adamjm
diff --git a/‎CHANGELOG
Lines changed: 8 additions & 0 deletions b/‎CHANGELOG
Lines changed: 8 additions & 0 deletions
diff --git a/‎arangod/Agency/MoveShard.cpp
Lines changed: 42 additions & 30 deletions b/‎arangod/Agency/MoveShard.cpp
Lines changed: 42 additions & 30 deletions
diff --git a/‎arangod/Agency/PathComponent.h
Lines changed: 7 additions & 3 deletions b/‎arangod/Agency/PathComponent.h
Lines changed: 7 additions & 3 deletions
diff --git a/‎arangod/Cluster/Maintenance.cpp
Lines changed: 76 additions & 69 deletions b/‎arangod/Cluster/Maintenance.cpp
Lines changed: 76 additions & 69 deletions
@@ -1,6 +1,14 @@
 devel
 -----
 
+* Fixed: During a move-shard job which moves the leader there is a
+  situation in which the old owner of a shard can reclaim ownership
+  (after having resigned already), with a small race where it allows to
+  write documents only locally, but then continue the move-shard to a
+  server without those documents. An additional bug in the MoveShard
+  Supervision job would then leave the shard in a bad configuration
+  with a resigned leader permanently in charge.
+
 * Fixed issue #12304: insert in transaction causing com.arangodb.ArangoDBException: 
   Response: 500, Error: 4 - Builder value not yet sealed. 
 
 
@@ -308,11 +308,19 @@ bool MoveShard::start(bool&) {
     return false;
   }
 
-  if (!_isLeader && _remainsFollower) {
-    moveShardFinish(false,  false, "remainsFollower is invalid without isLeader");
-    return false;
+  if (!_isLeader) {
+    if (_remainsFollower) {
+      moveShardFinish(false,  false, "remainsFollower is invalid without isLeader");
+      return false;
+    }
+  } else {
+    if (_toServerIsFollower && !_remainsFollower) {
+      moveShardFinish(false, false, "remainsFollower must be true if the toServer is a follower");
+      return false;
+    }
   }
 
+
   // Compute group to move shards together:
   std::vector<Job::shard_t> shardsLikeMe =
       clones(_snapshot, _database, _collection, _shard);
@@ -557,7 +565,12 @@ JOB_STATUS MoveShard::pendingLeader() {
 
     // We need to switch leaders:
     {
-      // Abort in to server no longer among replica for any shards like me
+      // First make sure that the server we want to go to is still in Current
+      // for all shards. This is important, since some transaction which the leader
+      // has still executed before its resignation might have dropped a follower
+      // for some shard, and this could have been our new leader. In this case we
+      // must abort and go back to the original leader, which is still perfectly
+      // safe.
       for (auto const& sh : shardsLikeMe) {
         auto const shardPath = curColPrefix + _database + "/" + sh.collection + "/" + sh.shard;
         auto const tmp = _snapshot.hasAsArray(shardPath + "/servers");
@@ -866,20 +879,20 @@ arangodb::Result MoveShard::abort(std::string const& reason) {
   std::vector<Job::shard_t> shardsLikeMe =
       clones(_snapshot, _database, _collection, _shard);
 
+  // If we move the leader: Once the toServer has been put into the Plan
+  // as leader, we always abort by moving forwards:
   // We can no longer abort by reverting to where we started, if any of the
   // shards of the distributeShardsLike group has already gone to new leader
   if (_isLeader) {
-    for (auto const& i : shardsLikeMe) {
-      auto const& cur = _snapshot.hasAsArray(curColPrefix + _database + "/" + i.collection +
-                                             "/" + i.shard + "/" + "servers");
-      if (cur.second && cur.first[0].copyString() == _to) {
-        LOG_TOPIC("72a82", INFO, Logger::SUPERVISION)
-            << "MoveShard can no longer abort through reversion to where it "
-               "started. Flight forward";
-        moveShardFinish(true, true,
-                        "job aborted (2) - new leader already in place: " + reason);
-        return result;
-      }
+    auto const& plan = _snapshot.hasAsArray(planColPrefix + _database + "/" + _collection + "/shards/" + _shard);
+    if (plan.second && plan.first[0].co
F438
pyString() == _to) {
+      LOG_TOPIC("72a82", INFO, Logger::SUPERVISION)
+      << "MoveShard can no longer abort through reversion to where it "
+         "started. Flight forward, leaving Plan as it is now.";
+      moveShardFinish(true, false,
+                      "job aborted (2) - new leader already in place: " + reason);
+      return result;
+
     }
   }
 
@@ -922,7 +935,7 @@ arangodb::Result MoveShard::abort(std::string const& reason) {
                          {
                            VPackArrayBuilder guard(&trx);
                            for (VPackSlice srv : VPackArrayIterator(plan)) {
-                             if (false == srv.isEqualString(_to)) {
+                             if (!srv.isEqualString(_to)) {
                                trx.add(srv);
                              }
                            }
@@ -940,18 +953,10 @@ arangodb::Result MoveShard::abort(std::string const& reason) {
     }
     {
       VPackObjectBuilder preconditionObj(&trx);
-      if (_isLeader) {  // Precondition, that current is still as in snapshot
-        // Current preconditions for all shards
-        doForAllShards(_snapshot, _database, shardsLikeMe,
-                       [&trx](Slice plan, Slice current, std::string& planPath,
-                              std::string& curPath) {
-                         // Current still as is
-                         trx.add(curPath, current);
-                       });
-        addPreconditionJobStillInPending(trx, _jobId);
-      }
       addMoveShardToServerCanUnLock(trx);
       addMoveShardFromServerCanUnLock(trx);
+      // If the collection is gone in the meantime, we do nothing here, but the
+      // round will move the job to Finished anyway:
       addPreconditionCollectionStillThere(trx, _database, _collection);
     }
   }
@@ -963,14 +968,21 @@ arangodb::Result MoveShard::abort(std::string const& reason) {
                     std::string("Lost leadership"));
     return result;
   } else if (res.indices[0] == 0) {
+    // Precondition failed
     if (_isLeader) {
       // Tough luck. Things have changed. We'll move on
       LOG_TOPIC("513e6", INFO, Logger::SUPERVISION)
-          << "MoveShard can no longer abort through reversion to where it "
-             "started. Flight forward";
-      moveShardFinish(true, true,
-                      "job aborted (4) - new leader already in place: " + reason);
+          << "Precondition failed on MoveShard::abort() for shard " << _shard << " of collection " << _collection
+          << ", if the collection has been deleted in the meantime, the job will be finished soon, if this message repeats, tell us.";
+      result = Result(
+          TRI_ERROR_SUPERVISION_GENERAL_FAILURE,
+          std::string("Precondition failed while aborting moveShard job ") + _jobId);
       return result;
+      // We intentionally do not move the job object to Failed or Finished here! The failed
+      // precondition can either be one of the read locks, which suggests a fundamental problem,
+      // and in which case we will log this message in every round of the supervision.
+      // Or the collection has been dropped since we took the snapshot, in this case we
+      // will move the job to Finished in the next round.
     }
     result = Result(
         TRI_ERROR_SUPERVISION_GENERAL_FAILURE,
 
@@ -52,10 +52,14 @@ class Path {
     return stream;
   }
 
-  std::vector<std::string> vec() const {
+  std::vector<std::string> vec(size_t skip = 0) const {
     std::vector<std::string> res;
-    forEach([&res](const char* component) {
-      res.emplace_back(std::string{component});
+    forEach([&res, &skip](const char* component) {
+      if (skip == 0) {
+        res.emplace_back(std::string{component});
+      } else {
+        skip--;
+      }
     });
     return res;
   }
@@ -38,6 +38,8 @@
 #include "VocBase/LogicalCollection.h"
 #include "VocBase/Methods/Databases.h"
 
+#include "Cluster/ResignShardLeadership.h"
+
 #include <velocypack/Collection.h>
 #include <velocypack/Compare.h>
 #include <velocypack/Iterator.h>
@@ -184,6 +186,17 @@ static VPackBuilder compareIndexes(std::string const& dbname, std::string const&
   return builder;
 }
 
+static std::string CreateLeaderString(std::string const& leaderId, bool shouldBeLeading) {
+  if (shouldBeLeading) {
+    return std::string();
+  }
+  TRI_ASSERT(!leaderId.empty());
+  if (leaderId.front() == UNDERSCORE[0]) {
+    return leaderId.substr(1);
+  }
+  return leaderId;
+}
+
 void handlePlanShard(uint64_t planIndex, VPackSlice const& cprops, VPackSlice const& ldb,
                      std::string const& dbname, std::string const& colname,
                      std::string const& shname, std::string const& serverId,
@@ -192,15 +205,13 @@ void handlePlanShard(uint64_t planIndex, VPackSlice const& cprops, VPackSlice co
                      MaintenanceFeature::errors_t& errors, MaintenanceFeature& feature,
                      std::vector<std::shared_ptr<ActionDescription>>& actions) {
   bool shouldBeLeading = serverId == leaderId;
-  bool shouldResign = UNDERSCORE + serverId == leaderId;
 
   commonShrds.emplace(shname);
 
   auto const lcol = ldb.get(shname);
   if (lcol.isObject()) {  // Have local collection with that name
 
     std::string_view const localLeader = lcol.get(THE_LEADER).stringView();
-    bool const leaderTouched = localLeader != LEADER_NOT_YET_KNOWN;
     bool leading = localLeader.empty();
     auto const properties = compareRelevantProps(cprops, lcol);
 
@@ -258,37 +269,20 @@ void handlePlanShard(uint64_t planIndex, VPackSlice const& cprops, VPackSlice co
             << "for central " << dbname << "/" << colname << "- skipping";
       }
     }
-
-    // Handle leadership change, this is mostly about taking over leadership,
-    // but it also handles the case that in a failover scenario we used to
-    // be the leader and now somebody else is the leader. However, it does
-    // not handle the case of a controlled leadership resignation, see below
-    // in handleLocalShard for this.
-    if (shouldResign && !leading) {
-      // This case is a special one which is triggered if a server
-      // restarts, has `NOT_YET_TOUCHED` in its local shard as theLeader
-      // and finds a resignation sign. In that case, it should first officially
-      // take over leadership. In the following round it will then resign.
-      // This enables cleanOutServer jobs to continue to work in case of
-      // a leader restart.
-      shouldBeLeading = true;
-      shouldResign = false;
-    }
-    if ((leading != shouldBeLeading && !shouldResign) || !leaderTouched) {
+    if (!leading && shouldBeLeading) {
       LOG_TOPIC("52412", DEBUG, Logger::MAINTENANCE)
           << "Triggering TakeoverShardLeadership job for shard " << dbname
           << "/" << colname << "/" << shname
           << ", local leader: " << lcol.get(THE_LEADER).copyString()
           << ", leader id: " << leaderId << ", my id: " << serverId
-          << ", should be leader: " << (shouldBeLeading ? std::string() : leaderId)
-          << ", leaderTouched = " << (leaderTouched ? "yes" : "no");
+          << ", should be leader: ";
       actions.emplace_back(std::make_shared<ActionDescription>(
           std::map<std::string, std::string>{
               {NAME, TAKEOVER_SHARD_LEADERSHIP},
               {DATABASE, dbname},
               {COLLECTION, colname},
               {SHARD, shname},
-              {THE_LEADER, shouldBeLeading ? std::string() : leaderId},
+              {THE_LEADER, std::string()},
               {LOCAL_LEADER, std::string(localLeader)},
               {OLD_CURRENT_COUNTER, "0"},   // legacy, no longer used
               {PLAN_RAFT_INDEX, std::to_string(planIndex)}},
@@ -318,7 +312,7 @@ void handlePlanShard(uint64_t planIndex, VPackSlice const& cprops, VPackSlice co
         }
       }
     }
-  } else {  // Create the sucker, if not a previous error stops us
+  } else {  // Create the collection, if not a previous error stops us
     if (errors.shards.find(dbname + "/" + colname + "/" + shname) ==
         errors.shards.end()) {
       auto props = createProps(cprops);  // Only once might need often!
@@ -328,7 +322,7 @@ void handlePlanShard(uint64_t planIndex, VPackSlice const& cprops, VPackSlice co
              {SHARD, shname},
              {DATABASE, dbname},
              {SERVER_ID, serverId},
-             {THE_LEADER, shouldBeLeading ? std::string() : leaderId}},
+             {THE_LEADER, CreateLeaderString(leaderId, shouldBeLeading)}},
             shouldBeLeading ? LEADER_PRIORITY : FOLLOWER_PRIORITY, std::move(props)));
     } else {
       LOG_TOPIC("c1d8e", DEBUG, Logger::MAINTENANCE)
@@ -343,58 +337,71 @@ void handleLocalShard(std::string const& dbname, std::string const& colname,
                       std::unordered_set<std::string>& commonShrds,
                       std::unordered_set<std::string>& indis, std::string const& serverId,
                       std::vector<std::shared_ptr<ActionDescription>>& actions) {
-  std::unordered_set<std::string>::const_iterator it;
+
+  std::unordered_set<std::string>::const_iterator it =
+      std::find(commonShrds.begin(), commonShrds.end(), colname);
+
+  auto localLeader = cprops.get(THE_LEADER).stringRef();
+  bool const isLeading = localLeader.empty();
+  if (it == commonShrds.end()) {
+    // This collection is not planned anymore, can drop it
+    actions.emplace_back(std::make_shared<ActionDescription>(
+        std::map<std::string, std::string>{{NAME, DROP_COLLECTION},
+                                           {DATABASE, dbname},
+                                           {COLLECTION, colname}},
+        isLeading ? LEADER_PRIORITY : FOLLOWER_PRIORITY));
+    return;
+  }
+  // We dropped out before
+  TRI_ASSERT(it != commonShrds.end());
+  // The shard exists in both Plan and Local
+  commonShrds.erase(it);  // it not a common shard?
 
   std::string plannedLeader;
   if (shardMap.get(colname).isArray()) {
     plannedLeader = shardMap.get(colname)[0].copyString();
   }
-  bool const localLeader = cprops.get(THE_LEADER).stringRef().empty();
-  if (localLeader && plannedLeader == UNDERSCORE + serverId) {
+
+  bool const activeResign = isLeading && plannedLeader != serverId;
+  bool const adjustResignState =
+      (plannedLeader == UNDERSCORE + serverId &&
+       localLeader != ResignShardLeadership::LeaderNotYetKnownString) ||
+      (plannedLeader != serverId && localLeader == LEADER_NOT_YET_KNOWN);
+  /*
+  * We need to resign in the following cases:
+  * 1) (activeResign) We think we are the leader locally, but the plan says we are not. (including, we are resigned)
+  * 2) (adjustResignState) We are not leading, and not in resigned state, but the plan says we should be resigend.
+  *    - This triggers on rebooted servers, that were in resign process
+  *    - This triggers if the shard is moved from the server, before it actually took ownership. 
+  */
+
+  if (activeResign || adjustResignState) {
     actions.emplace_back(std::make_shared<ActionDescription>(
-          std::map<std::string, std::string>{{NAME, RESIGN_SHARD_LEADERSHIP}, {DATABASE, dbname}, {SHARD, colname}},
-          RESIGN_PRIORITY));
-  } else {
-    bool drop = false;
-    // check if shard is in plan, if not drop it
-    if (commonShrds.empty()) {
-      drop = true;
-    } else {
-      it = std::find(commonShrds.begin(), commonShrds.end(), colname);
-      if (it == commonShrds.end()) {
-        drop = true;
-      }
-    }
+        std::map<std::string, std::string>{{NAME, RESIGN_SHARD_LEADERSHIP},
+                                           {DATABASE, dbname},
+                                           {SHARD, colname}},
+        RESIGN_PRIORITY));
+  }
 
-    if (drop) {
-      actions.emplace_back(std::make_shared<ActionDescription>(
-            std::map<std::string, std::string>{{NAME, DROP_COLLECTION}, {DATABASE, dbname}, {COLLECTION, colname}},
-            localLeader ? LEADER_PRIORITY : FOLLOWER_PRIORITY));
-    } else {
-      // The shard exists in both Plan and Local
-      commonShrds.erase(it);  // it not a common shard?
-
-      // We only drop indexes, when collection is not being dropped already
-      if (cprops.hasKey(INDEXES)) {
-        if (cprops.get(INDEXES).isArray()) {
-          for (auto const& index : VPackArrayIterator(cprops.get(INDEXES))) {
-            VPackStringRef type = index.get(StaticStrings::IndexType).stringRef();
-            if (type != PRIMARY && type != EDGE) {
-              std::string const id = index.get(ID).copyString();
-
-              // check if index is in plan
-              if (indis.find(colname + "/" + id) != indis.end() ||
-                  indis.find(id) != indis.end()) {
-                indis.erase(id);
-              } else {
-                actions.emplace_back(std::make_shared<ActionDescription>(
-                      std::map<std::string, std::string>{{NAME, DROP_INDEX},
-                       {DATABASE, dbname},
-                       {COLLECTION, colname},
-                       {"index", id}},
-                      INDEX_PRIORITY));
-              }
-            }
+  // We only drop indexes, when collection is not being dropped already
+  if (cprops.hasKey(INDEXES)) {
+    if (cprops.get(INDEXES).isArray()) {
+      for (auto const& index : VPackArrayIterator(cprops.get(INDEXES))) {
+        VPackStringRef type = index.get(StaticStrings::IndexType).stringRef();
+        if (type != PRIMARY && type != EDGE) {
+          std::string const id = index.get(ID).copyString();
+
+          // check if index is in plan
+          if (indis.find(colname + "/" + id) != indis.end() ||
+              indis.find(id) != indis.end()) {
+            indis.erase(id);
+          } else {
+            actions.emplace_back(std::make_shared<ActionDescription>(
+                std::map<std::string, std::string>{{NAME, DROP_INDEX},
+                                                   {DATABASE, dbname},
+                                                   {COLLECTION, colname},
+                                                   {"index", id}},
+                INDEX_PRIORITY));
           }
         }
       }