[MDSAL-158] EntityOwnershipService does not specify what it provides mutual exclusion over Created: 12/Apr/16  Updated: 16/Mar/19

Status: Confirmed
Project: mdsal
Component/s: EOS
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Colin Dixon Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All

Issue Links:
Blocks
blocks CONTROLLER-1491 Entity Ownership Service: support gra... Resolved
blocks MDSAL-390 Entity Ownership Service: need to exc... Confirmed
is blocked by CONTROLLER-1488 EntityOwnershipListener missing owner... Resolved
External issue ID: 5711

 Description   

The current EntityOwnershipService API simply provides getOwnershipState(), but doesn't provide a notion of how long that state will be valid for or to only take certain actions assuming the ownership state is a certain value.

This makes using the EntityOwnershipService for applications somewhat complex. The high-level behavior I think applications are looking for from EntityOwnershipService is mutual exclusion, that is that only one instance of OpenDaylight will be the owner at any given point in time.

The problem is that that with the RAFT (or really any other distributed system) backing of the EntityOwnershipService doesn't provide a single view of the ownership state at a given point in wall-clock time, but only in terms of logical time (that is transactions on the shard keeping ownership state date).

The result is that it is entirely possible for two different instances of OpenDaylight to be at different logical times and both believe that they are the owner for a given entity at the same wall-clock time. As a concrete example:

  • Assume we have 3 instances, A, B, and C
  • Assume A starts as the owner for entity X
  • At some point, B tries to become the owner for X
  • When B writes it, we get a quorum from B and C, so A still doesn't know about the change
  • From when B hears that transaction committed until A hears about it, both A and B believe they are the owner for X

To solve this, you need some way for applications to say, "Assuming I am still the owner of X, please do the following things." This is effectively an atomic test-and-set: https://en.wikipedia.org/wiki/Test-and-set

 Comments   
Comment by Colin Dixon [ 12/Apr/16 ]

I can see two obvious ways to approach this problem:

1.) Expose a notion of logical time explicitly so that applications can ask if they are the owner of X at logical time t. Then when they go to do something, they can say, assuming logical time is <= t do this.

2.) Expose the notion of logical time implicitly through a test-and-set method, e.g., assuming the value of leaf Y is Z at the shard leader, then do this.

Because the only things we currently provide strong ordering over are data store operations, this will only apply to data store operations. (Apparently in YANG 1.1, you order notifications and and RPCs with respect to data operations, so that will likely come later.)

In effect, both 1.) and 2.) would have to do the same thing, which is to send a transaction to the leader where the leader can check if logical time is <= t or if leaf Y is Z and then either process the transaction or fail it.

This would at least give the correct behavior which is that an application wouldn't be able to accidentally take actions while it erroneously believed it was the leader. It has the disadvantage of involving an interaction with the leader of the shard storing the entity ownership state every time you want to do something that assumes you are the owner of a given entity.

You can fix some of that by issuing leases on ownership of entities and promising not to violate those leases even if the owner becomes inactive. You need to be careful to account for clock skew and drift when deciding if a lease is still active though.

Comment by Robert Varga [ 13/Apr/16 ]

Linking bugs which are essentially feature requests on the EOS API.

Comment by Colin Dixon [ 13/Apr/16 ]

The other thing we need to think through is how this interacts with shards.

A logical call to "assuming I'm the owner for entity X, do Y" would likely need to first go to the shard leader for the entity ownership shard and then be forwarded to the shard leader(s) for the various edits to Y. As long as call calls corresponded to the same pair of shards (call them shard(X) and shard(Y))

I think this would work assuming that the logic at the leader for shard(X) made sure to keep the ordering between incoming conditional writes and outgoing unconditional writes.

Comment by Colin Dixon [ 10/May/16 ]

The fundamental problem here is that this API implies that it provides mutual exclusion, but that is meaningless without a definition of time. Most people would assume that the time would be wall-clock time, but this API clearly does not provide mutual exclusion over wall-clock time.

Instead, if we want this to provide mutual exclusion, we need to adopt a definition of (logical) time for which it provides mutual exclusion.

I will try to drive the API definition done by M4.

Comment by Colin Dixon [ 10/May/16 ]

The fix for BUG-5414 makes it less likely that you violate mutual exclusion as defined by wall-clock time, but it's still possible.

Generated at Wed Feb 07 20:08:47 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.