kv/sql: GC after TRUNCATE temporarily craters write throughput

[nvanbenschoten]

This issue described the back half of #62672.

After waiting out the GC TLL of a TRUNCATE or DROP TABLE, a series of ClearRange requests are issued to clear out space. This can cause a dramatic drop in write throughput on other tables that takes 10s of minutes to recover from. In the words of the customer that helped us diagnose this: "it's a write availability time bomb."

Reproduction

The easiest way to reproduce this is to use the clearrange/checks=false roachtest, with a slight adaptation to run load during the cleanup:

diff --git a/pkg/cmd/roachtest/clearrange.go b/pkg/cmd/roachtest/clearrange.go
index e557cdd17b..25d8b4d10c 100644
--- a/pkg/cmd/roachtest/clearrange.go
+++ b/pkg/cmd/roachtest/clearrange.go
@@ -73,7 +73,7 @@ func runClearRange(ctx context.Context, t *test, c *cluster, aggressiveChecks bo

        if t.buildVersion.AtLeast(version.MustParse("v19.2.0")) {
                conn := c.Conn(ctx, 1)
-               if _, err := conn.ExecContext(ctx, `SET CLUSTER SETTING kv.bulk_io_write.concurrent_addsstable_requests = $1`, c.spec.NodeCount); err != nil {
+               if _, err := conn.ExecContext(ctx, `SET CLUSTER SETTING kv.bulk_io_write.concurrent_addsstable_requests = $1`, 8); err != nil {
                        t.Fatal(err)
                }
                conn.Close()
@@ -114,6 +114,11 @@ func runClearRange(ctx context.Context, t *test, c *cluster, aggressiveChecks bo
        }()

        m := newMonitor(ctx, c)
+       m.Go(func(ctx context.Context) error {
+               c.Run(ctx, c.Node(1), `./cockroach workload init kv`)
+               c.Run(ctx, c.All(), `./cockroach workload run kv --concurrency=32 --duration=1h30m`)
+               return nil
+       })
        m.Go(func(ctx context.Context) error {
                conn := c.Conn(ctx, 1)
                defer conn.Close()
@@ -132,7 +137,7 @@ func runClearRange(ctx context.Context, t *test, c *cluster, aggressiveChecks bo

                // Set a low TTL so that the ClearRange-based cleanup mechanism can kick in earlier.
                // This could also be done after dropping the table.
-               if _, err := conn.ExecContext(ctx, `ALTER TABLE bigbank.bank CONFIGURE ZONE USING gc.ttlseconds = 30`); err != nil {
+               if _, err := conn.ExecContext(ctx, `ALTER TABLE bigbank.bank CONFIGURE ZONE USING gc.ttlseconds = 1800`); err != nil {
                        return err
                }

This configures the test to import a 2 TB table, ramp write load up on a different table over 30 minutes, clear the 2 TB table, and then observe the impact on the foreground traffic. The effect is not pretty:

Other notes

In attempting to reproduce, I also ran this with a configuration that looked more similar to the relevant customer's cluster - 20 nodes, 32 vCPU per node, 2 SSDs per node, and a 4 TB table. This looked very similar:

note: this is a 10 minute time scale, not 30 minute like above

Epic: CRDB-2627

[lunevalex]

@nvanbenschoten was this run with the Pebble fix cockroachdb/pebble#1085?

[nvanbenschoten]

No, it was not. This was running v20.2.6.

[nvanbenschoten]

I did some exploration on master to see where things stand today, where things are going wrong, and what we can do about it. With the same setup as above, I saw roughly the same behavior. Things may have fared slightly better, as throughput never hit 0 and latency never spiked above 1s, but the GC was still quite disruptive.

As expected, the GC is followed by a wave of range merges that are in some way correlated with the destabilization.

---

I then ran a few experiments to get an idea of cause and effect, as well as to determine whether there are any short-term mitigations here. We had speculated that a wave of range merges was responsible for destabilizing the cluster due to the rebalancing load imposed by the merge themselves along with the rebalancing load that fell out of the sudden change in cluster balance.

So first, I played with the kv.range_merge.queue_interval cluster setting, which dictates the rate at which a store will perform range merges. The rate defaults to 1 merge per second per store. The test was intentionally dropping this interval to 0, leading to no throttling at all. I tested with bumping the interval to 10s, leading to 1 range merge per 10 seconds per store. This demonstrated a large improvement in behavior.

In this run, GC was followed by a steady rate of range merges and almost no impact to foreground traffic.

This was a pretty clear indication that range merges are in some way responsible for the instability we are seeing here - either directly or indirectly. We actually already knew this to some extent, as we had seen early that with range merges disabled entirely, the GC was mostly non-disruptive. Then, when we enabled range merges, the instability immediately hit. So this test once again confirmed this fact. It also demonstrated that reducing the aggressiveness of range merges is a good short-term mitigation for this problem. So to summarize, the following should make TRUNCATE much less disruptive, even in earlier versions of CRDB:

SET CLUSTER SETTING kv.range_merge.queue_interval = '10s';

---

I then started digging into why a wave of range merges on a keyspace disjoint from the load was so disruptive. In this setup, we have very few ranges outside of those in the table being GCed, so the idea that range merges were leading to other rebalancing activity didn't quite add up. And yet, we still saw serious disruption due to range merges. So it seemed likely that the range merges and the empty range rebalancing they lead to was itself causing problems.

One theory I had was that we've been failing to account for a fixed externality of Raft snapshots - the need to flush the LSM's overlapping memtables when ingesting a Raft snapshot. This is a cost that a Raft snapshot currently (since #38932) has to pay, regardless of how small the snapshot is. It is also a cost that may be passed on to concurrent writers. As detailed in the documentation on (*pebble.DB).Ingest:

Note that if the mutable memtable overlaps with ingestion, a flush of the memtable is forced equivalent to DB.Flush. Additionally, subsequent mutations that get sequence numbers larger than the ingestion sequence number get queued up behind the ingestion waiting for it to complete. This can produce a noticeable hiccup in performance. See cockroachdb/pebble#25 for an idea for how to fix this hiccup.

I put together a prototype of a change we had originally (see #25134) intended to make when addressing #16954. Instead of always using external SST ingestion during Raft snapshot application, we would only do so for ranges above some size threshold. This allows us to use the LSM's standard write path when applying Raft snapshots below a size threshold, avoiding the memtable flush and "clean up" compactions of small SSTs. This prototype is hacked together in #63013.

Using this prototype, I ran the test, once again with range merging set to maximum aggressiveness (kv.range_merge.queue_interval = '0s'). The results are very promising.

In the test, we saw that there was a small blip in throughput when the GC went into effect due to p99 latency jumping from 30ms to about 60ms. However, throughput immediately recovered even as all 10k ranges were merged away in seconds. I'd like to re-run this experiment a few times to confirm that I'm not fooling myself, but this looks very good and hints that we may be on to something with the theory about SST ingestion during snapshot application being the cause of foreground latency.

---

One other thing I noticed when drafting this prototype is that we do not call PreIngestDelay during Raft snapshot ingestion like we do before ingesting an SST in an AddSSTable Raft proposal. Is this intentional? Could this help prevent rapid rebalancing from trashing L0? cc. @petermattis

[petermattis]

Great sleuthing, @nvanbenschoten.

One other thing I noticed when drafting this prototype is that we do not call PreIngestDelay during Raft snapshot ingestion like we do before ingesting an SST in an AddSSTable Raft proposal. Is this intentional? Could this help prevent rapid rebalancing from trashing L0? cc. @petermattis

I don't recall if that was intentional, and I don't know if it would help. The snapshot pre-ingest delay stuff was added by the Bulk IO team and we may simply have never thought to add it to the Raft snapshot ingestion path. On the other hand, delaying Raft snapshot ingestion will block other operations on the replica. Could that be problematic? I'm too distant from this area of the code now to judge. Certainly seems like a possible easy thing to experiment with.

I put together a prototype of a change we had originally (see #25134) intended to make when addressing #16954. Instead of always using external SST ingestion during Raft snapshot application, we would only do so for ranges above some size threshold. This allows us to use the LSM's standard write path when applying Raft snapshots below a size threshold, avoiding the memtable flush and "clean up" compactions of small SSTs. This prototype is hacked together in #63013.

Not ingesting very small sstables sounds like a good idea, though I don't have a good idea for how to make a principled decision on the size threshold at which to do ingestion vs the standard write path. Perhaps @sumeerbhola has some ideas. We could also consider doing this at the Pebble layer. cockroachdb/pebble#25 is one possibility for making ingestions faster. Another is that a very small ingested sstable could be transformed in an addition to the memtable. The WAL entry would be a pointer to the ingested sstable and the "commit" would iterate over the sstable and add the entries to the memtable. The upside to this approach is that it feels like a storage level concern. The downside is that either cockroachdb/pebble#25 or another approach would not be backward compatible so we'd have to gate using that on a cluster version.

[jbowens]

Nice @nvanbenschoten!

Another is that a very small ingested sstable could be transformed in an addition to the memtable. The WAL entry would be a pointer to the ingested sstable and the "commit" would iterate over the sstable and add the entries to the memtable. The upside to this approach is that it feels like a storage level concern.

Pebble also has the context to determine whether or not the files overlap the memtable. Maybe we we incorporate that into the heuristic of whether or not to apply the ingest as a memtable addition.

[sumeerbhola]

I don't have an opinion regarding what to do regarding a backportable fix. But going forward, given the number of places we ingest sstables, and how sensitive customers are likely to be wrt high percentile latency hiccups in an OLTP setting, cockroachdb/pebble#25 seems like the right approach (regardless of sstable size).

[nvanbenschoten]

We could also consider doing this at the Pebble layer.

I am generally very in favor of doing this in Pebble, as SST ingestion is used in a number of places, like Sumeer is saying. I suspect that this is in some way related to the concerns we periodically hear about index creation being disruptive to foreground traffic.

That said, it is at least worth mentioning the I/O we could save by avoiding SST ingestion for small Raft snapshots. Today, each Raft snapshot results in 4+ SSTs, most of which are very small. In situations like we see here, all of them are very small. So we end up writing out 4+ small SSTs to the filesystem, then ingesting them, then quickly compacting them away. A WriteBatch avoids this wasted I/O, so it should be more efficient. How much more efficient? I don't know - so it would be a premature optimization to do anything here if more general solutions exist. And the downside is of course the added code complexity of needing to maintain an SST ingestion path and a WriteBatch path for Raft snapshots. But a WriteBatch path may be a more reasonable backport target.

[petermattis]

That said, it is at least worth mentioning the I/O we could save by avoiding SST ingestion for small Raft snapshots. Today, each Raft snapshot results in 4+ SSTs, most of which are very small. In situations like we see here, all of them are very small. So we end up writing out 4+ small SSTs to the filesystem, then ingesting them, then quickly compacting them away. A WriteBatch avoids this wasted I/O, so it should be more efficient. How much more efficient? I don't know - so it would be a premature optimization to do anything here if more general solutions exist. And the downside is of course the added code complexity of needing to maintain an SST ingestion path and a WriteBatch path for Raft snapshots. But a WriteBatch path may be a more reasonable backport target.

This is a good point. We need to be mindful of what is a more reasonable backport target. The proposed improvement to Pebble's sstable ingestion will not be backportable. The creation of the 4 small sstables will also result in 4 fsyncs. The WriteBatch approach avoids that, doing a single fsync of the Pebble WAL.

[nvanbenschoten]

Unfortunately, I no longer believe that the analysis above is complete. About a week ago, I began working on a patch that would avoid the IngestExternalFiles calls when applying small Raft snapshots in a manner that I believed would be backportable. Unlike the first prototype, which built a WriteBatch instead of writing sst files as the Raft snapshot streamed in, this more targetted approach continued to write the sst files, but would then read them in and copy them into a WriteBatch and apply that if it determined that the WriteBatch would be reasonably sized. The patch is here.

I then ran a few more tests to confirm that the patch did address the issue, as I had seen before with the slightly different approach to avoiding the sst ingestion. Unfortunately, I was not able to demonstrate the improvement. I did see that we were no longer rapidly flushing memtables during the GC period, so the patch was doing what it intended to.

without patch

with patch

However, I once again saw throughput crater after a short period of time, eventually bottoming out at 0:

So I went back to the original patch from above that I had seen demonstrate such an improvement. Sure enough, I had a hard time reproducing those results, as I was still seeing cases where throughput was cratering.

So it became clear that the previous diagnosis was not correct. There is more to the story.

I started exploring hardware metrics to try to correlate the degraded throughput with degredation of storage performance. There was certainly a correlation, as log commit latency often spiked during the GC period, as did the IOPS In Progress metric, but there wasn't much more to go off here.

---

I came back to the issue this week. This time, I focused less on storage-level performance degradation and more on distribution-level operations that may be causing stalls. The throughput hit began to look too severe to be explained by degraded storage performance, even if log commit latencies were spiking into the 800ms range. In each of the previous reproductions, there had been a period of performance degradation by about 60%, which can be mostly explained by a jump in storage latency. However, this had always been followed by a full outage period where qps hit 0, often repeatedly, which was even more concerning.

After a few tests, the following correlation caught my eye:

Notice that throughput is inversely correlated with the combined occurrences of NotLeaseHolderErrors and RangeNotFoundErrors. The first of these errors is thrown when a request is routed to a follower replica who the DistSender thought had the lease, but who did not. It is a sign of lease transfers. The second of these errors is thrown when a request is routed to a store that does not contain a replica for the destination range. It is a sign of rebalancing or range merging.

This was all a bit surprising, as the expectation was that merging and rebalancing were occurring on the dropped keyspace that was being GCed, but not on the keyspace of the active table which was seeing all the load. And yet, requests were hitting these errors.

I began playing with cluster settings to try to disable all lease transfers. The theory was that due to the range merges on the inactive table, we were moving around the leases on the active table to balance qps and count. The thought was that storage was slowing down in response to lots of compactions due to the range merges on the inactive table, then we started moving around leases, the lease transfers would be quite slow because storage is slow (especially in the tail), so we would have seconds-long blips of unavailability because a range is unavailable between the time that it begins a lease transfer and the time that the lease transfer applies on the new leaseholder. In that way, a lease transfer is a lot like a range-wide lock. Since the load was randomly distributed across all ranges, the second a range became unavailable, everyone would pile up on it and qps across the cluster would go to 0.

To test this out, I made an attempt to prevent all lease transfers. I tested with the following cluster settings:

SET CLUSTER SETTING kv.allocator.min_lease_transfer_interval = '20m';
SET CLUSTER SETTING kv.allocator.load_based_lease_rebalancing.enabled = false;
SET CLUSTER SETTING kv.allocator.load_based_rebalancing = 'off';
set cluster setting kv.allocator.range_rebalance_threshold = .25;

Unfortunately, this also did not help.

---

Next, I started thinking about the RangeNotFoundErrors, because I couldn't quite explain the rebalancing on the active table. I pulled the system.rangelog on the active table over the time period of the degraded qps to get a sense for what was happening over the course of this instability:

> SELECT table_id FROM crdb_internal.tables WHERE name = 'kv';

  table_id
------------
        57


> SELECT
    "eventType", count(*)
FROM
    system.rangelog
WHERE
    crdb_internal.pretty_key(decode(info::JSONB->'UpdatedDesc'->>'start_key', 'base64'), 0) LIKE '/57%'
    AND "timestamp" BETWEEN '2021-04-23 02:45:00' AND '2021-04-23 03:00:00'
GROUP BY
    "eventType";

   eventType   | count
---------------+--------
  split        |   119
  add_voter    |   393
  remove_voter |   399
  merge        |   100

What jumped out wasn't the rebalancing, but the range merges. Why on earth were we merging ranges in the active table? The answer to this lies in why these ranges existed in the first place - they were load-based splits! So when qps dropped on the cluster, the mergeQueue decided that the split points were no longer needed, so it removed them by merging ranges. This led to more of a slowdown, and more merges. And the merge cascade continued as the poor load struggled to keep up as it was bounced around between nodes and stalled on merges and lease transfers. Furthermore, as ranges merged, the load began to consolidate back on a few nodes instead of being well distributed across the cluster.

There's some history here, as something similar was tracked in #41317. We closed that issue by introducing a new kv.range_split.by_load_merge_delay cluster setting, which dictates the delay that range splits created due to load will wait before considering being merged away. By default, a load-based split will not be merged away if it was created less than 5 minutes ago. This helps, but it's also not a complete solution, as is discussed in the issue. The problem is that the delay doesn't prevent a load-based split from immediately being merged away if the load is suddenly cut after 5 minutes. To implement something like that, we'd need to track the history of qps on a range.

So to test this theory, I ran another test with kv.range_split.by_load_merge_delay set to 2 hours, so that load-based splits would never be merged away. The result:

What we see is that qps still drops by about 60% during the range merge load, as we had seen previously. However, there was no follow-up period of reverberating full throughput stalls, which were bad on this 16 node cluster and way worse on the 72 node cluster we saw before. Instead, qps dips while inactive ranges are merging and log commit latency grows, and then recovers immediately after log commit latency recovers. So it looks like the merge cascade of load-based splits can explain the extended unavailability we have seen in these clusters (this time, I triple checked 😃).

This also explains why I somehow got lucky enough to fool myself up above. This "merge cascade on performance dip" behavior is quite unstable. Once you hit it, the system melts down. But you also won't hit it if you never see an initial performance dip. So for one reason or anything, maybe because the memtable stall theory wasn't totally off-base, my experiment with that change never triggered the beginning of the cascade - slowing down qps just enough to allow a single range in the active table to merge - so they never saw performance collapse.

---

So there are a few takeaways from this:

First, we should revisit #41317. Load-based splitting is a great tool, but if performance depends on the splits that it creates and the splits disappear the moment load slows down, it creates a very unstable situation.

Second, we should determine what short-term suggestions we can make with this new understanding. My guess is that the following would serve the current user who is running into this quite well, as it would prevent load-based splits created between the TRUNCATE and GC from being merged away during any temporary instability during the GC:

SET CLUSTER SETTING kv.range_split.by_load_merge_delay = <2 x gc.ttlseconds>

Finally, we should continue investigating the degraded (but not stalled) performance while ranges on the inactive table are merging. Unlike with the more confounding stalls, we see a clear correlation between the reduced throughput and all of (disk read bytes, disk write bytes, disk read IOPS, log commit tail latency, and LSM compactions). So on the surface, this looks less bizarre. This may be a result of the test making range merges extra aggressive, but there is likely something to learn here.

[sumeerbhola]

First, we should revisit #41317. Load-based splitting is a great tool, but if performance depends on the splits that it creates and the splits disappear the moment load slows down, it creates a very unstable situation.

(from a past life) In addition to that, do we take ongoing count and latency of merges into account when deciding whether to start a new merge. If we took resource overload signals into account before deciding to merge, we would potentially fare better.

So when qps dropped on the cluster, the mergeQueue decided that the split points were no longer needed, so it removed them by merging ranges. This led to more of a slowdown, and more merges.

It is unfortunate that we cannot differentiate between low load because the external load is actually low, versus the closed loop load generators are experiencing a slow system and therefore the load rate has reduced. Is there an explicit queue somewhere that we could measure at the Replica level to realize that load may not have reduced? Or seeing if the raft proposal quota is decreasing?
The current admission control work is at the granularity of a node, so queueing there wouldn't tell us anything at the granularity of a range (though it could be used as a coarse off switch to stop merges involving this node).

[petermattis]

It is unfortunate that we cannot differentiate between low load because the external load is actually low, versus the closed loop load generators are experiencing a slow system and therefore the load rate has reduced. Is there an explicit queue somewhere that we could measure at the Replica level to realize that load may not have reduced? Or seeing if the raft proposal quota is decreasing?

I was thinking something similar when I read @nvanbenschoten's write-up. Splitting a range based on load to that range makes sense. For merging, simply looking at the load on the ranges to be merged seems insufficient. I think a coarse switch might be ok. Don't we do something similar to throttle SQL stats collection. I'm imagining something where we could look at CPU, disk IOPS, compaction debt, etc and temporarily disable range merges if they are high.

[nvanbenschoten]

In addition to that, do we take ongoing count and latency of merges into account when deciding whether to start a new merge. If we took resource overload signals into account before deciding to merge, we would potentially fare better.

We don't. The only thing we do is throttle merges based on the kv.range_merge.queue_interval cluster setting, which defaults to 1s per store but which this test drops to 0. I ran the test with the increased kv.range_split.by_load_merge_delay and the 1s delay between merges and things look pretty stable, with only minor performance dips that correlate with compactions (as we would expect from a write-heavy workload):

Don't we do something similar to throttle SQL stats collection.

For SQL stats collection, we throttle based on CPU utilization on the current node here:

cockroach/pkg/sql/rowexec/sampler.go

Lines 276 to 316 in fe96523

	if s.maxFractionIdle > 0 {
	// Look at CRDB's average CPU usage in the last 10 seconds:
	// - if it is lower than cpuUsageMinThrottle, we do not throttle;
	// - if it is higher than cpuUsageMaxThrottle, we throttle all the way;
	// - in-between, we scale the idle time proportionally.
	usage := s.flowCtx.Cfg.RuntimeStats.GetCPUCombinedPercentNorm()
	if usage > cpuUsageMinThrottle {
	fractionIdle := s.maxFractionIdle
	if usage < cpuUsageMaxThrottle {
	fractionIdle *= (usage - cpuUsageMinThrottle) /
	(cpuUsageMaxThrottle - cpuUsageMinThrottle)
	}
	if log.V(1) {
	log.Infof(
	ctx, "throttling to fraction idle %.2f (based on usage %.2f)", fractionIdle, usage,
	)
	}
	elapsed := timeutil.Now().Sub(lastWakeupTime)
	// Throttle the processor according to fractionIdle.
	// Wait time is calculated as follows:
	//
	// fraction_idle = t_wait / (t_run + t_wait)
	// ==> t_wait = t_run * fraction_idle / (1 - fraction_idle)
	//
	wait := time.Duration(float64(elapsed) * fractionIdle / (1 - fractionIdle))
	if wait > maxIdleSleepTime {
	wait = maxIdleSleepTime
	}
	timer.Reset(wait)
	select {
	case <-timer.C:
	timer.Read = true
	break
	case <-s.flowCtx.Stopper().ShouldQuiesce():
	break
	}
	}
	lastWakeupTime = timeutil.Now()
	}

The way this works is if the cpu usage is below 25%, we don't throttle at all. If it is between 25% and 75%, sleep for some fraction of maxFractionIdle proportional to the CPU usage. And if it is above 75%, we sleep for the full maxFractionIdle.

It is unfortunate that we cannot differentiate between low load because the external load is actually low, versus the closed loop load generators are experiencing a slow system and therefore the load rate has reduced. Is there an explicit queue somewhere that we could measure at the Replica level to realize that load may not have reduced? Or seeing if the raft proposal quota is decreasing?

Splitting a range based on load to that range makes sense. For merging, simply looking at the load on the ranges to be merged seems insufficient. I think a coarse switch might be ok. ... I'm imagining something where we could look at CPU, disk IOPS, compaction debt, etc and temporarily disable range merges if they are high.

I'm still trying to understand how to think about these kinds of approaches, so if you two have references to prior art in this area, I'd find that very helpful. There's also discussion from @sumeerbhola about other areas where we could think along these lines in #57247 and #57248.

The challenges to this kind of throttling behavior seem to be that 1) we need cluster-wide information to make good decisions, otherwise we may not properly account for unbalanced load (one way or the other), 2) we need to determine which signals are appropriate to look at and which ones aren't (the classic admission control problem), and 3) it seems quite easy to accidentally design a throttling heuristic that results in range merges never running under certain workload characteristics. We may want some form of probabilistic throttling to avoid that kind of pathology.

An alternative approach I've been thinking of along the lines of probabilistic throttling is to keep track on the leaseholder of the first time a range was run through the mergeQueue and could have been merged because its load was low enough. The time would be reset whenever the mergeQueue processes a replica and the load is determined to be sufficiently high. The probability that we actually will merge a range when run through the mergeQueue would start low and grow as this duration grows.

[sumeerbhola]

The only thing we do is throttle merges based on the kv.range_merge.queue_interval cluster setting, which defaults to 1s per store but which this test drops to 0.

I want to clarify one thing: does the maxConcurrency of 1 in merge_queue.go mean that there is only 1 merge being run per node in the cluster and that a new merge won't start at that node before the previous one has completed (I am guessing the call to AdminMerge in mergeQueue.process is synchronous but I am not sure)?

Regarding the rate limiting that we do for SQL stats and your concerns about "need cluster-wide information to make good decisions";ending up with a design that accidentally doesn't merge; probabilistic throttling: these are all good points and I don't have any clear answers from prior art I have encountered:

• I'm generally wary of rate based throttling schemes that have some lower bound on rate, since it is never clear to me how that lower bound was chosen (like the maxIdleSleepTime in sampler.go). These tend to work well in early stages of the system, but multiple different activities doing their own throttles can still collectively overload the system.
• For the sql sampler stuff we can more easily subject it to admission control. I am wary of doing the same for KV admin commands -- I was expecting they would usually bypass admission control, and good judgement would be exercised at a higher level on whether to submit such BatchRequests. Thoughts?
• Keeping a bounded number of merges active in the whole system, that take into account that the system is not overloaded, and the nodes involved in those merges are not overloaded, does work reasonably in a serverless setting where we are controlling the provisioning. For instance if we say we won't do merges when certain resource utilization signals are > 80% we can arrange things such that we take action to add resources when utilization goes higher than 80%. It seems more complicated in on-prem settings since it is one more thing that customers need to worry about.
• Everything I have seen in this area does use cluster-wide information. This tends to come about naturally when there is a central master that is tracking load information, and doing splits/merges/rebalancing.

[nvanbenschoten]

does the maxConcurrency of 1 in merge_queue.go mean that there is only 1 merge being run per node in the cluster and that a new merge won't start at that node before the previous one has completed (I am guessing the call to AdminMerge in mergeQueue.process is synchronous but I am not sure)?

This is roughly correct, though the limit is actually per store, not per node.

I am wary of doing the same for KV admin commands -- I was expecting they would usually bypass admission control, and good judgement would be exercised at a higher level on whether to submit such BatchRequests. Thoughts?

I agree with this. I'm not confident that we would be able to construct an accurate cost-model of each admin command that fully accounts for all of its immediate costs and all of its externalities. So I think throttling here needs to be performed by whoever is deciding to issue the admin command.

Keeping a bounded number of merges active in the whole system, that take into account that the system is not overloaded, and the nodes involved in those merges are not overloaded, does work reasonably in a serverless setting where we are controlling the provisioning. For instance if we say we won't do merges when certain resource utilization signals are > 80% we can arrange things such that we take action to add resources when utilization goes higher than 80%. It seems more complicated in on-prem settings since it is one more thing that customers need to worry about.

This is an interesting point. This kind of approach becomes possible when we closely monitor the health and control the resources in a system. But requiring an operator to be in the loop becomes much less appealing for on-prem deployments.

Everything I have seen in this area does use cluster-wide information. This tends to come about naturally when there is a central master that is tracking load information, and doing splits/merges/rebalancing.

Also interesting. Does the rate at which these centralized decisions get applied tend to scale linearly with available resources or are constant limits imposed?

[sumeerbhola]

Does the rate at which these centralized decisions get applied tend to scale linearly with available resources or are constant limits imposed?

For something like limiting the number of ongoing merges, I've seen simple heuristics like no merges at mean cluster utilization > N%. And when < N%, no more than a mean of M ongoing merges/node. So yes, it does scale with deployed resources but not necessarily in a sophisticated way. Looks like we already have an M which is the number of stores per node.