HDDS-14498. Zero Downtime Upgrade Design (ZDU)

[sodonnel]

What changes were proposed in this pull request?

This is a design document for Ozone Zero Downtime Upgrade (ZDU).

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14498

How was this patch tested?

N/A

[ptlrs]

These don't render correctly

[smengcl]

Thanks @sodonnel @errose28 @fapifta for the design.

[smengcl]

Could SCM or OM bootstrapping during Step 1 or Step 4 lead to any potential issue? e.g. in a busy cluster, a newly upgraded OM finds itself lagging behind (by a lot), and decides to bootstrap from an older-version OM.

At least DB schema won't be changed until finalization.

[errose28]

This should not cause an issue, because the apparent versions the components will remain the same in the Ratis ring even as the software is updated. That means the components with newer software version will still write data in a way that the older components bootstrapping can understand (and vice versa). Check out the table around line 107 and the appendix to see how the apparent version moves in lock step for a Ratis ring.

Finalization to move the apparent version forward can be done from a Ratis snapshot because the version is written to the DB as well as the version file. This is already handled in the current upgrade flow because finalization is an online operation.

[smengcl]

Suggested change

	DIsk and datanode balancing could be safely suspended if required. For disk balancing, the process is all within the same datanode process, so mixed component versions are not a concern. Cross node balancing uses the container replication mechanism internally, and we would not gain much by pausing it during upgrades either.
	Disk and datanode balancing could be safely suspended if required. For disk balancing, the process is all within the same datanode process, so mixed component versions are not a concern. Cross node balancing uses the container replication mechanism internally, and we would not gain much by pausing it during upgrades either.

[smengcl]

Is it correct to assume that decommissioned datanodes would be ignored during the upgrade in Step 3? If so, what if they are recommissioned later (say after Step 4)?

[errose28]

There upgrade/restart steps are done by an admin, possibly with an orchestration layer, so Ozone doesn't decide whether or not the decom nodes get upgraded. If they do, nothing about the decom/maintenace/recom process is expected to change though since ZDU means all existing operations are allowed throughout the upgrade and finalization process.

Starting on line 227 we spec out how datanodes are handled relative to SCM, which includes if they are offline and come back later. Let me know if there's more questions in that area. Note that once SCM is finalized, any datanodes that later appear with the old software version will be fenced out until the admin upgrades them.

The doc currently doesn't specify whether nodes undergoing decom or maintenance will be instructed to finalize by SCM. I think we should still send them the finalize commands so they don't block further upgrade steps unnecessarily. @sodonnel what do you think?

[smengcl]

ZDU can take several days

Then it would be nice to have a dashboard for this (not just in CM). It can show how much time has been taken for each component, how much overall progress has been made, estimated time remaining for each component and overall. New metrics can be added as needed.

[errose28]

Definitely. This was in my head but I realized there was no Jira. I filed HDDS-14825. We should be able to do this with just the software and apparent version metrics. Finalization status can be derived from that by the dashboard.

[github-actions]

This PR has been marked as stale due to 21 days of inactivity. Please comment or remove the stale label to keep it open. Otherwise, it will be automatically closed in 7 days.

[github-actions]

This PR has been marked as stale due to 21 days of inactivity. Please comment or remove the stale label to keep it open. Otherwise, it will be automatically closed in 7 days.

[github-actions]

This PR has been marked as stale due to 21 days of inactivity. Please comment or remove the stale label to keep it open. Otherwise, it will be automatically closed in 7 days.

[errose28]

I have updated the doc based on two design flaws that were exposed during development:

If the finalize command is sent only to SCM, OM cannot reliably learn when to finalize

There may be release which only increase the OM component version. In this case SCM will be automatically finalized on startup. If OM only polls SCM and finalizes automatically when SCM's software and apparent versions match, it would incorrectly finalize on startup without an admin command, preventing downgrade. Additionally the finalize and status commands cannot use one CLI to contact both OM and SCM since they are usually configured with different kerberos principals. The updated upgrade finalize and status commands now go to OM only and pass through to SCM. OM writes a marker to its DB to indicate that a finalize command was given and that it should start polling SCM for HDDS finalization status. The order of component finalization (SCM -> DNs -> OM) remains the same.

Missing handling of mixed software datanodes during container replication

The previous design only accounted for datanodes with different apparent versions but identical software versions. A Datanode client/source in the new software version pushing a container to a Datanode server/target with an old software version would still have compatibility issues. In the new design the lowest apparent version to use on the replication path is provided by SCM, similar to what is done on the write path. This negates the need for Datanodes to finalize automatically when contacted by a newer peer.