Merge #156938 #156999

156938: mmaprototype: introduce store status r=tbg a=tbg

This introduces the `Status` struct and hooks it up to the `TestClusterState` test.
It doesn't yet attach any actual semantics to the new member of `storeStatus`
that is being added as part of doing so. This will happen in follow-up commits,
loosely replacing the integration points removed in #156933.

Touches #156776.

Epic: CRDB-55052

156999: kvserver: deflake TestPromoteNonVoterInAddVoter r=tbg a=pav-kv

Fixes #156701

Co-authored-by: Tobias Grieger <[email protected]>
Co-authored-by: Pavel Kalinnikov <[email protected]>

Author: 3 people

pkg/kv/kvserver/allocator/mmaprototype/BUILD.bazel

@@ -15,6 +15,7 @@ go_library(
         "rebalance_advisor.go",
         "store_load_summary.go",
         "store_set.go",
+        "store_status.go",
         "top_k_replicas.go",
     ],
     importpath = "github.com/cockroachdb/cockroach/pkg/kv/kvserver/allocator/mmaprototype",

pkg/kv/kvserver/allocator/mmaprototype/cluster_state.go

@@ -600,6 +600,7 @@ type pendingReplicaChange struct {
 // storeState maintains the complete state about a store as known to the
 // allocator.
 type storeState struct {
+	status Status
 	storeLoad
 	StoreAttributesAndLocality
 	adjusted struct {
@@ -1822,6 +1823,11 @@ func (cs *clusterState) setStore(sal StoreAttributesAndLocality) {
 	if !ok {
 		// This is the first time seeing this store.
 		ss := newStoreState()
+		// At this point, the store's health is unknown. It will need to be marked
+		// as healthy separately. Until we know more, we won't place leases or
+		// replicas on it (nor will we try to shed any that are already reported to
+		// have replicas on it).
+		ss.status = MakeStatus(HealthUnknown, LeaseDispositionRefusing, ReplicaDispositionRefusing)
 		ss.localityTiers = cs.localityTierInterner.intern(sal.locality())
 		ss.overloadStartTime = cs.ts.Now()
 		ss.overloadEndTime = cs.ts.Now()

pkg/kv/kvserver/allocator/mmaprototype/cluster_state_test.go

@@ -63,6 +63,53 @@ func parseSecondaryLoadVector(t *testing.T, in string) SecondaryLoadVector {
 	return vec
 }
 
+func parseStatusFromArgs(t *testing.T, d *datadriven.TestData) Status {
+	var status Status
+	if d.HasArg("health") {
+		healthStr := dd.ScanArg[string](t, d, "health")
+		found := false
+		for i := Health(0); i < healthCount; i++ {
+			if i.String() == healthStr {
+				status.Health = i
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Fatalf("unknown health: %s", healthStr)
+		}
+	}
+	if d.HasArg("leases") {
+		leaseStr := dd.ScanArg[string](t, d, "leases")
+		found := false
+		for i := LeaseDisposition(0); i < leaseDispositionCount; i++ {
+			if i.String() == leaseStr {
+				status.Disposition.Lease = i
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Fatalf("unknown lease disposition: %s", leaseStr)
+		}
+	}
+	if d.HasArg("replicas") {
+		replicaStr := dd.ScanArg[string](t, d, "replicas")
+		found := false
+		for i := ReplicaDisposition(0); i < replicaDispositionCount; i++ {
+			if i.String() == replicaStr {
+				status.Disposition.Replica = i
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Fatalf("unknown replica disposition: %s", replicaStr)
+		}
+	}
+	return status
+}
+
 func parseStoreLoadMsg(t *testing.T, in string) StoreLoadMsg {
 	var msg StoreLoadMsg
 	for _, v := range strings.Fields(in) {
@@ -333,8 +380,10 @@ func TestClusterState(t *testing.T) {
 						ss := cs.stores[storeID]
 						ns := cs.nodes[ss.NodeID]
 						fmt.Fprintf(&buf,
-							"store-id=%v node-id=%v reported=%v adjusted=%v node-reported-cpu=%v node-adjusted-cpu=%v seq=%d\n",
-							ss.StoreID, ss.NodeID, ss.reportedLoad, ss.adjusted.load, ns.ReportedCPU, ns.adjustedCPU, ss.loadSeqNum,
+							"store-id=%v node-id=%v status=%s reported=%v adjusted=%v node-reported-cpu=%v node-adjusted-cpu=%v seq"+
+								"=%d\n",
+							ss.StoreID, ss.NodeID, ss.status, ss.reportedLoad, ss.adjusted.load, ns.ReportedCPU, ns.adjustedCPU,
+							ss.loadSeqNum,
 						)
 						for ls, topk := range ss.adjusted.topKRanges {
 							n := topk.len()
@@ -354,9 +403,22 @@ func TestClusterState(t *testing.T) {
 					for _, next := range strings.Split(d.Input, "\n") {
 						sal := parseStoreAttributedAndLocality(t, next)
 						cs.setStore(sal)
+						// For convenience, in these tests, stores start out
+						// healthy.
+						cs.stores[sal.StoreID].status = Status{Health: HealthOK}
 					}
 					return printNodeListMeta()
 
+				case "set-store-status":
+					storeID := dd.ScanArg[roachpb.StoreID](t, d, "store-id")
+					ss, ok := cs.stores[storeID]
+					if !ok {
+						t.Fatalf("store %d not found", storeID)
+					}
+					status := parseStatusFromArgs(t, d)
+					ss.status = MakeStatus(status.Health, status.Disposition.Lease, status.Disposition.Replica)
+					return ss.status.String()
+
 				case "store-load-msg":
 					msg := parseStoreLoadMsg(t, d.Input)
 					cs.processStoreLoadMsg(context.Background(), &msg)

pkg/kv/kvserver/allocator/mmaprototype/store_status.go

@@ -0,0 +1,256 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package mmaprototype
+
+import (
+	"github.com/cockroachdb/errors"
+	"github.com/cockroachdb/redact"
+)
+
+type (
+	// Health represents whether the store "is around", i.e. able to participate
+	// in replication. What this means exactly is left to the outside world. MMA
+	// relies on the Disposition as much as possible without consulting the health
+	// status, aided by the invariant described on Status (only healthy nodes can
+	// have "green" dispositions). Its only (envisioned) use for explicit health
+	// tracking are sanity checks and preferring unhealthy candidates when picking
+	// sources (for example, when rebalancing, it may make sense to rebalance off
+	// an unhealthy or dead node over a healthy one as this actually improves
+	// availability).
+	Health             byte
+	LeaseDisposition   byte
+	ReplicaDisposition byte
+)
+
+const (
+	// HealthUnknown is the initial state for health. It's treated as an unhealthy
+	// state, distinguished from HealthUnhealthy to tailor logging and metrics.
+	HealthUnknown Health = iota
+	// HealthOK describes a store that has been determined to be alive and well.
+	HealthOK
+	// HealthUnhealthy describes a store that has recently become unhealthy, but
+	// which has not been unhealthy for "extended periods of time" and is expected
+	// to return (as determined by a higher layer)
+	HealthUnhealthy
+	// HealthDead describes a store that is unhealthy and has been in that state
+	// for what is considered a "long time" or which may not return.
+	HealthDead
+	healthCount // sentinel
+)
+
+const (
+	// LeaseDispositionOK denotes that the store is in principle willing to
+	// receive leases.
+	LeaseDispositionOK LeaseDisposition = iota
+	// LeaseDispositionRefusing denotes that the store should not be considered
+	// as a target for leases.
+	LeaseDispositionRefusing
+	// LeaseDispositionShedding denotes that the store should actively be
+	// considered for removal of leases.
+	LeaseDispositionShedding
+	leaseDispositionCount // sentinel
+)
+
+const (
+	// ReplicaDispositionRefusing denotes that the store can receive replicas.
+	ReplicaDispositionOK ReplicaDisposition = iota
+	// ReplicaDispositionRefusing denotes that the store should not be considered as
+	// a target for replica placement.
+	ReplicaDispositionRefusing
+	// ReplicaDispositionShedding denotes that the store should actively be
+	// considered for removal of replicas.
+	ReplicaDispositionShedding
+	replicaDispositionCount // sentinel
+)
+
+// Disposition represents the interest a store has in accepting or
+// shedding leases or replicas.
+type Disposition struct {
+	Lease   LeaseDisposition
+	Replica ReplicaDisposition
+}
+
+// Status represents the health and disposition of a store. It serves as a
+// translation layer between the "messy" outside world in which we may have
+// multiple possibly conflicting health signals, and various lifecycle states.
+// The Status is never derived internally in mma, but is always passed in and
+// kept up to date through the Allocator interface.
+//
+// The contained Health primarily plays a role when looking for (lease or
+// replicas) sources: all other things being equal, we want to be able to
+// identify suspect or dead stores as more beneficial sources for, say, a
+// replica removal. We also want to be able to tell when a range has lost quorum
+// so that we don't even try to make changes in that case. On the flip side, due
+// to the INVARIANT below, when looking for targets, health does not typically
+// need to be considered as we prohibit "non-healthy" stores from claiming to
+// accept replicas or leases.
+//
+// The wrapped Disposition is important when looking for both targets and
+// sources. In principle, stores can reject leases but accept replicas and vice
+// versa, though not all combinations may be used in practice (because they do
+// not all make sense).
+//
+// The multi-metric allocator is not currently responsible for establishing
+// constraint conformance or for shedding, so not all aspects discussed above
+// are necessarily used by it yet.
+//
+// INVARIANT: if Health != HealthOK, Disposition.{Lease,Replica} = Shedding.
+type Status struct {
+	Health      Health
+	Disposition Disposition
+}
+
+func MakeStatus(h Health, l LeaseDisposition, r ReplicaDisposition) Status {
+	s := Status{
+		Health:      h,
+		Disposition: Disposition{Lease: l, Replica: r},
+	}
+	s.assertOrPanic()
+	return s
+}
+
+func (ss *Status) assert() error {
+	// NB: byte values can't be negative, so we don't have to check.
+
+	if ss.Health >= healthCount {
+		return errors.AssertionFailedf("invalid health status %d", ss.Health)
+	}
+	d := ss.Disposition
+	if d.Lease >= leaseDispositionCount {
+		return errors.AssertionFailedf("invalid lease disposition %d", d.Lease)
+	}
+	if d.Replica >= replicaDispositionCount {
+		return errors.AssertionFailedf("invalid replica disposition %d", d.Replica)
+	}
+	if ss.Health != HealthOK && (ss.Disposition.Replica == ReplicaDispositionOK || ss.Disposition.Lease == LeaseDispositionOK) {
+		return errors.AssertionFailedf("non-healthy status must not accept leases or replicas: %+v", ss)
+	}
+	return nil
+}
+
+func (ss *Status) assertOrPanic() {
+	if err := ss.assert(); err != nil {
+		panic(err)
+	}
+}
+
+func (h Health) String() string {
+	return redact.StringWithoutMarkers(h)
+}
+
+// SafeFormat implements the redact.SafeFormatter interface.
+func (h Health) SafeFormat(w redact.SafePrinter, _ rune) {
+	switch h {
+	case HealthUnknown:
+		w.Print("unknown")
+	case HealthOK:
+		w.Print("ok")
+	case HealthUnhealthy:
+		w.Print("unhealthy")
+	case HealthDead:
+		w.Print("dead")
+	default:
+		w.Print("unknown")
+	}
+}
+
+func (l LeaseDisposition) String() string {
+	return redact.StringWithoutMarkers(l)
+}
+
+// SafeFormat implements the redact.SafeFormatter interface.
+func (l LeaseDisposition) SafeFormat(w redact.SafePrinter, _ rune) {
+	switch l {
+	case LeaseDispositionOK:
+		w.Print("ok")
+	case LeaseDispositionRefusing:
+		w.Print("refusing")
+	case LeaseDispositionShedding:
+		w.Print("shedding")
+	default:
+		w.Print("unknown")
+	}
+}
+
+func (r ReplicaDisposition) String() string {
+	return redact.StringWithoutMarkers(r)
+}
+
+// SafeFormat implements the redact.SafeFormatter interface.
+func (r ReplicaDisposition) SafeFormat(w redact.SafePrinter, _ rune) {
+	switch r {
+	case ReplicaDispositionOK:
+		w.Print("ok")
+	case ReplicaDispositionRefusing:
+		w.Print("refusing")
+	case ReplicaDispositionShedding:
+		w.Print("shedding")
+	default:
+		w.Print("unknown")
+	}
+}
+
+func (d Disposition) String() string {
+	return redact.StringWithoutMarkers(d)
+}
+
+// SafeFormat implements the redact.SafeFormatter interface.
+func (d Disposition) SafeFormat(w redact.SafePrinter, _ rune) {
+	if d.Lease == LeaseDispositionOK && d.Replica == ReplicaDispositionOK {
+		w.Print("accepting all")
+		return
+	}
+
+	var refusing []redact.SafeString
+	var shedding []redact.SafeString
+
+	if d.Lease == LeaseDispositionRefusing {
+		refusing = append(refusing, redact.SafeString("leases"))
+	} else if d.Lease == LeaseDispositionShedding {
+		shedding = append(shedding, redact.SafeString("leases"))
+	}
+
+	if d.Replica == ReplicaDispositionRefusing {
+		refusing = append(refusing, redact.SafeString("replicas"))
+	} else if d.Replica == ReplicaDispositionShedding {
+		shedding = append(shedding, redact.SafeString("replicas"))
+	}
+
+	first := true
+	if len(refusing) > 0 {
+		w.Print("refusing=")
+		for i, s := range refusing {
+			if i > 0 {
+				w.Print(",")
+			}
+			w.Print(s)
+		}
+		first = false
+	}
+	if len(shedding) > 0 {
+		if !first {
+			w.Print(" ")
+		}
+		w.Print("shedding=")
+		for i, s := range shedding {
+			if i > 0 {
+				w.Print(",")
+			}
+			w.Print(s)
+		}
+	}
+}
+
+func (ss Status) String() string {
+	return redact.StringWithoutMarkers(ss)
+}
+
+// SafeFormat implements the redact.SafeFormatter interface.
+func (ss Status) SafeFormat(w redact.SafePrinter, _ rune) {
+	ss.Health.SafeFormat(w, 's')
+	w.Print(" ")
+	ss.Disposition.SafeFormat(w, 's')
+}