Experiment: Improve concurrent merge performance by weakly owning branch updates

[arielshaqed]

What

When enabled, this feature improves performance of concurrent merges.

No seriously, what?

lakeFS retains branch heads on KV. An operation that updates the branch head - typically a commit or a merge - performs a 3-phase commit protocol:

• Get the branch head from KV
• Create the metarange on block storage based on that branch head
• Create a new commit with that metarange whose parent is that branch head, IF the branch head has not moved

When the third phase fails, the operation fails. We do retry automatically on the server, but obviously under load it will still fail. Indeed we see this happen to some users who have heavy merge loads. In this case each retry is actually more expensive, because the gap between the source commit and the destination branch tends to grow with every successive commit to the destination. Failure is pretty much guaranteed once sustained load crosses some critical threshold.

How

This PR is an experiment to use "weak ownership" to avoid having to retry. Broadly speaking, every branch update operation takes ownership of its branch. This excludes all other operations from updating that branch. This exclusion does not reduce performance - only one concurrent branch operation can ever succeed, and almost all concurrent branch operations can succeed. In fact, it increases performance because it prevents wasting resources on all the concurrent failing operations.

What about CAP?

Distributed locking is impossible by the CAP theorem. That's why we use weak ownership. This gives up on C (consistency) and some P (partition resistance) in favour of keeping A (availability). Specifically, a thread takes ownership of a branch by asserting ownership as a record on KV. This ownership has an expiry time; the thread refreshes its ownership until it is done, at which point it deletes the record.

This ownership is weak: usually a single thread owns the branch, but sometimes 2 threads can end up owning the same branch! If the thread fails to refresh on time (due to a partition or slowness or poor clock sync, for instance) then another thread will also acquire ownership! When that happens we have concurrent branch updates. Because these are correct in lakeFS, we lose performance and may need to retry, but we never give incorrect answers.

Results

This PR also adds a lakectl abuse merge command to allow us to measure. b0cfca3 has some numbers when running locally: with sustained concurrency 50, we run faster and get 0 failures instead of 6.6% failures. More details there why this is even better than it sounds. Graph available here, here's a spoiler:

[github-actions]

♻️ PR Preview d352071 has been successfully destroyed since this PR has been closed.

_{🤖 By surge-preview}

[github-actions]

E2E Test Results - DynamoDB Local - Local Block Adapter

[github-actions]

E2E Test Results - Quickstart

[yonipeleg33]

@arielshaqed looks like amazing work, thank you!
I haven't reviewed it yet, but a few general notes:

1. Do we have an experiment plan for this feature? Which customers/users, for how long, etc.
2. The term "weak" is a bit inaccurate here IMO:
   The term "weak" as defined in places like CPP's std::weak_ptr or Rust's std::sync::Weak means a "non-owning reference", which is different than how this mechanism of branch locking works - each worker owns the branch exclusively, but only for a short period, and with a graceful mechanism for giving up exclusive ownership.
   The term "lease-based ownership" suites better here IMO.

[arielshaqed]

I should probably mention that if we go in this direction, we can deploy this and then improve it. The next step is to add fairness: earlier merge attempts should have a better chance of being next. Otherwise when there are multiple concurrent merges some of the earlier merge will repeatedly lose and time out. If everything is fair then we expect fewer timeouts, and in general the tail latency will shorten.
One way to make things fairer is to manage an actual queue of tasks waiting to own the branch. Then either they're thread gets priority to pick up the task (it's allowed to pick up tasks sooner after their expiry, for instance task n in the queue waits until $t_{expiry} + n\cdot dt_{check}$) or the thread that owns the branch just processes all merges in the queue.
Anyway, we don't need that to run this experiment.

[itaiad200]

This is wrong, no? multiple routines can succeed at the same time

[arielshaqed]

Ouch, yeah, this was supposed to be a SetIf with the "not present" predicate - and I forgot to find out the correct value for that predicate.
Thanks for catching this!

[arielshaqed]

Thanks, that one's embarrassing.

[arielshaqed]

Ouch, yeah, this was supposed to be a SetIf with the "not present" predicate - and I forgot to find out the correct value for that predicate.
Thanks for catching this!

[arielshaqed]

@arielshaqed looks like amazing work, thank you! I haven't reviewed it yet, but a few general notes:

Thanks!

1. Do we have an experiment plan for this feature? Which customers/users, for how long, etc.

Yes. Firstly, this PR adds a lakectl abuse merge command to measure. After we pull I will deploy to Cloud staging, switch it on for a single private installation, and measure. Also as you probably know, we have a user for whom I plan this. I will communicate with them to measure on their system; obviously timing for that depends on the customer timing and how comfortable they feel switching it on.

2. The term "weak" is a bit inaccurate here IMO:
   The term "weak" as defined in places like CPP's std::weak_ptr or Rust's std::sync::Weak means a "non-owning reference", which is different than how this mechanism of branch locking works - each worker owns the branch exclusively, but only for a short period, and with a graceful mechanism for giving up exclusive ownership.
   The term "lease-based ownership" suites better here IMO.

In the C++ and Rust standard libraries, "weak" in this case refers to the pointer. (In other cases in the C++ standard library, "weak" can refer to any variant which is logically weaker, for instance we also have class weak_ordering. In this PR "weak" is supposed to weaken "ownership".

What we have in this PR indeed uses a lease-based implementation. But it's not ownership, it just behaves like ownership in almost all reasonable cases.

A better term might be "mostly correct ownership"¹. In fact, I believe that such an unwieldy name would be a good choice! If you agree I will change to use it.

Footnotes

1. The technical term "mostly" here is intended in same sense that Miracle Max uses it. ↩

[itaiad200]

Reviewed everything except for the tests. Some really good things here!

[itaiad200]

It seems to me that this shouldn't be in kv pkg. It deserves a standalone ownership/owner/ anything else package. The kv is an implementation detail of the ownership, so this struct should be called KVWeakOwner

[arielshaqed]

Sure. Let's do this after we agree on a name? @yonipeleg33 requested a name change, I'd rather do a single name change towards the end of the review.

[itaiad200]

Suggested change

	Merge nonconflicting objects to the source branch in parallel
	Merge non-conflicting objects to the source branch in parallel

[arielshaqed]

Will auto-generate this :-)

[itaiad200]

Suggested change

	own, err := m.branchOwnership.Own(ctx, requestID, string(branchID))
	ownRelease, err := m.branchOwnership.Own(ctx, requestID, string(branchID))

or

Suggested change

	own, err := m.branchOwnership.Own(ctx, requestID, string(branchID))
	ownClose, err := m.branchOwnership.Own(ctx, requestID, string(branchID))

[arielshaqed]

Nice! Changed to release(), which I hope is even nicer.

[itaiad200]

Fix linting

[arielshaqed]

This was a sentinel not an actual error. See for instance io.EOF. It is used only in sleepFor to indicate that the context expired with no error. But it turns out that there are special cases in contest.WithCancelCause so we don't need it.

Removed, thanks!

[itaiad200]

Shouldn't you check the error and exit the function?

[arielshaqed]

I reported the error, and I do not think there is any useful action to take.

Aborting the action here, in particular, will probably livelock in some situations!

This goroutine has nothing waiting for it, and there really is nothing much to do with broken ownership. "All" that happens is that performance will suffer! This goroutine for the former owner thinks that another action stole its lease. So it makes sense to continue - it is likely to win the race to update, because it has already performed some work. Meanwhile the other action thinks that the former owner has stopped and will never finish - it should continue to avoid zombielock (a name I just invented for livelock against a stuck thread).

Which one is right? Well, if this goroutine is still running then the other action will most likely suffer. If it isn't running, it cannot do anything useful anyway.

[itaiad200]

Add a comment explaining why the code continues to try and own the key. Assuming that it should, I worry that this across multiple routines may have a cascading effect of kv calls

[arielshaqed]

Adding a comment to explain. But note that "all" that happens is that we fall back to the previous behaviour. Frankly I believe that the common cause for A losing a race to B will be that the clock on B is a bit too fast; this does not cause chains of lost races. The other common cause for A losing a race to B will be that A was stuck; again, that does not give it or any other thread an advantage against B. The final case is when all are badly stuck - for instance if you configure very short acquire and refresh intervals. In that case you do get what you would expect: a stuck system.

[itaiad200]

Suggested change

	Short: "Merge nonconflicting objects to the source branch in parallel",
	Short: "Merge non-conflicting objects to the source branch in parallel",

[arielshaqed]

Done.

[itaiad200]

Suggested change

	fmt.Println("Source branch:", u)
	fmt.Println("Source branch: ", u)

[arielshaqed]

Thanks for the thorough review!

PTAL...

[arielshaqed]

Done.

[arielshaqed]

Will auto-generate this :-)

[arielshaqed]

Done.

[arielshaqed]

Done. Either way will have strange performance characteristics, of course.

[arielshaqed]

Confusion about how cancellation would work. Restored, thanks!

[arielshaqed]

Not sure why not: this key is on my partition, with my prefix, and I set it starting at l. 245. It serves to indicate ownership, and its value holds only ownership. I think I can delete it.

[arielshaqed]

Suppose a system is behaving really strangely. I can look at its ownership partition and determine which operation owns it -- that's what I put here when I took ownership. I call it "comment" rather than something else because I don't want to commit to any format of what exactly goes in there.

[arielshaqed]

Added!

[itaiad200]

@arielshaqed could you open an issue and link to it? This is hardly a minor-change :)

[itaiad200]

Review wip

[itaiad200]

👍

[itaiad200]

I really hope kv contract tests cover this

[itaiad200]

It holds ownership, but it's not guaranteed to be your routine ownership (unless I'm missing something). Some other thread might successfully set itself as owner and your cleanup code breaks it.

[arielshaqed]

@arielshaqed could you open an issue and link to it? This is hardly a minor-change :)

#8288 :-)

[arielshaqed]

I really hope kv contract tests cover this

That line no longer occurs directly. We do still have it implied. I believe that it is tested by kvtest here and here.

[arielshaqed]

Thanks!

PTAaaAAaaAAL...

[arielshaqed]

A DeleteIf operation sure would be nice here. Since we didn't spec one out, I'll replace it with a sentinel value instead.

[itaiad200]

Sorry for the late feedback, I am reviewing it very cautiously.

I wonder if wrapping BranchUpdate is the appropriate location to "Own" a branch. Every major branch changing operation, like commit & merge has 2 BranchUpdate calls. One for changing the staging token and one for the actual operation. If these 2 operations don't happen one after the other.
The current ownership model only wraps a single BranchUpdate call, thus releasing the lock prematurely.

[arielshaqed]

Sorry for the late feedback, I am reviewing it very cautiously.

I wonder if wrapping BranchUpdate is the appropriate location to "Own" a branch. Every major branch changing operation, like commit & merge has 2 BranchUpdate calls. One for changing the staging token and one for the actual operation. If these 2 operations don't happen one after the other. The current ownership model only wraps a single BranchUpdate call, thus releasing the lock prematurely.

I'm not sure this matters. There is no connection between the two update operations: my commit can succeed even if you were the last to seal staffing tokens. And of course sealing is cheap. So I would not expect this to affect performance.

Of course the easy way to be sure will be to perform the experiment.

[arielshaqed]

Testing on lakeFS Cloud (staging)

Setup

• Cloud installation on staging (codename popular-mastodon 🐘).
  • Boosted it to 500 RCUs + 50 WCUs.
• Replaced image with an experimental image built from the branch, tagged v1.38.0-15-g0ec60--hinted-merger.1.
• Run the lakectl abuse merge command that this PR provides.
• Run from remote (home); this does not matter much because we perform 1.5-2 merges/s.
• In one case (* below) I noticed a gateway error so I reran to get better numbers. This was a test with the feature turned off.

Results

Weak ownership	Parallelism	Results
❌	3*	First error: merge from 92: [502 Bad Gateway]: request failed 200 total with 15 failures in 2m0.220660011s 1.663608 successes/s 0.124771 failures/s Gateway failure and 11 branches actually not created. Re-ran.
	3	First error: merge from 88: [423 Locked]: Too many attempts, try again later request failed 200 total with 1 failures in 2m11.462751261s 1.521343 successes/s 0.007607 failures/s
	6	First error: merge from 2: [423 Locked]: Too many attempts, try again later request failed 200 total with 19 failures in 1m49.366288753s 1.828717 successes/s 0.173728 failures/s
	20 (fastest! worst!)	First error: merge from 22: [423 Locked]: Too many attempts, try again later request failed 200 total with 52 failures in 1m36.082933636s 2.081535 successes/s 0.541199 failures/s
✅	3	200 total with 0 failures in 2m1.140085198s 1.650981 successes/s 0.000000 failures/s
	6	200 total with 0 failures in 1m46.569144906s 1.876716 successes/s 0.000000 failures/s
	20	200 total with 0 failures in 1m49.595498987s 1.824892 successes/s 0.000000 failures/s

Analysis

Without weak ownership, contention always caused failures. With concurrency 20, > 25% of merges failed. Each failure actually helps concurrent merges, so failures speed things up.

With weak ownership, we saw no errors. The merge rate improved slightly from 3 to 6, and then stayed flat.

[itaiad200]

LGTM with few minor comments.
Thank you for your patience!

[itaiad200]

I don't think we need to change this. Let's keep the Owner as is, you have the 0 Expires field and Comment if you need to add info. It's best to keep the same format if we can.

[arielshaqed]

Done.

[itaiad200]

Suggested change

	}).Info("Lost ownership race while trying to release")
	}).Debug("Lost ownership race while trying to release")

[arielshaqed]

Again, not done because I like knowing about these races.

[itaiad200]

Suggested change

	log.Info("Lost ownership race before trying to release")
	log.Debug("Lost ownership race before trying to release")

[arielshaqed]

Again, as rare as before, and even more interesting. Keeping it at info.

[itaiad200]

I think

Suggested change

	// per second, and an additional ~7 read and write operations
	// per second, and an additional ~7 read operations

[arielshaqed]

Thanks! But also an additional write operation actually to acquire it. So made the explanation even longer.

[itaiad200]

I think we added some one time costs with releaseIf

[arielshaqed]

Yup, added those!

[itaiad200]

Suggested change

	}).Info("Lost ownership race")
	}).Trace("Lost ownership race")

[arielshaqed]

Not done. Losing an ownership race should be rare. And when it does happen, it stops the loop.

[itaiad200]

Don't forget to move this to a proper location, this is not a kv util :)

[arielshaqed]

Thanks for the reminder! Next commit :-)

[arielshaqed]

And now... move and rename!

@yonipeleg33 & @itaiad200 : I found no recognized term for this kind of technique. I will go with "mostly-correct ownership", based on this paper by Dr. M Max.

[arielshaqed]

Thanks! But also an additional write operation actually to acquire it. So made the explanation even longer.

[arielshaqed]

Yup, added those!

[arielshaqed]

Thanks for the reminder! Next commit :-)

[arielshaqed]

Not done. Losing an ownership race should be rare. And when it does happen, it stops the loop.

[arielshaqed]

Again, as rare as before, and even more interesting. Keeping it at info.

[arielshaqed]

Done.

[arielshaqed]

Again, not done because I like knowing about these races.

[arielshaqed]

Thanks! Pulling... time flies by so quickly when you're having fun...

[arielshaqed]

" Run latest lakeFS app on AWS S3 Expected — Waiting for status to be reported "

• this is literally finished, today I am not a GitHub fan.