Fix queriers shuffle-sharding blast radius containment #3901
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pracucci
changed the title
pracucci
changed the title
pstibrany
reviewed
Mar 3, 2021
pkg/scheduler/queue/user_queues.go
Outdated
| querierConnections map[string]int | ||
| // How long to wait before removing a querier which has got disconnected | ||
| // but hasn't notified a graceful shutdown. | ||
| forgetTimeout time.Duration |
There was a problem hiding this comment.
Nit: I'd suggest to move forgetTimeout to user_queues.go, and pass only threshold to forgetDisconnectQueriers. removeQuerierConnection is also using this field, but only to know whether to keep disconnected querier or not. We could pass that information as a bool to removeQuerierConnection. This would simplify queues a bit, and allow for easier testing of forgetDisconnectQueriers. I would also suggest passing time.Now() as parameter to removeQuerierConnection, to avoid having dependency on current time in queues. WDYT?
pracucci
force-pushed
the
fix-querier-shuffle-sharding
branch
from
2ccc0d8 to
03cb76f
Compare
ranton256
reviewed
Mar 4, 2021
pracucci
force-pushed
the
fix-querier-shuffle-sharding
branch
from
2732880 to
4ec324d
Compare
ranton256
approved these changes
Mar 6, 2021
pstibrany
reviewed
Mar 8, 2021
CHANGELOG.md
Outdated
| @@ -91,6 +91,7 @@ | |||
| * `cortex_bucket_store_chunk_pool_returned_bytes_total` | |||
| * [ENHANCEMENT] Alertmanager: load alertmanager configurations from object storage concurrently, and only load necessary configurations, speeding configuration synchronization process and executing fewer "GET object" operations to the storage when sharding is enabled. #3898 | |||
| * [ENHANCEMENT] Blocks storage: Ingester can now stream entire chunks instead of individual samples to the querier. At the moment this feature must be explicitly enabled either by using `-ingester.stream-chunks-when-using-blocks` flag or `ingester_stream_chunks_when_using_blocks` (boolean) field in runtime config file, but these configuration options are temporary and will be removed when feature is stable. #3889 | |||
| * [ENHANCEMENT] Query-frontend/scheduler: added querier forget delay (`-query-frontend.querier-forget-delay` and `-query-scheduler.querier-forget-delay`) to mitigate the blast radius in the event queriers crash because of a repeatedly sent "query of death" when shuffle-sharding is enabled. #3901 | |||
There was a problem hiding this comment.
Cortex release 1.8.0 is now in progress. Could you please rebase master and move the CHANGELOG entry under the master / unreleased section?
pracucci
force-pushed
the
fix-querier-shuffle-sharding
branch
from
68d9eca to
8b915a5
Compare
pstibrany
approved these changes
Mar 8, 2021
| querierConnections map[string]int | ||
| // How long to wait before removing a querier which has got disconnected | ||
| // but hasn't notified about a graceful shutdown. | ||
| forgetDelay time.Duration |
There was a problem hiding this comment.
suggestion: I would prefer to move forgetDelay out of queues struct, and pass forgetTime (when to forget given querier, or zero time if immediately) to removeQuerierConnection and only threshold to forgetDisconnectedQueriers. It's a small change, but helps to minimize change to the queues struct, which is already tricky.
pracucci
force-pushed
the
fix-querier-shuffle-sharding
branch
from
04220de to
1a2582d
Compare
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
…ting a querier Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
pracucci
force-pushed
the
fix-querier-shuffle-sharding
branch
from
1a2582d to
1ca9855
Compare
Signed-off-by: Marco Pracucci <marco@pracucci.com>
2 tasks
roystchiang
pushed a commit
to roystchiang/cortex
that referenced
this pull request
Apr 6, 2022
…#3901) * Added forget timeout support to queues Signed-off-by: Marco Pracucci <marco@pracucci.com> * Added notify shutdown rpc to query-frontend and query-scheduler proto Signed-off-by: Marco Pracucci <marco@pracucci.com> * Querier worker notifies shutdown to query-frontend/scheduler Signed-off-by: Marco Pracucci <marco@pracucci.com> * Log when query-frontend/scheduler receives a shutdown notification Signed-off-by: Marco Pracucci <marco@pracucci.com> * Added config option to configure the forget timeout Signed-off-by: Marco Pracucci <marco@pracucci.com> * Fixed re-connect while in forget waiting period Signed-off-by: Marco Pracucci <marco@pracucci.com> * Fixed unit tests Signed-off-by: Marco Pracucci <marco@pracucci.com> * Fixed GetNextRequestForQuerier() when a resharding happen after fogetting a querier Signed-off-by: Marco Pracucci <marco@pracucci.com> * Update pkg/frontend/v1/frontend.go Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com> * Update pkg/scheduler/queue/user_queues.go Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com> * Update pkg/scheduler/queue/user_queues.go Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com> * Update pkg/scheduler/scheduler.go Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com> * Update pkg/querier/worker/frontend_processor.go Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com> * Updated comment based on review feedback Signed-off-by: Marco Pracucci <marco@pracucci.com> * Updated comment based on review feedback Signed-off-by: Marco Pracucci <marco@pracucci.com> * Updated generated doc Signed-off-by: Marco Pracucci <marco@pracucci.com> * Added name to services Signed-off-by: Marco Pracucci <marco@pracucci.com> * Moved forgetCheckPeriod where it's used Signed-off-by: Marco Pracucci <marco@pracucci.com> * Added queues forget timeout unit tests Signed-off-by: Marco Pracucci <marco@pracucci.com> * Added RequestQueue unit test Signed-off-by: Marco Pracucci <marco@pracucci.com> * Renamed querier forget timeout into delay Signed-off-by: Marco Pracucci <marco@pracucci.com> * Added timeout to the notify shutdown notification Signed-off-by: Marco Pracucci <marco@pracucci.com> * Updated doc Signed-off-by: Marco Pracucci <marco@pracucci.com> * Added CHANGELOG entry Signed-off-by: Marco Pracucci <marco@pracucci.com> * Update pkg/scheduler/scheduler.go Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com> * Update pkg/frontend/v1/frontend.go Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com> * Updated doc Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Peter Štibraný <pstibrany@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does:
As described in the #3571, when shuffle-sharding is enabled in the query-frontend/scheduler and a querier crashes, tenants are immediately resharded across the remaining queriers. This practically invalidates the assumption that shuffle-sharding can be used to contain the blast radius in case of a "poisoned query" on the read path: if a tenant repeatedly send a poisoned query over and over it has the ability to crash all queriers, and not just its shard.
In this PR I propose a solution to mitigate it, introducing a delay ("forget delay") between when a querier disconnects because of a crash and when a tenant's shard changes because of that.
To do it, a query-frontend/scheduler needs to know when a querier disconnects because of crash. I've introduced a "graceful shutdown notification" from the querier to query-frontend/scheduler: when a querier disconnects from the query-frontend/scheduler without sending such notification it means the querier crashed / abruptly terminated.
I've done some manual testing and looks working as expected.
Which issue(s) this PR fixes:
Fixes #3571
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]