Add CcrRestoreSourceService to track sessions

[Tim-Brooks]

This commit is related to #36127. It adds a CcrRestoreSourceService to
track Engine.IndexCommitRef need for in-process file restores. When a
follower starts restoring a shard through the CcrRepository it opens a
session with the leader through the PutCcrRestoreSessionAction. The
leader responds to the request by telling the follower what files it
needs to fetch for a restore. This is not yet implemented.

Once, the restore is complete, the follower closes the session with the
DeleteCcrRestoreSessionAction action.

[elasticmachine]

Pinging @elastic/es-distributed

[Tim-Brooks]

The CcrRestoreSourceService implements IndexEventListener, however it is not currently registered with the IndicesClusterStateService. It looks like there is not a way to register listeners with that. They are just created:

        this.buildInIndexListener =
                Arrays.asList(
                        peerRecoverySourceService,
                        recoveryTargetService,
                        searchService,
                        syncedFlushService,
                        snapshotShardsService);

You can register listeners in an ad-hoc manner with indexes. But there might be some catches with that (like it looks like it has to be registered when the IndexService is created). So I guess I'm saying, we might need to talk about how to get the CcrRestoreSourceService into the IndicesClusterStateService.

[ywelsch]

The CcrRestoreSourceService implements IndexEventListener, however it is not currently registered with the IndicesClusterStateService. It looks like there is not a way to register listeners with that

The Plugin class offers a hook to register IndexEventListeners on index creation, using the following method:

@Override
public void onIndexModule(IndexModule indexModule) {
  indexModule.addIndexEventListener(yourSingletonListenerInstance);
}

The MockIndexEventListener.TestPlugin class should provide a good example.

[ywelsch]

I've added some initial thoughts.

[ywelsch]

perhaps it's nicer to have CcrRestoreSourceService have a reference to IndicesService instead of having it here in the TransportAction class.

[Tim-Brooks]

I'm not sure how to do this? CcrRestoreSourceService is created in createComponents. And we do not have IndicesService there.

[ywelsch]

I see two other options to the current one:

1. Pass IndicesService to createComponents.
2. Create CcrRestoreSourceService using Guice, by overriding Collection<Module> createGuiceModules().

Neither sounds really great so let's keep the current model for now.

[ywelsch]

should we have timeouts on these calls (similar as we do for peer recovery within a cluster)? Perhaps something to mark as a follow-up item?

[Tim-Brooks]

I added a todo. I will also add timeout tasks to the meta issue.

[ywelsch]

we can derive the correct remote shard id by using indexShard.indexSettings().getIndexMetaData().getCustomData(Ccr.CCR_CUSTOM_METADATA_KEY)

[Tim-Brooks]

Done. Thanks.

[ywelsch]

should we be so lenient here, or rather reject opening a session which is already supposed to exist? It depends on how we want to handle failures / retries

[Tim-Brooks]

I would kind of prefer the put be idempotent. This is also why I have the session uuid is generated on the follower node. I'll explain more about my design in a top-level comment. Maybe we should add validation to prevent (unlikely) uuid conflicts (ensure that the put session request comes from the same follower node)?

[ywelsch]

if anything goes wrong in this method later, should we release the index commit?

[Tim-Brooks]

Made some changes to release. However, I think local timeouts for the index commit being held should also be a future meta task to also help here.

[Tim-Brooks]

Thanks @ywelsch I've made changes. Here are my high-level design thoughts:

1. A put session request opens a session using a uuid generated on the follower node. It includes the follower's store metadata. This is a transport shard request so it is on the node with the shard.
2. When it is opened the leader node initiates a local timeout for the index commit ref. (To prevent it from leaking due to disruption of this process).
3. The leader responds with the identical files (follower to keep) and recovery files (follower to fetch).
4. The follower starts fetching files using a TransportNodesAction type of request.
5. If the index commit times out on the leader side or the afterIndexShardClosed is called the leader will respond to the file chunk request with something like SESSION_NOT_FOUND.
6. If the follower's local timeout (not yet implemented) has not yet expired, it can go back to step 1.
7. Once the follower has recovered all of the files through file chunk requests it will ClearCcrRestoreSessionAction.

In this model the CcrRestoreSourceService is kind of like a cache for the Engine.IndexCommitRef. Obviously if a new Engine.IndexCommitRef is acquired (because the "cache" timed out on the leader) there might be new files the follower needs to recover or delete. But the leader sends this information in the response to the put session request. New put session requests can be made as long as the follower wants to. The process will continue until the follower locally times out. Or some other type of error is encountered.

[ywelsch]

I've left mostly smaller comments. Thanks for the high-level design description? Can you also outline how you want to handle (temporary) network disconnects?

[ywelsch]

TransportNodesAction is only truly useful if you intend on sending something to multiple nodes. I think it might be simpler here to directly use HandledTransportAction?

[Tim-Brooks]

I think I would like to implement a specific node request for the file chunks and delete session in a follow-up? I added a meta task.

[ywelsch]

can this be made final? I see that you both implemented a constructor with StreamInput and the readFrom method?

[Tim-Brooks]

I don't think so. Unfortunately you must implement this:

        @Override
        protected PutCcrRestoreSessionResponse newResponse() {
            return new PutCcrRestoreSessionResponse();
        }

on TransportSingleShardAction.

[ywelsch]

do we need to get the leader index name from Ccr.CCR_CUSTOM_METADATA_LEADER_INDEX_NAME_KEY?

[Tim-Brooks]

No. We don't need that because the index name provided by the args to restoreShard is correct. It is only the uuid that is not.

[ywelsch]

by not making this a BaseNodesResponse, we will not need this weird unwrapping.

[Tim-Brooks]

I think I would like to implement a specific node request for the file chunks and delete session in a follow-up? I added a meta task.

[Tim-Brooks]

@ywelsch - I think I would like to implement the mechanism to direct a request to a specific node on the remote cluster in a follow-up. I added a task for that on the meta issue.

[ywelsch]

IndexShard does not have a toString implementation AFAICS

[ywelsch]

preferably throw IndexShardClosedException