roachtest: enable DistSender circuit breakers in failover/partial/lease-leader #133214
…se-leader

DistSender circuit breakers are useful in this test to avoid artificially inflated latencies due to the way the test measures failover time (pMax, no timeouts). Without circuit breakers, a request stuck on the partitioned leaseholder will get blocked indefinitely, despite the range recovering on the other side of the partition and becoming available to all new traffic. As a result, the test won't differentiate between temporary and permanent range unavailability. We have other tests which demonstrate the benefit of DistSender circuit breakers (especially when applications do not use statement timeouts), so we don't need to test them here.

With this change, the test's failover time drops from:

| lease=epoch (ms) | lease=expiration (ms) | lease=leader (ms) |
|-----------------:|----------------------:|------------------:|
| 60,129 | 60,129 | 60,129 |

down to:

| lease=epoch (ms) | lease=expiration (ms) | lease=leader (ms) |
|-----------------:|----------------------:|------------------:|
| 60,129 | 22,549 | 31,139 |

Notice that expiration and leader leases now recover, while epoch leases remain unavailable indefinitely.

Epic: None

Release note: None
Part of cockroachdb#132762.

Leader leases have different availability properties than epoch leases under most failure modes. This patch adds failover test variants that use leader leases where possible.

Initial test results:

| test | lease=epoch (ms) | lease=expiration (ms) | lease=leader (ms) | parity with expiration |
|:---------------------------------------------|-----------------:|----------------------:|------------------:|:----------------------:|
| failover/chaos/read-only | 60,129 | 18,253 | 60,129 | ✔ |
| failover/chaos/read-write | 60,129 | 20,401 | 60,129 | XXX |
| failover/liveness/blackhole | 9,663 | 369 | 335 | ✔ |
| failover/liveness/blackhole-recv | 11,274 | 402 | 369 | ✔ |
| failover/liveness/blackhole-send | 9,663 | 385 | 469 | ✔ |
| failover/liveness/crash | 8,053 | 352 | 318 | ✔ |
| failover/liveness/deadlock | 24,696 | 385 | 369 | ✔ |
| failover/liveness/disk-stall | 26,843 | 369 | 419 | ✔ |
| failover/liveness/pause | 10,200 | 385 | 436 | ✔ |
| failover/non-system/blackhole | 7,247 | 7,516 | 15,032 | XX |
| failover/non-system/blackhole-recv | 12,348 | 10,737 | 18,253 | XX |
| failover/non-system/blackhole-send | 6,979 | 6,979 | 8,053 | X |
| failover/non-system/crash | 7,247 | 6,979 | 9,126 | X |
| failover/non-system/deadlock | 60,129 | 60,129 | 60,129 | ✔ |
| failover/non-system/disk-stall | 22,548 | 22,548 | 25,769 | X |
| failover/non-system/pause | 7,247 | 7,247 | 9,126 | X |
| failover/partial/lease-gateway | 8,589 | 19,327 [^1] | 60,129 | XXX |
| failover/partial/lease-leader | 60,129 | 22,549 [^2] | 31,139 [^2] | XX |
| failover/partial/lease-liveness | 8,589 | 301 | 318 | ✔ |
| failover/system-non-liveness/blackhole | 369 | 402 | 352 | ✔ |
| failover/system-non-liveness/blackhole-recv | 335 | 285 | 318 | ✔ |
| failover/system-non-liveness/blackhole-send | 402 | 419 | 335 | ✔ |
| failover/system-non-liveness/crash | 419 | 301 | 453 | ✔ |
| failover/system-non-liveness/deadlock | 369 | 352 | 402 | ✔ |
| failover/system-non-liveness/disk-stall | 402 | 318 | 453 | ✔ |
| failover/system-non-liveness/pause | 369 | 385 | 335 | ✔ |

_note: because of the way the test measures pMax, anything under 1,000ms is essentially "no impact"_

**Key _(comparing leader vs. expiration)_**:

- ✔ = parity
- X = minor regression
- XX = major regression
- XXX = unavailability

[^1]: I don't understand why expiration-based leases perform worse than epoch-based leases on this test.

[^2]: With cockroachdb#133214.

Epic: none

Release note: None
Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @DarrylWong, @nvanbenschoten, and @srosenberg)
-- commits
line 6 at r1:
I'm a bit conflicted on this change. On one hand, without `DistSender` circuit breakers and no timeouts, I'm not entirely sure what this test is trying to test is doing to begin with. Especially considering we're measuring `pMax`, which means we don't differentiate between a temporary outage or a permanent one.

On the other hand, given it's not in our medium term plans to productionize `DistSender` circuit breakers, I'm wondering if it's fair to turn them on here. You could say they're a proxy for a statement timeout[1].

IMO, we should re-think these tests to not use `pMax` at all. Instead, we should switch these to track the duration of the outage (like we've spoken about a few times at this point) and not use `DistSender` circuit breakers at all here (maybe we add statement timeouts). Until then though, turning on `DistSender` circuit breakers sounds reasonable.

[1] I asked myself why don't we set a statement timeout here instead -- and I think I know why -- it's because adding a statement timeout will put a cap on `pMax`, which means we'll be back to square one where we can't differentiate between the three lease types.
-- commits
line 25 at r1:
Mostly for my edification, do you have a high level idea of how this 20s breaks down for expiration based leases? Or maybe even where you're putting your money on the 10s difference between leader leases / expiration based leases?
pkg/cmd/roachtest/tests/failover.go
line 551 at r1 (raw file):
```go
// use statement timeouts), so we don't need to test them here.
// TODO(arul): this can be removed if/when we turn on DistSender circuit
// breakers for all ranges by default.
```
Or if we rework this test to track the duration of the outage instead of pMax as well?
TFTR!
bors r+
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @arulajmani, @DarrylWong, and @srosenberg)
> I asked myself why don't we set a statement timeout here instead -- and I think I know why -- it's because adding a statement timeout will put a cap on `pMax`, which means we'll be back to square one where we can't differentiate between the three lease types.

Yes, that's exactly right. If we put a statement timeout here and then keep measuring `pMax` as our proxy for outage duration, then we will consider all outages to last for only `statement_timeout`.
I'm in agreement with everything you've said. I'll track this in #133361.
Previously, arulajmani (Arul Ajmani) wrote…
Mostly for my edification, do you have a high level idea of how this 20s breaks down for expiration based leases? Or maybe even where you're putting your money on the 10s difference between leader leases / expiration based leases?
For both of them, we are seeing the 10s DistSender circuit breaker timeout, so the outage duration is 10s less than what's measured here. I don't understand the 10s difference between them, but I'd like to.
pkg/cmd/roachtest/tests/failover.go
line 551 at r1 (raw file):
Previously, arulajmani (Arul Ajmani) wrote…
Or if we rework this test to track the duration of the outage instead of pMax as well?
Agree 100%.
DistSender circuit breakers are useful in this test to avoid artificially inflated latencies due to the way the test measures failover time (pMax, no timeouts). Without circuit breakers, a request stuck on the partitioned leaseholder will get blocked indefinitely, despite the range recovering on the other side of the partition and becoming available to all new traffic. As a result, the test won't differentiate between temporary and permanent range unavailability. We have other tests which demonstrate the benefit of DistSender circuit breakers (especially when applications do not use statement timeouts), so we don't need to test them here.
With this change, the test's measured failover time drops from:
down to:
This is because the circuit breakers place a 10s timeout on all KV requests, so no request gets stuck indefinitely. Notice that expiration and leader leases now recover, while epoch leases remain unavailable indefinitely.
Epic: None
Release note: None
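The review thread's point that a statement timeout caps `pMax` at the timeout, and its proposal to track outage duration instead, as an added Go example (not code from this PR or from CockroachDB). `Sample`, `Metrics` and `Workload` are hypothetical names, and the one-client workload is a constructed model, not the roachtest workload.

```go
package main

import "fmt"

// Sample is one client request; times are whole seconds since test start.
type Sample struct {
	Start, End int
	OK         bool
}

// Metrics returns pMax (largest request latency) and the outage duration (longest
// stretch with no successful completion). s must be ordered by End.
func Metrics(s []Sample, total int) (pMax, outage int) {
	last := 0
	for _, x := range append(s, Sample{total, total, true}) { // sentinel: test end
		if x.End-x.Start > pMax {
			pMax = x.End - x.Start
		}
		if x.OK {
			if x.End-last > outage {
				outage = x.End - last
			}
			last = x.End
		}
	}
	return pMax, outage
}

// Workload is a constructed model: one client, 1s per request, range down in
// [from, to); a request running longer than timeout (>= 1) fails at the timeout.
func Workload(from, to, timeout, total int) (s []Sample) {
	for t := 0; t < total; {
		end, ok := t+1, true
		if t >= from && t < to {
			end = to + 1 // blocked until the range recovers
		}
		if end-t > timeout {
			end, ok = t+timeout, false
		}
		s = append(s, Sample{t, end, ok})
		t = end
	}
	return s
}

func main() {
	fmt.Println(Metrics(Workload(10, 30, 5, 60), 60))   // temporary outage
	fmt.Println(Metrics(Workload(10, 120, 5, 60), 60))  // permanent outage
	fmt.Println(Metrics(Workload(10, 30, 100, 60), 60)) // no effective timeout
}
```

With a 5s timeout, `pMax` reads 5 for both the 20s outage and the one that never recovers, while the gap between successful completions separates them.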