CORE-7000: Node ID/UUID Override

[oleiman]

Implements on-startup node UUID and ID override via CLI options or node config, as described in 2024-08-14 - RFC - Override Node UUID on Startup.

This PR was originally meant as a fully functional proof of concept, but given the mechanical simplicity of the approach (most of the code here is tests and serdes for the new config types), it has been promoted to PR.

Closes CORE-7000
Closes CORE-6830

TODO:

• determine whether this can be safely backported to at least v24.2.x, possibly farther
  • My experiments (described in https://redpandadata.atlassian.net/browse/CORE-7051) suggest that this should be safe to do.

Backports Required

• none - not a bug fix
• none - this is a backport
• none - issue does not exist in previous branches
• none - papercut/not impactful enough to backport
• v24.2.x
• v24.1.x
• v23.3.x

Release Notes

Improvements

• Adds the ability to configure Node UUID and ID overrides at broker startup.

[oleiman]

/ci-repeat 1

[vbotbuildovich]

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/53293#019175d9-8ebf-41ec-acd5-31f4de51e6dd

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/53720#01919bb1-fba1-44bd-86a9-7052d5c39c65

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/53839#0191a50e-cce5-401b-b716-7e5fcc09da61

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/54169#0191d3a1-b4c7-4d85-ac8e-5eaffffd80d6

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/54331#0191e23c-3795-498f-bea1-c8d5609976d3

[oleiman]

/ci-repeat 1

[oleiman]

@michael-redpanda - leaving this in draft pending final RFC signoff, but this is probably worth a look whenever you're ready 🙏

[oleiman]

/ci-repeat 1

[michael-redpanda]

looks really nice so far!

[oleiman]

force push contents:

• various CR cleanups
• add a CLI options test to the multi-node dt case

[oleiman]

/ci-repeat 1

[oleiman]

CI Failures:

• CI Failure (TimeoutError: Node docker-rp-xx draining leaderships) in BasicAuthUpgradeTest.test_upgrade_and_enable_basic_auth #10136 (unrelated, known) build

[micheleRP]

LGTM from docs

[oleiman]

force push to improve integration tests somewhat:

• use RedpandaService.healthy
• remove unnecessary leadership transfer

[pgellert]

The core logic looks good to me. I've added some comments for code improvement.

[pgellert]

Based on the code this seems fine. This will hit the else branch below. Then inside cluster_discovery::dispatch_node_uuid_registration_to_seeds and members_manager::handle_join_request we will try to register the node with the node id config::node().node_id() and either succeed or fail to get that specific node id but we will never get any other node id. So there's no need to set the node_id again in the conditional below with the nullopt check.

[oleiman]

Yeah, that matches my reading, but I'm curious whether there's a reason for keeping it around if we know we're starting up clean. If that node ID had previously been registered against a different UUID, I think the (re)join request will always fail.

Feels like we're trading a small amount of one-shot work on startup for cyclomatic complexity downstream; possibly I'm overlooking some other bit of state that gives the distinction meaning.

[oleiman]

At any rate, the comment is just noise!

[oleiman]

force push contents:

• Use a regex for cli parsing
• remove some comments
• ducktape cleanup

[ztlpn]

nit: any reason for the "construct lambda then immediately call" pattern?

[oleiman]

personal preference. "initialize this optional with the result of from_string or, if it throws, nullptr" feels a bit neater than "initialize this optional to nullptr then assign the result of from_string, unless it throws". The ID in the outer scope receives a value at exactly one code point.

[ztlpn]

I think it makes sense to try to register with the cluster (next conditional branch) in this case as well. For two reasons:

• it will get us fresh features and cluster config snapshots from the controller leader
• it will allow us to reject erroneous configurations (e.g. if the UUID is already registered with a different id).

Not sure if all the code for this is there, but looks like at least the join RPC supports passing existing node ids.

[oleiman]

Makes sense. I'll refactor the conditionals a little bit.

[pgellert]

Won't we hit the problem of needing a controller leader if we try to register here? Or do we also want to change members_manager::handle_join_request to not require controller leadership when the node is trying to register with a known (node uuid, node id) pair?

redpanda/src/v/cluster/members_manager.cc

Lines 1240 to 1298 in 74223be

	members_manager::handle_join_request(join_node_request const req) {
	using ret_t = result<join_node_reply>;
	using status_t = join_node_reply::status_code;
	bool node_id_assignment_supported = _feature_table.local().is_active(
	features::feature::node_id_assignment);
	bool req_has_node_uuid = !req.node_uuid.empty();
	if (node_id_assignment_supported && !req_has_node_uuid) {
	vlog(
	clusterlog.warn,
	"Invalid join request for node ID {}, node UUID is required",
	req.node.id());
	co_return errc::invalid_request;
	}
	std::optional<model::node_id> req_node_id = std::nullopt;
	if (req.node.id() >= 0) {
	req_node_id = req.node.id();
	}
	if (!node_id_assignment_supported && !req_node_id) {
	vlog(
	clusterlog.warn,
	"Got request to assign node ID, but feature not active",
	req.node.id());
	co_return errc::invalid_request;
	}
	if (
	req_has_node_uuid
	&& req.node_uuid.size() != model::node_uuid::type::length) {
	vlog(
	clusterlog.warn,
	"Invalid join request, expected node UUID or empty; got {}-byte "
	"value",
	req.node_uuid.size());
	co_return errc::invalid_request;
	}
	model::node_uuid node_uuid;
	if (!req_node_id && !req_has_node_uuid) {
	vlog(clusterlog.warn, "Node ID assignment attempt had no node UUID");
	co_return errc::invalid_request;
	}
	ss::sstring node_uuid_str = "no node_uuid";
	if (req_has_node_uuid) {
	node_uuid = model::node_uuid(uuid_t(req.node_uuid));
	node_uuid_str = ssx::sformat("{}", node_uuid);
	}
	vlog(
	clusterlog.info,
	"Processing node '{} ({})' join request (version {}-{})",
	req.node.id(),
	node_uuid_str,
	req.earliest_logical_version,
	req.latest_logical_version);
	if (!_raft0->is_elected_leader()) {
	vlog(clusterlog.debug, "Not the leader; dispatching to leader node");
	// Current node is not the leader have to send an RPC to leader
	// controller
	co_return co_await dispatch_rpc_to_leader(

[ztlpn]

Hmm good point, maybe it won't work then.

[oleiman]

yeah, the exact requirement we're trying to circumvent. i was wondering whether the cluster layer might short circuit somewhere (or be made to short circuit) on previously known <ID,UUID>, but I suppose all the request routing is controller leadership based 🤷

[ztlpn]

nit: this won't actually wait for the decom to be successful.

[ztlpn]

Nit: we are already kind of testing that the nodes will only adopt overrides that match the current uuid, but maybe it will be more realistic to do what k8s will do and perform a full rolling restart.

[oleiman]

Fair point. Will do

[oleiman]

I'm beginning to think that "rolling restart" (I used this language in the RFC and the runbook) is not quite accurate. In DT, for example, we have a RollingRestarter that a) uses maintenance mode by default b) requires the cluster to be healthy before cycling each node. Presumably a k8s rolling restart looks somewhat similar.

Of course we can't meet either of those in this usage case. In DT we can fudge it with an unsafe param or something, but we may want to reconsider this framing with respect to support-facing docs.

[oleiman]

It's worse than that, I think - in this test case, I believe a rolling restart is straightforwardly impossible, since restarting one node (with overrides) gives us a total of 2 live brokers - not enough for to form a cluster due to the presence of ghost nodes.

My intuition is that we can start the nodes concurrently (as written) as long as the number of nodes we're restarting is <= (n_nodes + n_ghosts) / 2. What matters is that the empty nodes don't form a cluster among themselves, independent of any nodes containing a complete controller log, right?

[pgellert]

Yeah, that makes sense to me. We want to restart the minimum number of ghost nodes to form a healthy cluster and wait for them to form a healthy controller quorum before continuing to restart the remaining nodes.

It makes sense to call out in the support docs not to use decommissioning or maintenance mode during any of this.

Perhaps the most important thing here is to not restart the healthy nodes to make sure they are available throughout the whole process.

[oleiman]

most important thing here is to not restart the healthy nodes

yest exactly. in fact, if we restart those nodes, I think they will get stuck just the same.

call out in the support docs not to use decommissioning or maintenance mode

Yup, and that they are unavailable.

Generally, I think we're back to the point where we have a stack of assumptions that look right but would benefit from a ✅ from Alexey or @mmaslankaprv when he becomes available

[oleiman]

force push CR changes, mostly hardening tests

[pgellert]

Yeah, that makes sense to me. We want to restart the minimum number of ghost nodes to form a healthy cluster and wait for them to form a healthy controller quorum before continuing to restart the remaining nodes.

It makes sense to call out in the support docs not to use decommissioning or maintenance mode during any of this.

Perhaps the most important thing here is to not restart the healthy nodes to make sure they are available throughout the whole process.

[pgellert]

lgtm