Better error-handling and cancellation of ON CLUSTER backups and restores

[vitlibar]

Changelog category (leave one):

• Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Better error-handling and cancellation of ON CLUSTER backups and restores:

• If a backup or restore fails on one host then it'll be cancelled on other hosts automatically
• No weird errors must be produced because some hosts failed while other hosts continued their work
• If a backup or restore is cancelled on one host then it'll be cancelled on other hosts automatically
• Fix issues with test_disallow_concurrency - now disabling of concurrency must work better
• Backups and restores now are much more resistant to ZooKeeper disconnects

[robot-ch-test-poll1]

This is an automated comment for commit b16a18e with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Check name	Description	Status
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	❌ error
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	❌ failure

Successful checks

Check name	Description	Status
Builds	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
ClickBench	Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker keeper image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docker server image	The check to build and optionally push the mentioned image to docker hub	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integration tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	✅ success
Style check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success
Upgrade check	Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts	✅ success

[vitlibar]

The main change of this PR is that this BackupCoordinationStageSync was completely rewritten. This class creates some nodes in ZooKeeper and also tracks such nodes created by other hosts which are also executing the same BACKUP ON CLUSTER or RESTORE ON CLUSTER command. There are multiple nodes - started*, current*, alive*, and finished*.

The alive* nodes are ephemeral and they're used to tell other hosts that the current host is still working on the same BACKUP/RESTORE operation. Earlier those alive* nodes were recreated and checked from time to time quite randomly which caused weird errors. In this PR I changed it - now there is a separate thread which helps to both recreate those alive* nodes quickly and to react to an error happened on other host quickly. A cancellation with KILL QUERY is handled as the QUERY_WAS_CANCELLED error so as an another important result this PR also gives us an ability to cancel ON CLUSTER backups and restores.

[vitlibar]

20 retries (about 20*backup_restore_keeper_retry_max_backoff_ms = 100 seconds) may be enough for a quick operation, but we don't want a long backup to fail in the middle because of ZooKeeper server was restarting for a couple of minutes.

1000 retries with default backup_restore_keeper_retry_max_backoff_ms (5 second) gives more than 1 hour which seems to be enough to cover any temporary ZooKeeper failure.

[vitlibar]

This change was made to keep the same error through the cluster when a backup fails.
If an error happens on a host then we want to cancel the operation on other hosts too - but it seems it's kinder (for anyone who will look at the logs) to keep the same error instead of introducing any other error codes.

[vitlibar]

Here is a small change to allow fmt::format() and LOG_INFO to print values like std::chrono::seconds.

[vitlibar]

This structure WithRetries::KeeperSettings was moved to BackupKeeperSettings.

[vitlibar]

Test failures are unrelated:

• test_scheduler/test.py::test_workload_entity_keeper_storage - see Fix test test_workload_entity_keeper_storage: add more retries #71325

[vitlibar]

@kssenii I've changed this PR a lot since your last review, do you want to look at it again before I merge it?

[hanfei1991]

I have problems on this test right now: I extened the backup meta file for lightweight backup, and update the file version to V2. The old_node will not recognize a v2 meta file, that means as long as we upgrade the file version, this test has to fail ...

Any suggestions?