This document describes the high-level design of the leader election library.
Term |
Description |
|---|---|
Nominee |
Nominee is a potential leader. Each client nominates itself. One will become Leader, the others will become Candidates. |
Candidate |
See Nominee. |
Client |
Client is the customer, or client, of the Library (see below). The Client uses the Library to negotiate leadership for a given resource. |
Election Node |
ElectionNode is the base Zookeeper node that leader candidates will place their nominations for leadership.
For the leader election examples in this package this node is called |
Resource |
Resource is the target of the leadership request. If leadership is granted the leader is free to manage the resource in whatever way is appropriate to the application without worrying that other clients are concurrently managing that resource. *Resource* is a more general name for *Election Node*. |
Follower |
Follower is an entity that is not the leader for a Resource, but is actively monitoring the resource in the event the Leader is removed from its leadership position. If this happens, a Follower becomes a candidate for Leader which will be decided via an automatic, asynchronous, process. |
Leader |
Leader is the entity that has exclusive ownership for a given Resource. |
Library |
Library is this component - i.e., the Leader Election library. |
ZK |
Zookeeper. |
These scenarios cover interactions between leader candidates and the library.
- ZK not available at startup
- The client will be responsible for providing the ZK connection to the library.
- Rationale - The client should be in control of the connection so that it can decide whether connections should be reused or not, and what to do if the connection fails in any way.
- Rationale - The client will need to interact directly with Zookeeper (ZK) to create the election root path and the full path of the resource which needs a leader.
- If the connection is not usable the Library initialization will fail.
- The client will be responsible for providing the ZK connection to the library.
- Start up with no "election" node
- The client is now responsible for creating the root of the election path (e.g., /recon)
- The client will be responsible for creating the full election node path. E.g., For the Recon Agent this means that the RA will have to monitor the /recon node directly for IRIDs being added. Only when it has the /recon/IRID can it use the Library for leadership election. An ABEER instance will create the /recon/IRID node when a request is made to reconstitute a recording.
- The client is now responsible for creating the root of the election path (e.g., /recon)
- ZK dies/connection lost
- ZK notifies the Client via connection channel
- As per #1 above, the Client owns the connection, not the library.
- The Library Client is itself monitoring the ZK connection it provided to the Library and as a result of the error
Resigns its leadership (or leadership request) and closes the Library. - The connection to ZK can be lost for several reasons including:
- The network connection between ZK and the client process (e.g., RA) is lost
- The ZK instance that the client is connected to becomes partitioned from the other ZKs in the cluster and it's on the minority side of the partition (ie., no quorum).
- ZK notifies the Client via connection channel
- ZK recovers/connection established
- This is the Client's responsibility to implement a strategy appropriate to the client.
- Initialization
- Client creates ZK connection.
- Client creates the ZK election resource (e.g., /some-election-id)
- Client initializes the Library with a ZK connection and the election resource.
- The result will be a new instance of the Election.
- Request leadership for a Resource.
- The Client requests leadership of the resource separately from initialization. In fact, it may be that the client creating the election is separate from the client(s) that compete for the election.
- The library will write an ephemeral, sequenced, znode to ZK representing the leadership request.
- The library performs a Get on the resource children.
- If this client's request has the lowest sequence number then this client has leadership for the resource.
- If this client's request does not have the lowest sequence number then it is not leader.
- The Client then places a watch on the client with the next lowest sequence number.
- The Library will place a watch on the request with the next lowest sequence number to avoid the "herd effect" if the leader exits unexpectedly.
- The Library returns the following to the Client:
- A boolean indicating true if the Client is the leader, false otherwise.
- An error reflecting whatever error may have occurred, nil otherwise.
- The Library instance struct includes a channel to monitor for changes in leadership status.
- This channel will be used when a Client is transitioned from follower to leader for the Resource.
- The channel will be nil for leaders.
- Leadership change - This occurs when a Leader is removed from it's leadership position. This can happen via an explicit resignation or via a failure of the Leader (e.g., network partition)
- Library detects change via the channel returned as part of registering a ZK watch
- Library initiates leader election process outlined in #2 above, starting at step #2.
- The key difference between an initial leader election and one triggered via a leadership change is that the the election process doesn't start with writing a znode for the client, it will already exist.
- A naive implementation of leader election may not include going through leader election again, preferring to use the knowledge that a given client has the lowest sequence number in a local cache to determine the leader. That approach has a problem though in that a follower will not know a priori how many prior nodes have failed. It may be that it could be the leader even though it was several places down in the follower sequence. E.g., for candidates 1, 2, 3, and 4 where the leader is 1 and the follower we're interested in is 4, if 3 fails it's possible that 1 and 2 also failed. If 4 doesn't refresh the list of children then it will miss that not only 3 failed, but 1 & 2 also. In this scenario it won't become leader unless it completely refreshes its cache.
- There are 2 scenarios for leadership change:
- The Candidate receiving the notification is watching the current leader
- In this case the Candidate receiving the notification will become the leader.
- The Candidate is not watching the current leader. In this case the Candidate will not receive any notification as the Candidate that it is following did not exit or otherwise cause its associated Candidate ZK node to be removed.
- The Candidate receiving the notification is watching the current leader
- Resign leadership or nomination
- The Client explicitly requests leadership resignation via the API
- The Library will remove the associated znode from ZK
- A new leader will be chosen as described by #3 above.
- The Library will release any resources it holds, reset all fields to their zero values, and be generally unusable (ie., will throw an error if the instance is attempted to be reused). At this point, depending on the context it was created in, this Library instance is eligible for garbage collection.
- The election is deleted via the API
- All Candidates, including the Leader, are notified that the election has ended.
- At this point the election instance is unusable. All resources are released, all fields are reset to their zero values, and further attempts to use the instance will result in an error being returned to the client.
- Query Library state
- The client can query the library to determine its leadership role, and the its associated Candidate information.
- Since the Client owns the ZK connection, it can control how many ZK connections it has active. One ZK connection can support multiple Client leadership nominations.
- There will be an Election instance for each Resource the Client is interested in leading/owning. There will be one ZK child watch per Election instance (i.e., the Client this client is following).
- How to handle connection lost then recovered
- TEST: Recovers to another server in the cluster
- Just need to make sure that it reconnects successfully
- Leaders maintain leadership
- Followers are still following
- Subsequent leadership election works
- DOCUMENT: Resign not reflected in ZK due to connection loss
- On reconnect the work doesn't have an active leader since ZK still reflects that the previous owner, which didn't resign properly, is no longer active but the leader re-election wasn't triggered because the resignee's node is still in ZK. If the zombie zk node for the failed resignee is deleted the leadership election is triggered.
- The approach will be to check for zkConn.Delete() error and return error to client
- TODO: Resign worked, but leader election didn't happen before the connection was lost (or it didn't work). Ideas for fixing include:
- Check if there was a leader re-election failure talking to ZK (or did the election notification get lost altogether?)
- Periodically re-run leader election?
- DOCUMENT: Reconnection continues endlessly
- There doesn't seem to be a way to limit the number of retries the go-zk library performs to reconnect to ZK.
- Ask a question on the issues list. Otherwise:
- Fail everything on the first disconnect and close the connection
- Let it continue until it succeeds. But what to do about notifying current leaders that they are no longer leaders (because it's been too long)?
- Implement custom reconnect code at the application level.
- In any case, do I need to keep track of outstanding ephemeral nodes to perhaps delete? I.e., resign candidacy and then go through a new election for every candidate.
- Ask a question on the issues list. Otherwise:
- The Client will be responsible for implementing the retry strategy (see Connectivity Loss section below for more details).
- There doesn't seem to be a way to limit the number of retries the go-zk library performs to reconnect to ZK.
- TEST: Recovers to another server in the cluster