Use immutable metadata in LedgerHandle #1646
Conversation
Which means that for the two LedgerHandle operations that mutate the metadata, ensemble change and closing, ensure that metadata is written to the metadata store before the client ever uses it. Master issue: apache#281
|
@jvrao @dlg99 @athanatos please spend some time on reviewing this PR. |
|
Ping @jvrao @athanatos @dlg99 |
|
rerun integration tests |
1 similar comment
|
rerun integration tests |
| int idx = entry.getKey(); | ||
| BookieSocketAddress addr = entry.getValue(); | ||
| if (LOG.isDebugEnabled()) { | ||
| LOG.debug("[EnsembleChange-L{}] replacing bookie: {} index: {}", ledgerId, addr, idx); |
There was a problem hiding this comment.
There used to have an ensembleChangeIdx in the logging message for debugging purpose. That was very useful on debugging ensemble change issues. It would be good if we can keep it.
There was a problem hiding this comment.
I think that's idx here if I'm interpreting it correctly. This variant allows you to specify more than one.
There was a problem hiding this comment.
No, the ensembleChangeIdx was something different. i'll readd it
There was a problem hiding this comment.
suffix 'idx' confuses people. :)
There was a problem hiding this comment.
ya, i'll change the name in any case.
There was a problem hiding this comment.
added a logContext variable, that's used in the calling method and this method to tie the logs of the operation together.
| break; | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
there is a logging message dropped. it would be great not to drop log messages related to ensemble changes. they exist for a reason.
There was a problem hiding this comment.
Agreed, the final summary message is pretty handy.
There was a problem hiding this comment.
Will readd. It's not a final summary however, it's the change that we wish to make. It's not final until the zookeeper write completes.
There was a problem hiding this comment.
Agreed, but let us not drop any debug/log messages.
There was a problem hiding this comment.
Readded, but in the calling method, as this method doesn't have all the context.
| // the ledger isn't closed between checking and | ||
| // updating lastAddPushed | ||
| if (getLedgerMetadata().isClosed()) { | ||
| if (getLedgerMetadata().isClosed() || closing) { |
There was a problem hiding this comment.
getLedgerMetadata().isClosed() || closing is used over multiple places, it would be good to have a function for it.
There was a problem hiding this comment.
See #isHandleWrittable()
| } | ||
|
|
||
| LedgerMetadataBuilder withWriteQuorumSize(int writeQuorumSize) { | ||
| checkArgument(ensembleSize >= writeQuorumSize, "Write quorum must be less or equal to ensemble size"); |
There was a problem hiding this comment.
check writeQuorumSize >= ackQuorumSize as well.
|
|
||
| // should still be able to close as long as recovery closed the ledger | ||
| // with the same last entryId and length as in the write handle. | ||
| writeLh.close(); |
There was a problem hiding this comment.
hmm this changes the closing behavior. I am not sure how it would impact the applications. so I would suggest keep the original behavior if closing a ledger hit metadata version exception don't attempt. If you want to change the behavior, do a separate PR for it.
There was a problem hiding this comment.
This seems like a desirable change to me. Moreover, it protects against the case where the racing update came from the same client due to ZooKeeperClient resending the update.
There was a problem hiding this comment.
@sijie the previous behaviour is not documented, nor is it well defined. In some cases a metadata version exception allowed a close to succeed, and in others it did not. I would not expect any application is relying on this behaviour, and if they are, they are probably broken in many other ways.
I can revert this my putting throwing an exception in the Predicate part of the loop if the metadata is closed. There'd be no guarantee that behaviour is still exactly matching though, because it isn't well defined currently.
There was a problem hiding this comment.
I understood it is not documented. but if we are changing any existing behavior, I would suggest either doing it in a separate PR, or if it is difficult to do it in a separate PR, then update the javadoc of this method to make things clear "this method will not throw any exceptions anymore if hitting metadata version exceptions"
There was a problem hiding this comment.
It may still throw an exception on metadata version exception. However, it will only throw the exception if the length or last entry id in the conflicting write is different to what the caller of #close believed it to be. I strongly prefer making this change as part of this patch, as to do otherwise would be to insert arbitrary strange behaviour into the new implementation. I'll add a javadoc for this.
|
|
||
| while ((pendingAddOp = pendingAddOps.peek()) != null | ||
| && blockAddCompletions.get() == 0) { | ||
| && !changingEnsemble) { |
There was a problem hiding this comment.
don't we need to make changingEnsemble volatile? or who is guaranteed this value is synchronized correctly ?
There was a problem hiding this comment.
Yeah, sendAddSuccessCallbacks reads it without the lock and handleBookieFailure appears to rely on readers seeing it synchronously for correctness, so either you need the lock there or changingEnsemble would have to be volatile.
There was a problem hiding this comment.
It doesn't need to be volatile. it is only ever accessed in the ordered executor thread for this ledgerhandle. Rather than throwing synchronized around everything, we should start asserting in methods that we are in fact running in the ordered executor thread.
The previous blockAddCompletion stuff would not have been safe if these weren't in the same thread.
There was a problem hiding this comment.
Such an assert would certainly clarify matters.
There was a problem hiding this comment.
Adding these asserts is out of scope for this change.
| if (delayedWriteFailedBookies.isEmpty()) { | ||
| return; | ||
| } | ||
| Map<Integer, BookieSocketAddress> toReplace = new HashMap<>(); |
There was a problem hiding this comment.
the existing code to construct the hashmap from delayedWriteFailedBookies. it is one line code. any reason why do you split into 2 lines?
There was a problem hiding this comment.
will change it back. not sure why i changed it in first place,
| handleUnrecoverableErrorDuringAdd(rc); | ||
| synchronized (metadataLock) { | ||
| if (changingEnsemble) { | ||
| delayedWriteFailedBookies.putAll(failedBookies); |
There was a problem hiding this comment.
this change potentially has a side effect causing a longer pause during ensemble changes. I don't think it is a good idea to completely block on waiting previous ensemble to be done. The only matter is we need to ensure we only update local copy of metadata until all ensemble changes are completed, no? Can you explain the performance difference between current approach and previous approach?
There was a problem hiding this comment.
I could be misunderstanding, but I think the main difference in behavior is that between when changingEnsemble gets set to true and when the ensemble change completes, new writes continue to use the old ensemble whereas with the old machinery they would have optimistically used the new one. In both cases, we have to delay acks until the ensemble change is complete, but with this variant we may have to wait to resend writes for entries written since the ensemble change began which didn't get aQ responses from unchanged indexes. Am I understanding that correctly @ivankelly ?
There was a problem hiding this comment.
@jvrao Something to note here is that unsetSuccessAndSendWriteRequest will resend the write request to those bookies regardless of whether the entry already has aQ copies, so it shouldn't generate additional under replicated ledgers in the common case.
There was a problem hiding this comment.
@sijie I think superficially it can look like it takes longer, but in practice it should only ever take less time.
The dominating latency in this operation is the write to zookeeper(LatWrite). In the case where we do not block other changes to the ensemble, and there are two failures, one of the updates will fail, have to reread (LatRead) and write again.
So the latency is (LatWrite + LatRead + LatWrite).
With the new code, it's just LatWrite + LatWrite. It gets better if there's more than 2 failures.
There was a problem hiding this comment.
@athanatos your understanding is correct. We could modify this to unsetSuccessAndSendWriteRequest after each sucessful zk write. It would at least spread the outbound load a little.
There was a problem hiding this comment.
I'm not really worried about that, and we can always add machinery for projecting the post-update ensemble for writes later.
| .lastEntry().getValue().get(replacedBookieIdx); | ||
| replaced &= !Objects.equal(replacedBookieAddr, failedBookieAddr); | ||
| List<BookieSocketAddress> origEnsemble = getCurrentEnsemble(); | ||
| ensembleChangeLoop(origEnsemble, toReplace); |
There was a problem hiding this comment.
ensembleChangeLoop potentially will trigger callbacks. can we not call this method under metadataLock?
There was a problem hiding this comment.
Yeah, both the initial error check branch and the unsetSuccessAndSendWriteRequest calls can call callbacks.
There was a problem hiding this comment.
Sure, I can move it out. There shouldn't be a problem with callbacks under metadatalock though, as it's only protected a few members. Maybe deadlocks could be an issue down the line.
There was a problem hiding this comment.
yes move the callbacks out of locks would be better in general.
There was a problem hiding this comment.
Moved out of synchronized block.
| List<BookieSocketAddress> lastEnsemble = metadata.getLastEnsembleValue(); | ||
| boolean failedBookieInEnsemble = failedBookies.entrySet().stream() | ||
| .anyMatch((e) -> lastEnsemble.get(e.getKey()).equals(e.getValue())); | ||
| return !metadata.isClosed() && !metadata.isInRecovery() && failedBookieInEnsemble; |
There was a problem hiding this comment.
!metadata.isClosed() &&
!metadata.isInRecovery() &&
failedBookies.entrySet().stream()
.anyMatch((e) -> lastEnsemble.get(e.getKey()).equals(e.getValue()))
so we only compute failedBookieInEnsmeble when metadata is open.
| // f) writing entry E+1 encountered LedgerFencedException which will enter ledger close procedure | ||
| // g) it would find that ledger metadata is closed, then it callbacks immediately without erroring | ||
| // out any pendings | ||
| synchronized (LedgerHandle.this) { |
There was a problem hiding this comment.
drainPendingAddsToErrorOut is already synchronized.
There was a problem hiding this comment.
the synchronization is around the other fields also, like the length.
| final State prevState; | ||
| List<PendingAddOp> pendingAdds; | ||
|
|
||
| if (isClosed()) { |
There was a problem hiding this comment.
Is it possible for isClosed() but not closing here? If closing, drainPendingAddsToErrorOut must have already happened (and no new ones can be added due to the check in doAsyncAddEntry), so this must necessarily be a noop. I think we should be able to check closing instead and assert that pendingAddOps is already empty.
There was a problem hiding this comment.
@athanatos if we're listening for metadata updates, it's possible someone else updated the metadata and closed it just before we close it. However, i think isClosed is wrong here as it confuses two things. What we care about in this check is whether the handle is closed or not, so using an enum for the handle state would work better.
There was a problem hiding this comment.
Yeah, but I think what I'm getting at is that whatever discovered that the ledger is actually closed or closed it should really already have called drainPendingAddsToErrorOut -- this code shouldn't be discovering that for the first time.
There was a problem hiding this comment.
It looks like the listener stuff isn't in yet (#1580). In any case, this close is only on the writing handle. So if the state of the ledger changes, that state change will be accompanied by the any new writes being fenced (the protocol is that if the state is changed from open by anyone put the writer, all bookies in last ensemble must be told to fence).
So the only way for the handle to get to closed is for a call to this 'close' method. So we should check that the handle is in the 'open' state and only then drain the pending adds. (i.e. the state of the pending adds and the handle open state are tied).
There was a problem hiding this comment.
This discussion becomes moot with how I've changed it now. We do call drain() in all cases, but I've done it this way to only have one synchronized block. In the case that the ledger is already closed, the drain should just return an empty list.
| // Original intent of this change is to do a best-effort ensemble change. | ||
| // But this is not possible until the local metadata is completely immutable. | ||
| // Until the feature "Make LedgerMetadata Immutable #610" Is complete we will use | ||
| // handleBookieFailure() to handle delayed writes as regular bookie failures. |
There was a problem hiding this comment.
This comment probably needs to be rewritten to explain precisely why we need to block acks and what would need to change.
There was a problem hiding this comment.
The whole deferred handle failure needs to change, but I can add a comment to clarify why this was previously an issue.
There was a problem hiding this comment.
Yep. That comment seems to imply that this refactor would fix it, so at least that bit should be updated.
There was a problem hiding this comment.
The whole deferred handle failure needs to change,
@ivankelly can you flush out your thoughts on this?
I agree with modifying comments as per the discussion above.
There was a problem hiding this comment.
I haven't fully fleshed it out in my head yet, but if we are to update the metadata we need to block completions while we do it, but if it turns out we can't, we shouldn't consider it an unrecoverable failure, unless we cannot get an ack quorum.
| public static final long INVALID_LEDGER_ID = -0xABCDABCDL; | ||
|
|
||
| final AtomicInteger blockAddCompletions = new AtomicInteger(0); | ||
| final Object metadataLock = new Object(); |
There was a problem hiding this comment.
I'm guessing that the reason for this lock is to prevent write completion events from contending on the LedgerHandle object with write initiation? Is that contention really enough of a problem for this to be a measurable win? If so, I think that the state protected by this lock (changingEnsemble, delayedWriteFailedBookies) should be moved into an actual object with descriptive methods. As it is, it's a bit tough to infer the update rules.
There was a problem hiding this comment.
I think it's not actually needed because everything it protects is run on the orderedexecutor thread for this ledger. A lock was requested in a previous patch though until the threading model is clarified.
#1621 (comment)
There was a problem hiding this comment.
Well, for that purpose, couldn't we just use the existing LedgerHandle object until we're sure about the single thread/ledger implementation (which I'd assume would mean pervasive assertions with testing)?
There was a problem hiding this comment.
I'd prefer not to use the handle itself, as that's an object that's exposed to clients, so clients could try to lock on it in a callback.
The single thread/ledger thing would take a couple of forms, but the biggest pieces would be 1) making sure a ledger handle instance is only given one executor 2) making sure all callbacks from bookie client are run on that one executor & 3) asserting that Thread.currentThread().getId() matches the ID of the executor given to the handle.
There was a problem hiding this comment.
Well, that ship would seem to have sailed since we lock it elsewhere, right?
There was a problem hiding this comment.
Right now, all the writes, write responses and metadata changes on write are done through orderedexecutor (lid) right? Where is the need for lock serialization?
There was a problem hiding this comment.
Well, that ship would seem to have sailed since we lock it elsewhere, right?
That's true, but I don't want to throw fuel on that fire.
Right now, all the writes, write responses and metadata changes on write are done through orderedexecutor (lid) right? Where is the need for lock serialization?
There isn't (I don't think), but I would like another mechanism in place to ensure safety before removing it.
| List<BookieSocketAddress> newEnsemble = getCurrentEnsemble(); | ||
| Set<Integer> replaced = EnsembleUtils.diffEnsemble(origEnsemble, newEnsemble); | ||
| unsetSuccessAndSendWriteRequest(newEnsemble, replaced); | ||
| changingEnsemble = false; |
There was a problem hiding this comment.
I think we have to call sendAddSuccessCallbacks after calling unsetSucccessAndSendWriteRequest. It's possible that every pendingAddOp had a bookie in the write set swapped, but nevertheless all have ackQuorum satisfied. In that case, PendingAddOp.unsetSuccessAndSendWriteRequest will not call sendAddSuccessCallbacks(), but we will still have writes ready to go. In fact, I think the call in PendingAddOp.unsetSuccessAndSendWriteRequest is entirely unnecessary and should be removed in favor of a single call here. As a side effect, you can call it outside of the metadataLock avoiding that problem as well.
There was a problem hiding this comment.
I agree. Will change this.
There was a problem hiding this comment.
I agree. Will change this.
PendingAddOp.unsetSuccessAndSendWriteRequest() will do a sendWriteRequest() even if the AQ satisfied. When that write request response comes back irrespective of a pass/fail it will do sendAddSuccessCallbacks().
There was a problem hiding this comment.
@jvrao you're right. This stuff jumps far too much between LedgerHandle and PendingAddOp. I'll leave this for now.
|
@sijie @ivankelly Ok, I'm done reviewing for now, I left some comments/questions. |
|
thank you @athanatos |
ivankelly
left a comment
ivankelly
left a comment
There was a problem hiding this comment.
@sijie @athanatos Thanks for the reviews.
There's a few things that need to be settled before i push a new patch (see my comments)
| break; | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Will readd. It's not a final summary however, it's the change that we wish to make. It's not final until the zookeeper write completes.
| List<BookieSocketAddress> lastEnsemble = metadata.getLastEnsembleValue(); | ||
| boolean failedBookieInEnsemble = failedBookies.entrySet().stream() | ||
| .anyMatch((e) -> lastEnsemble.get(e.getKey()).equals(e.getValue())); | ||
| return !metadata.isClosed() && !metadata.isInRecovery() && failedBookieInEnsemble; |
| // the ledger isn't closed between checking and | ||
| // updating lastAddPushed | ||
| if (getLedgerMetadata().isClosed()) { | ||
| if (getLedgerMetadata().isClosed() || closing) { |
| } | ||
|
|
||
| LedgerMetadataBuilder withWriteQuorumSize(int writeQuorumSize) { | ||
| checkArgument(ensembleSize >= writeQuorumSize, "Write quorum must be less or equal to ensemble size"); |
|
|
||
| // should still be able to close as long as recovery closed the ledger | ||
| // with the same last entryId and length as in the write handle. | ||
| writeLh.close(); |
There was a problem hiding this comment.
@sijie the previous behaviour is not documented, nor is it well defined. In some cases a metadata version exception allowed a close to succeed, and in others it did not. I would not expect any application is relying on this behaviour, and if they are, they are probably broken in many other ways.
I can revert this my putting throwing an exception in the Predicate part of the loop if the metadata is closed. There'd be no guarantee that behaviour is still exactly matching though, because it isn't well defined currently.
| public static final long INVALID_LEDGER_ID = -0xABCDABCDL; | ||
|
|
||
| final AtomicInteger blockAddCompletions = new AtomicInteger(0); | ||
| final Object metadataLock = new Object(); |
There was a problem hiding this comment.
I think it's not actually needed because everything it protects is run on the orderedexecutor thread for this ledger. A lock was requested in a previous patch though until the threading model is clarified.
#1621 (comment)
| private LedgerMetadata metadata; | ||
| final long ledgerId; | ||
| long lastAddPushed; | ||
| boolean closing; |
There was a problem hiding this comment.
@sijie with mutable metadata, when close happens, we updated the state in the local metadata immediately. So any call to isClosed would be true if the client was currently closing.
@athanatos yes, I was thinking of adding an explicit handleState enum. Can do now.
| final State prevState; | ||
| List<PendingAddOp> pendingAdds; | ||
|
|
||
| if (isClosed()) { |
There was a problem hiding this comment.
@athanatos if we're listening for metadata updates, it's possible someone else updated the metadata and closed it just before we close it. However, i think isClosed is wrong here as it confuses two things. What we care about in this check is whether the handle is closed or not, so using an enum for the handle state would work better.
| .lastEntry().getValue().get(replacedBookieIdx); | ||
| replaced &= !Objects.equal(replacedBookieAddr, failedBookieAddr); | ||
| List<BookieSocketAddress> origEnsemble = getCurrentEnsemble(); | ||
| ensembleChangeLoop(origEnsemble, toReplace); |
There was a problem hiding this comment.
Sure, I can move it out. There shouldn't be a problem with callbacks under metadatalock though, as it's only protected a few members. Maybe deadlocks could be an issue down the line.
| List<BookieSocketAddress> newEnsemble = getCurrentEnsemble(); | ||
| Set<Integer> replaced = EnsembleUtils.diffEnsemble(origEnsemble, newEnsemble); | ||
| unsetSuccessAndSendWriteRequest(newEnsemble, replaced); | ||
| changingEnsemble = false; |
There was a problem hiding this comment.
I agree. Will change this.
|
|
||
| static Set<Integer> diffEnsemble(List<BookieSocketAddress> e1, | ||
| List<BookieSocketAddress> e2) { | ||
| checkArgument(e1.size() == e2.size(), "Ensembles must be of same size"); |
There was a problem hiding this comment.
How is this better than Assert?
There was a problem hiding this comment.
asserts get turned off by default at runtime.
| } | ||
| metadata.addEnsemble(newEnsembleStartEntry, newEnsemble); | ||
| void notifyWriteFailed(int index, BookieSocketAddress addr) { | ||
| synchronized (metadataLock) { |
There was a problem hiding this comment.
What are we protecting it from? from ReadOnlyLedgerHandle??? In the current code, even that will go through the same orderedexecutor right?
There was a problem hiding this comment.
From our own past and future misdeeds :)
We should replace this with checkState(Thread.currentThread().getId() == myThread), but that's a separate change. synchronization that doesn't hit contention is cheap anyhow, it only touches a thread local afair.
| LOG.info("[EnsembleChange-L{}-{}] : resolved ledger metadata conflict and writing to zookeeper," | ||
| + " local meta data is \n {} \n, zk meta data is \n {}.", | ||
| ledgerId, ensembleChangeIdx, metadata, newMeta); | ||
| LOG.debug("Ledger {} reaches max allowed ensemble change number {}", |
There was a problem hiding this comment.
It will be nice to have this at INFO level as it gives good idea on why we are failing the write.
| LedgerMetadataBuilder builder = LedgerMetadataBuilder.from(metadata); | ||
| long newEnsembleStartEntry = getLastAddConfirmed() + 1; | ||
| checkState(lastEnsembleKey <= newEnsembleStartEntry, | ||
| "New ensemble must either replace the last ensemble, or add a new one"); |
There was a problem hiding this comment.
Please print the lastEnsembleKey and newEnsembleStartEntry here;
With this check state what happens? Does the write fail?
Also, when can this happen? If we are here we don't have any outstanding metadata update in the flight.
For the ledger L1 with Ensemble (B1, B2, B3) when LAC is at X; X+1 write failed on Bookie B1. The ensemble is changed to (B4,B2,B3) and then we noticed that B2 also failed. In that case, do we end up in this situation?
But that may be OK state right? why are you doing checkState?
There was a problem hiding this comment.
I believe that this cannot be violated if the protocol is operating correctly (the only other way for an ensemble to be a fence, but that's rules out by the previous argument). The checkState call would appear to be a statement that this case is impossible? The == case happens when we got a new failure since we sent the ensemble change (which worked), so we have to replace it. @ivankelly Is that right?
There was a problem hiding this comment.
@jvrao @athanatos's understanding is correct. The checkState is an assertion.
| checkState(lastEnsembleKey <= newEnsembleStartEntry, | ||
| "New ensemble must either replace the last ensemble, or add a new one"); | ||
| if (lastEnsembleKey.equals(newEnsembleStartEntry)) { | ||
| return builder.replaceEnsembleEntry(newEnsembleStartEntry, newEnsemble).build(); |
There was a problem hiding this comment.
Hmm; so the above checkSate should be < instead of <=??
There was a problem hiding this comment.
No, <, if we fail to write at all to an ensemble, it can be replaced.
|
rerun bookkeeper-server client tests |
|
@dlg99 this is still failing on MDC stuff. The problem is that if the runnable is submitted from a thread without MDC, such as the zookeeper callback threads, they won't get the context. Not sure of how to solve this without a huge amount of plumbing :/ |
Though now it only prints when the new ensemble has been persisted. Also disabled the MDC test check for this log because waiting for persistence breaks the MDC in a way that's non-trivial to fix.
|
@dlg99 actually, think about this more, it's a general problem with the MDC approach. It worked before because "New Ensemble" was being printed before actually trying to write to zookeeper, do the request hadn't lefts the ordered executor thread pools. Once the request goes to zookeeper, the MDC context is lost. For now, I've commented out that check. |
|
rerun bookkeeper-server bookie tests |
|
@athanatos @jvrao can you review @ivankelly 's latest change? |
|
@sijie @athanatos @jvrao could you all take another look at this? I'm eager to get this changeset out of my queue |
|
@sijie @athanatos @jvrao pinging again |
|
rerun java8 tests |
|
rerun integration tests |
|
rerun java8 tests |
|
rebuild java8 |
2 similar comments
|
rebuild java8 |
|
rebuild java8 |
|
@sijie @jvrao @athanatos weekly reminder to please take another look at this |
|
@ivankelly Looks like you've addressed my comments, LGTM |
|
@athanatos thanks. if you're happy with the change could you mark it as approved? |
|
@sijie @jvrao @athanatos thanks for the reviews guys. Now that this is in there's a bunch of small cleanup patches that also need to go in to enforce the immutability. They'll be much much smaller though. |
5 participants
Which means that for the two LedgerHandle operations that mutate the
metadata, ensemble change and closing, ensure that metadata is written
to the metadata store before the client ever uses it.
Master issue: #281