Add Bifrost trim gap handling support by fast-forwarding to the latest partition snapshot

[pcholakov]

Closes: #2247

[github-actions]

Test Results

  7 files  ±0    7 suites  ±0   4m 26s ⏱️ -13s
 47 tests ±0   46 ✅ ±0  1 💤 ±0  0 ❌ ±0 
182 runs  ±0  179 ✅ ±0  3 💤 ±0  0 ❌ ±0 

Results for commit 0111eec. ± Comparison against base commit 1ac1f70.

♻️ This comment has been updated with latest results.

[pcholakov]

At the moment, LogEntry.record is not public, and neither are bifrost::{MaybeRecord, TrimGap} - would we prefer to make those public and use pattern-matching directly?

[AhmedSoliman]

We can, but it doesn't sound like you need that. See my comments below.

[pcholakov]

We can optimize this by not downloading a snapshot that's older than the target LSN; I'll tackle this as a separate follow-up PR.

[pcholakov]

This seems reasonable to me. I chose to rather delay and try start again, just in case something has changed in the log - but at this point we're unlikely to get this processor going again by following the log. What's a good way to post a metric that we're spinning?

[AhmedSoliman]

Tip: You can remove one level of nesting:

Ok(ProcessorStopReason::LogTrimGap { to_lsn }) => ....
Ok(_) => warn...
Err(err) => warn...

[pcholakov]

Much better, thank you! <3

[AhmedSoliman]

We can, but it doesn't sound like you need that. See my comments below.

[AhmedSoliman]

Would it make sense to stop the read stream at the first gap and return Err instead?

[pcholakov]

I understand this to mean the map_ok function translates a trim-gap into an Err(TrimGap {..}) instead? Maybe! The way we use anyhow::Result pervasively makes this a deeper change than I wanted to tackle right away; but it also makes more sense to treat trim gaps as just another record in the stream, with errors reserved for actual failure conditions.

Zooming out a bit, modeling the Partition Processor overall outcome as Result<Canceled | StoppedAtTrimGap, ProcessingError> seems accurate: the Ok / left path is an expected if rare reason to halt; the Err / right path is an exceptional failure condition.

If you have a few minutes, I'd love to hear more about how you'd solve this? I'm certain I am also missing some subtlety around properly consuming the log stream!

[AhmedSoliman]

We discussed offline and agreed that it's best to represent this case as an error case.

[AhmedSoliman]

To me, it seems more than you want to have control over the error type rather than make the runtime behave like an async task with a return value.

In that case, your PartitionProcessorStopReason becomes the error type.

[pcholakov]

Maybe! We use anyhow::Error quite a bit in the PP now, so it would be difficult to disentangle the errors I care about, from other failure conditions. That aside, I still like modeling this as an outcome of either a known stop reason, or some other failure condition. I am treating PartitionProcessorStopReason as a normal return since both canceling the PP, or encountering a trim gap, are expected over a long enough timeline.

[AhmedSoliman]

tip: remove return

[pcholakov]

Without the return statement, I need to pull the rest of the method body into an else arm - and I specifically wanted to keep it this way. I find it easier to read without the extra nesting. Open to change it back if you feel about using the if expression as the returned value of course :-)

[AhmedSoliman]

would RetryPolicy and its internal jitter logic work for you here?

[pcholakov]

Definitely! I didn't want to plumb a retry count through just yet but maybe even without it, we can leverage the retry policy already.

[pcholakov]

I remembered why I didn't want to tackle this just yet - right now the way to get consecutive retry decisions is to get an iterator. I want to introduce an alternative API to RetryPolicy which will make this more suitable for use cases like this one, but let me rather do that as a follow up PR!

[AhmedSoliman]

let's try and avoid using Debug values in log messages higher than debug!

[pcholakov]

Very insightful rule of thumb to keep in mind, thank you!

[pcholakov]

One bit of offline feedback from @AhmedSoliman was to think edge cases around partition leadership, when an active leader encounters a trim gap.

Pushed an updated version which addresses the trim gap stop-reason as an explicit error, rather than an "ok" variant. This is because we really want to minimize the chances of misinterpreting a trim-gap record and accidentally consuming past it.

One deviation from the previous behavior with this latest revision is that read_commands (and by extension PartitionProcessor::run) immediately returns an error when a trim-gap is encountered, rather than trying to apply all the valid envelopes seen prior to it. This is acceptable: generally we would have stopped anyway; the only way to continue applying more records is to find a snapshot to fast-forward beyond the gap. Applying records from before the gap is technically not wrong but is wasteful.

Also addressed most of the remaining smaller comments, with the major exception of not using retry policy just yet - I plan to, but let's do it as a follow-up as I want to make some changes to make it easier to use here.

[pcholakov]

The Envelope handling logic is unchanged, this block is just indented due to the match expression needed to handle gaps.

[tillrohrmann]

Thanks a lot for creating this PR @pcholakov. The changes look really good to me. Well done 👏. The one question I had was how bulletproof is the logic in open_partition_store when to import a snapshot w/o dropping the partition cf based on the passed in fast_forward_lsn parameter. It seems possible that we don't fail with a trim gap error (e.g. PP being stopped) and then restart later with a partition store that has an initialized cf and an existing snapshot.

[tillrohrmann]

? calls ProcessorError::from automatically. So map_err can be removed. I stop flagging this here but there are a few other occurrences further down.

[pcholakov]

Thank you for flagging this! I distinctly recall compilation failures without these but I never investigated why - I think the return type might have been different at the time. All cleaned up now!

[tillrohrmann]

Why is it ok to import a snapshot w/o dropping the partition cf? Is it really safe that if fast_forward_lsn == None, then we guarantee that the corresponding partition cf does not exist?

[pcholakov]

This is safe, though it's very unclear in the local context why this is :-) At the very top of open_partition_store, we immediately go down a different path if we already have a store (i.e. a column family exists for the partition) and there's no fast-forward target LSN:

if partition_store_manager
    .has_partition_store(partition_id)
    .await
    && fast_forward_lsn.is_none()
{
    return Ok(partition_store_manager
        .open_partition_store(
            partition_id,
            key_range,
            OpenMode::OpenExisting,
            &options.storage.rocksdb,
        )
        .await?);
}

If we didn't go down that path, and fast_forward_lsn is unset, that means that the CF for partition_id does NOT exist.

I'll try refactor the code to make this more obvious, or failing that, at least add a comment to highlight this. Suggestions for how to make this better are welcome!

PS. import_snapshot is paranoid and will refuse to import if a CF already exists, so a potential bug here will cause a PP startup failure but not corrupt a data store.

[pcholakov]

Thanks a lot for the feedback, @tillrohrmann! 🙏 Cleaned up per your suggestions.

The one question I had was how bulletproof is the logic in open_partition_store when to import a snapshot w/o dropping the partition cf based on the passed in fast_forward_lsn parameter. It seems possible that we don't fail with a trim gap error (e.g. PP being stopped) and then restart later with a partition store that has an initialized cf and an existing snapshot.

I believe this case covered handled by the early-return here:

restate/crates/worker/src/partition_processor_manager/spawn_processor_task.rs

Lines 188 to 202 in 1baff85

	if partition_store_manager
	.has_partition_store(partition_id)
	.await
	&& fast_forward_lsn.is_none()
	{
	// We have an initialized partition store, and no fast-forward target - go on and open it.
	return Ok(partition_store_manager
	.open_partition_store(
	partition_id,
	key_range,
	OpenMode::OpenExisting,
	&options.storage.rocksdb,
	)
	.await?);
	}

- it's the common path taken when we are starting up with an existing partition store and the previous stop-reason is trim-gap encountered. We only continue on the special cases below if (re-)bootstrap is required.

If the PP previously stopped for some reason other than a trim-gap, then it's just a clean startup with an existing store. In the case of either a fresh start, or a restart after some other error, we don't have a fast-forward LSN target and will take the early return.

I tried to refactor the code to make it a bit more obvious and readable - plus added some comments. Let me know if this helps, and if you have a better idea! :-)

[tillrohrmann]

Thanks for the clarification of how the partition store is initialized from a snapshot. It makes sense to me now :-) Really nice work. LGTM. +1 for merging.

[tillrohrmann]

The comment in the parenthesis seems to be no longer correct.

[pcholakov]

Ah! Will update before I merge 👍