Receiver: Fix quorum handling for all hashing algorithms #5791
Conversation
If there are only conlifct errors present during the error determination, it can be safely assumed other requests succeeded and therefore we can directly return conflict. Signed-off-by: Matej Gera <[email protected]>
…ests Instead of deciding on the basis of individual requests, this change takes into consideration the fact that there can be multiple requests per each replica number (for simplification I refer to these as 'replica groups'). For confirming quorum it is then decisive to assert whether ALL requests succeeded from AT LEAST the number of replica groups equal to the write quorom. Signed-off-by: Matej Gera <[email protected]>
Extends the E2E tests to cover both hashing algorithms. Signed-off-by: Matej Gera <[email protected]>
Signed-off-by: Matej Gera <[email protected]>
pkg/receive/handler.go
Outdated
| if success[i] >= replicaGroupReqs[i] { | ||
| // If enough replica groups succeed, we can finish early (quorum | ||
| // is guaranteed). | ||
| replicaGroupSuccess++ |
There was a problem hiding this comment.
So each replicaGroup signifies all the requests made to replicate a batch of series to a replica-endpoint? And if all the requests within that replicaGroup succeed, we count that as a success towards ensuring quorum?
There was a problem hiding this comment.
Yes, that's the gist 👍, there is now also second way to verify quorum, I added more details in description.
pkg/receive/handler.go
Outdated
| var success int | ||
| var ( | ||
| // success counts how many requests per replica have succedeed. | ||
| success = make([]int, h.options.ReplicationFactor) |
There was a problem hiding this comment.
This change initializes some slices. Maybe it would be a good idea to benchmark and see changes to hot path?
There was a problem hiding this comment.
I ran BenchmarkHandlerReceiveHTTP, I think we won't be able to avoid those few extra allocs but I think it should still be acceptable?
name old time/op new time/op delta
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/OK-12 891µs ± 0% 942µs ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/conflict_errors-12 1.07ms ± 0% 1.12ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/OK-12 9.42ms ± 0% 9.68ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/conflict_errors-12 11.5ms ± 0% 11.2ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/OK-12 39.7ms ± 0% 39.3ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/conflict_errors-12 49.7ms ± 0% 49.7ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/OK-12 85.7ms ± 0% 105.6ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/conflict_errors-12 87.6ms ± 0% 89.9ms ± 0% ~ (p=1.000 n=1+1)
name old alloc/op new alloc/op delta
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/OK-12 1.15MB ± 0% 1.15MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/conflict_errors-12 1.41MB ± 0% 1.41MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/OK-12 13.1MB ± 0% 13.1MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/conflict_errors-12 15.5MB ± 0% 15.5MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/OK-12 53.4MB ± 0% 53.4MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/conflict_errors-12 62.0MB ± 0% 62.0MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/OK-12 110MB ± 0% 110MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/conflict_errors-12 110MB ± 0% 110MB ± 0% ~ (p=1.000 n=1+1)
name old allocs/op new allocs/op delta
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/OK-12 3.10k ± 0% 3.10k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/conflict_errors-12 6.63k ± 0% 6.64k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/OK-12 30.3k ± 0% 30.3k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/conflict_errors-12 65.2k ± 0% 65.2k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/OK-12 121k ± 0% 121k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/conflict_errors-12 260k ± 0% 260k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/OK-12 89.0 ± 0% 93.0 ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/conflict_errors-12 217 ± 0% 223 ± 0% ~ (p=1.000 n=1+1)
There was a problem hiding this comment.
With latest changes, still looking fine:
name old time/op new time/op delta
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/OK-12 1.20ms ± 0% 0.87ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/conflict_errors-12 1.25ms ± 0% 1.05ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/OK-12 10.6ms ± 0% 9.3ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/conflict_errors-12 12.8ms ± 0% 10.8ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/OK-12 46.3ms ± 0% 36.8ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/conflict_errors-12 55.5ms ± 0% 43.6ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/OK-12 102ms ± 0% 82ms ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/conflict_errors-12 101ms ± 0% 86ms ± 0% ~ (p=1.000 n=1+1)
name old alloc/op new alloc/op delta
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/OK-12 1.15MB ± 0% 1.15MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/conflict_errors-12 1.41MB ± 0% 1.41MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/OK-12 13.1MB ± 0% 13.1MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/conflict_errors-12 15.5MB ± 0% 15.5MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/OK-12 53.3MB ± 0% 53.2MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/conflict_errors-12 62.0MB ± 0% 62.0MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/OK-12 110MB ± 0% 110MB ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/conflict_errors-12 110MB ± 0% 110MB ± 0% ~ (p=1.000 n=1+1)
name old allocs/op new allocs/op delta
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/OK-12 3.10k ± 0% 3.10k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_500_of_them/conflict_errors-12 6.63k ± 0% 6.64k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/OK-12 30.3k ± 0% 30.3k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_5000_of_them/conflict_errors-12 65.2k ± 0% 65.2k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/OK-12 121k ± 0% 121k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/typical_labels_under_1KB,_20000_of_them/conflict_errors-12 260k ± 0% 260k ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/OK-12 89.0 ± 0% 94.0 ± 0% ~ (p=1.000 n=1+1)
HandlerReceiveHTTP/extremely_large_label_value_10MB,_10_of_them/conflict_errors-12 218 ± 0% 224 ± 0% ~ (p=1.000 n=1+1)
|
@matej-g I am not familiar enough with this code path to determine correctness here or not, but determining quorum in this fashion makes sense to me for ketama |
pkg/receive/handler.go
Outdated
| if err != nil { | ||
| level.Debug(tLogger).Log("msg", "request failed, but not needed to achieve quorum", "err", err) | ||
| } | ||
| } | ||
| }() | ||
| }() | ||
|
|
||
| var success int | ||
| var ( | ||
| // success counts how many requests per replica have succedeed. |
There was a problem hiding this comment.
Could we reflect this comment and all the others that follow into their respective variable name? This pattern of comment explaining "what" and not "why" is often a sign that something deserves a better name.
There was a problem hiding this comment.
I tried to name it a bit better, although I'm finding it challenging to try and find clear enough name that it would encapsulate the complexity of replication logic and be obvious without additional commentary. Suggestions welcome.
pkg/receive/handler.go
Outdated
| @@ -976,6 +1011,16 @@ func determineWriteErrorCause(err error, threshold int) error { | |||
| return err | |||
| } | |||
|
|
|||
| // errWithReplicaFunc is a type to enable sending replica number and err over channel. | |||
| type errWithReplicaFunc func() (uint64, error) | |||
There was a problem hiding this comment.
Why does this have to a function and can't be a struct { uint64, error }?
There was a problem hiding this comment.
Does not have to, I found it simpler to "send" it via function, no strong preference here though.
There was a problem hiding this comment.
If we don't need a function, I think we should "downgrade" the type to a struct to be as simple as possible.
| @@ -226,6 +226,15 @@ func TestDetermineWriteErrorCause(t *testing.T) { | |||
| threshold: 1, | |||
| exp: errors.New("baz: 3 errors: 3 errors: qux; rpc error: code = AlreadyExists desc = conflict; rpc error: code = AlreadyExists desc = conflict; foo; bar"), | |||
| }, | |||
| { | |||
There was a problem hiding this comment.
I wonder why this issue was not caught by tests. Do we run unit tests for Ketama?
There was a problem hiding this comment.
We do have tests to verify quorum but they all run just with hashmod, I'm extending those as well to run with both algorithms.
There was a problem hiding this comment.
Are you referring to the e2e tests that were extended? Can we also do the same for unit tests?
There was a problem hiding this comment.
Yes, I meant I'm working on extending those unit tests in handler_test.go
There was a problem hiding this comment.
Ah ok, sorry for misunderstanding :)
There was a problem hiding this comment.
All relevant unit tests now have been expanded to run with both algorithms.
There was a problem hiding this comment.
Out of curiosity, did tests fail before your fix?
There was a problem hiding this comment.
Not really, which I believe was mainly because:
- With replication factor 3 and 3 nodes (which were all the test cases), even with ketama, it probably cannot be caught since the number of requests is small (but even on
mainexpanding tests to simulate 6 node deployment, the failures start to show up) - We were running all tests with single time series, which is probably more of an edge case (now I run the tests with 50 series which should give us a good enough test data)
- The node addresses were randomized, I believe on
mainon ketama this was causing some inconsistent results (I pushed fix for this now as well to generate the addresses in a predictable manner, no need for randomized addresses I believe)
I think that to avoid confusions we should clarify one fundamental difference between For example, 2 timeseries with ketama using a replication factor 3 will require between 3 and 6 requests to be fully replicated. This will depend on their hash. In fact, I am even curious whether our code can prevent 2 replicas of a given series from landing on the same node. Could be a low probability scenario, but on systems running millions of timeseries even a low probability might have a big impact. Do you know if this could happen, @fpetkovski or @matej-g? |
|
This cannot happen anymore. It used to, but is now fixed by ensuring that the replica for each section in the ring is covered by a different node: https://github.com/thanos-io/thanos/blob/main/pkg/receive/hashring.go#L138-L154 |
- Adds second success mode - even if requests from multiple replica group fails, we can still claim quorum as long as the failed requests are from max permissible number of endpoints (this depends on quorum). - Fix replica success group count from previous change - the count should be local to the success counting loop - Adjust error write determination for requests counted per replica- we need to either ensure there is only single error cause or fallback to a single error to signal failed replication; this is because if there's a mixed bag of errors, we cannot guarantee write success and we simply need to return that this particular replication failed - Add more tags to traces Signed-off-by: Matej Gera <[email protected]>
- Add new unit tests for error determination - Simplify and unify quorum unit tests; run for both hashing algorithms; extended unit tests (add tests with 6 nodes and higher repl factor) Signed-off-by: Matej Gera <[email protected]>
Signed-off-by: Matej Gera <[email protected]>
Signed-off-by: Matej Gera <[email protected]>
|
Sorry for the delay folks. I fixed a few more things, updated the description accordingly (I know there are quite few changes, if something's not clear or if I can make things easier to review by splitting / reorganizing this, please let me know). I have also expanded all unit tests to verify quorum to run for both algorithms. |
pkg/receive/handler.go
Outdated
| var success int | ||
| var ( | ||
| // perReplicaSuccess is used to determine if enough requests succeeded for given replica number. | ||
| preReplicaSuccess = make([]int, h.options.ReplicationFactor) |
There was a problem hiding this comment.
Small typo here:
| preReplicaSuccess = make([]int, h.options.ReplicationFactor) | |
| perReplicaSuccess = make([]int, h.options.ReplicationFactor) |
There was a problem hiding this comment.
Shouldn't we be tracking per-shard success rate?
There was a problem hiding this comment.
What do you mean with "shard", @fpetkovski? Is this the same as the "replica group request" mentioned in the description of this pull request?
There was a problem hiding this comment.
I think we might be talking about the same thing, but I still think this variable is very confusing. Requests get split into independent partitions (shards), and then each shard gets replicated. So I would expect us to track how many successful replications each shard has, e.g perShardSuccessfulReplicas.
There was a problem hiding this comment.
I'm not sure I follow fully as well, but throwing in yet another term is even more confusing for me. Are we talking about the initial batching of requests in https://github.com/thanos-io/thanos/blob/main/pkg/receive/handler.go#L555 when you say 'shards'? Since most of the docs refer to these as 'batches', I'd either stick to this or refer to this as 'shards' everywhere (I don't have strong preference but I associate shards more with actual databases rather than requests).
Other than that you're right, but I named it 'per replica', since each index in the slice tracks success of requests going to given replica (for a single shard / batch), but if it's not obvious enough I can prefix it as you suggested.
There was a problem hiding this comment.
Calling it a batch makes sense as well, I agree that sharding is not mentioned anywhere else. What I wanted to say is that a receiver is not a replica, because each receiver can hold a unique portion of the data.
There was a problem hiding this comment.
If I'm not mistaken, in most of the places in this part of the code we could literally replace the word "replica" with "replicationIndex". This confuses me a lot.
There was a problem hiding this comment.
Agreed @douglascamata, I think this where lot of the confusion originates, as @fpetkovski also mentions, this creates impression that replica = receiver node, but it's more of a logical replica (since parts of that replica will end up on different nodes). I'd be happy to rename this, I'll also try to improve the other variables and get rid of the "group request" naming.
There was a problem hiding this comment.
I tried to improve on the naming somewhat, I also added a diagram to the PR description as @douglascamata suggested, I hope it will make things a bit clearer. What I'm struggling with it seems is how to properly name / encapsulate the logic on the very right side of the diagram, i.e. confirming success of replication requests.
There was a problem hiding this comment.
Amaaaaaazing, @matej-g!
Signed-off-by: Matej Gera <[email protected]>
matej-g
force-pushed
the
fix-quorum-error-handling
branch
from
8c00361
to
b0ed83a
Compare
Signed-off-by: Matej Gera <[email protected]>
Signed-off-by: Matej Gera <[email protected]>
|
|
||
| // TestReadWriteThanosSetup sets up a Thanos deployment with 6 receiver replicas and replication factor 3 for writing. | ||
| // On top of that, the written metrics are queryable via querier. | ||
| func TestReadWriteThanosSetup(t *testing.T) { |
There was a problem hiding this comment.
Can we add some automatic avalanche/Prometheus to this setup to continuously write and then we could manually (or automatically within e2e test if we don't to this yet) play with killing one container.
| // replica encapsulates the replica number of a request and if the request is | ||
| // already replicated. | ||
| // replica encapsulates the replication index of a request and if the request is | ||
| // already replicated. Replication index represents the number of logical replica to which |
There was a problem hiding this comment.
| // already replicated. Replication index represents the number of logical replica to which | |
| // already replicated. Replication index represents the number of logical replicas to which |
| } | ||
| finalErr := errs.Err() | ||
| // Second success mode - it is permissible to fail all requests to specific endpoints, | ||
| // up to maxEndpointFailures, in which case we still know quorum is reached. |
There was a problem hiding this comment.
Hm, I read through the descriptions, and I still can't tell why we need this. Even despite your great diagrams and TWO definitions 🙈 sorry.
Essentially do we need the first success mode if we have such a trivial second mode? Can we have just a second mode? I think we should be safe if one receiver is down - that's the purpose of hashring - but maybe our hashring algorithm is making the wrong decision here and we don't have this invariant:
I guess I need to spend more time to understand this..
| }) | ||
|
|
||
| t.Run("replication_with_outage", func(t *testing.T) { | ||
| t.Run("replication_hashmod_with_outage", func(t *testing.T) { |
There was a problem hiding this comment.
| t.Run("replication_hashmod_with_outage", func(t *testing.T) { | |
| t.Run("replication_hashmod_with_acceptable_outage", func(t *testing.T) { |
It would be nice to add test with unacceptable outage
|
Furthermore to me, e2e test
|
|
I agree that the current way replication works is not ideal, but if this is an issue we should probably prioritize fixing it. So unless the idea from #5807 is easy to implement, I don't think we should delay the fix until we have a pretty solution. |
|
@fpetkovski we had finally some F2F time yesterday on this and we're considering if there's better alternative to this, but I'd agree with prioritizing the fix. I'll try to have this resolved by the end of this week. |
| // It will inspect the error's cause if the error is a MultiError. It will return cause of each contained error but will not traverse any deeper. | ||
| // If no cause can be determined, the original error is returned. When forReplication is true, | ||
| // it will return failed replication error on any unknown error cause. | ||
| func determineWriteErrorCause(err error, threshold int, forReplication bool) error { |
There was a problem hiding this comment.
Is this fixing a separate issue?
|
I tried solving the issue independently to see if we converge to the same solution: #5910 I think we're pretty much aligned, with the exception of sending a function over a channel which I found a bit confusing 😄 |
Thanks, I took a look, it makes sense to me 👍.
For the sending function over func, I think @douglascamata also pointed this out, and I don't have a strong stance on that, we can send a struct as well, but I thought just to be able to send two multiple independent values this a common solution (but perhaps not). As for the replication success counting, yes, I think we're on the similar page, but in #5910 you do it for each batch vs. here I try to achieve it globally, but your way seems less complex. |
|
Closing as this has been superseded by #5910 |
|
@matej-g I think you forgot to press the "Close" button. |
|
Thanks @douglascamata for keeping track of this. Since @matej-g is away, let's close the issue for now. It's also out of sync with main. We can always ask for forgiveness from Matej if he objects :) |
Changes
This PR suggest a way to fix #5784 discovered with
ketamahashing.The presumption one replication = one request was true for
hashmodhashing, however withketamahashing this is no longer the case (same could be true for behavior for other algorithms in the future). There can now be requests being made to multiple endpoints as part of single replicated request (i.e. one replication = multiple requests). As described in #5784, this renders the current quorum handling incorrect.To fix quorum validation, I suggest to:
Introduce an additional way to validate quorum - instead of counting individual request, the focus should be on confirming if all requests that have been made on behalf of a replica have succeeded (for simplification I refer to these as 'replica group request'). In this way we can confirm that if successful replica group requests >= success threshold, the quorum has been achieved. For example: for replication factor 3, we will end up with three replica group requests (1,2,3) - to guarantee quorum (2), at least two of these groups need to be written successfully.
Additionally validate quorum by counting endpoint failures - besides knowing that we need at least quorum of replica requests to succeed, we also know that due to hashing series each replica must end on a distinct node. This means that even if not all requests for any given replica group succeed, we still know quorum was reached if all request succeeded except for requests going to specific endpoint(s). The number of such failed endpoints can be determined based on quorum.
This necessitates to send back the number of replica together with an error (or
nilerror in case of success), in order to make ti possible to track success of a replica group request and endpoint failures. This PR makes the necessary changes to errors channel in the forward fanout method.Some adjustments to the method determining write success were also made - when determining error for requests going to a particular replica, we need to either be able to find single cause for all errors or return single error signalizing that his replication failed.
Another simplification included here is in when determining error cause - if the multi error includes only conflict errors, we do not need to care about the threshold, as we can assume other requests succeeded and we can directly return conflict.
I also added read / write interactive tests (makes it easier to manually play with receiver changes)
Verification