syntax = "proto3"; package rpcpb; import "github.com/gogo/protobuf/gogoproto/gogo.proto"; option (gogoproto.marshaler_all) = true; option (gogoproto.sizer_all) = true; option (gogoproto.unmarshaler_all) = true; option (gogoproto.goproto_getters_all) = false; message Request { Operation Operation = 1; // Member contains the same Member object from tester configuration. Member Member = 2; // Tester contains tester configuration. Tester Tester = 3; } // SnapshotInfo contains SAVE_SNAPSHOT request results. message SnapshotInfo { string MemberName = 1; repeated string MemberClientURLs = 2; string SnapshotPath = 3; string SnapshotFileSize = 4; string SnapshotTotalSize = 5; int64 SnapshotTotalKey = 6; int64 SnapshotHash = 7; int64 SnapshotRevision = 8; string Took = 9; } message Response { bool Success = 1; string Status = 2; // Member contains the same Member object from tester request. Member Member = 3; // SnapshotInfo contains SAVE_SNAPSHOT request results. SnapshotInfo SnapshotInfo = 4; } service Transport { rpc Transport(stream Request) returns (stream Response) {} } message Member { // EtcdExec is the executable etcd binary path in agent server. string EtcdExec = 1 [(gogoproto.moretags) = "yaml:\"etcd-exec\""]; // AgentAddr is the agent HTTP server address. string AgentAddr = 11 [(gogoproto.moretags) = "yaml:\"agent-addr\""]; // FailpointHTTPAddr is the agent's failpoints HTTP server address. string FailpointHTTPAddr = 12 [(gogoproto.moretags) = "yaml:\"failpoint-http-addr\""]; // BaseDir is the base directory where all logs and etcd data are stored. string BaseDir = 101 [(gogoproto.moretags) = "yaml:\"base-dir\""]; // EtcdClientProxy is true when client traffic needs to be proxied. // If true, listen client URL port must be different than advertise client URL port. bool EtcdClientProxy = 201 [(gogoproto.moretags) = "yaml:\"etcd-client-proxy\""]; // EtcdPeerProxy is true when peer traffic needs to be proxied. // If true, listen peer URL port must be different than advertise peer URL port. bool EtcdPeerProxy = 202 [(gogoproto.moretags) = "yaml:\"etcd-peer-proxy\""]; // EtcdClientEndpoint is the etcd client endpoint. string EtcdClientEndpoint = 301 [(gogoproto.moretags) = "yaml:\"etcd-client-endpoint\""]; // Etcd defines etcd binary configuration flags. Etcd Etcd = 302 [(gogoproto.moretags) = "yaml:\"etcd\""]; // EtcdOnSnapshotRestore defines one-time use configuration during etcd // snapshot recovery process. Etcd EtcdOnSnapshotRestore = 303; // ClientCertData contains cert file contents from this member's etcd server. string ClientCertData = 401 [(gogoproto.moretags) = "yaml:\"client-cert-data\""]; string ClientCertPath = 402 [(gogoproto.moretags) = "yaml:\"client-cert-path\""]; // ClientKeyData contains key file contents from this member's etcd server. string ClientKeyData = 403 [(gogoproto.moretags) = "yaml:\"client-key-data\""]; string ClientKeyPath = 404 [(gogoproto.moretags) = "yaml:\"client-key-path\""]; // ClientTrustedCAData contains trusted CA file contents from this member's etcd server. string ClientTrustedCAData = 405 [(gogoproto.moretags) = "yaml:\"client-trusted-ca-data\""]; string ClientTrustedCAPath = 406 [(gogoproto.moretags) = "yaml:\"client-trusted-ca-path\""]; // PeerCertData contains cert file contents from this member's etcd server. string PeerCertData = 501 [(gogoproto.moretags) = "yaml:\"peer-cert-data\""]; string PeerCertPath = 502 [(gogoproto.moretags) = "yaml:\"peer-cert-path\""]; // PeerKeyData contains key file contents from this member's etcd server. string PeerKeyData = 503 [(gogoproto.moretags) = "yaml:\"peer-key-data\""]; string PeerKeyPath = 504 [(gogoproto.moretags) = "yaml:\"peer-key-path\""]; // PeerTrustedCAData contains trusted CA file contents from this member's etcd server. string PeerTrustedCAData = 505 [(gogoproto.moretags) = "yaml:\"peer-trusted-ca-data\""]; string PeerTrustedCAPath = 506 [(gogoproto.moretags) = "yaml:\"peer-trusted-ca-path\""]; // SnapshotPath is the snapshot file path to store or restore from. string SnapshotPath = 601 [(gogoproto.moretags) = "yaml:\"snapshot-path\""]; // SnapshotInfo contains last SAVE_SNAPSHOT request results. SnapshotInfo SnapshotInfo = 602; } message Tester { string DataDir = 1 [(gogoproto.moretags) = "yaml:\"data-dir\""]; string Network = 2 [(gogoproto.moretags) = "yaml:\"network\""]; string Addr = 3 [(gogoproto.moretags) = "yaml:\"addr\""]; // DelayLatencyMsRv is the delay latency in milliseconds, // to inject to simulated slow network. uint32 DelayLatencyMs = 11 [(gogoproto.moretags) = "yaml:\"delay-latency-ms\""]; // DelayLatencyMsRv is the delay latency random variable in milliseconds. uint32 DelayLatencyMsRv = 12 [(gogoproto.moretags) = "yaml:\"delay-latency-ms-rv\""]; // UpdatedDelayLatencyMs is the update delay latency in milliseconds, // to inject to simulated slow network. It's the final latency to apply, // in case the latency numbers are randomly generated from given delay latency field. uint32 UpdatedDelayLatencyMs = 13 [(gogoproto.moretags) = "yaml:\"updated-delay-latency-ms\""]; // RoundLimit is the limit of rounds to run failure set (-1 to run without limits). int32 RoundLimit = 21 [(gogoproto.moretags) = "yaml:\"round-limit\""]; // ExitOnCaseFail is true, then exit tester on first failure. bool ExitOnCaseFail = 22 [(gogoproto.moretags) = "yaml:\"exit-on-failure\""]; // EnablePprof is true to enable profiler. bool EnablePprof = 23 [(gogoproto.moretags) = "yaml:\"enable-pprof\""]; // CaseDelayMs is the delay duration after failure is injected. // Useful when triggering snapshot or no-op failure cases. uint32 CaseDelayMs = 31 [(gogoproto.moretags) = "yaml:\"case-delay-ms\""]; // CaseShuffle is true to randomize failure injecting order. bool CaseShuffle = 32 [(gogoproto.moretags) = "yaml:\"case-shuffle\""]; // Cases is the selected test cases to schedule. // If empty, run all failure cases. repeated string Cases = 33 [(gogoproto.moretags) = "yaml:\"cases\""]; // FailpointCommands is the list of "gofail" commands // (e.g. panic("etcd-tester"),1*sleep(1000). repeated string FailpointCommands = 34 [(gogoproto.moretags) = "yaml:\"failpoint-commands\""]; // RunnerExecPath is a path of etcd-runner binary. string RunnerExecPath = 41 [(gogoproto.moretags) = "yaml:\"runner-exec-path\""]; // ExternalExecPath is a path of script for enabling/disabling an external fault injector. string ExternalExecPath = 42 [(gogoproto.moretags) = "yaml:\"external-exec-path\""]; // Stressers is the list of stresser types: // KV, LEASE, ELECTION_RUNNER, WATCH_RUNNER, LOCK_RACER_RUNNER, LEASE_RUNNER. repeated Stresser Stressers = 101 [(gogoproto.moretags) = "yaml:\"stressers\""]; // Checkers is the list of consistency checker types: // KV_HASH, LEASE_EXPIRE, NO_CHECK, RUNNER. // Leave empty to skip consistency checks. repeated string Checkers = 102 [(gogoproto.moretags) = "yaml:\"checkers\""]; // StressKeySize is the size of each small key written into etcd. int32 StressKeySize = 201 [(gogoproto.moretags) = "yaml:\"stress-key-size\""]; // StressKeySizeLarge is the size of each large key written into etcd. int32 StressKeySizeLarge = 202 [(gogoproto.moretags) = "yaml:\"stress-key-size-large\""]; // StressKeySuffixRange is the count of key range written into etcd. // Stress keys are created with "fmt.Sprintf("foo%016x", rand.Intn(keySuffixRange)". int32 StressKeySuffixRange = 203 [(gogoproto.moretags) = "yaml:\"stress-key-suffix-range\""]; // StressKeySuffixRangeTxn is the count of key range written into etcd txn (max 100). // Stress keys are created with "fmt.Sprintf("/k%03d", i)". int32 StressKeySuffixRangeTxn = 204 [(gogoproto.moretags) = "yaml:\"stress-key-suffix-range-txn\""]; // StressKeyTxnOps is the number of operations per a transaction (max 64). int32 StressKeyTxnOps = 205 [(gogoproto.moretags) = "yaml:\"stress-key-txn-ops\""]; // StressClients is the number of concurrent stressing clients // with "one" shared TCP connection. int32 StressClients = 301 [(gogoproto.moretags) = "yaml:\"stress-clients\""]; // StressQPS is the maximum number of stresser requests per second. int32 StressQPS = 302 [(gogoproto.moretags) = "yaml:\"stress-qps\""]; } enum StresserType { KV_WRITE_SMALL = 0; KV_WRITE_LARGE = 1; KV_READ_ONE_KEY = 2; KV_READ_RANGE = 3; KV_DELETE_ONE_KEY = 4; KV_DELETE_RANGE = 5; KV_TXN_WRITE_DELETE = 6; LEASE = 10; ELECTION_RUNNER = 20; WATCH_RUNNER = 31; LOCK_RACER_RUNNER = 41; LEASE_RUNNER = 51; } message Stresser { string Type = 1 [(gogoproto.moretags) = "yaml:\"type\""]; double Weight = 2 [(gogoproto.moretags) = "yaml:\"weight\""]; } enum Checker { KV_HASH = 0; LEASE_EXPIRE = 1; RUNNER = 2; NO_CHECK = 3; } message Etcd { string Name = 1 [(gogoproto.moretags) = "yaml:\"name\""]; string DataDir = 2 [(gogoproto.moretags) = "yaml:\"data-dir\""]; string WALDir = 3 [(gogoproto.moretags) = "yaml:\"wal-dir\""]; // HeartbeatIntervalMs is the time (in milliseconds) of a heartbeat interval. // Default value is 100, which is 100ms. int64 HeartbeatIntervalMs = 11 [(gogoproto.moretags) = "yaml:\"heartbeat-interval\""]; // ElectionTimeoutMs is the time (in milliseconds) for an election to timeout. // Default value is 1000, which is 1s. int64 ElectionTimeoutMs = 12 [(gogoproto.moretags) = "yaml:\"election-timeout\""]; repeated string ListenClientURLs = 21 [(gogoproto.moretags) = "yaml:\"listen-client-urls\""]; repeated string AdvertiseClientURLs = 22 [(gogoproto.moretags) = "yaml:\"advertise-client-urls\""]; bool ClientAutoTLS = 23 [(gogoproto.moretags) = "yaml:\"auto-tls\""]; bool ClientCertAuth = 24 [(gogoproto.moretags) = "yaml:\"client-cert-auth\""]; string ClientCertFile = 25 [(gogoproto.moretags) = "yaml:\"cert-file\""]; string ClientKeyFile = 26 [(gogoproto.moretags) = "yaml:\"key-file\""]; string ClientTrustedCAFile = 27 [(gogoproto.moretags) = "yaml:\"trusted-ca-file\""]; repeated string ListenPeerURLs = 31 [(gogoproto.moretags) = "yaml:\"listen-peer-urls\""]; repeated string AdvertisePeerURLs = 32 [(gogoproto.moretags) = "yaml:\"initial-advertise-peer-urls\""]; bool PeerAutoTLS = 33 [(gogoproto.moretags) = "yaml:\"peer-auto-tls\""]; bool PeerClientCertAuth = 34 [(gogoproto.moretags) = "yaml:\"peer-client-cert-auth\""]; string PeerCertFile = 35 [(gogoproto.moretags) = "yaml:\"peer-cert-file\""]; string PeerKeyFile = 36 [(gogoproto.moretags) = "yaml:\"peer-key-file\""]; string PeerTrustedCAFile = 37 [(gogoproto.moretags) = "yaml:\"peer-trusted-ca-file\""]; string InitialCluster = 41 [(gogoproto.moretags) = "yaml:\"initial-cluster\""]; string InitialClusterState = 42 [(gogoproto.moretags) = "yaml:\"initial-cluster-state\""]; string InitialClusterToken = 43 [(gogoproto.moretags) = "yaml:\"initial-cluster-token\""]; int64 SnapshotCount = 51 [(gogoproto.moretags) = "yaml:\"snapshot-count\""]; int64 QuotaBackendBytes = 52 [(gogoproto.moretags) = "yaml:\"quota-backend-bytes\""]; bool PreVote = 63 [(gogoproto.moretags) = "yaml:\"pre-vote\""]; bool InitialCorruptCheck = 64 [(gogoproto.moretags) = "yaml:\"initial-corrupt-check\""]; string Logger = 71 [(gogoproto.moretags) = "yaml:\"logger\""]; // LogOutputs is the log file to store current etcd server logs. repeated string LogOutputs = 72 [(gogoproto.moretags) = "yaml:\"log-outputs\""]; string LogLevel = 73 [(gogoproto.moretags) = "yaml:\"log-level\""]; } enum Operation { // NOT_STARTED is the agent status before etcd first start. NOT_STARTED = 0; // INITIAL_START_ETCD is only called to start etcd, the very first time. INITIAL_START_ETCD = 10; // RESTART_ETCD is sent to restart killed etcd. RESTART_ETCD = 11; // SIGTERM_ETCD pauses etcd process while keeping data directories // and previous etcd configurations. SIGTERM_ETCD = 20; // SIGQUIT_ETCD_AND_REMOVE_DATA kills etcd process and removes all data // directories to simulate destroying the whole machine. SIGQUIT_ETCD_AND_REMOVE_DATA = 21; // SAVE_SNAPSHOT is sent to trigger local member to download its snapshot // onto its local disk with the specified path from tester. SAVE_SNAPSHOT = 30; // RESTORE_RESTART_FROM_SNAPSHOT is sent to trigger local member to // restore a cluster from existing snapshot from disk, and restart // an etcd instance from recovered data. RESTORE_RESTART_FROM_SNAPSHOT = 31; // RESTART_FROM_SNAPSHOT is sent to trigger local member to restart // and join an existing cluster that has been recovered from a snapshot. // Local member joins this cluster with fresh data. RESTART_FROM_SNAPSHOT = 32; // SIGQUIT_ETCD_AND_ARCHIVE_DATA is sent when consistency check failed, // thus need to archive etcd data directories. SIGQUIT_ETCD_AND_ARCHIVE_DATA = 40; // SIGQUIT_ETCD_AND_REMOVE_DATA_AND_STOP_AGENT destroys etcd process, // etcd data, and agent server. SIGQUIT_ETCD_AND_REMOVE_DATA_AND_STOP_AGENT = 41; // BLACKHOLE_PEER_PORT_TX_RX drops all outgoing/incoming packets from/to // the peer port on target member's peer port. BLACKHOLE_PEER_PORT_TX_RX = 100; // UNBLACKHOLE_PEER_PORT_TX_RX removes outgoing/incoming packet dropping. UNBLACKHOLE_PEER_PORT_TX_RX = 101; // DELAY_PEER_PORT_TX_RX delays all outgoing/incoming packets from/to // the peer port on target member's peer port. DELAY_PEER_PORT_TX_RX = 200; // UNDELAY_PEER_PORT_TX_RX removes all outgoing/incoming delays. UNDELAY_PEER_PORT_TX_RX = 201; } // Case defines various system faults or test case in distributed systems, // in order to verify correct behavior of etcd servers and clients. enum Case { // SIGTERM_ONE_FOLLOWER stops a randomly chosen follower (non-leader) // but does not delete its data directories on disk for next restart. // It waits "delay-ms" before recovering this failure. // The expected behavior is that the follower comes back online // and rejoins the cluster, and then each member continues to process // client requests ('Put' request that requires Raft consensus). SIGTERM_ONE_FOLLOWER = 0; // SIGTERM_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT stops a randomly chosen // follower but does not delete its data directories on disk for next // restart. And waits until most up-to-date node (leader) applies the // snapshot count of entries since the stop operation. // The expected behavior is that the follower comes back online and // rejoins the cluster, and then active leader sends snapshot // to the follower to force it to follow the leader's log. // As always, after recovery, each member must be able to process // client requests. SIGTERM_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT = 1; // SIGTERM_LEADER stops the active leader node but does not delete its // data directories on disk for next restart. Then it waits "delay-ms" // before recovering this failure, in order to trigger election timeouts. // The expected behavior is that a new leader gets elected, and the // old leader comes back online and rejoins the cluster as a follower. // As always, after recovery, each member must be able to process // client requests. SIGTERM_LEADER = 2; // SIGTERM_LEADER_UNTIL_TRIGGER_SNAPSHOT stops the active leader node // but does not delete its data directories on disk for next restart. // And waits until most up-to-date node ("new" leader) applies the // snapshot count of entries since the stop operation. // The expected behavior is that cluster elects a new leader, and the // old leader comes back online and rejoins the cluster as a follower. // And it receives the snapshot from the new leader to overwrite its // store. As always, after recovery, each member must be able to // process client requests. SIGTERM_LEADER_UNTIL_TRIGGER_SNAPSHOT = 3; // SIGTERM_QUORUM stops majority number of nodes to make the whole cluster // inoperable but does not delete data directories on stopped nodes // for next restart. And it waits "delay-ms" before recovering failure. // The expected behavior is that nodes come back online, thus cluster // comes back operative as well. As always, after recovery, each member // must be able to process client requests. SIGTERM_QUORUM = 4; // SIGTERM_ALL stops the whole cluster but does not delete data directories // on disk for next restart. And it waits "delay-ms" before recovering // this failure. // The expected behavior is that nodes come back online, thus cluster // comes back operative as well. As always, after recovery, each member // must be able to process client requests. SIGTERM_ALL = 5; // SIGQUIT_AND_REMOVE_ONE_FOLLOWER stops a randomly chosen follower // (non-leader), deletes its data directories on disk, and removes // this member from cluster (membership reconfiguration). On recovery, // tester adds a new member, and this member joins the existing cluster // with fresh data. It waits "delay-ms" before recovering this // failure. This simulates destroying one follower machine, where operator // needs to add a new member from a fresh machine. // The expected behavior is that a new member joins the existing cluster, // and then each member continues to process client requests. SIGQUIT_AND_REMOVE_ONE_FOLLOWER = 10; // SIGQUIT_AND_REMOVE_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT stops a randomly // chosen follower, deletes its data directories on disk, and removes // this member from cluster (membership reconfiguration). On recovery, // tester adds a new member, and this member joins the existing cluster // restart. On member remove, cluster waits until most up-to-date node // (leader) applies the snapshot count of entries since the stop operation. // This simulates destroying a leader machine, where operator needs to add // a new member from a fresh machine. // The expected behavior is that a new member joins the existing cluster, // and receives a snapshot from the active leader. As always, after // recovery, each member must be able to process client requests. SIGQUIT_AND_REMOVE_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT = 11; // SIGQUIT_AND_REMOVE_LEADER stops the active leader node, deletes its // data directories on disk, and removes this member from cluster. // On recovery, tester adds a new member, and this member joins the // existing cluster with fresh data. It waits "delay-ms" before // recovering this failure. This simulates destroying a leader machine, // where operator needs to add a new member from a fresh machine. // The expected behavior is that a new member joins the existing cluster, // and then each member continues to process client requests. SIGQUIT_AND_REMOVE_LEADER = 12; // SIGQUIT_AND_REMOVE_LEADER_UNTIL_TRIGGER_SNAPSHOT stops the active leader, // deletes its data directories on disk, and removes this member from // cluster (membership reconfiguration). On recovery, tester adds a new // member, and this member joins the existing cluster restart. On member // remove, cluster waits until most up-to-date node (new leader) applies // the snapshot count of entries since the stop operation. This simulates // destroying a leader machine, where operator needs to add a new member // from a fresh machine. // The expected behavior is that on member remove, cluster elects a new // leader, and a new member joins the existing cluster and receives a // snapshot from the newly elected leader. As always, after recovery, each // member must be able to process client requests. SIGQUIT_AND_REMOVE_LEADER_UNTIL_TRIGGER_SNAPSHOT = 13; // SIGQUIT_AND_REMOVE_QUORUM_AND_RESTORE_LEADER_SNAPSHOT_FROM_SCRATCH first // stops majority number of nodes, deletes data directories on those quorum // nodes, to make the whole cluster inoperable. Now that quorum and their // data are totally destroyed, cluster cannot even remove unavailable nodes // (e.g. 2 out of 3 are lost, so no leader can be elected). // Let's assume 3-node cluster of node A, B, and C. One day, node A and B // are destroyed and all their data are gone. The only viable solution is // to recover from C's latest snapshot. // // To simulate: // 1. Assume node C is the current leader with most up-to-date data. // 2. Download snapshot from node C, before destroying node A and B. // 3. Destroy node A and B, and make the whole cluster inoperable. // 4. Now node C cannot operate either. // 5. SIGTERM node C and remove its data directories. // 6. Restore a new seed member from node C's latest snapshot file. // 7. Add another member to establish 2-node cluster. // 8. Add another member to establish 3-node cluster. // 9. Add more if any. // // The expected behavior is that etcd successfully recovers from such // disastrous situation as only 1-node survives out of 3-node cluster, // new members joins the existing cluster, and previous data from snapshot // are still preserved after recovery process. As always, after recovery, // each member must be able to process client requests. SIGQUIT_AND_REMOVE_QUORUM_AND_RESTORE_LEADER_SNAPSHOT_FROM_SCRATCH = 14; // BLACKHOLE_PEER_PORT_TX_RX_ONE_FOLLOWER drops all outgoing/incoming // packets from/to the peer port on a randomly chosen follower // (non-leader), and waits for "delay-ms" until recovery. // The expected behavior is that once dropping operation is undone, // each member must be able to process client requests. BLACKHOLE_PEER_PORT_TX_RX_ONE_FOLLOWER = 100; // BLACKHOLE_PEER_PORT_TX_RX_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT drops // all outgoing/incoming packets from/to the peer port on a randomly // chosen follower (non-leader), and waits for most up-to-date node // (leader) applies the snapshot count of entries since the blackhole // operation. // The expected behavior is that once packet drop operation is undone, // the slow follower tries to catch up, possibly receiving the snapshot // from the active leader. As always, after recovery, each member must // be able to process client requests. BLACKHOLE_PEER_PORT_TX_RX_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT = 101; // BLACKHOLE_PEER_PORT_TX_RX_LEADER drops all outgoing/incoming packets // from/to the peer port on the active leader (isolated), and waits for // "delay-ms" until recovery, in order to trigger election timeout. // The expected behavior is that after election timeout, a new leader gets // elected, and once dropping operation is undone, the old leader comes // back and rejoins the cluster as a follower. As always, after recovery, // each member must be able to process client requests. BLACKHOLE_PEER_PORT_TX_RX_LEADER = 102; // BLACKHOLE_PEER_PORT_TX_RX_LEADER_UNTIL_TRIGGER_SNAPSHOT drops all // outgoing/incoming packets from/to the peer port on the active leader, // and waits for most up-to-date node (leader) applies the snapshot // count of entries since the blackhole operation. // The expected behavior is that cluster elects a new leader, and once // dropping operation is undone, the old leader comes back and rejoins // the cluster as a follower. The slow follower tries to catch up, likely // receiving the snapshot from the new active leader. As always, after // recovery, each member must be able to process client requests. BLACKHOLE_PEER_PORT_TX_RX_LEADER_UNTIL_TRIGGER_SNAPSHOT = 103; // BLACKHOLE_PEER_PORT_TX_RX_QUORUM drops all outgoing/incoming packets // from/to the peer ports on majority nodes of cluster, thus losing its // leader and cluster being inoperable. And it waits for "delay-ms" // until recovery. // The expected behavior is that once packet drop operation is undone, // nodes come back online, thus cluster comes back operative. As always, // after recovery, each member must be able to process client requests. BLACKHOLE_PEER_PORT_TX_RX_QUORUM = 104; // BLACKHOLE_PEER_PORT_TX_RX_ALL drops all outgoing/incoming packets // from/to the peer ports on all nodes, thus making cluster totally // inoperable. It waits for "delay-ms" until recovery. // The expected behavior is that once packet drop operation is undone, // nodes come back online, thus cluster comes back operative. As always, // after recovery, each member must be able to process client requests. BLACKHOLE_PEER_PORT_TX_RX_ALL = 105; // DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER delays outgoing/incoming packets // from/to the peer port on a randomly chosen follower (non-leader). // It waits for "delay-ms" until recovery. // The expected behavior is that once packet delay operation is undone, // the follower comes back and tries to catch up with latest changes from // cluster. And as always, after recovery, each member must be able to // process client requests. DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER = 200; // RANDOM_DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER delays outgoing/incoming // packets from/to the peer port on a randomly chosen follower // (non-leader) with a randomized time duration (thus isolated). It // waits for "delay-ms" until recovery. // The expected behavior is that once packet delay operation is undone, // each member must be able to process client requests. RANDOM_DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER = 201; // DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT delays // outgoing/incoming packets from/to the peer port on a randomly chosen // follower (non-leader), and waits for most up-to-date node (leader) // applies the snapshot count of entries since the delay operation. // The expected behavior is that the delayed follower gets isolated // and behind the current active leader, and once delay operation is undone, // the slow follower comes back and catches up possibly receiving snapshot // from the active leader. As always, after recovery, each member must be // able to process client requests. DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT = 202; // RANDOM_DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT delays // outgoing/incoming packets from/to the peer port on a randomly chosen // follower (non-leader) with a randomized time duration, and waits for // most up-to-date node (leader) applies the snapshot count of entries // since the delay operation. // The expected behavior is that the delayed follower gets isolated // and behind the current active leader, and once delay operation is undone, // the slow follower comes back and catches up, possibly receiving a // snapshot from the active leader. As always, after recovery, each member // must be able to process client requests. RANDOM_DELAY_PEER_PORT_TX_RX_ONE_FOLLOWER_UNTIL_TRIGGER_SNAPSHOT = 203; // DELAY_PEER_PORT_TX_RX_LEADER delays outgoing/incoming packets from/to // the peer port on the active leader. And waits for "delay-ms" until // recovery. // The expected behavior is that cluster may elect a new leader, and // once packet delay operation is undone, the (old) leader comes back // and tries to catch up with latest changes from cluster. As always, // after recovery, each member must be able to process client requests. DELAY_PEER_PORT_TX_RX_LEADER = 204; // RANDOM_DELAY_PEER_PORT_TX_RX_LEADER delays outgoing/incoming packets // from/to the peer port on the active leader with a randomized time // duration. And waits for "delay-ms" until recovery. // The expected behavior is that cluster may elect a new leader, and // once packet delay operation is undone, the (old) leader comes back // and tries to catch up with latest changes from cluster. As always, // after recovery, each member must be able to process client requests. RANDOM_DELAY_PEER_PORT_TX_RX_LEADER = 205; // DELAY_PEER_PORT_TX_RX_LEADER_UNTIL_TRIGGER_SNAPSHOT delays // outgoing/incoming packets from/to the peer port on the active leader, // and waits for most up-to-date node (current or new leader) applies the // snapshot count of entries since the delay operation. // The expected behavior is that cluster may elect a new leader, and // the old leader gets isolated and behind the current active leader, // and once delay operation is undone, the slow follower comes back // and catches up, likely receiving a snapshot from the active leader. // As always, after recovery, each member must be able to process client // requests. DELAY_PEER_PORT_TX_RX_LEADER_UNTIL_TRIGGER_SNAPSHOT = 206; // RANDOM_DELAY_PEER_PORT_TX_RX_LEADER_UNTIL_TRIGGER_SNAPSHOT delays // outgoing/incoming packets from/to the peer port on the active leader, // with a randomized time duration. And it waits for most up-to-date node // (current or new leader) applies the snapshot count of entries since the // delay operation. // The expected behavior is that cluster may elect a new leader, and // the old leader gets isolated and behind the current active leader, // and once delay operation is undone, the slow follower comes back // and catches up, likely receiving a snapshot from the active leader. // As always, after recovery, each member must be able to process client // requests. RANDOM_DELAY_PEER_PORT_TX_RX_LEADER_UNTIL_TRIGGER_SNAPSHOT = 207; // DELAY_PEER_PORT_TX_RX_QUORUM delays outgoing/incoming packets from/to // the peer ports on majority nodes of cluster. And it waits for // "delay-ms" until recovery, likely to trigger election timeouts. // The expected behavior is that cluster may elect a new leader, while // quorum of nodes struggle with slow networks, and once delay operation // is undone, nodes come back and cluster comes back operative. As always, // after recovery, each member must be able to process client requests. DELAY_PEER_PORT_TX_RX_QUORUM = 208; // RANDOM_DELAY_PEER_PORT_TX_RX_QUORUM delays outgoing/incoming packets // from/to the peer ports on majority nodes of cluster, with randomized // time durations. And it waits for "delay-ms" until recovery, likely // to trigger election timeouts. // The expected behavior is that cluster may elect a new leader, while // quorum of nodes struggle with slow networks, and once delay operation // is undone, nodes come back and cluster comes back operative. As always, // after recovery, each member must be able to process client requests. RANDOM_DELAY_PEER_PORT_TX_RX_QUORUM = 209; // DELAY_PEER_PORT_TX_RX_ALL delays outgoing/incoming packets from/to the // peer ports on all nodes. And it waits for "delay-ms" until recovery, // likely to trigger election timeouts. // The expected behavior is that cluster may become totally inoperable, // struggling with slow networks across the whole cluster. Once delay // operation is undone, nodes come back and cluster comes back operative. // As always, after recovery, each member must be able to process client // requests. DELAY_PEER_PORT_TX_RX_ALL = 210; // RANDOM_DELAY_PEER_PORT_TX_RX_ALL delays outgoing/incoming packets // from/to the peer ports on all nodes, with randomized time durations. // And it waits for "delay-ms" until recovery, likely to trigger // election timeouts. // The expected behavior is that cluster may become totally inoperable, // struggling with slow networks across the whole cluster. Once delay // operation is undone, nodes come back and cluster comes back operative. // As always, after recovery, each member must be able to process client // requests. RANDOM_DELAY_PEER_PORT_TX_RX_ALL = 211; // NO_FAIL_WITH_STRESS stops injecting failures while testing the // consistency and correctness under pressure loads, for the duration of // "delay-ms". Goal is to ensure cluster be still making progress // on recovery, and verify system does not deadlock following a sequence // of failure injections. // The expected behavior is that cluster remains fully operative in healthy // condition. As always, after recovery, each member must be able to process // client requests. NO_FAIL_WITH_STRESS = 300; // NO_FAIL_WITH_NO_STRESS_FOR_LIVENESS neither injects failures nor // sends stressig client requests to the cluster, for the duration of // "delay-ms". Goal is to ensure cluster be still making progress // on recovery, and verify system does not deadlock following a sequence // of failure injections. // The expected behavior is that cluster remains fully operative in healthy // condition, and clients requests during liveness period succeed without // errors. // Note: this is how Google Chubby does failure injection testing // https://static.googleusercontent.com/media/research.google.com/en//archive/paxos_made_live.pdf. NO_FAIL_WITH_NO_STRESS_FOR_LIVENESS = 301; // FAILPOINTS injects failpoints to etcd server runtime, triggering panics // in critical code paths. FAILPOINTS = 400; // EXTERNAL runs external failure injection scripts. EXTERNAL = 500; }