KAFKA-10199: Commit the restoration progress within StateUpdater #12279
Conversation
…ommit-in-state-updater
| } | ||
|
|
||
| for (final Task task : updatingTasks.values()) { | ||
| // do not enforce checkpointing during restoration if its position has not advanced much |
There was a problem hiding this comment.
This is not a Todo: it's explaining why we set the enforceCheckpoint as false. Inside that callee when it's false we will only write a new checkpoint if the offsets has significantly advanced.
There was a problem hiding this comment.
I see! This is a bit hard to understand in my opinion. Could we have two methods -- commitTaskAndEnforceCheckpoint() and commitTaskAndMaybeEnforcedCheckpoint()? If we change the code to only write the checkpoints, this code might change anyways.
There was a problem hiding this comment.
Fair enough. I will refactor this piece of code in the follow-up PR (I have one doing the code refactoring already) such that:
- We remove the
prepareCommitandpostCommitin standby task, instead we callwriteCheckpointdirectly. - We remove the
postCommitin active task,enforceCheckpointboolean in themaybeCheckpointfunction.
There was a problem hiding this comment.
Looking forward to the follow-up PR 🙂
| throw new IllegalStateException("Task " + task.id() + " should not have any source offset " + | ||
| "committable during restoration, but have " + offsetAndMetadata + " instead. " + BUG_ERROR_MESSAGE); | ||
| } | ||
|
|
|
|
||
| @AfterEach | ||
| public void tearDown() { | ||
| stateUpdater.shutdown(Duration.ofMinutes(1)); | ||
| } | ||
|
|
||
| private Properties configProps(final int commitInterval) { | ||
| return mkObjectProperties(mkMap( | ||
| mkEntry(StreamsConfig.APPLICATION_ID_CONFIG, safeUniqueClassTestName(getClass())), |
There was a problem hiding this comment.
Why do we need this since we do not use an embedded Kafka cluster?
There was a problem hiding this comment.
These two configs are required configs of StreamsConfig and hence we have to provide a dummy.
There was a problem hiding this comment.
Yes, I know. My question was actually about if we need to use safeUniqueClassTestName(getClass()) and provide a new override for that method. AFAIK, that method is primarily used in integration tests to ensure that consumer groups within one integration test class have distinct names so that consumer groups of different tests in the test class do not clash leading to longer execution times. This is not an integration test and we do not use an embedded Kafka cluster. Why do we need safeUniqueClassTestName(getClass())?
There was a problem hiding this comment.
That's fair. I will remove the safeUniqueClassTestName and just dummy with appID.
| mkEntry(StreamsConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:2171"), | ||
| mkEntry(StreamsConfig.PROCESSING_GUARANTEE_CONFIG, StreamsConfig.EXACTLY_ONCE_V2), | ||
| mkEntry(StreamsConfig.COMMIT_INTERVAL_MS_CONFIG, commitInterval), | ||
| // we need to make sure that transaction timeout is not lower than commit interval for EOS |
There was a problem hiding this comment.
Not a todo: I was explaining why we need to explicitly set the RANSACTION_TIMEOUT_CONFIG as commitInterval as well.
There was a problem hiding this comment.
Do we have a check for this somewhere in our production code?
There was a problem hiding this comment.
Yes, otherwise the app would fail upon starting up.
There was a problem hiding this comment.
If there is a check in the production code, we do not need to add this comment since the test would fail anyways, right? I would remove the comment.
| verify(task, times(0)).prepareCommit(); | ||
| verify(task, times(0)).postCommit(true); | ||
| verify(task, times(0)).postCommit(false); |
There was a problem hiding this comment.
| verify(task, times(0)).prepareCommit(); | |
| verify(task, times(0)).postCommit(true); | |
| verify(task, times(0)).postCommit(false); | |
| verify(task, never()).prepareCommit(); | |
| verify(task, never()).postCommit(true); | |
| verify(task, never()).postCommit(false); |
| waitForCondition( | ||
| () -> { | ||
| for (final Task task : tasks) { | ||
| verify(task, atLeast(1)).prepareCommit(); | ||
| verify(task, atLeast(1)).postCommit(enforceCheckpoint); | ||
| } | ||
|
|
||
| return true; | ||
| }, | ||
| VERIFICATION_TIMEOUT, | ||
| "Did not auto commit all tasks within the given timeout!" | ||
| ); |
There was a problem hiding this comment.
Did you consider to use verify(task, timeout(VERIFICATION_TIMEOUT).atLeast(1)) instead of waitForCondition()?
There was a problem hiding this comment.
Thanks for the tip! will give it a try.
|
|
||
| return true; | ||
| }, | ||
| VERIFICATION_TIMEOUT, |
There was a problem hiding this comment.
Could you express the timeout in terms of the commit interval?
There was a problem hiding this comment.
I tried it a bit but since we are using a system test here using exact commit interval could cause flakiness; while using a larger value say commit interval * 2 is safe enough I felt it would be similar to just using a longer value as VERIFICATION_TIMEOUT here.
|
|
||
| private void commitTask(final Task task, final boolean enforceCheckpoint) { | ||
| // prepare commit should not take any effect except a no-op verification | ||
| final Map<TopicPartition, OffsetAndMetadata> offsetAndMetadata = task.prepareCommit(); |
There was a problem hiding this comment.
I am not sure I understand why we should commit. The task does not read from the input at this point. Wouldn't flushing the stores and writing the checkpoint file be enough? Can we somehow just flush the state store and write the checkpoint instead of calling the *Commit() methods? I think that would simplify the code.
There was a problem hiding this comment.
I was trying to leverage on the extra state validation logic inside the *Commit() function, but I agree we can directly call checkpointing which would be more straight-forward. LMK if you feel strong about this and I can change it accordingly.
There was a problem hiding this comment.
Yes, I feel strongly about it. 🙂
There was a problem hiding this comment.
I plan to do the function refactoring (mentioned above) in the follow-up PR, and here I would just directly call the checkpoint functions.
| @@ -286,6 +308,7 @@ public void shouldRestoreActiveStatefulTasksAndUpdateStandbyTasks() throws Excep | |||
| stateUpdater.add(task4); | |||
|
|
|||
| verifyRestoredActiveTasks(task2, task1); | |||
| verifyCommitTasks(true, task2, task1); | |||
There was a problem hiding this comment.
Shouldn't the offsets of standby tasks also be written to the checkpoint file?
There was a problem hiding this comment.
We can only be certain that active tasks would be checkpointed since they are completed upon when we enforce the checkpoint; standby tasks would only try checkpointing without enforcing during processing and hence here they will not write the checkpoint.
There was a problem hiding this comment.
What if you move this verification after verifyUpdatingStandbyTasks()? Are standby tasks still not checkpointed because we do not enforce the checkpoint?
There was a problem hiding this comment.
Yes, unless we wait for commit interval.. btw I think since this is already covered in other tests we do not need to wait (and since it's system time we need to wait conservatively to reduce flakiness) again in this test.
…ommit-in-state-updater
…ommit-in-state-updater
| @@ -85,7 +86,7 @@ public Collection<StandbyTask> getUpdatingStandbyTasks() { | |||
| } | |||
|
|
|||
| public boolean onlyStandbyTasksLeft() { | |||
| return !updatingTasks.isEmpty() && updatingTasks.values().stream().allMatch(t -> !t.isActive()); | |||
| return !updatingTasks.isEmpty() && updatingTasks.values().stream().noneMatch(Task::isActive); | |||
There was a problem hiding this comment.
I did the same change in #12312 🙂
I will revert the change in my PR to avoid merge conflicts.
| @@ -88,7 +88,8 @@ public abstract class AbstractTask implements Task { | |||
| * @throws StreamsException fatal error when flushing the state store, for example sending changelog records failed | |||
| * or flushing state store get IO errors; such error should cause the thread to die | |||
| */ | |||
| protected void maybeWriteCheckpoint(final boolean enforceCheckpoint) { | |||
| @Override | |||
| public void maybeCheckpoint(final boolean enforceCheckpoint) { | |||
There was a problem hiding this comment.
Now that this method is public, could you please add unit tests for this method?
| } | ||
|
|
||
| for (final Task task : updatingTasks.values()) { | ||
| // do not enforce checkpointing during restoration if its position has not advanced much |
There was a problem hiding this comment.
Looking forward to the follow-up PR 🙂
| mkEntry(StreamsConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:2171"), | ||
| mkEntry(StreamsConfig.PROCESSING_GUARANTEE_CONFIG, StreamsConfig.EXACTLY_ONCE_V2), | ||
| mkEntry(StreamsConfig.COMMIT_INTERVAL_MS_CONFIG, commitInterval), | ||
| // we need to make sure that transaction timeout is not lower than commit interval for EOS |
There was a problem hiding this comment.
If there is a check in the production code, we do not need to add this comment since the test would fail anyways, right? I would remove the comment.
| public static String safeUniqueClassTestName(final Class<?> testClass) { | ||
| return (testClass.getSimpleName()) | ||
| .replace(':', '_') | ||
| .replace('.', '_') | ||
| .replace('[', '_') | ||
| .replace(']', '_') | ||
| .replace(' ', '_') | ||
| .replace('=', '_'); | ||
| } | ||
|
|
There was a problem hiding this comment.
This should be dead code now that we do not need this method in DefaultStateUpdater. Could you please remove it?
| @@ -506,6 +537,7 @@ public void shouldAddFailedTasksToQueueWhenRestoreThrowsStreamsExceptionWithTask | |||
| verifyUpdatingTasks(task2); | |||
| verifyRestoredActiveTasks(); | |||
| verifyRemovedTasks(); | |||
| verifyNeverCheckpointTasks(task1, task3); | |||
| @@ -531,6 +563,7 @@ public void shouldAddFailedTasksToQueueWhenRestoreThrowsTaskCorruptedException() | |||
| verifyUpdatingTasks(task3); | |||
| verifyRestoredActiveTasks(); | |||
| verifyRemovedTasks(); | |||
| verifyNeverCheckpointTasks(task1, task2); | |||
| @@ -552,6 +585,7 @@ public void shouldAddFailedTasksToQueueWhenUncaughtExceptionIsThrown() throws Ex | |||
| verifyUpdatingTasks(); | |||
| verifyRestoredActiveTasks(); | |||
| verifyRemovedTasks(); | |||
| verifyNeverCheckpointTasks(task1, task2); | |||
| final StreamsConfig config = new StreamsConfig(configProps(Integer.MAX_VALUE)); | ||
| final DefaultStateUpdater stateUpdater = new DefaultStateUpdater(config, changelogReader, offsetResetter, Time.SYSTEM); |
There was a problem hiding this comment.
It is better to do this, otherwise verifications like verifyExceptionsAndFailedTasks() will not work. You do not use them in this method, but the change makes the test future-proof.
| final StreamsConfig config = new StreamsConfig(configProps(Integer.MAX_VALUE)); | |
| final DefaultStateUpdater stateUpdater = new DefaultStateUpdater(config, changelogReader, offsetResetter, Time.SYSTEM); | |
| stateUpdater.shutdown(Duration.ofMinutes(1)); | |
| final StreamsConfig config = new StreamsConfig(configProps(Integer.MAX_VALUE)); | |
| stateUpdater = new DefaultStateUpdater(config, changelogReader, offsetResetter, Time.SYSTEM); |
There was a problem hiding this comment.
Sounds good, I will remove final on that variable then.
|
|
||
| private void verifyCheckpointTasks(final boolean enforceCheckpoint, final Task... tasks) throws Exception { | ||
| for (final Task task : tasks) { | ||
| verify(task, timeout(VERIFICATION_TIMEOUT).atLeast(1)).maybeCheckpoint(enforceCheckpoint); |
There was a problem hiding this comment.
nit: I think the timeout is not needed here, since you use this verification after the tasks are either restored or removed. In those cases maybeCheckpoint() should have already be called by then.
There was a problem hiding this comment.
When I removed the timeout(VERIFICATION_TIMEOUT) the shouldAutoCheckpointTasksOnInterval starts to be flaky (once every ~30 on my laptop). This is because in that test we do not close the task before verification, and the system time makes sleeping just one commit interval not sufficient to be 100% sure (even with commit interval * 2 I can still see flakiness). So I reverted that removal by the end.
…ommit-in-state-updater
|
Thanks for having another look @cadonna , your comments are addressed. |
|
Oh I had one commit for adding the unit test lost, adding now. |
There was a problem hiding this comment.
@guozhangwang Thanks for the updates
Here my feedback.
Feel free to react on my feedback in a follow-up PR.
| task.maybeCheckpoint(false); // this should not checkpoint | ||
| task.maybeCheckpoint(false); // this should checkpoint | ||
| task.maybeCheckpoint(false); // this should not checkpoint |
There was a problem hiding this comment.
This test is not really clear about when the checkpointing happens. Ideally, we would need to verify after each call to maybeCheckpoint(). That might be possible with EasyMock#reset() but I am not 100% sure.
There was a problem hiding this comment.
Ack. I figured out a way without relying on reset(), and instead just checking on offsetSnapshotSinceLastFlush which is only updated if checkpoint is indeed executed.
| task = createOptimizedStatefulTask(createConfig("100"), consumer); | ||
|
|
||
| task.initializeIfNeeded(); | ||
| task.maybeCheckpoint(true); |
There was a problem hiding this comment.
Do we not need to also test task.maybeCheckpoint(false)?
| @@ -313,6 +337,7 @@ public void shouldRestoreActiveStatefulTaskThenUpdateStandbyTaskAndAgainRestoreA | |||
| stateUpdater.add(task2); | |||
|
|
|||
| verifyRestoredActiveTasks(task1); | |||
| verifyCheckpointTasks(true, task1); | |||
There was a problem hiding this comment.
I think we need another verification before line 350.
|
Thanks @cadonna . I will follow-up on your comments for unit tests in the next PR. |
| stateUpdater.add(task3); | ||
| stateUpdater.add(task4); | ||
|
|
||
| sleep(COMMIT_INTERVAL); |
There was a problem hiding this comment.
Shall we use MockTime() instead of system time to better control the progress of time?
…che#12279) During restoring, we should always commit a.k.a. write checkpoint file regardless of EOS or ALOS, since if there's a failure we would just over-restore them upon recovery so no EOS violations happened. Also when we complete restore or remove task, we should enforce a checkpoint as well; for failing cases though, we should not write a new one. Reviewers: Bruno Cadonna <cadonna@apache.org>
During restoring, we should always commit a.k.a. write checkpoint file regardless of EOS or ALOS, since if there's a failure we would just over-restore them upon recovery so no EOS violations happened.
Also when we complete restore or remove task, we should enforce a checkpoint as well; for failing cases though, we should not write a new one.
Committer Checklist (excluded from commit message)