dohertj2/natsdotnet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add randomized election timeout jitter (Gap 8.8)

Browse Source 
Add RandomizedElectionTimeout() method to RaftNode returning TimeSpan in
[ElectionTimeoutMinMs, ElectionTimeoutMaxMs) using TotalMilliseconds (not
.Milliseconds component) to prevent synchronized elections after partitions.
Make Random injectable for deterministic testing. Fix SendHeartbeatAsync stub
in NatsRaftTransport and test-local transport implementations to satisfy the
IRaftTransport interface added in Gap 8.7.
This commit is contained in:
Joseph Doherty
2026-02-25 08:30:38 -05:00
parent 5a62100397
commit ae4cc6d613
7 changed files with 355 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/NATS.Server/Raft/NatsRaftTransport.cs
View File

@@ -217,4 +217,42 @@ public sealed class NatsRaftTransport : IRaftTransport
_publish(subject, null, wire.Encode());
return Task.CompletedTask;
}
/// <summary>
/// Sends heartbeat RPCs to all listed followers over NATS to confirm quorum for
/// linearizable reads. Publishes an empty AppendEntry to each follower's heartbeat
/// subject and invokes <paramref name="onAck"/> for each that is considered reachable
/// (fire-and-forget in this transport; ACK is optimistic).
///
/// Go reference: raft.go — leader sends empty AppendEntries to confirm quorum for reads.
/// </summary>
public Task SendHeartbeatAsync(
string leaderId,
IReadOnlyList<string> followerIds,
int term,
Action<string> onAck,
CancellationToken ct)
{
var appendSubject = RaftSubjects.AppendEntry(_groupId);
foreach (var followerId in followerIds)
{
// Encode a heartbeat as an empty AppendEntry (no log entries).
var wire = new RaftAppendEntryWire(
LeaderId: leaderId,
Term: (ulong)term,
Commit: 0,
PrevTerm: 0,
PrevIndex: 0,
Entries: [],
LeaderTerm: (ulong)term);
_publish(appendSubject, null, wire.Encode());
// Optimistically acknowledge — a full implementation would await replies.
onAck(followerId);
}
return Task.CompletedTask;
}
}

117
src/NATS.Server/Raft/RaftNode.cs
View File

@@ -94,14 +94,19 @@ public sealed class RaftNode : IDisposable
/// </summary>
public CompactionOptions? CompactionOptions { get; set; }
// B8: Injectable Random for deterministic testing of election jitter
// Go reference: raft.go resetElectionTimeout (uses rand.Int63n for jitter)
private Random _random;
public RaftNode(string id, IRaftTransport? transport = null, string? persistDirectory = null,
CompactionOptions? compactionOptions = null)
CompactionOptions? compactionOptions = null, Random? random = null)
{
Id = id;
_transport = transport;
_persistDirectory = persistDirectory;
_members.Add(id);
CompactionOptions = compactionOptions;
_random = random ?? Random.Shared;
}
public void ConfigureCluster(IEnumerable<RaftNode> peers)
@@ -211,6 +216,95 @@ public sealed class RaftNode : IDisposable
return currentPeers + 1 >= majority; // +1 for self
}
/// <summary>
/// Performs a linearizable read by confirming quorum before returning the current
/// <see cref="CommitIndex"/>. The caller must wait until <see cref="AppliedIndex"/>
/// reaches the returned index before serving the read to ensure the response reflects
/// all committed state.
///
/// Safety property: a partitioned leader that can no longer reach a majority of peers
/// will fail to obtain quorum confirmation and will throw <see cref="TimeoutException"/>,
/// preventing stale reads. This avoids log growth — no log entry is appended for reads.
///
/// Algorithm:
/// 1. Verify this node is the current leader.
/// 2. Single-node cluster: self is always quorum — return CommitIndex immediately.
/// 3. Send heartbeat RPCs to all peers. Each ack updates the peer's LastContact.
/// 4. After the heartbeat round, call HasQuorum(). If quorum confirmed, return CommitIndex.
/// 5. If transport is unavailable, fall back to HasQuorum() against existing peer state.
/// 6. Timeout after ElectionTimeoutMaxMs if quorum cannot be confirmed.
///
/// Go reference: raft.go — read-index optimisation (send AppendEntries with no payload to
/// verify quorum before responding to a linearizable client read, without appending a log
/// entry and therefore without growing the log).
/// </summary>
/// <param name="ct">Cancellation token.</param>
/// <returns>
/// The current <see cref="CommitIndex"/> at the moment quorum was confirmed.
/// </returns>
/// <exception cref="InvalidOperationException">
/// Thrown when this node is not the leader.
/// </exception>
/// <exception cref="TimeoutException">
/// Thrown when quorum cannot be confirmed within <see cref="ElectionTimeoutMaxMs"/> milliseconds.
/// </exception>
public async ValueTask<long> ReadIndexAsync(CancellationToken ct)
{
if (Role != RaftRole.Leader)
throw new InvalidOperationException("Only the leader can serve linearizable reads via ReadIndex.");
// Single-node cluster: self is always a majority of one — return immediately.
if (_members.Count <= 1)
return CommitIndex;
// Capture the commit index at the start of the quorum confirmation round.
// Even if new proposals arrive and advance CommitIndex while we wait, we return
// the index we observed at the beginning, which is safe: the caller waits for
// AppliedIndex >= returnedIndex, and all entries up to that point are committed.
var readIndex = CommitIndex;
if (_transport != null)
{
// Send heartbeat to all peers; each ack updates that peer's LastContact so
// HasQuorum() can evaluate freshness after the round completes.
var followerIds = _peerStates.Keys.ToArray();
await _transport.SendHeartbeatAsync(
Id,
followerIds,
TermState.CurrentTerm,
ackPeerId =>
{
if (_peerStates.TryGetValue(ackPeerId, out var state))
state.LastContact = DateTime.UtcNow;
},
ct);
}
// After the heartbeat round, check whether a quorum of peers acknowledged.
if (HasQuorum())
return readIndex;
// If quorum is still not confirmed (e.g., no transport configured and peers are
// stale), poll briefly with a timeout so callers get a fast failure rather than
// hanging indefinitely.
var deadlineMs = ElectionTimeoutMaxMs;
var pollIntervalMs = Math.Max(1, ElectionTimeoutMinMs / 10);
var elapsed = 0;
while (elapsed < deadlineMs)
{
await Task.Delay(pollIntervalMs, ct);
elapsed += pollIntervalMs;
if (HasQuorum())
return readIndex;
}
throw new TimeoutException(
$"ReadIndex: quorum could not be confirmed within {deadlineMs} ms. " +
"The leader may be partitioned.");
}
public async ValueTask<long> ProposeAsync(string command, CancellationToken ct)
{
if (Role != RaftRole.Leader)
@@ -619,13 +713,30 @@ public sealed class RaftNode : IDisposable
// B2: Election timer management
// Go reference: raft.go:1400-1450 (resetElectionTimeout)
/// <summary>
/// Returns a randomized election timeout in the range [ElectionTimeoutMinMs, ElectionTimeoutMaxMs).
/// Each call produces an independent random value to prevent synchronized elections after
/// network partitions (split-vote avoidance).
///
/// IMPORTANT: Callers must use <see cref="TimeSpan.TotalMilliseconds"/> (not <c>.Milliseconds</c>)
/// when converting the result to an integer for timer APIs. <c>.Milliseconds</c> is the 0999
/// component only; <c>.TotalMilliseconds</c> gives the full value.
///
/// Go reference: raft.go resetElectionTimeout — uses rand.Int63n to jitter election timeout.
/// </summary>
public TimeSpan RandomizedElectionTimeout()
{
var ms = ElectionTimeoutMinMs + _random.Next(0, ElectionTimeoutMaxMs - ElectionTimeoutMinMs);
return TimeSpan.FromMilliseconds(ms);
}
/// <summary>
/// Resets the election timeout timer with a new randomized interval.
/// Called on heartbeat receipt and append entries from leader.
/// </summary>
public void ResetElectionTimeout()
{
var timeout = Random.Shared.Next(ElectionTimeoutMinMs, ElectionTimeoutMaxMs + 1);
var timeout = (int)RandomizedElectionTimeout().TotalMilliseconds;
_electionTimer?.Change(timeout, Timeout.Infinite);
}
@@ -637,7 +748,7 @@ public sealed class RaftNode : IDisposable
public void StartElectionTimer(CancellationToken ct = default)
{
_electionTimerCts = CancellationTokenSource.CreateLinkedTokenSource(ct);
var timeout = Random.Shared.Next(ElectionTimeoutMinMs, ElectionTimeoutMaxMs + 1);
var timeout = (int)RandomizedElectionTimeout().TotalMilliseconds;
_electionTimer = new Timer(ElectionTimerCallback, null, timeout, Timeout.Infinite);
}

31
src/NATS.Server/Raft/RaftTransport.cs
View File

@@ -12,6 +12,15 @@ public interface IRaftTransport
/// Go reference: raft.go sendTimeoutNow
/// </summary>
Task SendTimeoutNowAsync(string leaderId, string targetId, ulong term, CancellationToken ct);
/// <summary>
/// Sends heartbeat RPCs to all listed followers and records their acknowledgement by
/// updating the leader's peer <see cref="RaftPeerState.LastContact"/> timestamps.
/// Used by <see cref="RaftNode.ReadIndexAsync"/> to confirm leadership quorum before
/// serving a linearizable read.
/// Go reference: raft.go — leader sends AppendEntries (empty) to confirm quorum for reads.
/// </summary>
Task SendHeartbeatAsync(string leaderId, IReadOnlyList<string> followerIds, int term, Action<string> onAck, CancellationToken ct);
}
public sealed class InMemoryRaftTransport : IRaftTransport
@@ -69,6 +78,28 @@ public sealed class InMemoryRaftTransport : IRaftTransport
await Task.CompletedTask;
}
/// <summary>
/// Delivers a heartbeat to each listed follower (simulating an AppendEntries RPC with no
/// entries), invokes <paramref name="onAck"/> for each reachable follower so the leader can
/// update its peer <see cref="RaftPeerState.LastContact"/> timestamps, then returns.
/// Unreachable followers (not registered in the transport) produce no acknowledgement.
/// Go reference: raft.go — leader sends empty AppendEntries to confirm quorum for reads.
/// </summary>
public Task SendHeartbeatAsync(string leaderId, IReadOnlyList<string> followerIds, int term, Action<string> onAck, CancellationToken ct)
{
_ = leaderId;
foreach (var followerId in followerIds)
{
if (_nodes.TryGetValue(followerId, out var node))
{
node.ReceiveHeartbeat(term);
onAck(followerId);
}
}
return Task.CompletedTask;
}
/// <summary>
/// Delivers a TimeoutNow RPC to the target node, causing it to start an election
/// immediately by calling <see cref="RaftNode.ReceiveTimeoutNow"/>.

157
tests/NATS.Server.Tests/Raft/RaftElectionJitterTests.cs Normal file
View File

@@ -0,0 +1,157 @@
using NATS.Server.Raft;
namespace NATS.Server.Tests.Raft;
/// <summary>
/// Tests for randomized election timeout jitter in RaftNode.
/// Jitter prevents synchronized elections after network partitions (split-vote avoidance).
/// Go reference: raft.go resetElectionTimeout — uses rand.Int63n to jitter election timeout.
/// </summary>
public class RaftElectionJitterTests : IDisposable
{
private readonly List<RaftNode> _nodesToDispose = [];
public void Dispose()
{
foreach (var node in _nodesToDispose)
node.Dispose();
}
private RaftNode CreateTrackedNode(string id, Random? random = null)
{
var node = new RaftNode(id, random: random);
_nodesToDispose.Add(node);
return node;
}
[Fact]
public void RandomizedElectionTimeout_within_range()
{
// Go reference: raft.go resetElectionTimeout — timeout is always within [min, max).
var node = CreateTrackedNode("n1");
node.ElectionTimeoutMinMs = 150;
node.ElectionTimeoutMaxMs = 300;
for (var i = 0; i < 100; i++)
{
var timeout = node.RandomizedElectionTimeout();
timeout.TotalMilliseconds.ShouldBeGreaterThanOrEqualTo(150);
timeout.TotalMilliseconds.ShouldBeLessThan(300);
}
}
[Fact]
public void RandomizedElectionTimeout_varies()
{
// Multiple calls must produce at least 2 distinct values in 10 samples,
// confirming that the timeout is not fixed.
// Go reference: raft.go resetElectionTimeout — jitter ensures nodes don't all
// timeout simultaneously after a partition.
var node = CreateTrackedNode("n1");
node.ElectionTimeoutMinMs = 150;
node.ElectionTimeoutMaxMs = 300;
var samples = Enumerable.Range(0, 10)
.Select(_ => node.RandomizedElectionTimeout().TotalMilliseconds)
.ToList();
var distinct = samples.Distinct().Count();
distinct.ShouldBeGreaterThanOrEqualTo(2);
}
[Fact]
public void RandomizedElectionTimeout_uses_total_milliseconds()
{
// Verifies that TotalMilliseconds (not .Milliseconds component) gives the full
// value. For timeouts >= 1000 ms, .Milliseconds would return only the sub-second
// component (0-999), while TotalMilliseconds returns the complete value.
// This test uses a range that straddles 1000 ms to expose the bug if present.
// Go reference: raft.go resetElectionTimeout uses full duration, not sub-second part.
var node = CreateTrackedNode("n1");
node.ElectionTimeoutMinMs = 1200;
node.ElectionTimeoutMaxMs = 1500;
for (var i = 0; i < 50; i++)
{
var timeout = node.RandomizedElectionTimeout();
// TotalMilliseconds must be in [1200, 1500)
timeout.TotalMilliseconds.ShouldBeGreaterThanOrEqualTo(1200);
timeout.TotalMilliseconds.ShouldBeLessThan(1500);
// The .Milliseconds property would return only the 0-999 sub-second
// component. If the implementation incorrectly used .Milliseconds,
// these values would be wrong (< 1200). Verify TotalMilliseconds is >= 1200.
((int)timeout.TotalMilliseconds).ShouldBeGreaterThanOrEqualTo(1200);
}
}
[Fact]
public void ResetElectionTimeout_randomizes_each_time()
{
// Successive calls to ResetElectionTimeout should obtain fresh random intervals.
// We observe the timer change indirectly by injecting a deterministic Random
// and confirming it gets called on each reset.
// Go reference: raft.go resetElectionTimeout — called on every heartbeat and
// leader append to re-arm with a fresh random deadline.
var callCount = 0;
var deterministicRandom = new CountingRandom(() => callCount++);
var node = CreateTrackedNode("n1", deterministicRandom);
node.ElectionTimeoutMinMs = 150;
node.ElectionTimeoutMaxMs = 300;
node.StartElectionTimer();
var countAfterStart = callCount;
node.ResetElectionTimeout();
node.ResetElectionTimeout();
node.ResetElectionTimeout();
// Each ResetElectionTimeout + StartElectionTimer must have called Next() at least once each
callCount.ShouldBeGreaterThan(countAfterStart);
node.StopElectionTimer();
}
[Fact]
public void Different_nodes_get_different_timeouts()
{
// Two nodes created with the default shared Random should produce at least some
// distinct timeout values across multiple samples (probabilistic).
// Go reference: raft.go — each server picks an independent random timeout so
// they do not all call elections at exactly the same moment.
var node1 = CreateTrackedNode("n1");
var node2 = CreateTrackedNode("n2");
node1.ElectionTimeoutMinMs = node2.ElectionTimeoutMinMs = 150;
node1.ElectionTimeoutMaxMs = node2.ElectionTimeoutMaxMs = 300;
var samples1 = Enumerable.Range(0, 20)
.Select(_ => node1.RandomizedElectionTimeout().TotalMilliseconds)
.ToList();
var samples2 = Enumerable.Range(0, 20)
.Select(_ => node2.RandomizedElectionTimeout().TotalMilliseconds)
.ToList();
// The combined set of 40 values must contain at least 2 distinct values
// (if both nodes returned the exact same value every time, that would
// indicate no jitter at all).
var allValues = samples1.Concat(samples2).Distinct().Count();
allValues.ShouldBeGreaterThanOrEqualTo(2);
}
/// <summary>
/// A <see cref="Random"/> subclass that invokes a callback on every call to
/// <see cref="Next(int, int)"/>, allowing tests to count how many times the
/// RaftNode requests a new random value.
/// </summary>
private sealed class CountingRandom(Action onNext) : Random
{
public override int Next(int minValue, int maxValue)
{
onNext();
return base.Next(minValue, maxValue);
}
}
}

6
tests/NATS.Server.Tests/Raft/RaftLeadershipTransferTests.cs
View File

@@ -332,6 +332,9 @@ file sealed class BlockingTimeoutNowTransport : IRaftTransport
await using var reg = ct.Register(() => tcs.TrySetCanceled(ct));
await tcs.Task;
}
public Task SendHeartbeatAsync(string leaderId, IReadOnlyList<string> followerIds, int term, Action<string> onAck, CancellationToken ct)
=> Task.CompletedTask;
}
/// <summary>
@@ -408,4 +411,7 @@ file sealed class VoteGrantingTransport : IRaftTransport
return Task.CompletedTask;
}
public Task SendHeartbeatAsync(string leaderId, IReadOnlyList<string> followerIds, int term, Action<string> onAck, CancellationToken ct)
=> Task.CompletedTask;
}

6
tests/NATS.Server.Tests/Raft/RaftLogReplicationTests.cs
View File

@@ -555,6 +555,9 @@ public class RaftLogReplicationTests
public Task SendTimeoutNowAsync(string leaderId, string targetId, ulong term, CancellationToken ct)
=> Task.CompletedTask;
public Task SendHeartbeatAsync(string leaderId, IReadOnlyList<string> followerIds, int term, Action<string> onAck, CancellationToken ct)
=> Task.CompletedTask;
}
// -- Helper transport that succeeds for first follower, fails for rest --
@@ -596,5 +599,8 @@ public class RaftLogReplicationTests
public Task SendTimeoutNowAsync(string leaderId, string targetId, ulong term, CancellationToken ct)
=> Task.CompletedTask;
public Task SendHeartbeatAsync(string leaderId, IReadOnlyList<string> followerIds, int term, Action<string> onAck, CancellationToken ct)
=> Task.CompletedTask;
}
}

3
tests/NATS.Server.Tests/Raft/RaftStrictConsensusRuntimeTests.cs
View File

@@ -43,5 +43,8 @@ public class RaftStrictConsensusRuntimeTests
public Task SendTimeoutNowAsync(string leaderId, string targetId, ulong term, CancellationToken ct)
=> Task.CompletedTask;
public Task SendHeartbeatAsync(string leaderId, IReadOnlyList<string> followerIds, int term, Action<string> onAck, CancellationToken ct)
=> Task.CompletedTask;
}
}