
Improve "SENTINEL FAILOVER" by using the "FAILOVER" command #1292

Open
wants to merge 5 commits into
base: unstable

Commits on Nov 23, 2024

  1. sentinel-tests: Clean up config after config set tests

    Signed-off-by: Simon Baatz <[email protected]>
    gmbnomis committed Nov 23, 2024
    672fb7d
  2. Wait for all Sentinels to be connected before starting tests

    Up to now the sentinel test initialization verified that all sentinels detect each other.
    However, detection does not imply connection, which led to intermittent failures in the
    coordinated failover tests (no leader elected since disconnected sentinels do not take part in a
    vote).
    
    Fix this by waiting until no sentinel reports being "disconnected".
    
    Signed-off-by: Simon Baatz <[email protected]>
    gmbnomis committed Nov 23, 2024
    8455e10
  3. Add option for coordinated failover to Sentinel

    Valkey supports the "FAILOVER" command to switch primary and replica
    roles in a coordinated fashion. Add a "COORDINATED" option to "SENTINEL
    FAILOVER". When given, use "FAILOVER" in the Sentinel forced failover
    procedure. Since we force the failover, i.e. we don't elect a leader,
    the failover must succeed quickly before other Sentinels will regard
    the primary as down.
    
    Signed-off-by: Simon Baatz <[email protected]>
    gmbnomis committed Nov 23, 2024
    bddceb5
  4. Allow Sentinel to recover from a stuck FAILOVER

    The FAILOVER command may ["encounter some scenarios it can not automatically remediate from and
    may get stuck."](https://valkey.io/commands/failover/#failover-abort). The supervision of the
    Sentinels is used to handle these situations:
    
    1. "REPLICAOF" is not accepted during a failover. Thus, send a "FAILOVER ABORT" before sending a
       "REPLICAOF" to a node in `sentinelSendReplicaOf()`. (If there is no ongoing failover, the
       resulting error will just be ignored)
    2. Sentinel monitors nodes for deviations from the expected state (wrong role or replication).
       Add a check for replicas that are in a failover state for too long and reconfigure them.
    
    In addition, monitoring the failover state is used to find out whether the FAILOVER command
    is supported by the Valkey instance. If not, don't use "FAILOVER" or "FAILOVER ABORT".
    
    Signed-off-by: Simon Baatz <[email protected]>
    gmbnomis committed Nov 23, 2024
    439f367

Commits on Dec 1, 2024

  1. SENTINEL FAILOVER COORDINATED actually does a leader election

    Doing a proper leader election allows increasing the time available
    for the actual FAILOVER command, as other Sentinels will not attempt
    to initiate another failover during the failover timeout.
    
    Interestingly, Sentinel does not take the reported primary up/down
    status into account when counting replies to leader election. Thus,
    Sentinel will simply proceed with the failover once we reach the
    quorum even if we aren't in the O_DOWN state.
    
    Signed-off-by: Simon Baatz <[email protected]>
    gmbnomis committed Dec 1, 2024
    55473d8