Add a way for a user to initiate connection shutdown.

[alexc-db]

Motivation:

#3516. A user sometimes needs to send a GOAWAY frame manually when they wants to make a client establish a new connection explicitly. Armeria currently doesn't provide an API for this.

Modifications:

• Add CompletableFuture<Void> initiateConnectionShutdown() and CompletableFuture<Void> initiateConnectionShutdown(Duration gracePeriod)methods to DefaultServiceRequestContext. CompletableFuture is completed when channel is closed. Mark as @UnstableApi to allow follow up modification. Calling this method sends InitiateConnectionShutdown event using ChannelPipeline.fireUserEventTriggered API. The event is handled by the respective protocol handler.
• Implement handling for HTTP/1 and HTTP/2 on the server side.
  • For HTTP/1 results in destruction of KeepAliveHandler. This adds "Connection: close" header to the last response and closes connection after response is done.
  • For HTTP/2 behavior depends on configured or provided grace period duration.
    • If grace period is positive:
      • Step 1: On grace period start send GOAWAY frame with 2^31-1 and NO_ERROR code to signal clients that connection will be closed but still accept in flight requests (see https://datatracker.ietf.org/doc/html/rfc7540#section-6.8).
      • Step 2: On grace period end send GOAWAY frame with the latest stream ID and NO_ERROR code, this will cause new requests to be rejected.
      • Step 3: Close connection once all active streams are closed.
    • If grace period is 0 or negative - skip grace period and start from Step 2 as described above.
• Add server-level configuration for the grace period.
• Add documentation to AbstractHttp2ConnectionHandler.goAway which mentions that flushing is responsibility of the caller. Initially, I forgot to add the ctx.flush() and spent some time debugging unexpected behavior, hopefully extra documentation will help future readers.

Result:

• Closes Add a way for a user to send a GOAWAY frame. #3516.
• Provided an API that can be used to initiate connection shutdown from the request handlers.

[ikhoon]

Awesome! We look forward to more contributions from @databricks ❤️.

[codecov]

Codecov Report

Merging #3715 (e5ab2dd) into master (f20fac2) will increase coverage by 0.01%.
The diff coverage is 84.25%.

❗ Current head e5ab2dd differs from pull request most recent head f4f34cc. Consider uploading reports for the commit f4f34cc to get more accurate results

@@             Coverage Diff              @@
##             master    #3715      +/-   ##
============================================
+ Coverage     73.35%   73.36%   +0.01%     
- Complexity    14613    14653      +40     
============================================
  Files          1283     1285       +2     
  Lines         56160    56272     +112     
  Branches       7181     7185       +4     
============================================
+ Hits          41194    41282      +88     
- Misses        11323    11338      +15     
- Partials       3643     3652       +9     

Impacted Files	Coverage Δ
...linecorp/armeria/server/ServiceRequestContext.java	94.87% <ø> (ø)
...p/armeria/server/ServiceRequestContextWrapper.java	0.00% <0.00%> (ø)
...ecorp/armeria/server/ServerHttp2ObjectEncoder.java	74.28% <66.66%> (-2.04%)	⬇️
...p/armeria/server/DefaultServiceRequestContext.java	88.38% <71.42%> (-1.69%)	⬇️
...c/main/java/com/linecorp/armeria/common/Flags.java	59.17% <75.00%> (+0.18%)	⬆️
...rnal/common/GracefulConnectionShutdownHandler.java	76.19% <76.19%> (ø)
...ava/com/linecorp/armeria/server/ServerBuilder.java	80.83% <83.33%> (+0.03%)	⬆️
...nternal/common/AbstractHttp2ConnectionHandler.java	86.00% <100.00%> (+1.90%)	⬆️
...ia/internal/common/InitiateConnectionShutdown.java	100.00% <100.00%> (ø)
...m/linecorp/armeria/server/Http1RequestDecoder.java	81.08% <100.00%> (+0.41%)	⬆️
... and 25 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f20fac2...f4f34cc. Read the comment docs.

[trustin]

I see one test failure, which may or may not be a flaky one:

ServerMaxConnectionAgeTest > http2MaxConnectionAge(SessionProtocol) > com.linecorp.armeria.server.ServerMaxConnectionAgeTest.http2MaxConnectionAge(SessionProtocol)[2] FAILED
    org.awaitility.core.ConditionTimeoutException: Assertion condition defined as a com.linecorp.armeria.server.ServerMaxConnectionAgeTest 
    Expecting a throwable with cause being an instance of:
     <com.linecorp.armeria.client.UnprocessedRequestException>
    but was an instance of:
     <com.linecorp.armeria.common.ClosedSessionException> within 10 seconds.
        at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:166)
        at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:119)
        at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:31)
        at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:939)
        at org.awaitility.core.ConditionFactory.untilAsserted(ConditionFactory.java:723)
        at com.linecorp.armeria.server.ServerMaxConnectionAgeTest.http2MaxConnectionAge(ServerMaxConnectionAgeTest.java:229)

        Caused by:
        java.lang.AssertionError: 
        Expecting a throwable with cause being an instance of:
         <com.linecorp.armeria.client.UnprocessedRequestException>
        but was an instance of:
         <com.linecorp.armeria.common.ClosedSessionException>
            at com.linecorp.armeria.server.ServerMaxConnectionAgeTest.lambda$http2MaxConnectionAge$6(ServerMaxConnectionAgeTest.java:246)

Could you take a look if your changes affected it?

[alexc-db]

Could you take a look if your changes affected it?

I think it's related to my change. It's flaky and doesn't happen all the time, but I was able to repro locally by running many tests in a loop in this branch, cannot reproduce in the master branch. Investigating.

[minwoox]

Thanks! Left some minor comments.

[ikhoon]

Considering network delay, microsecond precision of drain for in flight requests seems not effective.
How about using milliseconds for connection drain duration?

[alexc-db]

https://datatracker.ietf.org/doc/html/rfc7540#section-6.8 suggests that drain duration can be as low as round-trip time. Roundtrip inside the datacenter is < 1ms, around few hundred microseconds. If client is connected via localhost (e.g. sidecar process) it's gonna be few microseconds. I chose microsecond precision to give users an ability to configure in those lower ranges if they need to.

[ikhoon]

+1 Make sense. Let's keep it as it is.

[trustin]

I'm somewhat concerned about using micros for a long parameter because this is probably the only place we use micros instead of millis. Would it be a bad idea to accept a millis value here? A user can use Duration for micros precision.

[alexc-db]

For this builder method - its name contains Micros so there should be little room for the confusion. If you think that providing an override with Millis is valuable I can add that. But I think there's value in keeping Micros override too, to make it explicit that server builder supports that level of precision for connection drain duration.

[ikhoon]

1. Add return after closing a channel?

Suggested change

	gracefulConnectionShutdownHandler.updateDrainDuration(
	((InitiateConnectionShutdown) evt).drainDurationMicros());
	ctx.channel().close();
	gracefulConnectionShutdownHandler.updateDrainDuration(
	((InitiateConnectionShutdown) evt).drainDurationMicros());
	ctx.channel().close();
	return;

2. I imagine that InitiateConnectionShutdown events are simultaneously triggered by a throttling decorator.
   It would be inefficient that ctx.channel().close() is constantly called from multiple requests.
   Could we reschedule the ongoing drainFuture using gracefulConnectionShutdownHandler.updateDrainDuration()
   and call ctx.channel().close() only once?

[alexc-db]

Didn't realize that calling ctx.channel().close() multiple times is expensive, fixed.

[alexc-db]

@trustin re: #3715 (comment) I think it should be fixed by 1431a68, I'm not able to reproduce it anymore.

[trustin]

I'm somewhat concerned about using micros for a long parameter because this is probably the only place we use micros instead of millis. Would it be a bad idea to accept a millis value here? A user can use Duration for micros precision.

[alexc-db]

Yeah, this one might be confusing, but in this case I think your earlier argument about GC pressure applies as well. What if user needs micros precision and their server handles O(million) connections and they use this API? Constructing and destructing Duration objects for each of the connections will cause high GC pressure.

What do you think about making the method name more descriptive? E.g. initiateConnectionShutdownWithDrainDurationMicros(long) for custom micros, initiateConnectionShutdownWithDrainDuration(Duration) for custom duration, initiateConnectionShutdown() for default? Sort of similar to the server builder API #3715 (comment).

[trustin]

I'm somewhat concerned about using micros for a long parameter because this is probably the only place we use micros instead of millis. Would it be a bad idea to accept a millis value here? A user can use Duration for micros precision.

[trustin]

How about making sure all test methods in this class check if the connection is actually closed by the server, even if the client doesn't?

[alexc-db]

Done, PTAL. Found that Armeria doesn't seem to propagate config.idleTimeoutMillis during the HTTP/2 upgrade, so it's always seem to be set to Netty default. Added https://github.com/line/armeria/pull/3715/files#diff-e055c2b1d925141bd5d258b22992c79d706c678dd614399284e4b5e54ea22ac3R42, please let me know if that looks reasonable to you.

[alexc-db]

Note: discussed offline with Trustin, for HTTP/2 server connection handler we can completely disable internal Netty gracefulShutdownTimeoutMillis because drain implemented in this PR is a better way to handle graceful shutdown. This also decouples keep-alive configuration (idleTimeoutMillis) from the graceful shutdown configuration (this PR).

[trustin]

Mostly nits. Looking great otherwise!

[ikhoon]

Make this default?

[alexc-db]

See #3715 (comment)

[alexc-db]

Actually, that comment is not relevant for this method since it only converts Duration to long and can be implemented as a default. PTAL.

[ikhoon]

We could remove this if make them default methods. :-)

[alexc-db]

See #3715 (comment)

[alexc-db]

Recent checks failed with the following memory leak

04:21:11.386 [armeria-common-worker-epoll-2-2] ERROR io.netty.util.ResourceLeakDetector - LEAK: ByteBuf.release() was not called before it's garbage-collected. See https://netty.io/wiki/reference-counted-objects.html for more information.
Recent access records: 
#1:
	io.netty.buffer.AbstractPooledDerivedByteBuf.deallocate(AbstractPooledDerivedByteBuf.java:86)
	io.netty.buffer.AbstractReferenceCountedByteBuf.handleRelease(AbstractReferenceCountedByteBuf.java:110)
	io.netty.buffer.AbstractReferenceCountedByteBuf.release(AbstractReferenceCountedByteBuf.java:100)
	io.netty.buffer.WrappedByteBuf.release(WrappedByteBuf.java:1037)
	io.netty.buffer.SimpleLeakAwareByteBuf.release(SimpleLeakAwareByteBuf.java:102)
	io.netty.buffer.AdvancedLeakAwareByteBuf.release(AdvancedLeakAwareByteBuf.java:941)
	com.linecorp.armeria.common.ByteBufHttpData.close(ByteBufHttpData.java:256)
	com.linecorp.armeria.client.grpc.protocol.UnaryGrpcClient$GrpcFramingDecorator$1.onError(UnaryGrpcClient.java:256)
	com.linecorp.armeria.client.grpc.protocol.UnaryGrpcClient$GrpcFramingDecorator$1.onNext(UnaryGrpcClient.java:242)

Note UnaryGrpcClient.java:256 - this branch isn't rebased on top of fcd2d72, so there's no line 256 in UnaryGrpcClient.java in this branch. Any idea why master branch changes leaked here @trustin @ikhoon @minwoox? Do checks rebase branch on top of master implicitly?

[trustin]

@alexc-db Re: leak:

That's weird. We don't merge the base branch at all in PR runs. Please run ./gradlew --parallel -Pleak test and grep -rFl LEAK: . as the source of truth if you keep seeing this. 🤔

[alexc-db]

@alexc-db Re: leak:

That's weird. We don't merge the base branch at all in PR runs. Please run ./gradlew --parallel -Pleak test and grep -rFl LEAK: . as the source of truth if you keep seeing this. 🤔

For the record https://github.com/line/armeria/runs/3224114462 - the leak report and stack trace can be found inside the reports-JVM-15 artifact.

[trustin]

Thanks a lot for your patience. High quality code FTW 😄

[alexc-db]

@minwoox @ikhoon could you please give it a final pass and approve if everything looks good?

[minwoox]

🎉 🎉 🎉
Thanks a lot for your hard work, @alexc-db!

[ikhoon]

Awesome work! @alexc-db

[alexc-db]

Thanks for the thorough review @trustin @ikhoon @minwoox!