How to configure Akka.Cluster for services that Crash when binding to port 0

1
votes

What I am testing is the following scenario:

Start 2 Lighthouses, then start a 3 service that is a member of the cluster. It's seed nodes are configured to be the two Lighthouses that were previously started.

Now this 3rd service has it's HOCON set to bind to port 0, which does it's job and gives me a random port.

Now when I force quit this service to simulate a crash, The logging output from Akka.Net gets REAL chatty (important parts)

AssociationError...Tried to associate with unreachable remote address address is now gated for 5000ms ... No connection could be made because the target machine actively refused it.

And it seems like it just goes on forever. I assume this is probably harmless and it just looks like a terrible error. The message itself makes sense, the service is literally gone so it can not and will never be able to connect.

Now if I restart the service since it's configured to bind to 0 for Akka.Remoting, it will get an entirely new port, so the Unreachable status of the other failed service will never be resolved.

Is this the expected behavior? I also think there is a configuration setting that might come into play here:

auto-down-unreachable-after

Now this comes with it's own warning about:

Using auto-down implies that two separate clusters will automatically be formed in case of network partition.

Setting this does silence the messages:

auto-down-unreachable-after = 3s

And I get a new message after the node is marked unreachable:

Association to [akka.tcp://ClusterName@localhost:58977] having UID [983892349]is irrecoverably failed. UID is now quarantined and all messages to this UID will be delivered to dead letters. Remote actorsystem must be restarted to recover from this situation.

Remote actorsystem must be restarted to recover from this situation. Seems pretty serious and something to avoid. At the same time, given that the service joins on a random port, it is irrecoverable. In trying to gain some more knowledge about the UID it seems that it's internally assigned. So I can only guess there would not be any collisions later in time with UIDs, so this would be the proper behavior.

This seems to be the only option outside of 

log-info = off

to just silence the logs

1
akka.net

1 Answers

0
votes

I assume the logging of the lighthouse services are chatty, right? That is 'normal' behaviour of the Akka gossip protocol trying to communicate with the crashed node. When this happens, you must configure what you want to do.

The solution for solving this is not always the same for each situation. It could depend for example if you are running the services on a cloud microservices platform for example. But one of the options is indeed 'auto-downing'. This will mark the service as 'UNREACHABLE' (as you can see). This means that the node isn't out of the cluster, but the cluster continues to operate without the crashed node. That's the reason that the same node cannot join, because it is still marked as 'UNREACHABLE'.

Be aware that auto-downing could result into a 'split-brain' of the cluster, where the two parts of the cluster (for example one cluster of 4 nodes gets split into 2 clusters of 2 nodes). This is a situation that you don't want, so this may not be the best solution!

Akka.NET has some other solution to you can configure to correctly deal with this: the Split Brain Resolver. More information how to configure this: https://getakka.net/articles/clustering/split-brain-resolver.html

These are all strategies to prevent 'split-brain' situations and will involve sacrificing nodes to keep the cluster consistent. Use these strategies in combination with for example a microservices orchestration platform (so that instances will restart themselves after crashing/exiting) to create a perfect self-healing Akka cluster.