raft: fix bug in unbounded log growth prevention mechanism

[tbg]

The previous code was using the proto-generated Size() method to
track the size of an incoming proposal at the leader. This includes
the Index and Term, which were mutated after the call to Size()
when appending to the log. Additionally, it was not taking into
account that an ignored configuration change would ignore the
original proposal and append an empty entry instead.

As a result, a fully committed Raft group could end up with a non-
zero tracked uncommitted Raft log counter that would eventually hit
the ceiling and drop all future proposals indiscriminately. It would
also immediately imply that proposals exceeding the threshold alone
would get refused (as the "first uncommitted proposal" gets special
treatment and is always allowed in).

Track only the size of the payload actually appended to the Raft log
instead.

For context, see:
cockroachdb/cockroach#31618 (comment)

[gyuho-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approvers:

If they are not already assigned, you can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gyuho]

Please ignore above comments, while we are experimenting Prow integration.

/ok-to-test

[gyuho]

Looks good to me. Defer to @xiang90 and @bdarnell.

[nvanbenschoten]

Looks good to me as well, although it' kind of strange that the size limit imposed by raftLog.maxSize and Storage.Entries use the proto's size, while this size limit uses the entry.Data size.

An alternative you could explore is pushing this uncommitted size limit into appendEntry, after Term and Index are assigned, and use the proto size. This is what I did at first in #10167, but changed my approach because I didn't want the empty proposal from becomeLeader to be counted towards the limit in case the very first real proposal was above the uncommitted size limit. In hindsight, that would have avoided the issue we saw in cockroachdb/cockroach#31618.

[codecov-io]

Codecov Report

Merging #10199 into master will increase coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master   #10199      +/-   ##
==========================================
+ Coverage   71.85%   71.87%   +0.01%     
==========================================
  Files         390      390              
  Lines       36346    36348       +2     
==========================================
+ Hits        26116    26124       +8     
+ Misses       8424     8417       -7     
- Partials     1806     1807       +1

Impacted Files	Coverage Δ
raft/util.go	56.52% <100%> (+1.29%)	⬆️
raft/raft.go	92.29% <100%> (ø)	⬆️
proxy/grpcproxy/register.go	80.55% <0%> (-13.89%)	⬇️
pkg/adt/interval_tree.go	86.48% <0%> (-6.91%)	⬇️
pkg/tlsutil/tlsutil.go	86.2% <0%> (-6.9%)	⬇️
etcdctl/ctlv3/command/printer_simple.go	72.48% <0%> (-1.35%)	⬇️
etcdserver/api/rafthttp/peer.go	78.77% <0%> (-1.12%)	⬇️
etcdserver/cluster_util.go	58.74% <0%> (-0.9%)	⬇️
etcdserver/api/rafthttp/stream.go	79.39% <0%> (-0.86%)	⬇️
etcdserver/api/membership/cluster.go	77.44% <0%> (-0.46%)	⬇️
... and 16 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8c80efb...ea5ff8a. Read the comment docs.

[tbg]

I pushed the computation down into appendEntries and had changed it to use .Size(), but I actually ended up reintroducing PayloadSize. It's pretty awkward to have to guess all the assigned terms and indexes during the tests, to the point where the tests become a mess (or you have to introduce additional tools).

[tbg]

Various tests failed, but I'm not sure that's really caused by this PR. @gyuho what do you think?

[tbg]

(I'm going to re-run just to get an idea of whether they're flakes or not)

[tbg]

@gyuho I re-triggered the build but it's still red. master looks pretty red as well. Could you help me push this over the finish line?

[gyuho]

@tschottdorf

https://status.github.com/messages

11:26 PDT
We have resumed webhook delivery and will continue to monitor as we process the backlog of events.

Seems like github is just back. Will retrigger manually.

[tbg]

@gyuho I re-triggered the build but it's still red

I actually meant that it failed again :-) I triggered directly on travis-ci. Let's see what the next run brings.

[gyuho]

LGTM. etcd is experiencing some flaky tests not related to this change. Should be good to merge. /cc @xiang90

[tbg]

Thanks @gyuho, appreciate the heads up.