[controller] Add DegradedModeRecoveryService, metrics, and E2E test#2760
Merged
mynameborat merged 12 commits intoJun 5, 2026
Merged
Conversation
misyel
reviewed
Apr 28, 2026
Contributor
Code reviewFound 1 issue:
🤖 Generated with Claude Code - If this code review was useful, please react with 👍. Otherwise, react with 👎. |
mynameborat
force-pushed
the
degraded-mode/pr4-recovery-metrics-e2e
branch
4 times, most recently
from
a7a03f5 to
f3339b6
Compare
misyel
reviewed
Jun 1, 2026
14 tasks
degraded-mode batch push - DegradedModeRecoveryService: 2-phase recovery orchestrator (initiate + confirm) with orphaned PARTIALLY_ONLINE detection for leader failover, configurable thread pool, and retry backoff. Triggers automatically on DC unmark when auto-recovery is enabled. - DegradedModeStats: 9 OTel metrics + latency histogram for recovery, push auto-conversion, incremental push blocking, and degraded DC duration monitoring. - RecoveryProgressResponse: REST API model for recovery progress tracking. - GET_RECOVERY_PROGRESS endpoint in ClusterRoutes and AdminSparkServer. - UpdateClusterConfigQueryParams: setDegradedModeEnabled for dynamic feature flag control. - E2E integration test: full lifecycle (enable -> mark DC -> batch push -> verify auto-conversion -> unmark DC -> verify recovery) plus incremental push blocking and idempotent unmark tests. - Wired metrics recording into VeniceParentHelixAdmin for push auto-convert and inc push block. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rRoute test entry - Extract RecoveryProgress and StoreVersionPair into top-level RecoveryProgress.java to keep DegradedModeRecoveryService under 500-line enforce-lines-added limit. - Extract monitor logic (duration metrics, orphan detection) into DegradedDcMonitor.java. - Add GET_RECOVERY_PROGRESS to ControllerRouteDimensionTest expected values. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Blocking fixes: - Gate orphan detection behind isDegradedModeAutoRecoveryEnabled in DegradedDcMonitor to honor the opt-in guarantee (duration metrics still always emit) - Change exception in isVersionCurrentInRegion to skip+log region instead of defaulting to regionNeedsRecovery=true (avoids recovery on transient ZK blips) Runtime bug fixes: - Implement getCurrentVersionInRegion in VeniceParentHelixAdmin (queries child controller) - Implement updateStoreVersionStatus in VeniceHelixAdmin (ZK store metadata update with lock) - Both were default methods that threw VeniceUnsupportedOperationException at runtime Correctness fixes: - Skipped stores (no longer PARTIALLY_ONLINE) now increment recovered counter so progressFraction reaches 1.0 - Catch InterruptedException separately in Phase 2 confirmation and re-interrupt thread - Add comment clarifying PARTIALLY_ONLINE overlap with DeferredVersionSwapService - Fix "exponential backoff" comment — it is linear Observability improvements: - Add cluster+datacenter dimensions to recordRecoveryProgress gauge - Rate-limit timeout alert log to once per 10 minutes - Use time-based progress logging (every 5 min) instead of poll-count based - Add SLOW RECOVERY warning when Phase 2 polling exceeds 30 minutes - Add awaitTermination for degradedDcMonitor in close() - Add comment explaining why thread pools and duration monitor always run Testing: - E2E test now verifies dc-1 has version + data after recovery - Updated test assertions for skipped-store counter change - Mock multiClusterConfigs in recovery service tests for config gate Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The local integration test cluster does not support cross-DC data recovery (prepareDataRecovery → initiateDataRecovery). The recovery flow is fully covered by unit tests in TestDegradedModeRecoveryService. The E2E test now verifies the version exists on the parent after the deferred version swap, rather than asserting dc-1 recovery completion which cannot work in a local test environment. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
end-to-end, collapse state into LiveClusterConfig Builds on the staged AdminOperation v100 schema (previous commit) by activating the new protocol version and using the new degradedDatacenters field to propagate the set of degraded DCs from parent to child controllers per push. Also collapses the separate DegradedDcStates ZK repo back into LiveClusterConfig (matching the original feature-branch design) and adds a small DVSS fix needed for the multi-target degraded-mode push to converge to PARTIALLY_ONLINE. Schema activation - build.gradle: drop the v98 AdminOperation override so Java regenerates from v100 - AvroProtocolDefinition.ADMIN_OPERATION: 98 -> 100 Per-message propagation of degraded DCs - VeniceParentHelixAdmin.getAddVersionMessage: populate addVersion.degradedDatacenters from getDegradedDatacenters(clusterName) at version-creation time (gated on isDegradedModeEnabled) - AdminExecutionTask.handleAddVersion: read message.degradedDatacenters to determine isDegradedDC instead of relying on child-local ZK (which was never populated cross-region). This makes the AdminExecutionTask isDegradedDC branch fire correctly on child controllers and prevents degraded DCs from ingesting versions even when versionSwapDeferred=true. DeferredVersionSwapService fix - Add a fourth branch in getRegionsToRollForward: when some non-target regions failed and the rest are already ONLINE (no PUSHED-completed regions left to roll forward), mark the parent as PARTIALLY_ONLINE. Without this branch, a multi-target deferred-swap push that excludes a degraded DC (e.g. target= dc-0,dc-2; excluded=dc-1) gets stuck at PUSHED forever because the existing branches require either all non-targets failed (PARTIALLY_ONLINE) or all non-targets online (ONLINE). Collapse DegradedDcStates into LiveClusterConfig - LiveClusterConfig: add degradedDatacenters Map<String, DegradedDcInfo> field plus add/remove/isDatacenterDegraded/getDegradedDatacenters helpers. Jackson-serialized, additive, backward-compatible. - VeniceHelixAdmin: markDatacenterDegraded / unmarkDatacenterDegraded now read+modify+write LiveClusterConfig under one cluster write lock (atomic). getDegradedDcStates() -> getDegradedDatacenters() returning Map directly. Removed clusterToDegradedDcStatesRepo and its lazy-init. - Admin interface, VeniceParentHelixAdmin, DegradedDcMonitor, ClusterRoutes, CreateVersion: updated callers to the new method signature. - VeniceZkPaths: removed DEGRADED_DC_STATES constant. - Deleted: DegradedDcStates, HelixReadWriteDegradedDcStatesRepository, HelixReadOnlyDegradedDcStatesRepository (never instantiated in main src), TestDegradedDcStates, TestHelixDegradedDcStatesRepository. - Test files updated: TestVeniceParentHelixAdmin, TestDegradedModeRecoveryService, ClusterRoutesTest, CreateVersionTest, AdminExecutionTaskTest. The AdminExecutionTask tests now exercise the field-on-message path instead of mocking getDegradedDcStates. End-to-end test - DegradedModeBatchPushTest: enable DVSS in controller props, setTargetRegionSwapWaitTime(0) so DVSS evaluates immediately, replace the naive waitForNonDeterministicPushCompletion (poisoned by the correctly-skipped dc-1 reporting NOT_CREATED) with a target-region-aware queryJobStatus poll, call queryJobStatus(..., true) once to trigger the STARTED -> PUSHED transition, and wait for the parent version to reach PARTIALLY_ONLINE. Runs in ~21s locally on a passing iteration (~2min total build). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ervice Splits DegradedModeRecoveryService (511 LOC, over the 500-line lint threshold) into two cohesive classes. No behavior change. DegradedModeRecoveryService (305 LOC) keeps cross-store orchestration: - triggerRecovery (Phase 1: prepare + initiate per store) - confirmRecoveryAndTransitionVersions (Phase 2: poll completion + transition) - findPartiallyOnlineStores (discovery) - thread pools, progress tracking, lifecycle, public API StoreRecoveryExecutor (251 LOC) owns per-store recovery operations: - recoverSingleStore (pre-check + retry/backoff around prepare → poll-ready → initiate) - pollUntilReady (readiness polling helper) - resolveSourceFabric (source-fabric resolution helper) - pollUntilVersionCurrent + VersionPollResult enum (Phase 2 polling) - Owns the constants and tunables relevant to per-store recovery: MAX_RETRIES, READINESS_POLL_*, DEFAULT_RECOVERY_COMPLETION_POLL_*. setRecoveryCompletionPollParameters on the service forwards to the executor so existing tests don't need to learn about the executor. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
phantom-recovery gate, lazy service Phantom-recovery gate (VeniceParentHelixAdmin.unmarkDatacenterDegraded) - Pre-check getDegradedDatacenters().containsKey(dc) before recording the active-DC metric and calling triggerRecovery. The inner unmark is idempotent — without this gate, calling unmark on a not-currently-degraded DC fired a phantom recovery cycle. Lazy DegradedModeRecoveryService - Only instantiate the service (and its thread pools + degraded-dc monitor) if at least one cluster on this parent has isDegradedModeAutoRecoveryEnabled. Hot-enabling later requires a controller restart. close() and getRecoveryProgress() are null-safe; the trigger site is reached only when the per-cluster check is true, which implies the service exists. RedundantExceptionFilter for poll-progress logs (StoreRecoveryExecutor) - Replace manual lastLogMs / "fire-once" bookkeeping in pollUntilVersionCurrent with a process-wide RedundantExceptionFilter (5-min window). Per-store dedup is implicit in the message content (store + version + dc). - Pull SLOW_RECOVERY_THRESHOLD_MS to a constant. DegradedDcMonitor timeout alert dedup - Replace the single AtomicLong rate-limit with a RedundantExceptionFilter (10-min window) so alerts dedup per (cluster, dc) rather than globally — previously dc-2 alerts could be suppressed because dc-1 had just alerted. Import nits - DegradedModeBatchPushTest: import JobStatusQueryResponse and ExecutionStatus instead of FQNs. - Admin: import DegradedDcInfo instead of FQN in getDegradedDatacenters return type. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…Cs under degraded mode Production VPJ pushes already pass targetedRegions through the target-region- push-with-deferred-swap path, so the previous "skip auto-convert when targetedRegions is non-empty" gate made degraded mode a no-op for every real push (flagged in PR review). Change the guard: - If caller did NOT supply targetedRegions: base target = all known DCs (as before). - If caller DID supply targetedRegions: base target = the supplied list. In either case, drop degraded DCs from the base target; if the resulting set is empty, throw VeniceException with a message naming the requested and degraded sets. Only flip versionSwapDeferred and record the auto-conversion metric when the intersection actually dropped at least one DC — pushes that already excluded every degraded DC are passed through unchanged. Tests: - testAutoConversionIntersectsSuppliedTargetedRegionsWithHealthyDcs (new) — VPJ-style supplied [dc-0, dc-1, dc-2], dc-1 degraded → effective target [dc-0, dc-2], versionSwapDeferred forced true. - testAutoConversionThrowsWhenAllSuppliedTargetsAreDegraded (new) — supplied [dc-1] only, dc-1 degraded → VeniceException with the new message. - testAutoConversionNoOpWhenSuppliedTargetsAlreadyExcludeDegradedDcs (new) — supplied [dc-0, dc-2], dc-1 degraded → target unchanged, no metric. - Updated testAutoConversionThrowsWhenAllDcsDegraded to match the new exception message. - Removed testAutoConversionSkippedWhenTargetedRegionsAlreadySet (asserted the old short-circuit behavior). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
relocation, sequential E2E Phase 2 polling consolidated to a single dedicated thread (PR review B8) - Replace the per-store Future fan-out in confirmRecoveryAndTransitionVersions with a single dedicated executor (degraded-mode-phase2-poller). The new task iterates all initiated stores per tick: each store either transitions to ONLINE / counts as SUPERSEDED / increments an attempt counter, then sleeps the configured interval and repeats until pending is empty. - Frees recoveryExecutor from being held for hours by Phase-2 stragglers, so Phase 1 of subsequent DC recoveries can proceed. - progress.markComplete() + recordRecoveryProgress() + logPostRecoveryActions() now run at the end of the Phase 2 task (or immediately when there are no initiated stores). The monitor thread releases as soon as Phase 1 is done. InterruptedException handling (A3) - The Phase 2 loop catches InterruptedException distinctly: re-interrupt the thread, log how many stores were left unprocessed, return without recording failure. On controller leader failover, the new leader's DegradedDcMonitor re-detects orphaned PARTIALLY_ONLINE versions and retriggers — no change needed there. DeferredVersionSwapService: drop the parallel-path PARTIALLY_ONLINE branch (A4) - Reviewer noted the new branch I added in getRegionsToRollForward isn't reached in production (deferred-swap pushes always go through the sequential rollout path). The sequential path already handles the degraded-mode case via the existing "version null after retries → PARTIALLY_ONLINE" logic in getNextRegionToRollForward. - Reconfigure DegradedModeBatchPushTest to use sequential rollout (set DEFERRED_VERSION_SWAP_REGION_ROLL_FORWARD_ORDER), which matches the prod config. Delete the parallel-path branch — was only ever reachable in tests. E2E recovery assertion stays soft (E17/E18) - Tried strengthening to assert dc-1's currentVersion catches up after unmark and data is readable through dc-1's router. The local integration cluster doesn't actually plumb cross-DC data recovery — prepareDataRecovery / initiateDataRecovery succeed at the controller layer but the data doesn't ingest in dc-1. So we keep the "version remains on parent" check and document explicitly that end-to-end recovery is covered by the unit-level TestDegradedModeRecoveryService with admin and child controller mocks. Unit tests - testConfirmRecoveryAndTransitionVersions now wraps in waitForNonDeterministicAssertion(progress.isComplete()) since Phase 2 is asynchronous. - StoreRecoveryExecutor.pollUntilVersionCurrent split into checkAndMaybeTransition (single-shot per-store check + transition that the Phase 2 loop iterates) plus the existing helpers; VersionPollResult gains a PENDING variant. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
discriminator Activate the v45 schema staged in d572750f0 and use the new isDegradedPush boolean to distinguish degraded-mode auto-converted pushes from other sources of PARTIALLY_ONLINE (DVSS partial rollforward, rollbacks). Parent stamps isDegradedPush=true on the Version inside the ZK write transaction when the auto-conversion path actually drops a degraded DC. DegradedModeRecoveryService.findPartiallyOnlineStores now takes the recovering DC and filters to versions where isDegradedPush=true AND the DC is excluded from targetSwapRegion. DegradedDcMonitor's orphan scanner is simplified to call the new predicate per region instead of probing isVersionCurrentInRegion.
mynameborat
force-pushed
the
degraded-mode/pr4-recovery-metrics-e2e
branch
from
ce0b777 to
a5607e6
Compare
misyel
reviewed
Jun 5, 2026
There was a problem hiding this comment.
Pull request overview
Adds automated post–degraded-DC recovery orchestration on the parent controller, plus new degraded-mode observability (OTel/Tehuti metrics + a recovery-progress REST endpoint) and expanded test coverage (unit + E2E).
Changes:
- Introduces
DegradedModeRecoveryService+StoreRecoveryExecutor+DegradedDcMonitorto trigger and monitor recovery ofPARTIALLY_ONLINEversions after a DC is unmarked. - Adds
DegradedModeStats(OTel + Tehuti) and wires new routeGET /get_recovery_progress. - Migrates degraded DC state storage from
DegradedDcStatesZK node toLiveClusterConfig(degraded.datacenters), updating controller logic and tests accordingly.
Reviewed changes
Copilot reviewed 41 out of 42 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| services/venice-controller/src/test/java/com/linkedin/venice/controller/TestVeniceParentHelixAdmin.java | Updates parent-admin tests for new degraded-DC API + targeted-region intersection behavior. |
| services/venice-controller/src/test/java/com/linkedin/venice/controller/TestDegradedModeRecoveryService.java | New unit tests for recovery orchestration + orphan detection + retries. |
| services/venice-controller/src/test/java/com/linkedin/venice/controller/stats/DegradedModeStatsOtelTest.java | New OTel metrics tests for degraded-mode stats. |
| services/venice-controller/src/test/java/com/linkedin/venice/controller/server/CreateVersionTest.java | Updates degradedDatacenters response population tests for new API. |
| services/venice-controller/src/test/java/com/linkedin/venice/controller/server/ClusterRoutesTest.java | Updates degraded-DC routes test for new API response type. |
| services/venice-controller/src/test/java/com/linkedin/venice/controller/kafka/consumer/AdminExecutionTaskTest.java | Updates skipConsumption tests to use AddVersion’s embedded degradedDatacenters. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/VeniceParentHelixAdmin.java | Wires metrics, recovery service trigger on unmark, targeted-region intersection, and AddVersion degradedDatacenters snapshotting. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/VeniceHelixAdmin.java | Moves degraded DC state to LiveClusterConfig and adds version-status update API. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/VeniceControllerClusterConfig.java | Adds per-cluster config for auto-recovery enablement and recovery thread pool size. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/VeniceController.java | Registers degraded-mode metric entity for controller service metrics. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/UserSystemStoreLifeCycleHelper.java | Updates addVersion call signature with new isDegradedPush parameter. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/StoreRecoveryExecutor.java | New per-store recovery execution + polling/transition logic with retry/backoff and metrics. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/stats/DegradedModeStats.java | New degraded-mode metrics (recovery/push/duration/active-count). |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/server/CreateVersion.java | Updates degradedDatacenters population to use new degradedDatacenters map API. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/server/ClusterRoutes.java | Adds GET recovery progress route + updates degraded-DC route to new API. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/server/AdminSparkServer.java | Registers GET /get_recovery_progress endpoint. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/RecoveryProgress.java | New in-memory recovery progress model shared by service + API response. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/kafka/consumer/AdminExecutionTask.java | Uses AddVersion.degradedDatacenters to decide degraded-region skipConsumption locally. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/DegradedModeRecoveryService.java | New orchestrator for recovery and phase-2 completion polling + monitor wiring. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/DegradedDcMonitor.java | New scheduled monitor for degraded-DC duration metrics + orphan recovery detection. |
| services/venice-controller/src/main/java/com/linkedin/venice/controller/Admin.java | Adds new Admin APIs: getDegradedDatacenters/getRecoveryProgress/getCurrentVersionInRegion/updateStoreVersionStatus. |
| internal/venice-test-common/src/integrationTest/java/com/linkedin/venice/endToEnd/DegradedModeBatchPushTest.java | New multi-region E2E tests for degraded-mode lifecycle + incremental push blocking + idempotent unmark. |
| internal/venice-test-common/src/integrationTest/java/com/linkedin/venice/controller/TestVeniceHelixAdminWithSharedEnvironment.java | Updates addVersion call signature with new isDegradedPush parameter. |
| internal/venice-common/src/test/java/com/linkedin/venice/meta/TestLiveClusterConfig.java | Adds tests for new degraded.datacenters LiveClusterConfig field + backwards compat deserialization. |
| internal/venice-common/src/test/java/com/linkedin/venice/meta/TestDegradedDcStates.java | Removes tests for deleted DegradedDcStates model. |
| internal/venice-common/src/test/java/com/linkedin/venice/helix/TestHelixDegradedDcStatesRepository.java | Removes tests for deleted degraded-DC ZK repositories. |
| internal/venice-common/src/test/java/com/linkedin/venice/controllerapi/ControllerRouteDimensionTest.java | Adds route dimension coverage for GET_RECOVERY_PROGRESS. |
| internal/venice-common/src/main/java/com/linkedin/venice/zk/VeniceZkPaths.java | Removes ZK path constant for deleted degraded-DC states node. |
| internal/venice-common/src/main/java/com/linkedin/venice/serialization/avro/AvroProtocolDefinition.java | Bumps protocol IDs for new AdminOperation and StoreMetaValue schemas. |
| internal/venice-common/src/main/java/com/linkedin/venice/meta/VersionImpl.java | Implements isDegradedPush field propagation (including clone). |
| internal/venice-common/src/main/java/com/linkedin/venice/meta/Version.java | Adds isDegradedPush API to Version contract. |
| internal/venice-common/src/main/java/com/linkedin/venice/meta/ReadOnlyStore.java | Delegates isDegradedPush; disallows mutation. |
| internal/venice-common/src/main/java/com/linkedin/venice/meta/LiveClusterConfig.java | Adds degraded.datacenters map + helpers (add/remove/isDegraded). |
| internal/venice-common/src/main/java/com/linkedin/venice/meta/DegradedDcStates.java | Deletes legacy DegradedDcStates model. |
| internal/venice-common/src/main/java/com/linkedin/venice/meta/DegradedDcInfo.java | Updates documentation for new storage location (LiveClusterConfig). |
| internal/venice-common/src/main/java/com/linkedin/venice/helix/HelixReadWriteDegradedDcStatesRepository.java | Deletes legacy degraded-DC ZK repository. |
| internal/venice-common/src/main/java/com/linkedin/venice/helix/HelixReadOnlyDegradedDcStatesRepository.java | Deletes legacy degraded-DC ZK repository. |
| internal/venice-common/src/main/java/com/linkedin/venice/controllerapi/UpdateClusterConfigQueryParams.java | Adds updateClusterConfig support for degraded.mode.enabled. |
| internal/venice-common/src/main/java/com/linkedin/venice/controllerapi/RecoveryProgressResponse.java | New controller API response type for recovery progress endpoint. |
| internal/venice-common/src/main/java/com/linkedin/venice/controllerapi/ControllerRoute.java | Adds GET_RECOVERY_PROGRESS route definition. |
| internal/venice-common/src/main/java/com/linkedin/venice/ConfigKeys.java | Adds degraded-mode auto-recovery configs. |
| build.gradle | Removes Avro codegen versionOverrides now that new protocol versions are active. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…uard - Admin.java: replace fully-qualified java.util.Map / Collections with imported forms (already imported in the file). - StoreRecoveryExecutor.checkAndMaybeTransition: on the TIMED_OUT branch, also call progress.incrementFailed() and re-record progress so progressFraction reaches 1.0 — previously only the stats metric fired, leaving the in-memory counter (and post-recovery summary) out of sync. - DegradedModeRecoveryService.runPhase2Loop: finalize the recovery (markComplete) before clearing initiatedStores. The orphan monitor's gate is existing != null && !existing.isComplete(); flipping isComplete first ensures the next monitor tick sees the recovery as done before per-store state is torn down. - DegradedModeRecoveryService.close: shut down executors in dependency-chain order (degradedDcMonitor -> recoveryExecutor -> monitorExecutor -> phase2Executor) with per-step awaitTermination via a small helper, so an upstream task can never submit to a downstream executor that is already shut down (RejectedExecutionException). - DegradedDcMonitor.detectAndRecoverOrphanedVersions: early-exit when any DC in the cluster is currently degraded. The orphan-recovery window is only valid post-unmark; recovering into a still-degraded DC is wasted work, and the unmark path triggers recovery directly when the DC is brought back. Tests: - TestDegradedModeRecoveryService.testConfirmRecoveryAndTransitionVersions: assert getFailedStores() == 1 on the timeout path (new behavior). - TestDegradedModeRecoveryService.testOrphanScanSkippedWhileAnyDatacenterDegrade d: new test confirming the orphan scan short-circuits while a DC is degraded.
… metric
correctness
- VeniceParentHelixAdmin.unmarkDatacenterDegraded: null-check
degradedModeRecoveryService
before calling triggerRecovery. The service is null when no cluster on the
parent had
auto-recovery enabled at startup; hot-flipping the per-cluster flag at
runtime would
have NPE'd the unmark path. Now logs+skips with a clear restart-required
message.
- VeniceParentHelixAdmin (constructor comment): the previous comment claimed
the recovery
service + DC duration monitor are "always created" — they are not. Up
dated to describe
the actual behavior (instantiated only when at least one cluster has
auto-recovery
enabled at startup; duration metrics are not emitted otherwise).
- VeniceHelixAdmin.getDegradedDatacenters: wrap the returned map in
Collections.unmodifiableMap. LiveClusterConfig#getDegradedDatacenters
returns the
underlying map reference from the ZK-cached config; without the wrap,
callers could
mutate the cache in-memory without persisting through
markDatacenterDegraded /
unmarkDatacenterDegraded.
- VeniceHelixAdmin.updateStoreVersionStatus: only transition when current
status is
PARTIALLY_ONLINE. Matches the Admin interface doc ("Only transitions if the
version
is still PARTIALLY_ONLINE") and prevents a late recovery completion from
silently
clobbering a concurrent terminal transition (ERROR / KILLED) to a different
status.
- DegradedModeStats.recordRecoveryProgress: scale the 0.0-1.0 fraction to a
0-100
integer percentage. Venice OTel gauges store values as long internally, so
the raw
fraction would truncate to 0 for any in-flight progress and hide everything
below
100%. Updated the OTel test to assert 50 for input 0.5.
- DegradedModeStats.DEGRADED_DC_ACTIVE_COUNT: add VENICE_CLUSTER_NAME
dimension and
thread clusterName through recordDegradedDcActiveCount. Previously the
gauge was
dimensionless but recorded per-cluster counts, so on a multi-cluster parent
it
flapped between clusters' counts and was not interpretable. Call sites in
markDatacenterDegraded / unmarkDatacenterDegraded updated; OTel test
asserts the
new clusterAttributes() match.
misyel
approved these changes
Jun 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
After a degraded DC is unmarked, stores with PARTIALLY_ONLINE versions need to be recovered (data re-replicated to the recovering DC). Without automation, operators must manually trigger data recovery for each affected store — tedious and error-prone in large clusters. Additionally, there is no observability into degraded mode operations (push auto-conversions, incremental push blocks, recovery progress, DC degradation duration).
This is part of the degraded-mode batch push feature (PRs #2681, #2741, #2732 already merged).
Solution
DegradedModeRecoveryService
degraded.mode.recovery.thread.pool.size.DegradedModeStats (9 OTel metrics + latency histogram)
recovery.store_success_count/recovery.store_failure_countrecovery.version_transitioned_countrecovery.progress(gauge, 0.0-1.0)push.auto_converted_count/push.blocked_incremental_countdc.active_count/dc.duration_minutesrecovery.store_duration_ms(avg/max)REST API
GET /get_recovery_progress?cluster=X&datacenter_name=Y— returns recovery status, progress fraction, store counts.E2E Integration Test
Code changes
degraded.mode.auto.recovery.enabled(default:false),degraded.mode.recovery.thread.pool.size(default:5)Concurrency-Specific Checks
activeRecoveriesusesConcurrentHashMap.compute()for atomic check-and-replace.RecoveryProgressusesAtomicIntegerandvolatile booleanfor thread-safe progress tracking.initiatedStoresusesCollections.synchronizedList.VeniceConcurrentHashMapfor active recoveries,Collections.synchronizedListfor initiated stores.How was this PR tested?
TestDegradedModeRecoveryService(17 tests covering happy path, retries, failures, orphan detection, version supersession, leader failover, re-trigger after completion)DegradedModeBatchPushTest(4 E2E tests)DegradedModeStatsOtelTest(12 tests)Does this PR introduce any user-facing or breaking changes?
degraded.mode.auto.recovery.enabled=falseby default). New REST endpoint is additive. Metrics are new counters/gauges.