Provide a way to detect unhealthy connections

[ikhoon]

Motivation:

Currently, there is no extension point to detect errors for specific connections and terminate connections that are unhealthy.

Related: #5717 #5751

API design:

OutlierDetector is similar to CircuitBreaker, but the state is simpler, only one direction, and optimized for ephemeral resources such as connections and streams.

• OutlierDetector determines whether the target is an outlier based on onSuccess() and onFailure() events.
• OutlierDetectingRule is used to decide whether a request fails.
• OutlierDetectionDecision is the result of OutlierDetectingRule.
  • OutlierDetectionDecision.FATAL is a special result that can immediately mark the target as an outlier.

Example:

OutlierDetectingRule rule =
  OutlierDetectingRule
    .builder()
    .onServerError()
    .onException(IOException.class)
    .onException(WriteTimeoutException, OutlierDetectionDecision.FATAL)
    .build();

OutlierDetection outlierDetection = 
  OutlierDetection
    .builder(rule)
    .counterSlidingWindow(10_seconds)
    .counterUpdateInterval(1_seconds)
    .failureRateThreshold(0.5)
    .build();

ClientFactory
  .builder()
  // Apply the OutlierDetection to detect and close unhealthy connections
  .connectionOutlierDetection(outlierDetection)

Modifications:

• Add OutlierDetector, OutlierDetectingRule and OutlierDetectionDecision and their implementations to common.outlier package.
• Move EventCounter, EventCount and SlidingWindowCounter to common.util package and expose EventCounter and EventCount as public APIs to minimize duplication.
  • SlidingWindowCounter can be created with EventCounter.ofSlidingWindow(...).
• Unlike CircuitBreakerRule, OutlierDetectingRule returns a decision synchronously and is simplified to look at headers and causes. Because:
  • I didn't see content is necessary to detect an outlier.
  • The response status and exception type are sufficient information to determine the result.
• Create an OutlierDetector in HttpSessionHandler
  • A hook applying OutlierDetector is added right after HttpSessionHandler.invoke() is called.
• Deprecating) CircuitBreakerListener.onEventCountUpdated(String,.circuitbreaker.EventCount) has been deprecated in favor of CircuitBreakerListener.onEventCountUpdated(String,.util.EventCount).
• Add ClientFactoryBuilder.connectionOutlierDetection(OutlierDetection) to detect unhealthy connection.
  • This option is disabled by default.

Result:

• You can now use OutlierDetection to detect unhealthy connections and close them gracefully.
• Closes Outlier detection for connections #5751

[github-actions]

🔍 Build Scan® (commit: 76c38f1)

Job name	Status	Build Scan®
build-self-hosted-unsafe-jdk-8	✅	https://ge.armeria.dev/s/a2l3qfp437e4g
build-self-hosted-unsafe-jdk-21-snapshot-blockhound	✅	https://ge.armeria.dev/s/rob6boeoowa5i
build-self-hosted-unsafe-jdk-17-min-java-17-coverage	✅	https://ge.armeria.dev/s/qb3yyvpwsxsgq
build-self-hosted-unsafe-jdk-17-min-java-11	✅	https://ge.armeria.dev/s/r6eldo3vnos2w
build-self-hosted-unsafe-jdk-17-leak	✅	https://ge.armeria.dev/s/ds2dzip3zfckm
build-self-hosted-unsafe-jdk-11	✅	https://ge.armeria.dev/s/wpojdg464ddu2
build-macos-12-jdk-21	✅	https://ge.armeria.dev/s/fzw52exefj6xs

[jrhee17]

Looks good in terms of correctness. Left only nit comments 👍 👍 👍

[jrhee17]

Optional) would OutlierDetectorFactory be a clearer name?

[ikhoon]

I also thought about the name, OutlierConfig and OutlierContext.
OutlierDetectorFactory wasn't chosen since it had OutlierDetectingRule.

I'm not strong on the name. Let's listen to other folks' opinions and choose a better one.

[trustin]

OutlierDetection sounds OK to me, but OutlierDetectingRule could be renamed to OutlierRule?

[minwoox]

OutlierDetectorFactory wasn't chosen since it had OutlierDetectingRule.

It seems like OutlierDetectingRule is used alongside OutlierDetector, and both are retrieved and created from this OutlierDetection. What do you think of adding OutlierDetectingRule to OutlierDetector instead?

outlierDetector.rule().decide(...)

[jrhee17]

Note: I would still recommend users (especially those using HTTP1) to use a RetryingClient as I think it's possible that requests that unluckily acquired this connection could be failed due to this call depending on the timing. Although I know the code path to markUnacquirable is already exposed to the user, I feel like the timing of this call is more unpredictable with this change.

e.g. If canSendRequest = false:

armeria/core/src/main/java/com/linecorp/armeria/client/AbstractHttpRequestHandler.java

Line 160 in 2219de1

id = session.incrementAndGetNumRequestsSent();

[ikhoon]

Good point. What do you think of explicitly executing this callback in the EventLoop to guarantee the execution order?

[trustin]

Can we extend AbstractRuleBuilder?

[ikhoon]

They are similar but AbstractRuleBuilder is in the client package and ClientRequestContext is used while OutlierDetectingRuleBuilder uses RequestContext.

[minwoox]

Looks great! Left a few suggestions. 👍

[minwoox]

OutlierDetectorFactory wasn't chosen since it had OutlierDetectingRule.

It seems like OutlierDetectingRule is used alongside OutlierDetector, and both are retrieved and created from this OutlierDetection. What do you think of adding OutlierDetectingRule to OutlierDetector instead?

outlierDetector.rule().decide(...)

[ikhoon]

It seems like OutlierDetectingRule is used alongside OutlierDetector, and both are retrieved and created from this OutlierDetection. What do you think of adding OutlierDetectingRule to OutlierDetector instead?

They are used together but the role of OutlierDetector and OutlierDetectingRule is different. OutlierDetector is designed as a utility. It may be used alone. So I didn't want to force users who only need OutlierDetector to implement OutlierDetectingRule.

[minwoox]

OutlierDetector is designed as a utility. It may be used alone.

Haven't thought about this case. Then, I'm fine with the current design. 👍

[minwoox]

I'm not sure that you want to use this for xDS but I found there's a mismatch with the Envoy implementation so I've left a question. PTAL. 😉

[minwoox]

So if it once becomes an outlier, the client will never use it unlike Envoy bring it back after rejection time. Is that correct?
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier#ejection-algorithm

[ikhoon]

The outlier algorithm of Envoy is designed at the host (endpoint) level. Hosts do not tend to change for a long time. So, after ejection_time, sending requests again like a circuit breaker is necessary.

To provide the same functionality as Envoy, we may create an OutlierDetectingEndpointGroup using OutlierDetector.

• If a host is determined as an outlier, the host is excluded from healthy endpoints for ejection_time.
• After ejection_time, if the host is still in the endpoints, a new OutlierDetector is created for it.
• ejection_time option will be provided by OutlierDetectingEndpointGroup

In fact, I implemented a similar EndpointGroup internally for the LINE push server. It would be better to modify the implementation and add it to Armeria.

[minwoox]

Understood. 👍

[minwoox]

Thanks! 👍 👍 👍