[Broker] Timeout opening managed ledger operation … #7506
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
*Motivation* Currently broker has a timeout mechanism on loading topics. However the underlying managed ledger library doesn't provide a timeout mechanism. This will get into a situation that: A TopicLoad operation times out after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger factory. The completable future will never returns. So any sub-sequent topic lookups will fail because any attempts to load a topic will never attempt to re-open a managed ledger. *Modification* Introduce a timeout mechanism in managed ledger factory. If a managed ledger is not open within a given timeout period, the CompletableFuture will be removed. This allows any sub-sequent attempts to load topics can try to open the managed ledger again. *Tests* This problem can be constantly reproduced in a chaos test in kubernetes by killing k8s worker nodes. It can cause producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment.
sijie
requested review from
ivankelly,
merlimat,
rdhabalia,
jiazhai and
codelipenghui
addisonj
reviewed
Jul 10, 2020
| // Unable to get the future | ||
| log.warn("[{}] Got exception while trying to retrieve ledger", name, e); | ||
| } else { | ||
| PendingInitializeManagedLedger pendingLedger = pendingInitializeLedgers.get(name); |
There was a problem hiding this comment.
As opposed to requiring another call to check if the timeout has elapsed, would it make sense to instead use a CompletableFuture with a timeout? Much like we do in the BrokerService, the future created on line 370 could instead be made to have a timeout if it isn't resolved in so many milliseconds with the error handler remove the future from the cache of futures.
There was a problem hiding this comment.
We can do that. However, I didn't go down that route because of the following reason:
we need to keep the ManageLedger reference and to close it to release resources. Because the initialization involves a long pipeline including opening managed ledger and cursors. The behavior we observed is that the operation is stuck at opening cursors. So if we don't attempt to close the ManagedLedger instance, it can result in resource leaking.
With that being said, we need to keep a reference to ManagedLedgerImpl along with the CompletableFuture. Hence I chose the current implementation.
Another reason is to allow checking the timestamp proactively. I fixed a couple of issues before that NPE is thrown between creating a Future and registering error handling logic. I would like to have a mechanism in place that can fix any potential bugs by proactively checking if a CompletableFuture timed out.
@sijie Do you know why is that never never returning? Is that for DNS error on opening the ledger? |
jiazhai
approved these changes
Jul 10, 2020
|
@merlimat it is stuck in LedgerRecoveryOp when recovering cursors. I haven't caught the real exception. My feeling is more coming from the zookeeper side. The chaos test we did is killing the Kubernetes worker node hardly. In that worker node, it has one zookeeper pod, one bookkeeper pod, and one broker pod. This sounds like causing some zookeeper call didn't come back and the ledger recovery op stuck without triggering any callback which in return causes the problem in managed ledger library. A side note - I created an issue a while ago to separate loading cursors from loading managed ledger. The idea is that we should allow producers to produce messages once the managed ledger is ready. This would improve write availability. #7404 |
codelipenghui
approved these changes
Jul 11, 2020
|
/pulsarbot run-failure-checks |
codelipenghui
pushed a commit
to streamnative/pulsar-archived
that referenced
this pull request
Jul 17, 2020
*Motivation* Currently, broker has a timeout mechanism on loading topics. However, the underlying managed ledger library doesn't provide a timeout mechanism. This will get into a situation that a TopicLoad operation times out after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger factory. The completable future will never return. So any sub-sequent topic lookups will fail because any attempts to load a topic will never attempt to re-open a managed ledger. *Modification* Introduce a timeout mechanism in the managed ledger factory. If a managed ledger is not open within a given timeout period, the CompletableFuture will be removed. This allows any subsequent attempts to load topics that can try to open the managed ledger again. *Tests* This problem can be constantly reproduced in a chaos test in Kubernetes by killing k8s worker nodes. It can cause producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment. (cherry picked from commit 14e3b7a)
merlimat
pushed a commit
to merlimat/pulsar
that referenced
this pull request
Jul 21, 2020
*Motivation* Currently, broker has a timeout mechanism on loading topics. However, the underlying managed ledger library doesn't provide a timeout mechanism. This will get into a situation that a TopicLoad operation times out after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger factory. The completable future will never return. So any sub-sequent topic lookups will fail because any attempts to load a topic will never attempt to re-open a managed ledger. *Modification* Introduce a timeout mechanism in the managed ledger factory. If a managed ledger is not open within a given timeout period, the CompletableFuture will be removed. This allows any subsequent attempts to load topics that can try to open the managed ledger again. *Tests* This problem can be constantly reproduced in a chaos test in Kubernetes by killing k8s worker nodes. It can cause producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment.
cdbartholomew
pushed a commit
to kafkaesque-io/pulsar
that referenced
this pull request
Jul 21, 2020
*Motivation* Currently, broker has a timeout mechanism on loading topics. However, the underlying managed ledger library doesn't provide a timeout mechanism. This will get into a situation that a TopicLoad operation times out after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger factory. The completable future will never return. So any sub-sequent topic lookups will fail because any attempts to load a topic will never attempt to re-open a managed ledger. *Modification* Introduce a timeout mechanism in the managed ledger factory. If a managed ledger is not open within a given timeout period, the CompletableFuture will be removed. This allows any subsequent attempts to load topics that can try to open the managed ledger again. *Tests* This problem can be constantly reproduced in a chaos test in Kubernetes by killing k8s worker nodes. It can cause producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment.
cdbartholomew
pushed a commit
to kafkaesque-io/pulsar
that referenced
this pull request
Jul 24, 2020
*Motivation* Currently, broker has a timeout mechanism on loading topics. However, the underlying managed ledger library doesn't provide a timeout mechanism. This will get into a situation that a TopicLoad operation times out after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger factory. The completable future will never return. So any sub-sequent topic lookups will fail because any attempts to load a topic will never attempt to re-open a managed ledger. *Modification* Introduce a timeout mechanism in the managed ledger factory. If a managed ledger is not open within a given timeout period, the CompletableFuture will be removed. This allows any subsequent attempts to load topics that can try to open the managed ledger again. *Tests* This problem can be constantly reproduced in a chaos test in Kubernetes by killing k8s worker nodes. It can cause producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment.
wolfstudy
pushed a commit
that referenced
this pull request
Jul 29, 2020
*Motivation* Currently, broker has a timeout mechanism on loading topics. However, the underlying managed ledger library doesn't provide a timeout mechanism. This will get into a situation that a TopicLoad operation times out after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger factory. The completable future will never return. So any sub-sequent topic lookups will fail because any attempts to load a topic will never attempt to re-open a managed ledger. *Modification* Introduce a timeout mechanism in the managed ledger factory. If a managed ledger is not open within a given timeout period, the CompletableFuture will be removed. This allows any subsequent attempts to load topics that can try to open the managed ledger again. *Tests* This problem can be constantly reproduced in a chaos test in Kubernetes by killing k8s worker nodes. It can cause producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment. (cherry picked from commit 14e3b7a)
huangdx0726
pushed a commit
to huangdx0726/pulsar
that referenced
this pull request
Aug 24, 2020
*Motivation* Currently, broker has a timeout mechanism on loading topics. However, the underlying managed ledger library doesn't provide a timeout mechanism. This will get into a situation that a TopicLoad operation times out after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger factory. The completable future will never return. So any sub-sequent topic lookups will fail because any attempts to load a topic will never attempt to re-open a managed ledger. *Modification* Introduce a timeout mechanism in the managed ledger factory. If a managed ledger is not open within a given timeout period, the CompletableFuture will be removed. This allows any subsequent attempts to load topics that can try to open the managed ledger again. *Tests* This problem can be constantly reproduced in a chaos test in Kubernetes by killing k8s worker nodes. It can cause producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Currently, broker has a timeout mechanism on loading topics. However, the underlying managed ledger library
doesn't provide a timeout mechanism. This will get into a situation that a TopicLoad operation times out
after 30 seconds. But the CompletableFuture of opening a managed ledger is still kept in the cache of managed ledger
factory. The completable future will never return. So any sub-sequent topic lookups will fail because any
attempts to load a topic will never attempt to re-open a managed ledger.
Modification
Introduce a timeout mechanism in the managed ledger factory. If a managed ledger is not open within a given timeout
period, the CompletableFuture will be removed. This allows any subsequent attempts to load topics that can try to
open the managed ledger again.
Tests
This problem can be constantly reproduced in a chaos test in Kubernetes by killing k8s worker nodes. It can cause
producer stuck forever until the owner broker pod is restarted. The change has been verified in a chaos testing environment.