fix(opensearch-migration): unify phase-aware OS startup connection gate (#36244)

[fabrizzio-dotCMS]

Problem

dotCMS had inconsistent OpenSearch connection gating at startup (#36244). The OS readiness gate was not phase-aware, and the empty-DB bootstrap path created OS indices with no connection gate at all — so an unreachable/misconfigured OS surfaced as an opaque ConnectionClosedException deep inside createContentIndex ~30s into startup (SystemExitManager - Startup failure) instead of a fast, actionable failure.

Root cause found while implementing

OSIndexAPIImpl.getClusterStats() swallows every exception and returns a non-null empty result, so the retry loop in waitUtilIndexReady() could never observe a failure — the OS connection gate was effectively dead code and always passed.

Changes (minimal scope)

B — OSIndexAPIImpl.waitUtilIndexReady() is phase-aware

• Probes with client.info() (which propagates transport/TLS/auth failures), replacing the swallowing getClusterStats() probe.
• On retry exhaustion:
  • Phase 3 (OS primary, ES decommissioned) → abort via SystemExitManager.immediateExit(1) with an actionable FATAL message (phase + endpoints + cause). No fallback.
  • Phase 1 / 2 (shadow) → haltMigration() (reset to Phase 0, ES-only fallback) + ERROR log; returns false instead of killing the server.
• Retry count and sleep remain configurable (OS_CONNECTION_ATTEMPTS w/ ES_CONNECTION_ATTEMPTS fallback, OS_CONNECTION_RETRY_SLEEP_SECONDS).

C — Connection gate runs before OS index creation on both startup paths

• ContentletIndexAPIImpl.bootstrapAndPointOS() runs the phase-aware OS gate (operationsOS.indexAPI().waitUtilIndexReady()) before creating OS indices. As the single chokepoint for OS index creation, both startup paths — populated-DB (InitServlet) and empty-DB (Task00004LoadStarter) — now pass through the same gate. A shadow-phase fallback skips OS creation.

A — MainServlet waits on the primary store, not ES-hardcoded

• getESIndexAPI() already returns the phase-aware router (IndexAPIImpl), so the startup wait routes to the primary store for the phase (ES in 0–1, OS in 2–3). Comment clarified; on a shadow-phase fallback to ES the wait runs again so the new primary (ES) is gated too. No Phase 0 behavior change.

Acceptance criteria

• A — startup readiness wait routes through the phase-aware router; ES unchanged in Phase 0/1
• B — Phase 3 aborts with actionable message; Phase 1/2 falls back to ES (no exit); retry/sleep configurable
• C — gate runs before OS index creation; both startup paths share the same gate; minimal (does not move validateIndexingConfig() into the hot path)
• No regression to Phase 0 startup (populated or empty DB)
• New phase-branching behavior covered by tests

Testing

• ./mvnw compile -pl :dotcms-core ✅ (Java 25)
• 28 unit tests green: new OSIndexAPIImplWaitReadyTest (Phase 1/2 ES-only fallback) + PhaseRouterTest + ContentletIndexAPIImplPhaseTest.
• Phase 3 abort and the bootstrap gate (OS unreachable during bootstrap) are verified by IT/manual QA — SystemExitManager halts the JVM, so the abort branch is not safely unit-testable.

Out of scope (separate follow-up)

• Error classification of the connection catch (TLS-scheme mismatch vs HTTP 403 vs connection-refused) — to be filed as a child issue.

🤖 Generated with Claude Code

[claude]

Claude finished @fabrizzio-dotCMS's task in 1m 20s —— View job

---

Rollback Safety Analysis

• Read rollback-unsafe categories reference
• Get full PR diff
• Analyze diff against unsafe categories
• Post result and apply label

---

Result: ✅ Safe To Rollback

The label AI: Safe To Rollback has been applied.

---

Analysis

The diff touches 4 files: ContentletIndexAPIImpl.java, OSIndexAPIImpl.java, MainServlet.java, and a new test class OSIndexAPIImplWaitReadyTest.java. All changes are purely behavioral/startup-logic changes with no database, index mapping, or API contract impact.

Checked against every category in the rollback-unsafe reference:

Category	Verdict	Reason
C-1 Structural Data Model Change	✅ Safe	No runonce tasks, no table/column changes.
C-2 Elasticsearch Mapping Change	✅ Safe	No changes to ESMappingAPIImpl, ESMappingUtilHelper, or ES mappings. No putMapping() calls.
C-3 Content JSON Model Version Bump	✅ Safe	No changes to ImmutableContentlet, CURRENT_MODEL_VERSION, or ToCurrentVersionConverter.
C-4 DROP TABLE / DROP Column	✅ Safe	No DDL statements of any kind.
H-1 One-Way Data Migration	✅ Safe	No UPDATE … SELECT transformations or destructive backfills.
H-2 RENAME TABLE / COLUMN	✅ Safe	No renames.
H-3 PK Restructuring	✅ Safe	No constraint changes.
H-4 New ContentType Field Type	✅ Safe	No new field types registered.
H-5 Storage Provider Change	✅ Safe	No change to FileStorageAPIImpl or storage provider configuration.
H-6 DROP PROCEDURE / FUNCTION	✅ Safe	No stored procedure changes.
H-7 NOT NULL Column Without Default	✅ Safe	No schema changes at all.
H-8 VTL Viewtool Contract Change	✅ Safe	No viewtool method signatures changed.
M-1 Non-Broadening Column Type Change	✅ Safe	No DDL.
M-2 Push Publishing Bundle Format Change	✅ Safe	No bundle serialization changes.
M-3 REST / GraphQL API Contract Change	✅ Safe	No REST endpoint changes; no JSON field renames or type changes.
M-4 OSGi Plugin API Breakage	✅ Safe	No public interface signature changes to OSGi-exported packages.

Summary: All changes are confined to startup connection-gate behavior (waitUtilIndexReady() probe logic, bootstrapAndPointOS() guard, MainServlet phase-aware wait) and a new test file. Rolling back to N-1 restores the old startup logic; no persisted state (DB rows, ES mappings, index structure) is altered by N in a way that would be misread by N-1.

[github-actions]

🤖 Bedrock Review — deepseek.v3.2

[🟠 High] dotCMS/src/main/java/com/dotcms/content/index/opensearch/OSIndexAPIImpl.java:508-110 — The waitUtilIndexReady method catches all exceptions, including Error types like OutOfMemoryError or StackOverflowError, which should not be caught and retried. This could mask critical JVM failures. Consider catching only specific transport/connection exceptions (e.g., IOException, OpenSearchException).

[🟡 Medium] dotCMS/src/main/java/com/dotcms/content/index/opensearch/OSIndexAPIImpl.java:508-110 — The method waitUtilIndexReady logs the full exception message but not the stack trace, which could hinder debugging. Use Logger.error(this.getClass(), "OpenSearch Connection Attempt #" + (i + 1) + " of " + attempts, e); to include the stack trace.

[🟡 Medium] dotCMS/src/main/java/com/dotcms/content/index/opensearch/OSIndexAPIImpl.java:508-110 — The waitUtilIndexReady method's retry loop uses a fixed sleep time; under heavy load or network latency, the total wait time may be insufficient. Consider making the sleep time configurable with a maximum, but this is already addressed via OS_CONNECTION_RETRY_SLEEP_SECONDS. Ensure the default is appropriate for production.

[🟡 Medium] dotCMS/src/main/java/com/dotcms/content/index/opensearch/OSIndexAPIImpl.java:508-110 — The method handleConnectionExhausted calls IndexConfigHelper.haltMigration() without checking if the migration was already halted, potentially causing unnecessary phase resets. Add a guard to avoid redundant operations.

[🟡 Medium] dotCMS/src/main/java/com/dotcms/content/index/opensearch/OSIndexAPIImpl.java:508-110 — The resolveEndpointsForLogging method uses Config.getStringArrayProperty directly, which is acceptable, but ensure that OS_ENDPOINTS is properly validated elsewhere to prevent injection or malformed URLs.

[🟠 High] dotCMS/src/main/java/com/liferay/portal/servlet/MainServlet.java:109-115 — The code calls APILocator.getESIndexAPI().waitUtilIndexReady() twice if the first call returns false. This could cause a second wait cycle, delaying startup unnecessarily. The second call should only occur if the first indicates a fallback, but the logic is unclear and may double the wait time. Consider restructuring to avoid redundant waits.

[🟡 Medium] dotCMS/src/test/java/com/dotcms/content/index/opensearch/OSIndexAPIImplWaitReadyTest.java:1-97 — The test class sets configuration properties via Config.setProperty but does not restore the original values in case of test failure, which could affect other tests. While @After clears them, a failure before @After could leave properties set. Ensure proper cleanup in a try-finally block or use a rule.

[🟡 Medium] dotCMS/src/test/java/com/dotcms/content/index/opensearch/OSIndexAPIImplWaitReadyTest.java:1-97 — The test uses a FailingClientProvider that throws a generic RuntimeException. This may not accurately simulate real OpenSearch connection failures (e.g., OpenSearchException, IOException). Consider using a more specific exception type for better realism.

[🟡 Medium] dotCMS/src/test/java/com/dotcms/content/index/opensearch/OSIndexAPIImplWaitReadyTest.java:1-97 — The test does not cover the scenario where waitUtilIndexReady returns true (successful connection). This is noted in the comment but leaves a gap in unit test coverage for the happy path. Ensure integration tests cover this.

---

_{Run: #27851470641 · tokens: in: 4576 · out: 863 · total: 5439}