fix cluster not able to spin up issue when disk usage exceeds threshold

[zane-neo]

Description

root cause:

1. Observability plugin creates system index during cluster startup: link, and if cluster has index block state persisted, during the node startup this block will be applied to cluster state and index creation fails, then this exception is been thrown.
2. OpenSearch starts cluster in this method and the error will be thrown again util the OpenSearch startup command execution finished.
3. At the moment of the startup command complete, the JVM only has daemon threads without any non-daemon threads, and thus JVM exits, then cluster been shut down.

Changing the code of cluster start part to first start the keepAliveThread which is a non-daemon thread to make sure at least one non-daemon thread is running thus the JVM won't exit.

Related Issues

#14791

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

❌ Gradle check result for d9096b2: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[dblock]

Thanks for opening this! Would like someone who understands the code, maybe @andrross or @mch2 to take a look please?

In the meantime @zane-neo you should get this PR to green, with a CHANGELOG, etc.

[zane-neo]

Thanks for opening this! Would like someone who understands the code, maybe @andrross or @mch2 to take a look please?

In the meantime @zane-neo you should get this PR to green, with a CHANGELOG, etc.

Sure, this is a draft PR to prove this can fix the issue, but this fix has drawbacks, e.g. it changes the ClusterBlocks.java's field modifier, I'll figure out a better approach to fix this and make the checks green.

[github-actions]

❌ Gradle check result for 7ce9886: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 3e8df68: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[zane-neo]

❌ Gradle check result for c81fbc1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

java.lang.AssertionError: expected:<11001+ hits> but was:<11000 hits>
	at __randomizedtesting.SeedInfo.seed([10BFA3E8E0AFB2EA:5976454878AC632A]:0)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:120)
	at org.junit.Assert.assertEquals(Assert.java:146)
	at org.opensearch.search.approximate.ApproximatePointRangeQueryTests.testApproximateRangeWithSizeOverDefault(ApproximatePointRangeQueryTests.java:191)

This seems a flaky test not related to the change.

[github-actions]

✅ Gradle check result for c81fbc1: SUCCESS

[andrross]

Naively speaking, if node.start() doesn't succeeded, then there is nothing to keep alive and the JVM shutting down seems like the right thing to do. It seems like this change could lead to a partially-started or not-at-all-started node running indefinitely because the keepAliveThread will just keep it alive in some sort of zombie state after node.start() failed. What am I missing?

[dbwiddis]

Naively responding, I've no objection to the JVM shutting down, but having spent way too many hours trying to figure out why the JVM shut down in various situations, I'd be really happy to have at least one thread faithfully logging whatever issues caused it to shut down, before shutting itself down.

[zane-neo]

Not all node.start() failing means the JVM should quit, like the case in the corresponding issue, if we're able to keep JVM running, user can fix this issue simply by changing the cluster settings. So the fix is to provide user the capability to interact with the running cluster(even partially-started).
And for those cases node.start() failing and the cluster is not available at all case, this fix doesn't have real impact because in the end user needs to check error/fatal logs to fix the root cause. This change doesn't add any blocking to user but w/o this change, the first case users are blocked.
So in all I think this is a positive enhancement to user.

[andrross]

like the case in the corresponding issue, if we're able to keep JVM running, user can fix this issue simply by changing the cluster settings.

This seems like a really blunt change for an extremely specific case. In general, quitting the JVM and letting it restart is preferable to continuing to run in a partially-started state. Prior to this change, a transient failure in node.start() might automatically recover because the JVM would quit and whatever is monitoring the process would restart it. Now there is a risk (in my opinion) that the process will continue running in a non-functional partially-started state that will require human intervention to resolve. How do we know that is not a risk here?

The assumption that anything useful can be done with a partially started node was true in the specific case mentioned but is not true in general.

[andrross]

but having spent way too many hours trying to figure out why the JVM shut down in various situations, I'd be really happy to have at least one thread faithfully logging whatever issues caused it to shut down, before shutting itself down.

@dbwiddis Not logging why the JVM shutdown is clearly a problem. However, I'd argue this change might make things considerably worse. Instead of knowing there's a problem (because the process restarted) we'll instead have a partially-started node running in a crippled state with no indication that something went wrong during startup.

[zane-neo]

I agree in some real edge case a half-started node are healthy from monitor might be true, but it's more convincible if you can provide examples on this. Let's discuss on other possible solutions first:

1. Confirm with observability if it's possible to not throw exception to block the cluster startup, I have created an issue: [BUG] Observability plugin's system index creating is impacting on OpenSearch node starts observability#1872
2. Change the node start code to add disk usage check and update the state when cluster manager is elected, this needs much more efforts since the state transition during startup is complicated and the disk usage check code might need refactor. This also adds a lot of code review effort, I hope you can help on this if this works out.

I believe the second one would be the long term solution, and the first one could be short term. If either one works out, I don't have objection to rollback this change. WDYT?

[dbwiddis]

Solution (1) definitely needs to be fixed, particularly in light of #16340, and not just in the short term. (And I just realized now that bug is more serious than I thought it was because of this.)

I agree (2) is the right direction to go generally, but don't see much detail there.

[dbwiddis]

If either one works out, I don't have objection to rollback this change.

Can we roll it back sooner rather than later? The unmerged backport/lack of changelog will make every backport PR creation fail until the main and 2.x changelogs sync up.

[zane-neo]

I can create the revert PR now, and I'll look into the solution 2 for a long term solution.

[dbwiddis]

Thanks @zane-neo . Please also consider solution 1 and/or the bug I reported. One of the two of those issues should be fixed ASAP.

[github-actions]

❌ Gradle check result for af9d70d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 7f24452: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for 7f24452: SUCCESS

[dblock]

I'm going to merge this as it has been sitting here for a while and is a visible bug fix, but @andrross do let @zane-neo know if you want more changes on top of it.

[dblock]

Thanks @zane-neo for hanging in here with us and @dbwiddis and @andrross for your thoughtful comments and help with moving forward!