Add an end-to-end test for trim gap handling using snapshots

[pcholakov]

This test simulates a trim gap and verifies the behavior with and without a suitable snapshot present to enable fast-forward over the gap.

This is a follow-up to #2456 adding an e2e test for snapshot-based fast-forward over a log trim gap.

There are several to-dos here that require deeper changes - I'd like to do those as separate PRs to avoid delaying merging of trim-gap support itself. At a minimum this includes:

• the create-snapshot admin API should return the min captured LSN of snapshots
• the trim admin API should include the effective new trim point; currently BifrostAdmin can decide to no-op the request if the trim point is greater than the global tail it knows about, which makes it hard to test
• [optional] we don't have a good way (that I'm aware of) to externally ask a specific partition processor to become leader; this would be useful for testing and potentially manual operations

Primary reviewer: @tillrohrmann

cc: @jackkleeman as an optional reviewer since I modified some test cluster infra and a test you previously added but feel free to ignore!

[github-actions]

Test Results

  7 files  ±0    7 suites  ±0   4m 29s ⏱️ +8s
 47 tests ±0   46 ✅ ±0  1 💤 ±0  0 ❌ ±0 
182 runs  ±0  179 ✅ ±0  3 💤 ±0  0 ❌ ±0 

Results for commit 9592d6a. ± Comparison against base commit d55eee4.

♻️ This comment has been updated with latest results.

[pcholakov]

I added this to avoid leaking restate-server processes from tests.

[pcholakov]

I am using this rather than test(restate_core::test) because that macro just exits the process on panic, which prevents unwinding from running - and can lead to leaked spawned processes on test failure.

[tillrohrmann]

I think the reason we have this panic hook is to ensure that if a panic occurs within a spawned task, the tests will fail. Otherwise, the panic might just be swallowed by the task.

[pcholakov]

Ah! Of course; I recall the discussion now - switched to #[test_log::test(tokio::test)] as a middle ground to ensure that the Drop callback works.

[pcholakov]

The new trim gap fast-forward test covers the same paths as this one.

[pcholakov]

With this PR, the mock service handler is now usable from other packages - this is handy for e2e testing.

[pcholakov]

I removed passing the cluster to the test routine as it is easy to accidentally drop it, and kill the cluster in the process. We can reintroduce it as a reference if it's needed in the future.

[tillrohrmann]

Thanks for creating the end-to-end test for our snapshots @pcholakov. The changes look good to me.

The one aspect that makes me a bit uneasy is that it seems that we cannot reliably guarantee that a trim has happened. If this is correct, then we might add a test which is unstable in our CI environment. Maybe because of this, it's worth to first add the functionality to report back which lsn was trimmed so that we can make the trim_log function reliable?

[tillrohrmann]

Is this try_into infallible or why is unwrap ok here?

[tillrohrmann]

Why is it ok to unwrap here?

[pcholakov]

I never answered you this - I blindly duplicated the kill implementation above without looking too closely; it appears this is completely safe. Tokio's Child::id() just passes through std::sys::pal::unix::process::Process::id's return type which is u32 but Process internally holds the pid as a pid_t = i32 and does a blind cast to u32 when returning:

https://doc.rust-lang.org/nightly/src/std/sys/pal/unix/process/process_unix.rs.html#943-945

I couldn't find any background on why, other than other people asking essentially the same question (https://users.rust-lang.org/t/std-id-vs-libc-pid-t-how-to-handle/78281/3).

Two interesting factoids I learned in the process 😀

• Linux PIDs max out to 2^22 (https://web.archive.org/web/20111209081734/http://research.cs.wisc.edu/condor/condorg/linux_scalability.html)
• macOS PIDs are limited to 99998 (https://apple.stackexchange.com/questions/51119/whats-the-maximum-pid-for-mac-os-x)

I'll update this to use expect() with a comment before merging.

[tillrohrmann]

I think the reason we have this panic hook is to ensure that if a panic occurs within a spawned task, the tests will fail. Otherwise, the panic might just be swallowed by the task.

[tillrohrmann]

If you use test_log::test(tokio::test), then you don't have to set these things up yourself.

[pcholakov]

TY!

[tillrohrmann]

You could do this by manually changing the SchedulingPlan.

[pcholakov]

I didn't think it would be this easy... and it seems like it isn't. I added a step to manually set the SchedulingPlan but it only works intermittently - Scheduler::update_scheduling_plan nukes the changes as soon as it picks them up. I think this is important, let's do definitely do it but maybe as a follow-up task to provide a leadership hint to the scheduler?

[pcholakov]

Good news! With a bit of effort, I got this to work reliably - still a draft but will get it ready for review soon: #2471

[tillrohrmann]

I think it is clearer if you compared against RunMode instead of the ordinal value which is harder to remember.

[pcholakov]

The magic of try_from! Thanks for the tip :-)

[tillrohrmann]

How did you come up with the magic number of 3 attempts?

[pcholakov]

Empirically! I think Azmy suggested it may be related to the heartbeat interval and updating the global tail. Moot now; I've converted this to a retry until the desired effective trim is reached.

[tillrohrmann]

If this method does not do anything because the admin node didn't have the up to date log tail, then I the remaining test will be stuck. This might be a problem for the stability of the test. Something to observe on our CI infra where timings can be quite skewed.

[pcholakov]

Sorry, I created the wrong impression with the todo comment - I've rebased on #2468 which allows this to be deterministic :-)

[tillrohrmann]

This looks quite similar to create_tonic_channel_from_advertised_address. Could this be reused?

[pcholakov]

I copied it nearly verbatim from restatectl's grpc_connect utility - which looks like it may have been the origin of create_tonic_channel_from_advertised_address, too. I've done this under its own PR here:

#2469

[pcholakov]

The one aspect that makes me a bit uneasy is that it seems that we cannot reliably guarantee that a trim has happened. If this is correct, then we might add a test which is unstable in our CI environment. Maybe because of this, it's worth to first add the functionality to report back which lsn was trimmed so that we can make the trim_log function reliable?

Yes, definitely! I was already working on that - I realize my todo might have created the wrong impression :-) Here is the change, on which this PR is now rebased: #2468.

I wasn't able to get the leadership change to work reliably but I'm pretty keen to do that too. However, I believe that the test as it stands should be reasonably robust to merge and won't cause undue noise in CI.

[tillrohrmann]

Thanks for adding this end-to-end test for testing snapshots and trim gap handling @pcholakov. The changes look good to me :-) +1 for merging.

[tillrohrmann]

Why is it ok to unwrap here?

[tillrohrmann]

Nit: The timeout handling could also happen at the call site via tokio::time::timeout(timeout, trim_log(client, trim_point) if you want to keep the inner logic of this function a tad bit simpler and make it more compositional. The same applies to applied_lsn_converged.

[pcholakov]

Good point, I'll refactor all the helpers where we don't need to track timeouts internally.