Seeds Driven Cluster Bootstrap #6744
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dlex
force-pushed
the
333_cluster-bootstrap
branch
from
e816ecc
to
402bf3a
Compare
|
Force-push update:
|
|
Can you explaing what SDCB and ESCB mean ? Maybe adding this to cover letter would help |
dlex
force-pushed
the
333_cluster-bootstrap
branch
from
402bf3a
to
423e510
Compare
|
force-push: rebased onto |
cluster_test_fixure now supports the empty_seed_starts_cluster parameter
dlex
force-pushed
the
333_cluster-bootstrap
branch
from
525596e
to
609ebda
Compare
|
force push: review comments addressed, |
bootstrap_backend operates on credentail_storage for that. In security_frontend, maybe_create_bootstrap_user() is changed into get_bootstrap_user_creds_from_env(), and the actual bootstrap user creation is not done anymore.
Client: parallel querying of all seed_servers w/o timeout, until results are obtained from all peer seed servers. Verify that both versions and configurations match Server: supply data initial_seed_brokers() now returns a future
cluster_discovery caches if cluster_uuid is present is_cluster_founder() to determine if the node should be starting a cluster
Cluster founders need to be able to elect a leader so they can decide which node replicates the cluster_bootstrap_cmd, and do that before controller starts.
This commit adds options to the RedpandaService class to: - change the set of seed servers - change whether or not node idx 1 is deemed the root node
Peer seed nodes discovered throught cluster_discovery before the cluster is bootstrapped are required to be at the same latest logical versions as the local. Therefore as the cluster is initialized, versions of seed nodes can safely be assumed to be at the latest. That enables the auto node_id feature that is essential for cluster bootstrap.
dlex
force-pushed
the
333_cluster-bootstrap
branch
from
609ebda
to
50840ed
Compare
|
force push: fix a linter error |
| cluster_discovery::get_cluster_founder_node_id() { | ||
| if (config::node().empty_seed_starts_cluster()) { | ||
| if (config::node().seed_servers().empty()) { | ||
| return node_id{0}; | ||
| co_return node_id{0}; |
There was a problem hiding this comment.
do we validate that in this case node_id configured in redpanda.yml matches the one returned from here ?
There was a problem hiding this comment.
nope, I agree that it should be added
mmaslankaprv
approved these changes
Oct 19, 2022
6 tasks
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 21, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
6 tasks
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 21, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 24, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 24, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 24, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 25, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 25, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 25, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
andrwng
added a commit
to andrwng/redpanda
that referenced
this pull request
Oct 25, 2022
The original implementation of seeds-driven bootstrap had pieces of the various validation required for bootstrap strewn about startup. Because of this, I found it difficult to reason about what validations are done when, and what work may be duplicated, while reading through the code. This commit puts all validations up front so we determine whether we are a founder immediately and use a cached value thereafter. This is mostly addressing review comments on redpanda-data#6744.
dotnwat
reviewed
Oct 26, 2022
| @@ -73,7 +73,8 @@ feature_manager::feature_manager( | |||
|
|
|||
| ) {} | |||
|
|
|||
| ss::future<> feature_manager::start() { | |||
| ss::future<> | |||
| feature_manager::start(std::vector<model::node_id>&& cluster_founder_nodes) { | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cover letter
This PR addresses the second part of the scope of the "Cluster Bootstrap" project. The first part was addressed by #6659.
This PR introduces a new node configuration parameter
empty_seed_starts_clusterthat can disable the Empty Seed Cluster Bootstrap AKA Root Driven Cluster Bootstrap (legacy) mode of bootstrapping a cluster, and allows the set of servers listed as seeds in each node configuration to start a cluster together, as soon as they form a raft group and elect a leader. The new bootstrapping mode is referred as Seeds Driven Cluster Bootstrap.In either mode, cluster now gets cluster UUID reflected by a new controller log message, which lands second in the controller log right after the initial raft configuration message. Cluster UUID is also stored in kvstore of shard0 in every node.
In the new Seeds Driven bootstrap mode, all seed servers must be available for a cluster to be created, with identical node configurations. Afterwards, none of seed servers should try to form another new cluster ("split-brain") if their local storage is wiped out, unless all seed nodes are wiped together at the same time.
Fixes #333
Backport Required
UX changes
Node Configuration in redpanda.yaml
empty_seed_starts_cluster(default: true) to switch between the Empty Seed Cluster Bootstrap (legacy) mode, and the Seeds Driven Cluster Bootstrap mode. When disabled, it is required to be disabled in all seed nodes.seed_serversare required to be identical in every seed node when in the Seeds Driven Cluster Bootstrap mode.Release notes
Features
empty_seed_starts_clusterto use it. That will allow the set of servers listed as seeds to start a cluster together. All seed servers must be available for a cluster to be created, with identical node configurations. Afterwards, none of seed servers will try to form another new cluster if their local storage is wiped out, unless all seed nodes are wiped together at the same time. Cluster now gets cluster UUID reflected by a new controller log message, and stored in kvstore.Improvements