Kinesis adaptive memory management

[zachjsh]

Description

Our Kinesis consumer works by using the GetRecords API in some number of fetchThreads, each fetching some number of records (recordsPerFetch) and each inserting into a shared buffer that can hold a recordBufferSize number of records. The logic is described in our documentation at: https://druid.apache.org/docs/27.0.0/development/extensions-core/kinesis-ingestion/#determine-fetch-settings

There is a problem with the logic that this pr fixes: the memory limits rely on a hard-coded “estimated record size” that is 10 KB if deaggregate: false and 1 MB if deaggregate: true. There have been cases where a supervisor had deaggregate: true set even though it wasn’t needed, leading to under-utilization of memory and poor ingestion performance.

Users don’t always know if their records are aggregated or not. Also, even if they could figure it out, it’s better to not have to. So we’d like to eliminate the deaggregate parameter, which means we need to do memory management more adaptively based on the actual record sizes.

We take advantage of the fact that GetRecords doesn’t return more than 10MB (https://docs.aws.amazon.com/streams/latest/dev/service-sizes-and-limits.html ):

This pr:

eliminates recordsPerFetch, always use the max limit of 10000 records (the default limit if not set)

eliminate deaggregate, always have it true

cap fetchThreads to ensure that if each fetch returns the max (10MB) then we don't exceed our budget (100MB or 5% of heap). In practice this means fetchThreads will never be more than 10. Tasks usually don't have that many processors available to them anyway, so in practice I don't think this will change the number of threads for too many deployments

add recordBufferSizeBytes as a bytes-based limit rather than records-based limit for the shared queue. We do know the byte size of kinesis records by at this point. Default should be 100MB or 10% of heap, whichever is smaller.

add maxBytesPerPoll as a bytes-based limit for how much data we poll from shared buffer at a time. Default is 1000000 bytes.

deprecate recordBufferSize, use recordBufferSizeBytes instead. Warning is logged if recordBufferSize is specified

deprecate maxRecordsPerPoll, use maxBytesPerPoll instead. Warning is logged if maxRecordsPerPoll` is specified

Fixed issue that when the record buffer is full, the fetchRecords logic throws away the rest of the GetRecords result after recordBufferOfferTimeout and starts a new shard iterator. This seems excessively churny. Instead, wait an unbounded amount of time for queue to stop being full. If the queue remains full, we’ll end up right back waiting for it after the restarted fetch.

There was also a call to newQ::offer without check in filterBufferAndResetBackgroundFetch, which seemed like it could cause data loss. Now checking return value here, and failing if false.

Release Note

Kinesis ingestion memory tuning config has been greatly simplified, and a more adaptive approach is now taken for the configuration. Here is a summary of the changes made:

eliminates recordsPerFetch, always use the max limit of 10000 records (the default limit if not set)

eliminate deaggregate, always have it true

cap fetchThreads to ensure that if each fetch returns the max (10MB) then we don't exceed our budget (100MB or 5% of heap). In practice this means fetchThreads will never be more than 10. Tasks usually don't have that many processors available to them anyway, so in practice I don't think this will change the number of threads for too many deployments

add recordBufferSizeBytes as a bytes-based limit rather than records-based limit for the shared queue. We do know the byte size of kinesis records by at this point. Default should be 100MB or 10% of heap, whichever is smaller.

add maxBytesPerPoll as a bytes-based limit for how much data we poll from shared buffer at a time. Default is 1000000 bytes.

deprecate recordBufferSize, use recordBufferSizeBytes instead. Warning is logged if recordBufferSize is specified

deprecate maxRecordsPerPoll, use maxBytesPerPoll instead. Warning is logged if maxRecordsPerPoll` is specified

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[jon-wei]

Should this be higher? I wonder if this is too low in the case of non-aggregated records

[zachjsh]

I wondered the same actually. tbh, im not sure. I think validation for this requires extensive performance testing.

[zachjsh]

Changed it so that it polls for at least one record and at most 1_000_000 bytes if more than 1 record, which is what we were targeting for before.

[gianm]

So does that mean we should update the maxRecordsPerPoll: 1 here?

[zachjsh]

updated

[jon-wei]

nit: maybe use a constant for the 10MB limit with a comment that explains the limit comes from the Kinesis library

[zachjsh]

updated

[jon-wei]

Do you think it'd make sense to log a warning if the eliminated property is provided?

[zachjsh]

good thought, will add.

[zachjsh]

added

[jon-wei]

How come the shardIterator doesn't need to be reset here as before?

[zachjsh]

Previously when the record buffer is full here, the fetchRecords logic threw away the rest of the GetRecords result after recordBufferOfferTimeout and starts a new shard iterator. This seemed excessively churny. Instead we wait an unbounded amount of time for queue to stop being full. If the queue remains full, we’ll end up right back waiting for it after the restarted fetch.

[jon-wei]

Are the points about the licensing above still correct? Looks like amazon-kinesis-client is Apache licensed now: https://github.com/awslabs/amazon-kinesis-client/blob/master/LICENSE.txt

[zachjsh]

Removed the licensing comments.

[gianm]

Oh, it even looks like since #12370, amazon-kinesis-client with an Apache license is a regular dependency. So this reflective stuff is no longer needed. Please either rewrite it to use regular Java calls, or if you don't rewrite it, include a comment describing the situation. Something like:

The deaggregate function is implemented by the amazon-kinesis-client, whose license was formerly not compatible with Apache. The code here avoids the license issue by using reflection, but is no longer necessary since amazon-kinesis-client is now Apache-licensed and is now a dependency of Druid. This code could safely be modified to use regular calls rather than reflection.

[zachjsh]

updated

[jon-wei]

Is this a new failure mode? What would've happened in the old code if the queue size was exceeded?

[zachjsh]

it is a new failure more. I believe if the data was not added here, it could have resulted in data loss. Any other suggestion here? I was a little concerned about this too, but I think potential data loss is worse.

[zachjsh]

added comment saying that this shouldnt really happen, but is added for safety.

[gianm]

Tagged "release notes" since various memory-related configs are changed.

[gianm]

So does that mean we should update the maxRecordsPerPoll: 1 here?

[gianm]

It looks like maxRecordsPerPoll isn't doing anything anymore. Is that right? If so let's get rid of it.

[zachjsh]

removed, and added maxBytesPerPoll which is being used instead now.

[gianm]

Checks that should never happen, but are for safety, should be DruidException.defensive

[zachjsh]

thanks! updated

[gianm]

The comment above is no longer accurate -- we aren't grabbing new stream iterators anymore when the buffer is full.

[zachjsh]

removed.

[gianm]

Please move these two checks to run rather than the constructor, because we don't need to log this stuff every time a task object is constructed. (That happens at various points on the Overlord due to various API calls and internal machinations, and will create a log of log spam.)

[zachjsh]

Good catch. Moved.

[gianm]

This warning should only get logged if configuredFetchThreads != null. There's no reason to log it if runtimeInfo.getAvailableProcessors() * 2 is lower than maxFetchThreads.

[zachjsh]

Good catch, updated.

[gianm]

The recordsPerFetch and deaggregate properties should stay here for better compatibility during rolling updates and rollbacks. (We don't want to lose track of them prior to a potential rollback.)

So let's instead mark them deprecated, but keep them.

[zachjsh]

added back and marked as deprecated.

[jon-wei]

What happens if a single record is larger than maxBytePerPoll? Would this get stuck and make no progress?

[zachjsh]

good question, it always drains at least one record, clarified that in the docs. I added a test for this, see org.apache.druid.java.util.common.MemoryBoundLinkedBlockingQueueTest#test_drain_queueWithFirstItemSizeGreaterThanLimit_succeeds