[Broker][Proxy][Function worker] Fix backpressure handling in Jetty web server configuration

[lhotari]

Motivation

The current Jetty configuration doesn't properly handle backpressure. This is a problem when asynchronous request handling is used and there's high load. The requests will get handled and the asynchronous calls are made to the backend system and this might cause all requests to fail.

One of the main reasons to configure backpressure is to ensure that the system doesn't get overwhelmed and can handle successfully a certain amount of requests and reject the other requests. When more and more asynchronous request handling is happening, it is importance of having a backpressure handling that prevents too much work entering the system.

It should be possible to limit the number of concurrent requests that are handled at a time. There is a setting maxConcurrentHttpRequests, but that is not correctly implemented and has no impact.

This PR fixes the backpressure handling and improves the settings around backpressure control. The changes are made consistently for broker, proxy, function worker and websocket proxy, where Jetty is used in Pulsar.

Modifications

• Fix maxConcurrentHttpRequests by using QoSFilter to limit concurrent requests

  • previous solution didn't limit concurrent http requests. The setting maxConcurrentHttpRequests was used to configure accept queue size. This didn't limit concurrent http requests.

• Replace previous hardcoded connection limit of 10000 http connections with configurable setting maxHttpServerConnections

  • use Jetty's built-in connection limit instead of PulsarServerConnector's custom solution

• Rate limiting should happen in the beginning of the filter chain

• Let Jetty tune selectors and acceptors based on number of cores

  • JETTY_AVAILABLE_PROCESSORS=n environment variable can be used to override the number of cores reported by the OS
    • This is useful when CPU limit isn't set on k8s and the number of cores is the number of total cores available on the k8s node
    • use can also use -XX:ActiveProcessorCount=n to make Java's Runtime.getRuntime().availableProcessors() return n

• Make accept queue capacity configurable by httpServerAcceptQueueSize setting

• make the queue for Jetty's thread pool's bounded and configured with httpServerThreadPoolQueueSize setting

  • the default is unlimited and doesn't cause backpressure which is desired when the queue grows

[lhotari]

btw. It would be useful to investigate the use of https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/servlets/DoSFilter.html for basic DoS protection.

[github-actions]

The pr had no activity for 30 days, mark with Stale label.

[eolivelli]

Really great work.
It is better to use builtin Jetty components

[eolivelli]

@merlimat @rdhabalia @codelipenghui would you mind taking a look ?

[michaeljmarshall]

Great work @lhotari! I think we should also add this back pressure handling to the WorkerServer, which also runs a Jetty server.

[lhotari]

Great work @lhotari! I think we should also add this back pressure handling to the WorkerServer, which also runs a Jetty server.

@michaeljmarshall Thanks for pointing that out. I added a commit to cover Function Worker with similar changes.

[lhotari]

There's a follow up PR #15637 to address some remaining gaps in the backpressure solution. Each context path had it's own rate limiter instance and that's why it's not currently behaving in an expected way. #15637 fixes this issue. Please review