parkNanos(java.base@11.0.19/LockSupport.java:357)
	at org.apache.cassandra.utils.concurrent.AsyncFuture.awaitUntil(AsyncFuture.java:221)
	at org.apache.cassandra.utils.concurrent.Awaitable$Defaults.await(Awaitable.java:114)
	at org.apache.cassandra.utils.concurrent.AbstractFuture.await(AbstractFuture.java:482)
	at org.apache.cassandra.utils.concurrent.AbstractFuture.get(AbstractFuture.java:252)
	at org.apache.cassandra.replication.MutationTrackingSyncCoordinator.awaitCompletion(MutationTrackingSyncCoordinator.java:351)
	at org.apache.cassandra.repair.MutationTrackingIncrementalRepairTask.waitForSyncCompletion(MutationTrackingIncrementalRepairTask.java:127)

[maedhroz]

Anyway, I think the lack of background reconciliation still means that this won't work. The transfer IDs are only there to make sure read reconciliation works.

[aweisberg]

I misunderstood the test. I don't think IR should hang in this test because we aren't relying on background reconciliation. There aren't any down nodes at all.

[aweisberg]

Ah right now I remember. So the test inserts data using executeInternal which gives the mutation and id and applys it locally correclty, but because it's only applied locally it never propagates because there is no background reconciliation.

Mutations applied via execute/StorageProxy are given to ActiveLogReconciler which is basically in-memory hinted handoff for mutation tracking.

So this is working as intended for now in that we need to use full repair here instead of IR since IR can't complete until background reconciliation is done.

[maedhroz]

nit: Do we ever actually put MutationTrackingSyncResponse in a collection?

[aweisberg]

I'll remove hashCode and equals. I ran the tests and I don't think they get used anymore.

[aweisberg]

It's needed for RepairMessageSerializationsTest

[maedhroz]

nit: Coverage tooling indicates this might not be tested.

[aweisberg]

I'll add a test that allows the timeout to elapse.

[aweisberg]

Ah the test that is supposed to test timeouts blocks all verbs so you it times out on the prepare not doing the actual sync. I'll fix that test.

[maedhroz]

nit: Coverage tooling indicates this might not be tested.

[aweisberg]

I'll convert timeouts to exceptions so it can be exercised.

[maedhroz]

nit: Coverage tooling indicates this might not be tested.

[aweisberg]

The errors are put in resultPromise and don't get surfaced by allowing them to bubble up. To make this branch fire I could let exceptions bubble up and then get handled here. Would be less exception handling in general and then it would show up as tested.

I'll do that.

[maedhroz]

nit: Coverage tooling indicates this might not be tested.

[maedhroz]

nit: Coverage tooling indicates this might not be tested.

[aweisberg]

Converted to a checkState

[maedhroz]

nit: Coverage tooling indicates this might not be tested.

[aweisberg]

Added a test case that sends an exception through here

[maedhroz]

nit: Coverage tooling indicates this might not be tested.

[aweisberg]

Topology changes aren't supported yet https://issues.apache.org/jira/browse/CASSANDRA-20386

I'll take a look and see if I can at least induce one to exercise this failure path.

It might end up being more unit test then end to end test.

[aweisberg]

Added an end to end test. Seems like we don't error out on topology changes and more or less do it.

[maedhroz]

nit:

Suggested change

	*
	* <p>

[maedhroz]

nit: Could replace the above w/

KeyspaceMigrationInfo migrationInfo = ClusterMetadata.current().mutationTrackingMigrationState.getKeyspaceInfo(metadata().keyspace);
boolean inMigrationPendingRange = migrationInfo != null && migrationInfo.isRangeInPendingMigration(metadata().id, first.getToken(), last.getToken());

[maedhroz]

nit: Might be nice to have something like an isMigrating(String) on MTMS, but just a matter of taste I guess.

[aweisberg]

I'll update it to use a helper.

[maedhroz]

Does this mean that during migration to tracked, we'd expect these SSTables to have no coordinator log offsets then? Is that worth asserting?

[maedhroz]

It shouldn't matter for imports, since the keyspace being currently tracked means we'll avoid this method.

[aweisberg]

No we will actually hit this method during migration. The sstables might actually have offsets in them since tracked writes have already started and the incremental repair starts after.

[maedhroz]

nit: I guess the other option would be something like a handlesReadRepair() method that only ReadRepairVerbHandler overrides, but it's literally called ReadRepairVerbHandler, and we probably won't have something else handle RR mutations.

In any case, I'm remembering blocking RR is going to be reworked for migration anyway, so ignore me :D

[maedhroz]

nit: This is almost a case where null would be nice to indicate "all tables", in the sense that an empty collection might be more likely than null to indicate incorrect argument construction.

[aweisberg]

That is an artifact of how RepairOption treats the empty set as "all tables". I'll update this method to use null and then fix it at the caller to convert an empty set to null.

[maedhroz]

This block here is duplicated 3 more times below. The original code here avoided that by returning after the if/else stuff, but we could just delegate to a submitRepairTask() or something similar.

[aweisberg]

Added a helper.

[maedhroz]

MutationTrackingSyncCoordinator syncCoordinator =
    new MutationTrackingSyncCoordinator(coordinator.ctx, desc, commonRange.endpoints, metadata);

...might be a little easier on the eyes.

[maedhroz]

Do we need to handle partial failure here? (i.e. Do we just return the irPair result if the MT task partially fails?)

[aweisberg]

A failure at any step is a failure of the entire thing since we didn't complete the entire repair. That is what this should be doing which is return failure immediately once any step fails.

[maedhroz]

nit: Not strictly true if migrating to untracked?

[aweisberg]

I'll address that in the follow up where I am changing migration from tracked to untracked to be instant.

[maedhroz]

Table name is meaningless here, right?

[aweisberg]

Yes but I figured for debugging purposes it's clearer to not leave it empty.

[maedhroz]

nit: Might be nice to have a DEBUG level log message to indicate this happened.

[aweisberg]

Converted it a checkState

[maedhroz]

nit: If we just build the liveHostIds at construction time, could we make it final?

[aweisberg]

Yes I'll make it a final ImmutableSet

[maedhroz]

It looks like this is called from updateReplicatedOffsets(), but does that mean we keep expanding the targets after the initial round of sync requests? (i.e. If there are ongoing writes, can this cause the whole IR to time out?)

[aweisberg]

Yeah this shouldn't occur on offsets received. I missed this coming in from the original PR.

[maedhroz]

nit: remainingNanos can be negative if the whole budget has elapsed? Should we even attempt to await in that case?

[aweisberg]

If the timeout is elapsed it will throw timeout exception. I think it's cleaner to just go in with the elapsed timeout so you always exit through the same timeout exception error path.

[maedhroz]

nit: Is this going to be ExecutionException, and if so, do we have to unwrap the cause?

[aweisberg]

I don't think we need to/should? ExecutionException is part of the chain of exceptions? It's the caller that catches the exceptions that needs to analyze the chain and decide what to do. Reality here is that we don't care what errors happened and we aren't going to handle them individually we are just going to mark it as failed and log them.

[maedhroz]

nit: I think this silently swallows any exception that comes out of the cancel() calls.

[aweisberg]

Ah you are right. For some reason I thought Java would automatically add it as a suppressed exception. If one of the cancellations throws it will also skip the rest. I'll turn it into a loop that aggregates the exceptions and then rethrows with them as suppressed.

[maedhroz]

nit: Is this check redundant now, since MutationTrackingIncrementalRepairTask.isMutationTrackingMigrationInProgress() checks it above?

[aweisberg]

Yes I will restructure this.

[maedhroz]

Do we only need to explicitly cancel() all the coordinators if interrupted, or would we have to do it on timeouts as well?

[aweisberg]

You are right we need something to do the cleanup because the SyncCoordinator doesn't register a timeout check that does the cancellation.

I think for the timeout case what I actually want to do is schedule a task to do the cancellation rather then juggle it here.