atomr-cluster 0.6.0

Membership, gossip, reachability, vector clocks, and split-brain resolvers for atomr clusters.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313

//! Leader election.
//!
//! The leader is the lowest-address `Up`/`Leaving` member that's reachable
//! from the current node — deterministic given the gossip-converged
//! membership state. This module implements that pure function plus the
//! transition rules that fire on each gossip tick.
//!
//! The full state machine (`Joining → Up → Leaving → Exiting →
//! Removed`) lives here as helpers; the active driver that wires
//! these into the gossip loop is Phase 6.B.

use atomr_core::actor::Address;

use crate::member::{Member, MemberStatus};
use crate::membership::MembershipState;

/// Pick the deterministic leader from a [`MembershipState`].
///
/// Algorithm: among reachable members in the `Up` or `Leaving`
/// status, return the one with the lowest `Address` (lexicographic
/// over the `Display` form). Returns `None` if no eligible member
/// exists.
pub fn elect_leader(state: &MembershipState) -> Option<Address> {
    let mut eligible: Vec<&Member> = state
        .members
        .iter()
        .filter(|m| matches!(m.status, MemberStatus::Up | MemberStatus::Leaving))
        .filter(|m| state.reachability.is_reachable(&m.address))
        .collect();
    eligible.sort_by_key(|a| a.address.to_string());
    eligible.first().map(|m| m.address.clone())
}

/// Compute the next status for a member given the current convergence
/// state. Returns `None` if no transition applies.
///
/// * `Joining` → `Up` once convergence is reached and this member is
///   reachable from the leader.
/// * `Leaving` → `Exiting` once the leader sees the leave intent.
/// * `Exiting` → `Removed` once the leader-side cleanup completes.
/// * `Down` → `Removed` once the gossip purge interval elapses.
pub fn next_status(current: MemberStatus, converged: bool) -> Option<MemberStatus> {
    match (current, converged) {
        (MemberStatus::Joining, true) => Some(MemberStatus::Up),
        (MemberStatus::Leaving, true) => Some(MemberStatus::Exiting),
        (MemberStatus::Exiting, true) => Some(MemberStatus::Removed),
        (MemberStatus::Down, _) => Some(MemberStatus::Removed),
        _ => None,
    }
}

/// Convergence holds when every member that this node believes is
/// alive is also reachable. gossip uses convergence as a
/// pre-condition for the leader's status-transition tick (the
/// leader won't move members from `Joining → Up` while a partition
/// is in flight).
///
/// Simplified vs. upstream: we don't track per-node "seen" sets yet,
/// so this is the local-view variant. A partitioned member shows up
/// as unreachable; once SBR (or a heartbeat recovery) resolves it,
/// convergence holds again. `Down` members don't block convergence
/// because they're already on the way out.
pub fn is_converged(state: &MembershipState) -> bool {
    state.members.iter().all(|m| {
        if matches!(m.status, MemberStatus::Down | MemberStatus::Removed) {
            return true;
        }
        state.reachability.is_reachable(&m.address)
    })
}

#[cfg(test)]
mod tests {
    use super::*;

    fn member(addr: &str, status: MemberStatus) -> Member {
        let mut m = Member::new(Address::local(addr), vec![]);
        m.status = status;
        m
    }

    #[test]
    fn leader_is_lowest_address_up_member() {
        let mut s = MembershipState::new();
        s.add_or_update(member("c", MemberStatus::Up));
        s.add_or_update(member("a", MemberStatus::Up));
        s.add_or_update(member("b", MemberStatus::Up));
        assert_eq!(elect_leader(&s), Some(Address::local("a")));
    }

    #[test]
    fn leader_skips_non_up_members() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Joining));
        s.add_or_update(member("b", MemberStatus::Up));
        assert_eq!(elect_leader(&s), Some(Address::local("b")));
    }

    #[test]
    fn leader_skips_unreachable_members() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        s.add_or_update(member("b", MemberStatus::Up));
        // Mark "a" unreachable from "b".
        s.reachability.unreachable(Address::local("b"), Address::local("a"));
        assert_eq!(elect_leader(&s), Some(Address::local("b")));
    }

    #[test]
    fn no_leader_when_no_eligible_members() {
        let s = MembershipState::new();
        assert_eq!(elect_leader(&s), None);
    }

    #[test]
    fn next_status_transitions() {
        assert_eq!(next_status(MemberStatus::Joining, true), Some(MemberStatus::Up));
        assert_eq!(next_status(MemberStatus::Joining, false), None);
        assert_eq!(next_status(MemberStatus::Leaving, true), Some(MemberStatus::Exiting));
        assert_eq!(next_status(MemberStatus::Exiting, true), Some(MemberStatus::Removed));
        assert_eq!(next_status(MemberStatus::Down, false), Some(MemberStatus::Removed));
        assert_eq!(next_status(MemberStatus::Up, true), None);
    }

    #[test]
    fn convergence_holds_when_everyone_reachable() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        s.add_or_update(member("b", MemberStatus::Joining));
        assert!(is_converged(&s));
    }

    #[test]
    fn convergence_fails_when_a_member_is_unreachable() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        s.add_or_update(member("b", MemberStatus::Up));
        s.reachability.unreachable(Address::local("a"), Address::local("b"));
        assert!(!is_converged(&s));
    }

    #[test]
    fn down_members_do_not_block_convergence() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        s.add_or_update(member("b", MemberStatus::Down));
        // b is Down so its reachability doesn't matter for convergence.
        s.reachability.unreachable(Address::local("a"), Address::local("b"));
        assert!(is_converged(&s));
    }
}

// -- Distributed leader-election handover ---------------------------

/// Handover event emitted by a [`LeaderHandover`] watcher when the
/// elected leader changes between snapshots.
/// `Cluster.LeaderChanged` event published on the cluster's domain
/// event stream.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LeaderHandoverEvent {
    pub from: Option<Address>,
    pub to: Option<Address>,
}

/// Watcher that detects leader transitions across successive
/// [`MembershipState`] snapshots. Stateful: holds the previous
/// snapshot's leader and emits a [`LeaderHandoverEvent`] only on
/// change.
///
/// Wire it up by calling [`LeaderHandover::observe`] every gossip
/// tick — a `Some(event)` return value means a handover occurred and
/// should be published. Across-process handover comes from the
/// cluster daemon broadcasting these events on the
/// [`crate::ClusterEventBus`] via remote.
#[derive(Debug, Default, Clone)]
pub struct LeaderHandover {
    previous: Option<Address>,
}

impl LeaderHandover {
    pub fn new() -> Self {
        Self::default()
    }

    /// Observe a new membership snapshot. Returns `Some(event)` if
    /// the leader changed since the last observation; `None` if it
    /// did not.
    pub fn observe(&mut self, state: &MembershipState) -> Option<LeaderHandoverEvent> {
        let next = elect_leader(state);
        if self.previous != next {
            let event = LeaderHandoverEvent { from: self.previous.clone(), to: next.clone() };
            self.previous = next;
            return Some(event);
        }
        None
    }

    /// The leader observed at the last call to [`Self::observe`].
    pub fn current(&self) -> Option<&Address> {
        self.previous.as_ref()
    }
}

#[cfg(test)]
mod handover_tests {
    use super::*;

    fn member(addr: &str, status: MemberStatus) -> Member {
        let mut m = Member::new(Address::local(addr), vec![]);
        m.status = status;
        m
    }

    #[test]
    fn first_observation_emits_initial_election() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        let mut h = LeaderHandover::new();
        let ev = h.observe(&s).unwrap();
        assert_eq!(ev.from, None);
        assert_eq!(ev.to, Some(Address::local("a")));
    }

    #[test]
    fn no_event_when_leader_unchanged() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        let mut h = LeaderHandover::new();
        h.observe(&s);
        assert!(h.observe(&s).is_none());
    }

    #[test]
    fn leader_leaving_triggers_handover_to_next_member() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        s.add_or_update(member("b", MemberStatus::Up));
        let mut h = LeaderHandover::new();
        h.observe(&s);
        assert_eq!(h.current(), Some(&Address::local("a")));

        // 'a' transitions to Leaving — still eligible — leader unchanged.
        let mut leaving = MembershipState::new();
        leaving.add_or_update(member("a", MemberStatus::Leaving));
        leaving.add_or_update(member("b", MemberStatus::Up));
        assert!(h.observe(&leaving).is_none());

        // 'a' transitions to Exiting (no longer eligible). Leader now b.
        let mut exiting = MembershipState::new();
        exiting.add_or_update(member("a", MemberStatus::Exiting));
        exiting.add_or_update(member("b", MemberStatus::Up));
        let ev = h.observe(&exiting).unwrap();
        assert_eq!(ev.from, Some(Address::local("a")));
        assert_eq!(ev.to, Some(Address::local("b")));
    }

    #[test]
    fn leader_becoming_unreachable_triggers_handover() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        s.add_or_update(member("b", MemberStatus::Up));
        let mut h = LeaderHandover::new();
        h.observe(&s);
        // Mark 'a' unreachable from b. Leader becomes b.
        s.reachability.unreachable(Address::local("b"), Address::local("a"));
        let ev = h.observe(&s).unwrap();
        assert_eq!(ev.from, Some(Address::local("a")));
        assert_eq!(ev.to, Some(Address::local("b")));
    }

    #[test]
    fn no_eligible_members_emits_to_none() {
        let mut s = MembershipState::new();
        s.add_or_update(member("a", MemberStatus::Up));
        let mut h = LeaderHandover::new();
        h.observe(&s);

        // a is removed — no eligible leader remains.
        let mut empty = MembershipState::new();
        empty.add_or_update(member("a", MemberStatus::Removed));
        let ev = h.observe(&empty).unwrap();
        assert_eq!(ev.from, Some(Address::local("a")));
        assert_eq!(ev.to, None);
    }

    #[test]
    fn handover_through_full_cluster_lifecycle() {
        let mut h = LeaderHandover::new();

        // 3 members all Up: leader is a.
        let mut s1 = MembershipState::new();
        for n in ["a", "b", "c"] {
            s1.add_or_update(member(n, MemberStatus::Up));
        }
        assert_eq!(h.observe(&s1).unwrap().to, Some(Address::local("a")));

        // a leaves: leader becomes b.
        let mut s2 = MembershipState::new();
        s2.add_or_update(member("a", MemberStatus::Removed));
        for n in ["b", "c"] {
            s2.add_or_update(member(n, MemberStatus::Up));
        }
        assert_eq!(h.observe(&s2).unwrap().to, Some(Address::local("b")));

        // b leaves too: leader becomes c.
        let mut s3 = MembershipState::new();
        for n in ["a", "b"] {
            s3.add_or_update(member(n, MemberStatus::Removed));
        }
        s3.add_or_update(member("c", MemberStatus::Up));
        assert_eq!(h.observe(&s3).unwrap().to, Some(Address::local("c")));
    }
}