Throttle the system based on active-ack timeouts.

[markusthoemmes]

This is a fairly big change but bear with me!

Today, we have an arbitrary system-wide limit of maximum concurrent connections. In general that is fine, but it doesn't have a direct correlation to what's actually happening in the system.

This adds a new state to each monitored invoker: Overloaded. An invoker will go into overloaded state if active-acks are starting to timeout. Eventually, if the system is really overloaded, all Invokers will be in overloaded state which will cause the loadbalancer to return a failure. This failure now results in a 503 - System overloaded message back to the user.

My changes affect the following components

• API
• Controller
• Message Bus (e.g., Kafka)
• Loadbalancer
• Invoker
• Intrinsic actions (e.g., sequences, conductors)
• Data stores (e.g., CouchDB)
• Tests
• Deployment
• CLI
• General tooling
• Documentation

Types of changes

• Bug fix (generally a non-breaking change which closes an issue).
• Enhancement or new feature (adds new functionality).
• Breaking change (a bug fix or enhancement which changes existing behavior).

Checklist:

• I signed an Apache CLA.
• I reviewed the style guides and followed the recommendations (Travis CI will check :).
• I added tests to cover my changes.
• My changes require further changes to the documentation.
• I updated the documentation where necessary.

[codecov-io]

Codecov Report

Merging #3875 into master will decrease coverage by 4.89%.
The diff coverage is 66.21%.

@@            Coverage Diff            @@
##           master    #3875     +/-   ##
=========================================
- Coverage   75.82%   70.92%   -4.9%     
=========================================
  Files         145      145             
  Lines        6924     6930      +6     
  Branches      421      423      +2     
=========================================
- Hits         5250     4915    -335     
- Misses       1674     2015    +341

Impacted Files	Coverage Δ
.../scala/src/main/scala/whisk/core/WhiskConfig.scala	91.86% <ø> (-0.14%)	⬇️
...a/whisk/core/entitlement/ActivationThrottler.scala	80% <ø> (ø)	⬆️
...src/main/scala/whisk/core/controller/Actions.scala	90.35% <0%> (-0.93%)	⬇️
.../main/scala/whisk/core/controller/Controller.scala	0% <0%> (ø)	⬆️
.../main/scala/whisk/core/controller/WebActions.scala	87.89% <0%> (-0.7%)	⬇️
...scala/src/main/scala/whisk/common/RingBuffer.scala	75% <100%> (ø)	⬆️
...on/scala/src/main/scala/whisk/common/Logging.scala	86.66% <100%> (-0.15%)	⬇️
...e/loadBalancer/ShardingContainerPoolBalancer.scala	29.41% <11.11%> (-2.02%)	⬇️
...ain/scala/whisk/core/entitlement/Entitlement.scala	78.07% <66.66%> (+1.45%)	⬆️
...a/whisk/core/loadBalancer/InvokerSupervision.scala	84.55% <93.47%> (+1.74%)	⬆️
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b542fa6...1872f1e. Read the comment docs.

[rabbah]

I haven’t looked at the changes yet- based on the description:

• is this heuristic affected by a network partition which results in no active acks
• timing out active acks can happen in the controller side if it can’t drain active acks fast enough (too slow, too many, gc); is the heuristic affected?

[markusthoemmes]

@rabbah, in theory, yes!

to 1.: If a network partition causes no active-acks, this network partition will also either lead to the controller not being able to write to kafka or the invoker not being able to read/write from kafka. These are valid cases to consider an invoker unusable?

to 2.: Again, I think this is a valid case of general overload. If there are too many active-acks for whatever reason, its safer to call the system done than continue to process with more crpytic errors (timeouts, crashes etc.)

WDYT?

[markusthoemmes]

Summarizing a discussion with @rabbah: We agree that this is not optimal and might be subject to heuristics. It is however better what we have today and it serves as a catch-all around the invoker to catch any errors possible.

[markusthoemmes]

PG4 2003 🔵

[cbickel]

In general the PR looks good to me, but I see a problem on sending already timed-out active acks to the invoker-pool. This can cause a flapping state in the invoker.

[cbickel]

... with timeouts

[cbickel]

Does it make sense to call the state Unresponsible or something like that?

[cbickel]

Sending active-acks to the invokerPool, after they already did timeout will recover the invoker too early, as it might have still a queue, that is too large.
But this case also handles the active-acks of the health actions, which still need to be sent to the invokerpool.

[markusthoemmes]

Brilliant find! Indeed this kinda breaks the protocol because in an overloaded scenario, the invokers will swap between Healthy and Overloaded continuously.

As discussed in person, we now no longer send the result of an activation that finished after it was forced into the invokerPool 👍

[cbickel]

LGTM

[markusthoemmes]

PG2 3408 🔵