server: Implement compaction hash checking

[serathius]

Signed-off-by: Marek Siarkowicz siarkowicz@google.com

cc @ptabor @ahrtr @spzala
Implements #14039

[serathius]

Remaining questions:

• Can we enable this by default? It's a risky change, maybe we should just encourage users to enable it. After corruption notification was sent there was a huge response in all etcd configuration management platforms adding corruption check flag.
• For cases where cluster was corrupted before upgrade should we also make initial hash check default? I will make transition better as it will not allow corrupted member to join the cluster instead of rising alarm and stopping writes.
• Should we leave an escape hatch to disable this check? A flag that changes period that can be used to disable.

[codecov-commenter]

Codecov Report

Merging #14120 (d44bbff) into main (4977877) will decrease coverage by 0.00%.
The diff coverage is 88.88%.

@@            Coverage Diff             @@
##             main   #14120      +/-   ##
==========================================
- Coverage   75.42%   75.41%   -0.01%     
==========================================
  Files         456      456              
  Lines       36919    37037     +118     
==========================================
+ Hits        27846    27933      +87     
- Misses       7340     7358      +18     
- Partials     1733     1746      +13     

Flag	Coverage Δ
all	75.41% <88.88%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
server/config/config.go	79.76% <ø> (ø)
server/embed/config.go	73.40% <50.00%> (-0.25%)	⬇️
server/storage/mvcc/testutil/hash.go	83.56% <61.53%> (-12.19%)	⬇️
server/embed/etcd.go	75.33% <80.00%> (+0.19%)	⬆️
server/etcdserver/server.go	84.49% <94.11%> (-0.90%)	⬇️
server/etcdmain/config.go	86.34% <100.00%> (+0.11%)	⬆️
server/etcdserver/corrupt.go	88.81% <100.00%> (+2.75%)	⬆️
server/storage/mvcc/hash.go	100.00% <100.00%> (ø)
client/v3/leasing/cache.go	87.22% <0.00%> (-4.45%)	⬇️
client/v3/leasing/txn.go	88.09% <0.00%> (-3.18%)	⬇️
... and 24 more

Help us with your feedback. Take ten seconds to tell us how you rate us.

[serathius]

cc @ahrtr

[serathius]

Based on experience on etcd data inconsistency announcement I think we can launch disabled by default with strong suggestion to enable this feature. I have added 2 flags one for enabling the feature and second that allows changing frequency.

[ahrtr]

Two comments here:

1. How do you know that which member's data is corrupted? I think we should depend on quorum. For example, for a cluster with 3 members, if two members' hashes are equal, but the third one is different, then we can say the third one's data is corrupted.
2. Probably we should add a metrics as well, so that users can leverage their monitoring system (such as prometheus) to generate alarm automatically.

[serathius]

Both improvements would be great, however I'm again little worried to backport too big of a feature. Previous consistency checking didn't identify corrupted member nor it had monitoring. I think those are great ideas for feature graduation, but are not needed to address etcd v3.5 supportability as proposed originally.

[ahrtr]

I agree that we can make any additional improvement on in the main branch. The point here is that it might not be correct to raise an alarm here (line 276), because we are not sure which member's data is corrupted.

[serathius]

You right, but this is true for all data inconsistency checks. We can only hope that it's not the leader.

[ahrtr]

I think probably we should also add an API & command to expose the compact hashes, so that users can check the values themselves, and take action accordingly. For example, for a cluster of 3 members, if two members have the same compact hashes, but the third one has a different value. Then the user may want to replace the third member.

I also suggested to add a metrics for this case, please see #14120 (comment)

[serathius]

I think probably we should also add an API & command to expose the compact hashes, so that users can check the values themselves, and take action accordingly. For example, for a cluster of 3 members, if two members have the same compact hashes, but the third one has a different value. Then the user may want to replace the third member.

This implementation was meant to be limited to ensure it doesn't require additional API thus is backportable. We compact hashes are exposed via normal hashKV API, however API doesn't expose which revisions hashes where calculated for. This is ok as we will take a different approach when implementing it for v3.6.

[serathius]

PTAL @ahrtr

[ahrtr]

Overall looks good to me. The benefit for release-3.5 (after backporting this and one previous related PR) is that data inconsistency/corruption detection is enhanced to leverage the side effect of compaction operation. But users can only know the result by checking the log and alarm, which may not be user-friendly.

I agree that we should try NOT to change the API in a stable release, so it's OK just to backport what we have done to 3.5, and try to do more enhancement in 3.6 (see #14120 (comment) ).

[ahrtr]

Since the hashes entries are ordered in descending order, so you are intentionally return here if the hash checking on the latest revision is successful?

Is it possible that the latest [compactionRev, rev] hashes match, but previous ones do NOT match?

[serathius]

Yes, it could as a corruption can technically self healed. Does it mean etcd is corrupted? In my opinion no.

For example imagine that there PUT requests that was not reflected on all members. It means that hashes between members will not match. However, sometime later comes a DELETE request on the same key and it is reflected. That would restore the hash between members and invalidate previous corruption. If we look through cached hashes, the latest one will match, even though the old ones don't.

[ahrtr]

I tried to intentionally create such situation in which previous hashes do not match and the latest hashes match, but one member's data is indeed corrupted, but eventually I failed to create such situation. The root cause is etcd scans the whole KEY space starting from 0x00 to the specified compactMainRev; Specifically, the last isn't set to the prevCompactRev.

So in summary, the case that the latest [compactionRev, rev] hashes match, but previous ones do NOT match will never happen. And I think it's more safe to scan the whole KEY space instead of starting from prevCompactRev.

[ahrtr]

Does it make sense to print the member IDs which are or aren't checked in this loop?

[serathius]

There is a log above that list all peers that were successfully checked. Writing both set of checked and it's complement is overkill

[serathius]

Fixed member id in #14272 and rebased this PR on it. This is ok as I expect we will want to backport MemberID fix.

[ahrtr]

I suggest not to return here; instead, we should continue to compare other peers' hash, and generate multiple alrams if needed.

[serathius]

What you are proposing is not consistent with periodic check which only raises one alarm even though there could be multiple members corrupted.

[ahrtr]

Should we at least finish comparing all peers' hashes and generate a info or error log? I think it's helpful for 3.5, at least we can tell the hashes from log.

[serathius]

This will heavily complicate implementation. There is nothing in those logs that users cannot get themselves.

[ahrtr]

Imagine a situation for 3.5, when the compact hash checker raises an alarm CORRUPT, then users must figure out manually which member's data is corrupted. If all member's revisions are exactly the same, and the corruption is just caused by some disk I/O bit flip or disk corruption. Then users must get all members' log, and find out all the log entries below, and compare the hashes themselves.

{"level":"info","ts":"2022-07-26T15:26:01.386+0800","caller":"mvcc/kvstore_compaction.go:65","msg":"finished scheduled compaction","compact-revision":9,"took":"40.078µs","hash":1087596250}

If we finish comparing all peers' hashes here and print a info or error log, then the users can easily figure out which member's data is corrupted.

Actually It just a minor code change, and I don't think it complicate the implementation.

For 3.6, we can do some additional enhancement, but for 3.5 the users can only use the log to do analysis themselves.

[ahrtr]

Of course, we can do it in a separate PR.

[ahrtr]

The ID is displayed as hex-decimal, but it's displayed as decimal in the ERRORS. I think we should fix this, of course in a separate PR.

$ etcdctl  endpoint status -w table --cluster  
+------------------------+------------------+---------------+-----------------+---------+----------------+-----------+------------+-----------+------------+--------------------+--------------------------------+
|        ENDPOINT        |        ID        |    VERSION    | STORAGE VERSION | DB SIZE | DB SIZE IN USE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX |             ERRORS             |
+------------------------+------------------+---------------+-----------------+---------+----------------+-----------+------------+-----------+------------+--------------------+--------------------------------+
|  http://127.0.0.1:2379 | 8211f1d0f64f3269 | 3.6.0-alpha.0 |           3.6.0 |   25 kB |          25 kB |      true |      false |         4 |         69 |                 69 |  memberID:10501334649042878790 |
|                        |                  |               |                 |         |                |           |            |           |            |                    |                 alarm:CORRUPT  |
| http://127.0.0.1:22379 | 91bc3c398fb3c146 | 3.6.0-alpha.0 |           3.6.0 |   25 kB |          25 kB |     false |      false |         4 |         69 |                 69 |  memberID:10501334649042878790 |
|                        |                  |               |                 |         |                |           |            |           |            |                    |                 alarm:CORRUPT  |
| http://127.0.0.1:32379 | fd422379fda50e48 | 3.6.0-alpha.0 |           3.6.0 |   25 kB |          25 kB |     false |      false |         4 |         69 |                 69 |  memberID:10501334649042878790 |
|                        |                  |               |                 |         |                |           |            |           |            |                    |                 alarm:CORRUPT  |
+------------------------+------------------+---------------+-----------------+---------+----------------+-----------+------------+-----------+------------+--------------------+--------------------------------+

[serathius]

ping @ahrtr

[ahrtr]

LGTM with a minor comment.