KAFKA-5132: abort long running transactions #2957
Conversation
|
@guozhangwang @apurvam @hachikuji @mjsax should the expiry time be based on the transaction start time or the last updated time? Also, in the Google doc it says:
Though i'm not sure why we'd need to do this. If the transaction has made it either of those statuses then it is going to complete anyway. |
|
The expiry time is based on the start time. I think we need to add that field to the messages on the transaction log and set it on the first add partitions. From then on, we use that time to determine if the transaction needs to be timed out. Regarding your second comment, you are correct. If the transaction is in |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Hmm. there might be a resource leak somewhere, because all the tests are failing with an |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
I don't understand the build failure. I've ran the jenkins build locally and it is all good. |
|
Refer to this link for build results (access rights to CI server needed): |
|
It is leaking threads. Looking into it. |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
There was a problem hiding this comment.
Looks good to me overall. My biggest comment is about the 'two phase' operation of bumping the epoch and then transitioning to PREPARE_ABORT when a transaction needs to be expired. I think we can just initiate PREPARE_ABORT with the higher epoch. Please correct me if I am wrong!
Also, out of curiosity, all the shutdown and close are in response to the resource leaks that were exposed on Jenkins. But a lot of these resources seemed to be leaking anyway, independently of these changes (there was no networkClient.close, no transactionCoordinator.shutdown(), etc.). This suggests that the tests were already at tipping point, and this new code pushed it over. Is my assessment correct?
| idAndMetadata.metadata.producerEpoch, | ||
| TransactionResult.ABORT, | ||
| (errors: Errors) => { | ||
| warn(s"rollback of transactionalId: ${idAndMetadata.transactionalId} failed during transaction expiry. errors: $errors") |
There was a problem hiding this comment.
Shoudn't this only be logged if there is an error?
| idAndMetadata.metadata.prepareTransitionTo(Ongoing) | ||
| txnManager.appendTransactionToLog(idAndMetadata.transactionalId, idAndMetadata.metadata, (errors: Errors) => { | ||
| if (errors != Errors.NONE) | ||
| // TODO: Is this sufficient? It will be retried later if it failed |
There was a problem hiding this comment.
I think this is sufficient. What else can you do on a background scheduled thread anyway?
| if (!txnManager.isCoordinatorLoadingInProgress(idAndMetadata.transactionalId)) { | ||
| idAndMetadata.metadata.producerEpoch = (idAndMetadata.metadata.producerEpoch + 1).toShort | ||
| idAndMetadata.metadata.prepareTransitionTo(Ongoing) | ||
| txnManager.appendTransactionToLog(idAndMetadata.transactionalId, idAndMetadata.metadata, (errors: Errors) => { |
There was a problem hiding this comment.
Why can't we initiate an ABORT directly with the bumped epoch? We have to write the PREPARE anyway. We might as well do it with the the higher epoch.
There was a problem hiding this comment.
Thinking about this a bit more, I can see the motivation for two phase approach: you will categorically fence off any existing producer while maintaining the Ongoing state. You can then safely begin the abort.
However, even with the two phase approach, won't you still have a race condition where the existing producer could do a PREPARE_COMMIT which gets in before your epoch bump?
There was a problem hiding this comment.
Yes the idea is to fence off any existing producer.
As for the race condition - yes i should check that there is no pending state transaction before bumping the epoch etc. Thanks for pointing out
| scheduler.startup() | ||
|
|
||
| if (!scheduler.isStarted) | ||
| scheduler.startup() | ||
| // TODO: add transaction and pid expiration logic |
There was a problem hiding this comment.
Is this comment still valid?
|
@apurvam - yes the resources were leaking anyway, but this pushed it beyond the limit. |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
retest this please |
| && idAndMetadata.metadata.pendingState.isEmpty) { | ||
| idAndMetadata.metadata.producerEpoch = (idAndMetadata.metadata.producerEpoch + 1).toShort | ||
| idAndMetadata.metadata.prepareTransitionTo(Ongoing) | ||
| txnManager.appendTransactionToLog(idAndMetadata.transactionalId, idAndMetadata.metadata, (errors: Errors) => { |
There was a problem hiding this comment.
This looks good. For my edification: this txnManager.appendTransactionToLog will happen under the idAndMetadata.metadata lock, which is a shared object. so any futher request from the producer with this transactional id will be blocked until after the epoch is bumped, and hence will get a ProducerFencedException, correct?
There was a problem hiding this comment.
@apurvam correct they will get a ProducerFencedException.
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
| if (!txnManager.isCoordinatorLoadingInProgress(idAndMetadata.transactionalId) | ||
| && idAndMetadata.metadata.pendingState.isEmpty) { | ||
| idAndMetadata.metadata.producerEpoch = (idAndMetadata.metadata.producerEpoch + 1).toShort | ||
| idAndMetadata.metadata.prepareTransitionTo(Ongoing) |
There was a problem hiding this comment.
Sorry if this was raised before, but why don't we bump the epoch and transition to PREPARE_ABORT in the same write? If there's an edge case we're protecting by doing the epoch bump first, it might be useful to add a comment to document it.
|
retest this please. |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
retest this please |
| @@ -611,6 +611,8 @@ class KafkaServer(val config: KafkaConfig, time: Time = Time.SYSTEM, threadNameP | |||
| CoreUtils.swallow(zkUtils.close()) | |||
| if (metrics != null) | |||
| CoreUtils.swallow(metrics.close()) | |||
| if (transactionCoordinator != null) | |||
| CoreUtils.swallow(transactionCoordinator.shutdown()) | |||
There was a problem hiding this comment.
This needs to be removed as we have already merged a PR that fixes this:
Note that the shutdown needs to happen before the LogManager is shutdown (we had an issue where the GroupCoordinator tried to write to an already closed LogManager in the past).
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
retest this please |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
Abort any ongoing transactions that haven't been touched for longer than the transaction timeout