replica redirect read&write to master in standalone mode

[soloestoy]

To implement #319

1. replica is able to redirect read and write commands to it's master in standalone mode
   • reply with "-MOVED -1 master-ip:port"
2. add a config replica-enable-redirect to control whether to redirect or not, with the default setting being off
   • when enabled, the data access commands(read and write) will be redirected
3. allow readonly and readwrite command in standalone mode, may be a breaking change
   • use READONLY command can allow read commands on a replica when replica-enable-redirect enabled

[zuiderkwast]

High level LGTM.

(I didn't review the documentation of the config yet.)

[zuiderkwast]

For cluster, we return the TLS port if the client is TLS and the non-TLS port if the client is non-TLS.

How can we handle this in standalone mode? Maybe we can only handle it if client connection and replication connection are both TLS or none of them is TLS? Otherwise return an error?

[CharlesChen888]

Let's not coupling client connection and replication connection together (just like client connection and cluster bus). Maybe we need a new dedicated port to do the replicatlication, and this is a breaking change.

[soloestoy]

@zuiderkwast yes, this is a problem if users use both TLS port and non-TLS port. And now in standalone mode replicas and master doesn't know the port's info each other.

Maybe we can use REPLCONF or something to send the port's info, I incline to open another issue to discuss it. I think it's better to discuss them separately to avoid mixing them up and making the problem more complicated.

At the beginning of TLS design, the server adopted a two port model, but many related issues were not well resolved. For example, cluster can provide two different services, TLS and non TLS, until redis/redis#12233 fixed by @CharlesChen888 . TLS is a more macro level issue I think.

[zuiderkwast]

If we don't implement something now to to make the replica know both ports of the primary, then at least we should only use the redirect when the client can use it. Otherwise we should just return an error. We can't return a non-TLS port to a TLS client and vice versa.

Another problem that @enjoy-binbin pointed out is the announced-ip and announced-port. If they are in use, then probably the primary is using them too and the client can't use the redirect.

[soloestoy]

The actual scenario is more complex, involving not only non-TLS and TLS port issues but also concerns regarding network isolation and NAT. There are four distinct scenarios in general:

1. Both the client and the master/replica nodes are deployed in the same network, and both nodes utilize a single port (non-TLS or TLS port). In this case, replica and client access the master through the same port.
2. Both the client and the master/replica nodes are deployed in the same network, and nodes provides two services ports (non-TLS and TLS port). In this situation, replica and client may access master's different ports.
3. Client and master/replica nodes are deployed in separate networks. During this time the master/replica nodes need to provide service to client through NAT. Therefore, the master ip returned by REDIRECT also needs to be configured as the NAT IP.
4. A more complex scenario involves the master and replica being deployed in separate networks as well. In this case, not only would the master/replica need to provide NAT IPs to the client, but they would also require additional NAT IPs for communication between themselves.

I understand all of these issues as we have encountered them in the production environment as well. We can thoroughly discuss these scenarios, but I would like to address the above issues step by step. I do not favor complicating things right from the start as it increases the complexity of engineering implementation.

This PR can resolve issue 1, achieving smooth switchover when it is within the same network and the same port. Then, we can proceed to solve the remaining issues.

[enjoy-binbin]

generally LGTM. I think the slot number -1 is acceptable, and i suppose that many clients will find that it is easy to add the support. (but we seem to be lacking the most support from clients right now.)

The other one is announced-ip and announced-port, i'm not sure about this.

[codecov]

Codecov Report

Attention: Patch coverage is 92.85714% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 69.84%. Comparing base (fdd023f) to head (be838bc).
Report is 18 commits behind head on unstable.

Additional details and impacted files

@@             Coverage Diff              @@
##           unstable     #325      +/-   ##
============================================
+ Coverage     69.81%   69.84%   +0.03%     
============================================
  Files           109      109              
  Lines         61792    61809      +17     
============================================
+ Hits          43139    43173      +34     
+ Misses        18653    18636      -17     

Files	Coverage Δ
src/cluster.c	87.05% <ø> (+0.77%)	⬆️
src/commands.def	100.00% <ø> (ø)
src/server.c	88.63% <100.00%> (+0.02%)	⬆️
src/networking.c	85.03% <83.33%> (+0.13%)	⬆️

... and 15 files with indirect coverage changes

[yangbodong22011]

Suggested change

	# When enabled, a replica instance will reply "-MOVED -1 master-ip:port"
	# When enabled, a replica instance will reply "-REDIRECT -1 master-ip:port"

[yangbodong22011]

Why is -1 missing here? Keep the same format as MOVED and the client can reuse the parsing code.

[zuiderkwast]

-1 is not part of MOVED.

MOVED is for a slot. REDIRECT is for all writes to the node, without slot. (Only cluster has slots.)

[yangbodong22011]

MOVED is for a slot. REDIRECT is for all writes to the node, without slot. (Only cluster has slots.)

ok, that's reasonable from valkey developer.

[hwware]

@soloestoy Now it looks like we agree to add "-REDIRECT ip port", I think you could update the top description to match the latest decision. Thanks

[madolson]

Highlighting my two concerns:

• How much complexity are we signing up standalone clients to implement by having them understand the concept of "redirects", that was already built for cluster aware clients. Clients need to understand that when getting this new error message, they should update their internal endpoint to point to this instead, which is not what clients are expected to do today. Since this logic already basically exists for Valkey cluster, my preference is we still wait to understand if that is what we want longterm for standalone Valkey, but could be convinced otherwise. @PingXie Since we discussed this.
• I don't like that this is adding a server configuration that causes backwards incompatible state, which is basically adding a type of configuration that clients have to know and understand. Specifically, in the happy path, when a client was previously able to directly talk to a replica client and send read commands, it will now get the -REDIRECT error unless it also sends the READONLY command. If an operator is unsure of this behavior, it's a very painful end user experience to start seeing unexpected errors and their only recourse is to flip a server configuration back. I think we should bias towards having clients negotiate this new capability, by sending either a new command (like CLIENT REDIRECT ON) or using the READONLY READWRITE command as flags. This should allow us to remove the config.

[soloestoy]

After the discussion I think we have an agreement about the redirections value, and need a bit change that this feature should not be a config in server. To make it as a flag of per client would be better (CLIENT REDIRECT ON seems not a good choice, since it can be easily confused with CLIENT TRACKING REDIRECT), I'm thinking which command or a new command is better.

[madolson]

CLIENT TRACKING REDIRECT I did think about that but was hoping nobody really uses is. I think basically everyone that uses server assisted client side caching uses RESP3 which doesn't require that command. We could maybe do CLIENT NODE REDIRECT.

[PingXie]

Summarizing @valkey-io/core-team's discussion and thought process:

1. This is a breaking change. Standalone replicas can serve reads just fine today. This change when enabled would break the read-replica scenario for unenlightened clients
2. Breaking changes should be not introduced via server-side knobs, such as configs/etc
3. Breaking changes should be opt'ed in by the client explicitly
4. We don't have a systematic way to support client opt-ins today but there have been precedents of client opt-in via special commands like READONLY

[PingXie]

Even if we allow the client to opt-in via a new command like CLIENT NODE REDIRECT, we should not enable this particular behavior server-wide. This is because a Valkey server can be shared by multiple applications. It would be really confusing to application B if application A changes a global setting unilaterally. This brings in another problem however. I can imagine some other behavior changes in the future would only make sense at the server level. It feels like we might need to think through what a "capability" model would look like first or I am worried about getting into another discussion like the half done function support #58.

[madolson]

I can imagine some other behavior changes in the future would only make sense at the server level.

Can you elaborate more, because I don't think there are that many real cases like this.

[soloestoy]

I removed the server config, and make it as a per client opt-in feature via CLIENT CAPA REDIRECT (we can append more capabilities in future), WDYT?