Add safety phase to CoordinatorTests (#34241)

Today's CoordinatorTests have a limited amount of randomisation in how things
are scheduled. However, to be fully confident in Zen2's liveness we require the
system to stabilise after any permitted sequence of events. We can achieve
this by running the system in a much more random fashion for a while, with much
larger variation in when things are scheduled (simulating GC pressure and
network disruption) and then continuing to assert that the system stabilises as
we expect. When running randomly, we do not expect to make significant progress
and merely verify that no safety property is violated.

This change introduces the runRandomly() test method which implements this
idea. It also fixes a handful of liveness bugs that this first version of
runRandomly() exposed.

Author: DaveCTurner

server/src/main/java/org/elasticsearch/cluster/coordination/Coordinator.java

@@ -39,6 +39,7 @@
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.concurrent.ListenableFuture;
 import org.elasticsearch.discovery.Discovery;
 import org.elasticsearch.discovery.DiscoverySettings;
@@ -184,6 +185,13 @@ PublishWithJoinResponse handlePublishRequest(PublishRequest publishRequest) {
         synchronized (mutex) {
             final DiscoveryNode sourceNode = publishRequest.getAcceptedState().nodes().getMasterNode();
             logger.trace("handlePublishRequest: handling [{}] from [{}]", publishRequest, sourceNode);
+
+            if (sourceNode.equals(getLocalNode()) && mode != Mode.LEADER) {
+                // Rare case in which we stood down as leader between starting this publication and receiving it ourselves. The publication
+                // is already failed so there is no point in proceeding.
+                throw new CoordinationStateRejectedException("no longer leading this publication's term: " + publishRequest);
+            }
+
             ensureTermAtLeast(sourceNode, publishRequest.getAcceptedState().term());
             final PublishResponse publishResponse = coordinationState.get().handlePublishRequest(publishRequest);
 
@@ -438,8 +446,10 @@ public void invariant() {
                         = currentPublication.map(Publication::publishedState).orElse(coordinationState.get().getLastAcceptedState());
                     lastPublishedState.nodes().forEach(lastPublishedNodes::add);
                     assert lastPublishedNodes.remove(getLocalNode());
+                    assert lastPublishedNodes.equals(knownFollowers) : lastPublishedNodes + " != " + knownFollowers
+                        + " [becomingMaster=" + becomingMaster + ", publicationInProgress=" + publicationInProgress() + "]";
+                    // TODO instead assert that knownFollowers is updated appropriately at the end of each publication
                 }
-                assert lastPublishedNodes.equals(knownFollowers) : lastPublishedNodes + " != " + knownFollowers;
             } else if (mode == Mode.FOLLOWER) {
                 assert coordinationState.get().electionWon() == false : getLocalNode() + " is FOLLOWER so electionWon() should be false";
                 assert lastKnownLeader.isPresent() && (lastKnownLeader.get().equals(getLocalNode()) == false);
@@ -604,11 +614,6 @@ protected void onCompletion(boolean committed) {
                             @Override
                             public void onResponse(Void ignore) {
                                 assert Thread.holdsLock(mutex) : "Coordinator mutex not held";
-                                assert coordinationState.get().getLastAcceptedTerm() == publishRequest.getAcceptedState().term()
-                                    && coordinationState.get().getLastAcceptedVersion() == publishRequest.getAcceptedState().version()
-                                    : "onPossibleCompletion: term or version mismatch when publishing [" + this
-                                    + "]: current version is now [" + coordinationState.get().getLastAcceptedVersion()
-                                    + "] in term [" + coordinationState.get().getLastAcceptedTerm() + "]";
                                 assert committed;
 
                                 // TODO: send to applier
@@ -628,7 +633,7 @@ public void onFailure(Exception e) {
                                 ackListener.onNodeAck(getLocalNode(), exception); // other nodes have acked, but not the master.
                                 publishListener.onFailure(exception);
                             }
-                        }, transportService.getThreadPool().generic());
+                        }, EsExecutors.newDirectExecutorService());
                     }
 
                     @Override

server/src/main/java/org/elasticsearch/cluster/coordination/JoinHelper.java

@@ -30,11 +30,14 @@
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.ConcurrentCollections;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.threadpool.ThreadPool.Names;
 import org.elasticsearch.transport.TransportException;
+import org.elasticsearch.transport.TransportRequestOptions;
 import org.elasticsearch.transport.TransportResponse;
 import org.elasticsearch.transport.TransportResponse.Empty;
 import org.elasticsearch.transport.TransportResponseHandler;
@@ -56,9 +59,15 @@ public class JoinHelper extends AbstractComponent {
     public static final String JOIN_ACTION_NAME = "internal:cluster/coordination/join";
     public static final String START_JOIN_ACTION_NAME = "internal:cluster/coordination/start_join";
 
+    // the timeout for each join attempt
+    public static final Setting<TimeValue> JOIN_TIMEOUT_SETTING =
+        Setting.timeSetting("cluster.join.timeout",
+            TimeValue.timeValueMillis(60000), TimeValue.timeValueMillis(1), Setting.Property.NodeScope);
+
     private final MasterService masterService;
     private final TransportService transportService;
     private final JoinTaskExecutor joinTaskExecutor;
+    private final TimeValue joinTimeout;
 
     final Set<Tuple<DiscoveryNode, JoinRequest>> pendingOutgoingJoins = ConcurrentCollections.newConcurrentSet();
 
@@ -68,6 +77,7 @@ public JoinHelper(Settings settings, AllocationService allocationService, Master
         super(settings);
         this.masterService = masterService;
         this.transportService = transportService;
+        this.joinTimeout = JOIN_TIMEOUT_SETTING.get(settings);
         this.joinTaskExecutor = new JoinTaskExecutor(allocationService, logger) {
 
             @Override
@@ -130,29 +140,31 @@ public void sendJoinRequest(DiscoveryNode destination, Optional<Join> optionalJo
         final Tuple<DiscoveryNode, JoinRequest> dedupKey = Tuple.tuple(destination, joinRequest);
         if (pendingOutgoingJoins.add(dedupKey)) {
             logger.debug("attempting to join {} with {}", destination, joinRequest);
-            transportService.sendRequest(destination, JOIN_ACTION_NAME, joinRequest, new TransportResponseHandler<Empty>() {
-                @Override
-                public Empty read(StreamInput in) {
-                    return Empty.INSTANCE;
-                }
+            transportService.sendRequest(destination, JOIN_ACTION_NAME, joinRequest,
+                TransportRequestOptions.builder().withTimeout(joinTimeout).build(),
+                new TransportResponseHandler<Empty>() {
+                    @Override
+                    public Empty read(StreamInput in) {
+                        return Empty.INSTANCE;
+                    }
 
-                @Override
-                public void handleResponse(Empty response) {
-                    pendingOutgoingJoins.remove(dedupKey);
-                    logger.debug("successfully joined {} with {}", destination, joinRequest);
-                }
+                    @Override
+                    public void handleResponse(Empty response) {
+                        pendingOutgoingJoins.remove(dedupKey);
+                        logger.debug("successfully joined {} with {}", destination, joinRequest);
+                    }
 
-                @Override
-                public void handleException(TransportException exp) {
-                    pendingOutgoingJoins.remove(dedupKey);
-                    logger.info(() -> new ParameterizedMessage("failed to join {} with {}", destination, joinRequest), exp);
-                }
+                    @Override
+                    public void handleException(TransportException exp) {
+                        pendingOutgoingJoins.remove(dedupKey);
+                        logger.info(() -> new ParameterizedMessage("failed to join {} with {}", destination, joinRequest), exp);
+                    }
 
-                @Override
-                public String executor() {
-                    return Names.SAME;
-                }
-            });
+                    @Override
+                    public String executor() {
+                        return Names.SAME;
+                    }
+                });
         } else {
             logger.debug("already attempting to join {} with request {}, not sending request", destination, joinRequest);
         }

server/src/main/java/org/elasticsearch/common/settings/ClusterSettings.java

@@ -33,6 +33,7 @@
 import org.elasticsearch.cluster.action.index.MappingUpdatedAction;
 import org.elasticsearch.cluster.coordination.Coordinator;
 import org.elasticsearch.cluster.coordination.ElectionSchedulerFactory;
+import org.elasticsearch.cluster.coordination.JoinHelper;
 import org.elasticsearch.cluster.metadata.IndexGraveyard;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.cluster.routing.OperationRouting;
@@ -445,10 +446,12 @@ public void apply(Settings value, Settings current, Settings previous) {
                     IndexGraveyard.SETTING_MAX_TOMBSTONES,
                     EnableAssignmentDecider.CLUSTER_TASKS_ALLOCATION_ENABLE_SETTING,
                     PeerFinder.DISCOVERY_FIND_PEERS_INTERVAL_SETTING,
+                    PeerFinder.DISCOVERY_REQUEST_PEERS_TIMEOUT_SETTING,
                     ElectionSchedulerFactory.ELECTION_INITIAL_TIMEOUT_SETTING,
                     ElectionSchedulerFactory.ELECTION_BACK_OFF_TIME_SETTING,
                     ElectionSchedulerFactory.ELECTION_MAX_TIMEOUT_SETTING,
-                    Coordinator.PUBLISH_TIMEOUT_SETTING
+                    Coordinator.PUBLISH_TIMEOUT_SETTING,
+                    JoinHelper.JOIN_TIMEOUT_SETTING
             )));
 
     public static List<SettingUpgrader<?>> BUILT_IN_SETTING_UPGRADERS = Collections.unmodifiableList(Arrays.asList(

server/src/main/java/org/elasticsearch/common/util/concurrent/ListenableFuture.java

@@ -82,7 +82,7 @@ protected synchronized void done() {
 
     private void notifyListener(ActionListener<V> listener, ExecutorService executorService) {
         try {
-            executorService.submit(new Runnable() {
+            executorService.execute(new Runnable() {
                 @Override
                 public void run() {
                     try {

server/src/main/java/org/elasticsearch/discovery/PeerFinder.java

@@ -36,6 +36,7 @@
 import org.elasticsearch.common.util.concurrent.AbstractRunnable;
 import org.elasticsearch.threadpool.ThreadPool.Names;
 import org.elasticsearch.transport.TransportException;
+import org.elasticsearch.transport.TransportRequestOptions;
 import org.elasticsearch.transport.TransportResponseHandler;
 import org.elasticsearch.transport.TransportService;
 
@@ -59,7 +60,12 @@ public abstract class PeerFinder extends AbstractComponent {
         Setting.timeSetting("discovery.find_peers_interval",
             TimeValue.timeValueMillis(1000), TimeValue.timeValueMillis(1), Setting.Property.NodeScope);
 
-    private final TimeValue findPeersDelay;
+    public static final Setting<TimeValue> DISCOVERY_REQUEST_PEERS_TIMEOUT_SETTING =
+        Setting.timeSetting("discovery.request_peers_timeout",
+            TimeValue.timeValueMillis(3000), TimeValue.timeValueMillis(1), Setting.Property.NodeScope);
+
+    private final TimeValue findPeersInterval;
+    private final TimeValue requestPeersTimeout;
 
     private final Object mutex = new Object();
     private final TransportService transportService;
@@ -75,7 +81,8 @@ public abstract class PeerFinder extends AbstractComponent {
     public PeerFinder(Settings settings, TransportService transportService, TransportAddressConnector transportAddressConnector,
                       ConfiguredHostsResolver configuredHostsResolver) {
         super(settings);
-        findPeersDelay = DISCOVERY_FIND_PEERS_INTERVAL_SETTING.get(settings);
+        findPeersInterval = DISCOVERY_FIND_PEERS_INTERVAL_SETTING.get(settings);
+        requestPeersTimeout = DISCOVERY_REQUEST_PEERS_TIMEOUT_SETTING.get(settings);
         this.transportService = transportService;
         this.transportAddressConnector = transportAddressConnector;
         this.configuredHostsResolver = configuredHostsResolver;
@@ -241,7 +248,7 @@ private boolean handleWakeUp() {
             }
         });
 
-        transportService.getThreadPool().schedule(findPeersDelay, Names.GENERIC, new AbstractRunnable() {
+        transportService.getThreadPool().schedule(findPeersInterval, Names.GENERIC, new AbstractRunnable() {
             @Override
             public boolean isForceExecution() {
                 return true;
@@ -360,9 +367,11 @@ public void onFailure(Exception e) {
             });
         }
 
-        private void removePeer() {
+        void removePeer() {
             final Peer removed = peersByAddress.remove(transportAddress);
-            assert removed == Peer.this;
+            // assert removed == Peer.this : removed + " != " + Peer.this;
+            // ^ This assertion sometimes trips if we are deactivated and reactivated while a request is in flight.
+            // TODO be more careful about avoiding multiple active Peer objects for each address
         }
 
         private void requestPeers() {
@@ -380,6 +389,7 @@ private void requestPeers() {
 
             transportService.sendRequest(discoveryNode, REQUEST_PEERS_ACTION_NAME,
                 new PeersRequest(getLocalNode(), knownNodes),
+                TransportRequestOptions.builder().withTimeout(requestPeersTimeout).build(),
                 new TransportResponseHandler<PeersResponse>() {
 
                     @Override