Implement 'StoppableCheck' Flag to Ensure Maintenance Mode is Avoided After Stoppable Instances are Shutdown

[MarkGaox]

Issues

• My PR addresses the following Helix issues and references them in the PR description:
• Cross-zone Stoppable Check #2655

(#200 - Link your issue number here: You can write "Fixes #XXX". Please use the proper keyword so that the issue gets closed automatically. See https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue
Any of the following keywords can be used: close, closes, closed, fix, fixes, fixed, resolve, resolves, resolved)

Description

• Here are some details about my PR, including screenshots of any UI changes:
• This PR adds a new option in StoppableCheck API to allow users to choose whether allow the stoppable instances to exceed the maximum of offline instances allowed. If notExceedMaxOfflineInstances sets to true, the max Stoppable instances won't surpass the limit on the cluster configuration, which ensures the cluster won't enter the maintenance mode and do the emergency rebalance.

(Write a concise description including what, why, how)

Tests

• The following tests are written for this issue:
  mvn test -Dtest=TestInstancesAccessor,TestMaintenanceManagementService,TestInstanceValidationUtilInRest,TestPerInstanceAccessor -pl helix-rest && mvn test -Dtest=TestInstanceValidationUtil -pl helix-core

(List the names of added unit/integration tests)

• The following is the result of the "mvn test" command on the appropriate module:

(If CI test fails due to known issue, please specify the issue and test PR locally. Then copy & paste the result of "mvn test" to here.)

[INFO] Tests run: 52, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 91.416 s - in TestSuite
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 52, Failures: 0, Errors: 0, Skipped: 0
[INFO] 
[INFO] 
[INFO] --- jacoco:0.8.6:report (generate-code-coverage-report) @ helix-rest ---
[INFO] Loading execution data file /Users/xiaxgao/IdeaProjects/helix_ps/helix-rest/target/jacoco.exec
[INFO] Analyzed bundle 'Apache Helix :: Restful Interface' with 95 classes
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:35 min
[INFO] Finished at: 2024-01-30T14:40:47-08:00
[INFO] ------------------------------------------------------------------------

[INFO] Tests run: 24, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.94 s - in org.apache.helix.util.TestInstanceValidationUtil
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 24, Failures: 0, Errors: 0, Skipped: 0
[INFO] 
[INFO] 
[INFO] --- jacoco:0.8.6:report (generate-code-coverage-report) @ helix-core ---
[INFO] Loading execution data file /Users/xiaxgao/IdeaProjects/helix_ps/helix-core/target/jacoco.exec
[INFO] Analyzed bundle 'Apache Helix :: Core' with 947 classes
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  11.892 s
[INFO] Finished at: 2024-01-11T12:58:10-08:00
[INFO] ------------------------------------------------------------------------

Changes that Break Backward Compatibility (Optional)

• My PR contains changes that break backward compatibility or previous assumptions for certain methods or API. They include:

(Consider including all behavior changes for public methods or API. Also include these changes in merge description so that other developers are aware of these changes. This allows them to make relevant code changes in feature branches accounting for the new method/API behavior.)

Documentation (Optional)

• In case of new functionality, my PR adds documentation in the following wiki page:

(Link the GitHub wiki you added)

Commits

• My commits all reference appropriate Apache Helix GitHub issues in their subject lines. In addition, my commits follow the guidelines from "How to write a good git commit message":
  1. Subject is separated from body by a blank line
  2. Subject is limited to 50 characters (not including Jira issue reference)
  3. Subject does not end with a period
  4. Subject uses the imperative mood ("add", not "adding")
  5. Body wraps at 72 characters
  6. Body explains "what" and "why", not "how"

Code Quality

• My diff has been formatted using helix-style.xml
  (helix-style-intellij.xml if IntelliJ IDE is used)

[xyuanlu]

I feel like we should skip check when continueOnFailure is false as a perf improvement. Instead of filter it when consolidate result..?

[MarkGaox]

Say our maxAllowedOffline = 3, and there are 5 instances. The problem is when we do batchGetStoppable for these 5 instances, we would have to process all 5 in parallel. However, if we process them in parallel, then there is no easy way for the individual instance to know the stop of itself will violate the maxAllowedOffline = 3 constraint unless we put a lock on everything.

[MarkGaox]

Another way to handle this is to process instances by the amount of maxAllowedOffline. Say our maxAllowedOffline = 3, and there are 10 instances in the same zone. In the first iteration, we process instance1-3. If the cumulative stoppable instances count doesn't exceed maxAllowedOffline, we do the next iteration of instances4-6 and so on. But I'm worried about the performance in this design because now our API can only batchProcess maxAllowedOffline number of instances in parallel. If the instanceList is super long, our check could take many iteration to be finished.

[desaikomal]

My 2cents: first comes correctness and then comes performance optimization. i am not completely plugged into your work, but correctness is very important to focus on.

[xyuanlu]

Can we keep -1 and have special handling when MaxOfflineInstances <0?

[MarkGaox]

I think a even more reasonable solution is to not allow user do stoppableCheck if they didn't provide maxOfflineInstancesAllowed in their cluster config. What do you think?

[xyuanlu]

Why we want to create a new list?

[xyuanlu]

Thanks for addressing comments. I think the Max offline instance in cluster config also include disabled instances.

helix/helix-core/src/main/java/org/apache/helix/model/ClusterConfig.java

Line 74 in 054d77a

MAX_OFFLINE_INSTANCES_ALLOWED,

[MarkGaox]

This PR is approved by @xyuanlu, final commit message:
"Implement 'StoppableCheck' Flag to Ensure Maintenance Mode is Avoided After Stoppable Instances are offline"

[MarkGaox]

@xyuanlu the failed test is testEvacuationWithOfflineInstancesInCluster which is a known flaky test.