Tighten sequence numbers recovery

[jasontedor]

This commit touches addresses issues related to recovery and sequence numbers:

• A sequence number can be assigned and a Lucene commit created with a
  maximum sequence number at least as large as that sequence number,
  yet the operation corresponding to that sequence number can be
  missing from both the Lucene commit and the translog. This means that
  upon recovery the local checkpoint will be stuck at or below this
  missing sequence number. To address this, we force the local
  checkpoint to the maximum sequence number in the Lucene commit when
  opening the engine. Note that there can still be gaps in the history
  in the translog but we do not address those here.
• The global checkpoint is transferred to the target shard at the end
  of peer recovery.
• Additionally, we reenable the relocation integration tests.

Lastly, this work uncovered some bugs in the assignment of sequence
numbers on replica operations:

• setting the sequence number on replica write requests was missing,
  very likely introduced as a result of resolving merge conflicts
• handling operations that arrive out of order on a replica and have a
  version conflict with a previous operation were never marked as
  processed

Relates #10708

[jasontedor]

retest this please

[jasontedor]

retest this please

[jasontedor]

retest this please

[bleskes]

Looks great. I left some suggestion. I do think there is something wrong with the inner delete method on the engine

[bleskes]

maybe assert at the end of this method that the seqNo is set on the replica request?

[jasontedor]

I pushed 1c71393.

[bleskes]

nit: "are in the lucene commit" -> "are in the lucene commit or the translog generation associated with it"

[jasontedor]

I pushed 1c71393.

[bleskes]

why do we do this twice now? I'm not sure this what you intended?

[bleskes]

Also - it feels like this can simplified based on the origin. I do wonder if the code reuse in checkVersionConflict is worth the extra complexity it brings to reading the code.

[jasontedor]

Oops. I pushed 1c71393.

[bleskes]

can you add a comment about when the current global checkpoint can be higher? here is what I wrote in #10708

Note that the global checkpoint is a local knowledge of that is update under the mandate of the primary. It may be that the primary information is lagging compared to a replica. This can happen when a replica is promoted to a primary (but still has stale info).

[jasontedor]

I pushed 1c71393.

[bleskes]

paranoia - can we flip this around and mark the target allocation as "in sync" before we give it the global checkpoint? it at least reads better as "we know you are in sync and therefore every global checkpoint advances will take you into account"

[jasontedor]

I pushed 1c71393.

[bleskes]

I don't think this is correct anymore - clean the translog files? (I know it was there before, it just caught my eye)

[bleskes]

I don't think this is correct anymore - clean the translog files? (I know it was there before, it just caught my eye)

[jasontedor]

You're right, it was already not correct. I pushed 1c71393.

[bleskes]

you evil person :)

[bleskes]

I wonder if we should do the test based on real world scenarios we know can happen. I think it will make things clearer?

For example, using a replica engine :

1. Index a doc, with seq#1
2. Delete the same doc with seq#3
3. Flush
4. index doc with seq#2

To do so on a primary takes something more evil - instead of skiping translog ops, make sure this come "out of order". So make the seq number service put a seq# aside but then serve it on a follow up request.

I think this also serve as documentation of when this can happen.

[jasontedor]

I have a plan here, but it's a work-in-progress.

[bleskes]

I presume this is still in progress? (which is fine)

[jasontedor]

I pushed f57eb99.

[bleskes]

++. Maybe also add a sanity check that a get on the doc at the end gives us what we expect? (deleted or found)

[jasontedor]

I pushed 1c71393.

[bleskes]

left some comments

[bleskes]

hmm... what happens if the last op is an index, but the previous op was a delete with a higher version?

[jasontedor]

This represents whether or not the last operation before shuffling, and hence the operation with the highest version, is an index or delete operation. I think that this is correct?

[bleskes]

yep. it's just before the shuffle. got confused. all good.

[bleskes]

What happens if this is a replica and we have a version conflict and throws an exception? I think we still end up not marking the seq no as completed?

[bleskes]

How about something like this?

diff --git a/core/src/main/java/org/elasticsearch/index/engine/InternalEngine.java b/core/src/main/java/org/elasticsearch/index/engine/InternalEngine.java
index e75dc47..d16c11e 100644
--- a/core/src/main/java/org/elasticsearch/index/engine/InternalEngine.java
+++ b/core/src/main/java/org/elasticsearch/index/engine/InternalEngine.java
@@ -86,6 +86,7 @@ import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Function;
 import java.util.function.LongSupplier;
+import java.util.function.Supplier;
 
 public class InternalEngine extends Engine {
 
@@ -444,11 +445,18 @@ public class InternalEngine extends Engine {
         }
     }
 
-    private boolean checkVersionConflict(
+    /**
+     * checks for version conflicts and returns the right result object if conflict was detected. returns `null`
+     * if no conflicts was found and indexing should proceed as normal
+     */
+    private <T extends Result> T checkVersionConflict(
             final Operation op,
             final long currentVersion,
             final long expectedVersion,
-            final boolean deleted) {
+            final boolean deleted,
+            final Supplier<T> resultOnSuccess,
+            final Function<Exception, T> resultOnFailure) {
+        final T result;
         if (op.versionType() == VersionType.FORCE) {
             if (engineConfig.getIndexSettings().getIndexVersionCreated().onOrAfter(Version.V_6_0_0_alpha1_UNRELEASED)) {
                 // If index was created in 5.0 or later, 'force' is not allowed at all
@@ -461,15 +469,17 @@ public class InternalEngine extends Engine {
 
         if (op.versionType().isVersionConflictForWrites(currentVersion, expectedVersion, deleted)) {
             if (op.origin().isRecovery()) {
-                // version conflict, but okay
-                return true;
+                // version conflict, but okay, mark as success
+                result = resultOnSuccess.get();
             } else {
                 // fatal version conflict
-                throw new VersionConflictEngineException(shardId, op.type(), op.id(),
-                        op.versionType().explainConflictForWrites(currentVersion, expectedVersion, deleted));
+                result = resultOnFailure.apply(new VersionConflictEngineException(shardId, op.type(), op.id(),
+                    op.versionType().explainConflictForWrites(currentVersion, expectedVersion, deleted));
             }
+        } else {
+            result = null;
         }
-        return false;
+        return result;
     }
 
     private long checkDeletedAndGCed(VersionValue versionValue) {
@@ -584,6 +594,7 @@ public class InternalEngine extends Engine {
         final Translog.Location location;
         final long updatedVersion;
         IndexResult indexResult = null;
+        long seqNo = index.seqNo();
         try (Releasable ignored = acquireLock(index.uid())) {
             lastWriteNanos = index.startTime();
             /* if we have an autoGeneratedID that comes into the engine we can potentially optimize
@@ -648,23 +659,18 @@ public class InternalEngine extends Engine {
                 }
             }
             final long expectedVersion = index.version();
-            final boolean conflict = checkVersionConflict(index, currentVersion, expectedVersion, deleted);
+            IndexResult result = checkVersionConflict(index, currentVersion, expectedVersion, deleted,
+                () -> new IndexResult(currentVersion, index.seqNo(), false),
+                exception -> new IndexResult(exception, currentVersion, index.seqNo()));
 
-            final long seqNo;
-            if (index.origin() == Operation.Origin.PRIMARY) {
-                if (!conflict) {
+            if (result == null) {
+
+                if (index.origin() == Operation.Origin.PRIMARY) {
                     seqNo = seqNoService.generateSeqNo();
-                } else {
-                    seqNo = SequenceNumbersService.UNASSIGNED_SEQ_NO;
                 }
-            } else {
-                seqNo = index.seqNo();
-            }
 
-            if (conflict) {
-                // skip index operation because of version conflict on recovery
-                indexResult = new IndexResult(expectedVersion, seqNo, false);
-            } else {
+                index.parsedDoc().updateSeqID(seqNo, index.primaryTerm());
+
                 updatedVersion = index.versionType().updateVersion(currentVersion, expectedVersion);
                 index.parsedDoc().version().setLongValue(updatedVersion);
 
@@ -686,8 +692,8 @@ public class InternalEngine extends Engine {
                 }
                 indexResult = new IndexResult(updatedVersion, seqNo, deleted);
                 location = index.origin() != Operation.Origin.LOCAL_TRANSLOG_RECOVERY
-                        ? translog.add(new Translog.Index(index, indexResult))
-                        : null;
+                    ? translog.add(new Translog.Index(index, indexResult))
+                    : null;
                 versionMap.putUnderLock(index.uid().bytes(), new VersionValue(updatedVersion));
                 indexResult.setTranslogLocation(location);
             }
@@ -695,7 +701,7 @@ public class InternalEngine extends Engine {
             indexResult.freeze();
             return indexResult;
         } finally {
-            if (indexResult != null && indexResult.getSeqNo() != SequenceNumbersService.UNASSIGNED_SEQ_NO) {
+            if (seqNo != SequenceNumbersService.UNASSIGNED_SEQ_NO) {
                 seqNoService.markSeqNoAsCompleted(indexResult.getSeqNo());
             }
         }

[jasontedor]

I strengthened the test to include the replica case (it caught the issue), and incorporated your suggestion.

[jasontedor]

Thanks @bleskes, I've responded to your feedback.

[bleskes]

LGTM! that test qualifies for the brain olympics :) left some minor comments that don't require another review

[bleskes]

nit - this can be put in scope and next to where it's created and probably made final

[jasontedor]

I pushed b9f68d4.

[bleskes]

this should use the seqNo variable

[jasontedor]

I pushed b9f68d4.

[bleskes]

I presume this is still in progress? (which is fine)

[bleskes]

I think you meant one of this to be translog?

[jasontedor]

I pushed b9f68d4.

[bleskes]

this should use the seqNo variable

[jasontedor]

I pushed b9f68d4. Annoying I caught that in the innerIndex but not here 😞.

[jasontedor]

Thanks @bleskes. I'll let CI have a go at this before merging.

[jasontedor]

My CI passes, but the PR CI build here is struggling with the checkout problem that we've been seeing. I'm going to merge and will watch our regular CI.