Add topology aware read

[MichelHollands]

What this PR does:
Add zone awareness to the read path. A MaxUnavailableZones field is added to the ReplicationSet struct. The value of that field is derived from the number of zones.

In ReplicationSet.Do() the zones of the of the failing requests is taken into account for zone aware requests. If too many zones have failures then the request fails.

Unit tests for the non-zone aware invocations of ReplicationSet.Do() are added as well.

Which issue(s) this PR fixes:
Fixes #

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

[pracucci]

Good job @MichelHollands! I think we're on the good track. I left you many comments, but most are small, while GetAll() will need a bit more work.

That being said, I would be glad if you could add 1 integration test. I would test this scenario:

• Start a cortex cluster with 6 ingesters and zone-awareness enabled
• Push 100 series
• Query back 100 series > all good
• SIGKILL 1 ingester in 1 zone
• Query back 100 series > all good
• SIGKILL 1 more ingester in the same zone
• Query back 100 series > all good
• SIGKILL 1 more ingester in a different zone
• Query back 100 series > fail

[pracucci]

Thanks @MichelHollands for addressing my feedback! I left few more comments. Please make sure that any fix you do is also covered by a unit test to avoid any regression (either in this PR or future changes).

[pracucci]

I just realised that there are places where triggering the zone-awareness logic in the GetAll() is not correct, because it will filter out even healthy instances (eg. NewRingServiceDiscovery(), distributor.GetAll(), etc..). Let's talk offline about this.

[pstibrany]

First review pass. I need to get better understanding of the tests.

[pstibrany]

Some initial comments. I still need to review TestReplicationSet_Do and integration test.

[pstibrany]

If RF=2 and there are two zones, then minSuccessZones will end up being 2. I would expect that we can actually tolerate one failing zone in such case.

[MichelHollands]

Added a special case for rf=2 and nr of zones =2/

[pstibrany]

I'm actually not sure anymore if my previous statement is correct. Reason is that during write, we would accept it if we get single OK. But during read, we don't know which single zone has received the sample, so we need to ask both.

I'd check with @pracucci to be 100% sure. But now I think my previous comment here was incorrect.

[MichelHollands]

Changed

[pracucci]

What's the current status of this conversation?

DefaultReplicationStrategy.Filter() calculate minSuccess := (replicationFactor / 2) + 1. The minSuccess is the write quorum. If RF=2, then we need to write to both ingesters in order to succeed. Because of this, it's safe to have maxUnavailableZones=1 when RF=2.

I suggest changing the logic as follow:

maxUnavailableZones = minSuccessZones - 1

Tests should be updated accordingly.

[pstibrany]

What's the current status of this conversation?

I convinced myself that with RF=2, it is enough to write to single ingester. But that's not a majority 🤦

[pstibrany]

Thank you!

[pracucci]

What's the current status of this conversation?

DefaultReplicationStrategy.Filter() calculate minSuccess := (replicationFactor / 2) + 1. The minSuccess is the write quorum. If RF=2, then we need to write to both ingesters in order to succeed. Because of this, it's safe to have maxUnavailableZones=1 when RF=2.

I suggest changing the logic as follow:

maxUnavailableZones = minSuccessZones - 1

Tests should be updated accordingly.

[pracucci]

Thanks @MichelHollands for patiently addressing my feedback. Well done, LGTM! 👏

[ranton256]

Why is this changing from stop to kill?

[pracucci]

The Kill() function, used by end-to-end tests, is expected to send a SIGKILL. We were using docker stop --time=0, which is expected to send a SIGTERM and then a SIGKILL after time 0, but we wondered if there could be some timing issues and a graceful shutdown of the stopped process could actually happen (or at least start). To make it more obvious we're going to send a SIGKILL, we decided to just use docker kill.

[ranton256]

I don't follow the logic behind this.
If I have 1 failed replica in zone A, and 1 failed in zone B, and none failed in zone C, won't this cause an outage for some timeseries when there would have been none in some cases(i.e. the instance in A and the instance in B didn't host a replica of any of the same series). With this logic of removing everything from a zone if there is a failure, won't this make it more likely to have an outage in some cases?

[pracucci]

It depends.

Assuming RF=3, if -distributor.shard-by-all-labels is disabled, then this function is not used and we only query the 3 ingesters holding all the series for the queried metric (and we just need 2 success out of 3 queried ingesters).

However, if -distributor.shard-by-all-labels is enabled, we don't know which ingesters hold all the series for a given metric name, so we need to query all of them. When zone-awareness is disabled, we need to query all ingester minus 1, while when zone-awareness is enabled we need to query all ingesters in all zones minus 1 (thus tolerating all ingesters in 1 zone failing).

About shuffle sharding, this function is called after the subring has been selected.

Am I missing anything?

[ranton256]

Okay, I follow now, and am convinced the logic is correct, but maybe less enthusiastic about some of the implications, but since the value of all ingesters when -distributor.shard-by-all-labels is enabled is the subring seems more reasonable.