KAFKA-19648; Cluster metadata bootstrapping with kraft checkpoint

[mannoopj]

Previously, bootstrap metadata was stored in a separate
bootstrap.checkpoint file, while the zero checkpoint contained only
KRaft control records. This change unifies them by having the Formatter
append bootstrap metadata records into the zero checkpoint alongside the
existing KRaft control records, integrating with KRaft's bootstrapping
checkpoint mechanisms like RaftClient.Listener#handleLoadBootstrap and
KIP-630 snapshot lifecycle management.

QuorumController's handleLoadBootstrap now extracts bootstrap records
from the zero checkpoint and stores them as BootstrapMetadata, which is
later committed by ActivationRecordsGenerator when the controller
activates on an empty metadata log.

The BootstrapDirectory class is removed and its functionality
consolidated into static methods on BootstrapMetadata#fromDirectory
reads from the legacy bootstrap.checkpoint (falling back to defaults),
and fromCheckpointFile reads from a specific checkpoint path.
StorageTool now only writes the bootstrap snapshot when the node has the
Controller role. KafkaClusterTestKit is updated to pass non-feature
versions, non-SCRAM bootstrap records to the Formatter as additional
bootstrap records.

Reviewers: José Armando García Sancio jsancio@apache.org, Kevin Wu
kevin.wu2412@gmail.com

[kevin-wu24]

Thanks for the changes @mannoopj. Some high level comments:

[kevin-wu24]

There is a clearer way to make these changes. This method is what writes the 0-0.checkpoint currently. We should pass the bootstrap metadata object here and append the metadata records using writer.append.append(bootstrapMetadata.records()) before calling writer.freeze().

[kevin-wu24]

We should rename writeDynamicQuorumSnapshot to writeZeroSnapshot, and write it when formatting metadata directories. The semantics that change here are that we should not write the KRaft control records (KRaft version and voter set) when !isDynamicMetadataDirectory().

[kevin-wu24]

This code is confusing. Instead of doing this renaming and deleting. We should instead remove the call to write the bootstrap metadata to disk on Line 447, since we're no longer writing bootstrap.checkpoint anymore, and follow the other comments for writing metadata records to 0-0.checkpoint.

We can check if an old bootstrap.checkpoint exists and delete it, since IIRC that was part of the KIP.

[kevin-wu24]

Thanks for the changes @mannoopj. Left some more comments

[kevin-wu24]

Suggested change

	try (RecordsSnapshotWriter<ApiMessageAndVersion> writer = builder.build(new MetadataRecordSerde(), Optional.of(bootstrapMetadata.records()))) {
	writer.freeze();
	try (RecordsSnapshotWriter<ApiMessageAndVersion> writer = builder.build(new MetadataRecordSerde()))) {
	writer.append(bootstrapMetadata.records());
	writer.freeze();

[mannoopj]

Wouldn't this write the bootstrap records after the control records, since in RecordsSnapshotWriter.build() is where we append the kraft records and we would be calling that ahead of writer.append in this scenario? we want the bootstrap records ahead correct?

[kevin-wu24]

It doesn't matter what order we write them in because KRaft only reads the control records, and the metadata module will only read the "data" records. When we read the 0-0.checkpoint back into memory, we only deal with either its control records or its data records, not both in the same code.

[kevin-wu24]

We should be able to remove this. This applies to other instances where we build the RecordsSnapshotWriter.

[kevin-wu24]

We need to pass the optional for initialControllers here. We can only do a .get() if initialControllers.isPresent().

[kevin-wu24]

We should only construct the VoterSet object if initialControllers.isPresent().

[kevin-wu24]

The correct logic here is:
If the batch has records, read them into bootstrapMetadata (this means 0-0.checkpoint has bootstrap metadata records).
If the batch doesn't have records, try to read the bootstrapMetadata from bootstrap.checkpoint.

[kevin-wu24]

Thanks for the changes @mannoopj. Review of the metadata layer implementation:

[kevin-wu24]

This should not change. The default level of features is 0, and that is why we don't add a record for them when the level is 0.

[kevin-wu24]

If we are at L76, that means we do 0-0.checkpoint doesn't exist. This is where we should read from bootstrap.checkpoint. If that doesn't exist too, then we call readFromConfiguration().

[kevin-wu24]

Actually, if you look at how we're reading stuff in, we probably don't even need to change this file. We don't need to call BootstrapDirectory#read for the 0-0.checkpoint because we are using handleLoadSnapshot, which already puts the checkpoint in memory for us.

[kevin-wu24]

We should remove bootstrapMetadata here and in ControllerServer since it is just being passed down to QuorumController eventually. We initialize it in QuorumController.

[kevin-wu24]

Some background on how the KafkaClusterTestKit works:

Basically, tests that use this class are "integration tests" in the sense that we're trying to replicate a real cluster, just all within the same JVM. That means multiple brokerServers and controllerServers. This file shouldn't change outside of removing nodes.bootstrapMetadata() from the ControllerServer constructor.

[kevin-wu24]

Left a high level comment @mannoopj

[kevin-wu24]

To make this change more compatible for the existing test framework, we should instead pass down a BootstrapCheckpointFactory/Builder or something like that. Then have two separate implementations:

One for tests that specifies a BootstrapMetadata object all in-memory based on the factory.
In the actual implementation, we can point that factory to the actual files on disk we would be reading.

Either way, in QuorumController#handleLoadSnapshot, that is when we actually "resolve" this bootstrap metadata stuff by calling a method on the factory/builder object.\

EDIT: after looking at QuorumTestHarness and KafkaClusterTestKit, we shouldn't need to do this.

[kevin-wu24]

Left some more comments regarding the metadata layer implementation @mannoopj

[kevin-wu24]

Why are we changing this code?

We shouldn't change this code though, because when the log is non-empty, it means the bootstrap metadata records have already been written in the log before.

[kevin-wu24]

This is the wrong if condition. We should check !batch.records.isEmpty.

If the 0-0.checkpoint does not have metadata records, AND bootstrapMetadata == null at this point, we should throw an IllegalStateException, because we cannot construct bootstrapMetadata.

[kevin-wu24]

If we're not reading the 0-0.checkpoint, bootstrapMetadata is either:

1. read from bootstrap.checkpoint and passed down here, so it is non-null.
2. null, because it should have already been written to the log as part of the 0-0.checkpoint.

[kevin-wu24]

We should allow bootstrapMetadata to be null here because we can be in the case where we bootstrapped using 0-0.checkpoint, but that file no longer exists because it was cleaned up by KRaft. However, bootstrapMetadata cannot be null when we call recordsForEmptyLog. It can be null when we call recordsForNonEmptyLog

[kevin-wu24]

When we are reading in the 0-0.checkpoint, the ONLY thing we should be doing if !messages.isEmpty() in this method is using messages to construct a bootstrapMetadata object. It should not append an event even I think...

0-0.checkpoint is special because its records are uncommitted, unlike all other checkpoints this method handles, and need to be written to the log when a leader is determined.

This changed because previously, 0-0.checkpoint did not contain any metadata records, just KRaft control records potentially.

[mannoopj]

What are these other threads that read bootstrapMetadata?

Was working under the assumptions that the raft io thread was calling listener.handleLoadBootstrap. Didnt realize appendRaftEvent adds this to the controller event thread.

[jsancio]

Did you file an issue for this? If so can you link it here?

[jsancio]

Thanks for the feature @mannoopj . Just some minor comments.

[jsancio]

@mannoopj there are test failures please take a look.

[mannoopj]

@mannoopj there are test failures please take a look.

The integration tests failure can be mapped out this way:
`On trunk:

1. Test sets @ClusterFeature(feature = Feature.GROUP_VERSION, version = 0)
2. RaftClusterInvocationContext builds newFeatureLevels map with group.version=0
3. BootstrapMetadata.fromVersions() skips level 0 — nodes.bootstrapMetadata() has no GROUP_VERSION record (implicitly 0)
4. KafkaClusterTestKit.formatNode() loops through bootstrapMetadata.records() — no GROUP_VERSION record found, so formatter.setFeatureLevel("group.version") is never called
5. Formatter's calculateEffectiveFeatureLevels() sees GROUP_VERSION is missing, fills in default (e.g. 1) — writes bootstrap.checkpoint with GROUP_VERSION=1
6. bootstrap.checkpoint is never read — KafkaClusterTestKit doesn't use KafkaRaftServer.initializeLogDirs()
7. ControllerServer gets nodes.bootstrapMetadata() directly — no GROUP_VERSION record
8. ActivationRecordsGenerator writes bootstrapMetadata.records() to metadata log — no GROUP_VERSION record
9. Broker sees no GROUP_VERSION in metadata log — level 0 — API disabled — test passes

On this branch:

1. Test sets @ClusterFeature(feature = Feature.GROUP_VERSION, version = 0)
2. RaftClusterInvocationContext builds newFeatureLevels map with group.version=0
3. BootstrapMetadata.fromVersions() skips level 0 — nodes.bootstrapMetadata() has no GROUP_VERSION record (implicitly 0)
4. KafkaClusterTestKit.formatNode() loops through bootstrapMetadata.records() — no GROUP_VERSION record found, so formatter.setFeatureLevel("group.version") is never called
5. Formatter's calculateEffectiveFeatureLevels() sees GROUP_VERSION is missing, fills in default (e.g. 1) — writes the zero checkpoint with GROUP_VERSION=1
6. ControllerServer gets nodes.bootstrapMetadata() directly — no GROUP_VERSION record (still correct at this point)
7. handleLoadBootstrap reads the zero checkpoint — finds GROUP_VERSION=1 — overwrites bootstrapMetadata with GROUP_VERSION=1
8. ActivationRecordsGenerator writes the overwritten bootstrapMetadata.records() to metadata log — GROUP_VERSION=1
9. Broker sees GROUP_VERSION=1 in metadata log — level 1 — API enabled — test fails`

This seems like an existing bug that never manifested. The problem now is Formatter needs a way to know if a feature is 0 or not. Since not writing FeatureLevelRecords set to 0 is correct and wanted behavior i think we need to pass in some sort of explicit list of features so that calculateEffectiveFeatureLevels can set these to 0.

@jsancio @kevin-wu24

[jsancio]

This seems like an existing bug that never manifested. The problem now is Formatter needs a way to know if a feature is 0 or not. Since not writing FeatureLevelRecords set to 0 is correct and wanted behavior i think we need to pass in some sort of explicit list of features so that calculateEffectiveFeatureLevels can set these to 0.

Yes, looks like the issue is with how the test is constructed. Can we avoid using BootstrapMetadata for bootstrapping the the cluster nodes? For example, can the test be configured using the Formatter directly?

[kevin-wu24]

Hi @mannoopj,

To me, the issue seems to be in step 4. In the current code, KafkaClusterTestKit formatting logic is using the TestKitNodes.bootstrapMetadata as the source of truth for feature levels, which does not exactly mirror how the storage tool actually works. The storage tool takes the "defaults" from the supplied release-version, and then any manual feature overrides using --feature= take priority over that.

I think this test infra logic only differs when a builder of TestKitNodes explicitly sets a feature value to 0 but has a metadata version whose bootstrap version for said feature is not 0. If said feature's value was not set to 0, the feature record is present in bootstrapMetadata and therefore this test infra logic does behave just like the storage tool. Maybe the fix is to pass some additional state like disabledFeatures down to KafkaClusterTestKit. Then you are able to call Formatter.setFeatureLevel accordingly.

I think this difference is a consequence of the integration tests needing to generate BootstrapMetadata "earlier" than when the actual kafka would generate that object. In the integration tests, ControllerServer exists before Formatter (IMO it is out of scope to change that in this PR, but maybe that should not be the case...), which does not happen in the actual implementation.

[mannoopj]

I went with @kevin-wu24's suggestion here as it was the most straight forward solution. Restructuring the Test infra to avoid using BootstrapMetadata seems to me to be out of scope of this PR.

[jsancio]

LGTM. Thanks for the feature @mannoopj

[chia7712]

Should we keep the isDynamicMetadataDirectory() condition here? I noticed that the E2E tests fail in combined mode with multiple log directories because the pure data folders end up containing the unexpected __cluster_metadata-0 directory

kafka/core/src/main/scala/kafka/server/KafkaRaftServer.scala

Line 150 in 6bfa194

throw new KafkaException(s"Found unexpected metadata location in data directory `$clusterMetadataTopic` " +

[kevin-wu24]

Maybe we should change this check to isMetadataDirectory. We should still write a 0-0.checkpoint for static quorums. Basically:

boolean isMetadataDirectory() {
    return this != LOG_DIRECTORY;
}

[chia7712]

@kevin-wu24 Yes, your approach is much better and more precise. We will file a patch tomorrow if there is no objection.

[jsancio]

Thanks @chia7712 and @kevin-wu24 . Let's make sure we have a test that covers this case.

[majialoong]

Thanks for catching this and for the discussion. I opened a PR to address this issue: #22418