Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-9144

Early expiration of producer state can cause coordinator epoch to regress

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.0.1, 2.1.1, 2.2.2, 2.4.0, 2.3.1
    • 2.2.3, 2.3.2, 2.4.1
    • None
    • None

    Description

      Transaction markers are written by the transaction coordinator. In order to fence zombie coordinators, we use the leader epoch associated with the coordinator partition. Partition leaders verify the epoch in the WriteTxnMarker request and ensure that it can only increase. However, when producer state expires, we stop tracking the epoch and it is possible for monotonicity to be violated. Generally we expect expiration to be on the order of days, so it should be unlikely for this to be a problem.

      At least that is the theory. We observed a case where a coordinator epoch decreased between nearly consecutive writes within a couple minutes of each other. Upon investigation, we found that producer state had been incorrectly expired. We believe the sequence of events is the following:

      1. Producer writes transactional data and fails before committing
      2. Coordinator times out the transaction and writes ABORT markers
      3. Upon seeing the ABORT and the bumped epoch, the partition leader deletes state from the last epoch, which effectively resets the last timestamp for the producer to -1.
      4. The coordinator becomes a zombie before getting a successful response and continues trying to send
      5. The new coordinator notices the incomplete transaction and also sends markers
      6. The partition leader accepts the write from the new coordinator
      7. The producer state is expired because the last timestamp was -1
      8. The partition leader accepts the write from the old coordinator

      Basically it takes an alignment of planets to hit this bug, but it is possible. If you hit it, then the broker may be unable to start because we validate epoch monotonicity during log recovery. The problem is in 3 when the timestamp gets reset. We should use the timestamp from the marker instead.

       

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            hachikuji Jason Gustafson
            hachikuji Jason Gustafson
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment