Reset relocation/allocation failure counter on node join/shutdown

[pxsalehi]

We prevent retries of allocations/relocations once they see index.allocation.max_retries failed attempts (default 5). In #108987, we added reseting the allocation failure counters when a node joins the cluster. As discussed in the linked discussion, it would make sense to extend this reset also to relocations AND also consider node shutdown events. With this change we reset both allocation/relocation failures if a new node joins the cluster or a shutdown metadata is applied. The subset of shutdown events that we consider and how we track them is more or less copied from what was done for #106998. To me the logic seemed to make sense here too.

Closes ES-10492

[pxsalehi]

In the PR allocation and relocation are kind of teated similarly and sometimes I've used "allocation" to mean both.

[pxsalehi]

In these tests, sometimes we need three nodes since when use a REPLACE shutdown type, NodeReplacementAllocationDecider can prevent the shard to be assigned to any available node.

[elasticsearchmachine]

Hi @pxsalehi, I've created a changelog YAML for you.

[elasticsearchmachine]

Pinging @elastic/es-distributed-coordination (Team:Distributed Coordination)

[ywangd]

Haven't read the tests. Left a few minor comments. Also, I think we want to add some logs when the failure counters are 5 (max) and are resetted. IIUC from the conversation, this reaching max failures might be an indication of issues in some part of the system. We reset the counters to ease support burden but in the meantime it sorta hides the problems and logs should be helpful to make them discoverable.

[ywangd]

Nit: can we short-circuit earlier when nodesAdd() is true which feels a bit easier to read to me?

[pxsalehi]

We'd need to do the book-keeping of the seen shutdowns any way. I can add a comment or break the return line into multiple lines maybe. Frankly, I found this more readable. Maybe a comment-equivalent of that helps?

[ywangd]

I wonder whether we can do away with the book-keeping? Can we compare the old and new cluster states and decide whether a shutdown record has been "added" or "removed but still in the cluster" and thus needing reset? It maybe helpful to enhance ClusterChangedEvent to provide some shutdownChanged() method similar to nodesChanged() so that it can be reused. This can be a separate PR. For the work here, a localized solution is fine.

[pxsalehi]

Unless you feel strongly about this, I'd rather not revisit that part in this PR. We have used this elsewhere and its edge cases have been reviewed (as mentioned in the PR description), and I think well-tested in this PR too. So reusing it makes sense. I can follow up with your suggestion and if it works out also simplify the similar code we have for auto-resetting the desired balance.

I can break off the return statement to something like

if (changeEvent.nodesAdded() || shutdownEventAffectsAllocation) {
  return hasAllocationFailures || hasRelocationFailures;
}
return false;

[ywangd]

Yeah for consistency purpose, I am ok with this PR to keep the part as is. We can have a follow-up to then potentially change both places.

To make sure we are not cross-talking, I am posting below the concrete code suggestion. To me the main simplicity comes from no need for tracking shutdown nodes locally. I tested it with AllocationFailuresResetOnShutdownIT and AllocationFailuresResetIT and they both pass though I likely have not exhausted all possible test varaints. Let's put it through its own review process if you agree it's worthwhile to follow.

    private boolean shouldResetAllocationFailures(ClusterChangedEvent changeEvent) {
        if (changeEvent.state().getRoutingNodes().hasAllocationFailures() == false
            && changeEvent.state().getRoutingNodes().hasRelocationFailures() == false) {
            return false;
        }
        if (changeEvent.nodesAdded()) {
            return true;
        }
        final var previous = nonRestartShutdownNodes(changeEvent.previousState());
        final var current = nonRestartShutdownNodes(changeEvent.state());
        if (previous.equals(current)) {
            return false;
        }
        return Sets.difference(current, previous).isEmpty() == false // new shutdown
            // removed shutdown but the node is still in cluster
            || Sets.difference(previous, current).stream().anyMatch(nodeId -> changeEvent.state().nodes().get(nodeId) != null);
    }

    // This can be a method on either ClusterState or NodesShutdownMetadata
    private static Set<String> nonRestartShutdownNodes(ClusterState clusterState) {
        return clusterState.metadata()
            .nodeShutdowns()
            .getAll()
            .values()
            .stream()
            .filter(m -> m.getType() != SingleNodeShutdownMetadata.Type.RESTART)
            .map(SingleNodeShutdownMetadata::getNodeId)
            .collect(Collectors.toUnmodifiableSet());
    }

[ywangd]

This will cover restarted nodes as well. I think it's ok since it is covered by nodesAdded anyway. It may lead to reset a few more times:

1. On shutdown metadata (either restart or sigterm for serverless azure cluster)
2. On node join after restart
3. On shutdown metadata removal (if in a later cluster state update)

Still might be ok. Just to be explicit.

[pxsalehi]

We explicitly avoid reset when the RESTART metadata is applied. When the node rejoins, yes, there will be a reset. We could explicitly prevent it, but not sure it is worth it. Removal of RESTART shouldn't cause a reset if the node is in the cluster. I think it is tested as well.

[ywangd]

I should have been clear, by "restart", I meant the Azure specific behaviour where the node still goes through the sigterm shutdown record lifecyle while restarted by the Azure "auto-repair" feature. When it happens, we will reset the counter a few more times which should be ok.

[pxsalehi]

add some logs when the failure counters are 5

Yeah, we could. You mean the same way that we log resetting desired balance or including details of which shards had failures? The latter seems a bit verbose, but some summary of it maybe.

[ywangd]

You mean the same way that we log resetting desired balance or including details of which shards had failures?

I was thinking more like the later otherwise it is hard to go back in the logs to find the actual shards. It would be great if the log message has a list of shards (potentially truncated if the list is too large) that have 5 failures. What do you think?

[pxsalehi]

I was thinking more like the later otherwise it is hard to go back in the logs to find the actual shards. It would be great if the log message has a list of shards (potentially truncated if the list is too large) that have 5 failures. What do you think?

Yes, I think that's helpful too. I'll add it in this PR.

[ywangd]

Probably for my knowledge: Why does this assert failedRelocations < maxAttemps instead of failedRelocations == 0?

[pxsalehi]

what we care about is the reset of the counter. so anything below max would do. I don't see a reason to be too strict here, since the test will be extra brittle if for whatever reason it takes more than one attempt to allocate/relocate.

[ywangd]

Yeah for consistency purpose, I am ok with this PR to keep the part as is. We can have a follow-up to then potentially change both places.

To make sure we are not cross-talking, I am posting below the concrete code suggestion. To me the main simplicity comes from no need for tracking shutdown nodes locally. I tested it with AllocationFailuresResetOnShutdownIT and AllocationFailuresResetIT and they both pass though I likely have not exhausted all possible test varaints. Let's put it through its own review process if you agree it's worthwhile to follow.

    private boolean shouldResetAllocationFailures(ClusterChangedEvent changeEvent) {
        if (changeEvent.state().getRoutingNodes().hasAllocationFailures() == false
            && changeEvent.state().getRoutingNodes().hasRelocationFailures() == false) {
            return false;
        }
        if (changeEvent.nodesAdded()) {
            return true;
        }
        final var previous = nonRestartShutdownNodes(changeEvent.previousState());
        final var current = nonRestartShutdownNodes(changeEvent.state());
        if (previous.equals(current)) {
            return false;
        }
        return Sets.difference(current, previous).isEmpty() == false // new shutdown
            // removed shutdown but the node is still in cluster
            || Sets.difference(previous, current).stream().anyMatch(nodeId -> changeEvent.state().nodes().get(nodeId) != null);
    }

    // This can be a method on either ClusterState or NodesShutdownMetadata
    private static Set<String> nonRestartShutdownNodes(ClusterState clusterState) {
        return clusterState.metadata()
            .nodeShutdowns()
            .getAll()
            .values()
            .stream()
            .filter(m -> m.getType() != SingleNodeShutdownMetadata.Type.RESTART)
            .map(SingleNodeShutdownMetadata::getNodeId)
            .collect(Collectors.toUnmodifiableSet());
    }

[ywangd]

The PR looks good to me. I have only minor comments. I'll review it again if you are adding logging to it. Alternatively, I am also ready to approve it if you prefer loggings to be a separate PR. Please let me know. Thanks!

[pxsalehi]

Thanks. Since we've already gotten into both points here, I'll just add it here and ping you. Didn't have time to get back to this.

[pxsalehi]

I've chosen to add the logging here, to be able to produce some reliable information and also it integrates with the existing code of going through the failures. SETTING_ALLOCATION_MAX_RETRY is an index scoped setting so I'm not referring to any value, just picking those reaching max. Anything under max is not mentioned, as was the case before.

[pxsalehi]

Simplified the prod code a bit in d4140e5 and added logging in f6918de. The simplification doesn't apply to #106998 since we don't have the ClusterChangedEvent like here.

[ywangd]

LGTM

Thanks for the iterations! Test cases look very solid 👍

[ywangd]

Nit: can we keep the old name of routingChangesObserver?

[pxsalehi]

I very much prefer the observer since it returns a RoutingChangesObserver.

[ywangd]

Nit: I think we can check the size along with failedAllocations > 0 to short-circuit a bit earlier and avoid resolving the setting value.

[pxsalehi]

I don't think so,shardsWithMaxFailedAllocations counts all of the ones that have reached max, while topShardIdsWithFailedAllocations stores only a portion of the shard IDs.

[ywangd]

Similar nit: checking size before resolving setting value would be my preference.

[ywangd]

Nit:

Suggested change

	"Resetting failure counter for %d shard(s) that have reached their max allocation retires (%s)";
	public static final String RESET_FAILED_RELOCATION_COUNTER_LOG_MSG =
	"Resetting failure counter for %d shard(s) that have reached their max relocation retries (%s)";
	"Resetting failure counter for [%d] shard(s) that have reached their max allocation retires (%s)";
	public static final String RESET_FAILED_RELOCATION_COUNTER_LOG_MSG =
	"Resetting failure counter for [%d] shard(s) that have reached their max relocation retries (%s)";

[pxsalehi]

@elasticmachine update branch