ZOOKEEPER-4306: Avoid CloseSessionTxns larger than jute.maxbuffer
#1716
Conversation
There was a problem hiding this comment.
I am not sure this is the right way to address the problem.
The problem is in close session, here you are adding an hard (unpredictable and u configurable) bound on the number of ephemeral nodes.
If the problem is only about close session we could work only on that case.
If you want to go down this way of limiting the number of ephemeral we must make it configurable somehow.
You are also introducing a new error code, how do old clients will handle that error code?
|
Hi @eolivelli, Thank you for the initial review! Perhaps I should create a parallel thread on the
Right. Me neither, but I thought I'd start the discussion with a concrete proposal, so here we are :)
Well, yes and no. The "unpreditable" bound exists—it's just that right now it does not cause failures at creation time, but rather a hard crash of the whole ensemble at session close. Hitting the new error is bad news, but not worse news than the status quo :) It is possible to "manually" delete the nodes, of course, in which case there is no issue at session close—but having that many ephemerals in a session probably means that the application has gone berserk.
Yes, but. As far as I can tell, other options include:
One problem with these options, though, is that the amount of data still is under client control, and mostly not covered by the quota mechanism—they are, in a way, a loophole allowing clients to work around the (admittedly quite limited) DoS protection afforded by Jute. In any case: would you have additional suggestions to append to that list?
First, we could of course make the "feature" optional—but again: the ensemble is in great danger if the limit is reached, which is why I did not. Note that the limit is configurable, though, even if not independently—it simply tracks
Badly, particularly when it comes to synchronous operations. (This is a common problem with the current ZooKeeper protocol; most clients are not very good at dealing with unexpected codes.) I actually have some patches about that which I should polish and submit here. But hey, at least they won't crash the ensemble :) Cheers, -D |
|
I think that we can resume this patch. The problem has been reported again on the mailing list (and I don't have a better proposal at the moment) |
|
@ztzg When you have a chance, would you please rebase this patch and resolve conflicts? @eolivelli @kezhuw Shall we shoot for 3.9.3 here what do you think? |
This commit does not introduce anything new; it simply refactors the ephemeral path management logic in preparation for storing additional bookkeeping information.
ztzg
force-pushed
the
ZOOKEEPER-4306-limit-ephemerals
branch
from
e888236
to
1dbd423
Compare
|
Hi @anmolnar,
I just pushed a rebased version.
I was late for your previous attempts at a 3.9.3, but perhaps we get another go at it? I created a |
|
Hi @eolivelli,
I don't have a better proposal either. Here is a rebased version, with a slightly expanded test. |
|
What if we have consistent point-in-time snapshot ? ZOOKEEPER-4874 proposed not to do fuzzy snapshot. We probably do too many tricks for fuzzy snapshot to solve corner cases, and I think it is worth for us to resort to a consistent approach. Fuzzy snapshot is fuzzy. |
|
(@kezhuw: wrote this a few days ago, but it seems GitHub drops email replies now?!) Hi Kezhu, Are you sure this is the issue you want to comment on? "Overflowing" Cheers, -D P.-S. — I will have a look at (Note that in my "own" |
|
I thought ZOOKEEPER-4306 is caused by ZOOKEEPER-3145(#622) which is dealing with fuzzy snapshot. |
Interesting; thanks for the link! I will check it out. But no, ZOOKEEPER-4306 would happen even without fuzziness. The fundamental issue is that transactions are inherently bounded by |
Before ZOOKEEPER-3145(#622), |
Allowing a serialized
CloseSessionTxnto grow larger thanjute.maxbufferis a really bad idea: not only does it quickly makes the target ensemble unavailable, it even prevents it from restarting.Such availability issues have been reported or fixed in the past, notably in ZOOKEEPER-2101 and ZOOKEEPER-3496. This one is a bit different because of the "distance" between the cause and its effect.
The size of a
CloseSessionTxntransaction is directly related to the total length of the paths of the ephemeral nodes belonging to the session to be closed. That "mass" of data can be built incrementally, across many requests; it is not that difficult for a small "leak" to push the transaction size overjute.maxbufferif a session lasts long enough.This series adds serialization size bookkeeping to the per-session ephemeral node management, and fails ephemeral node creation requests which would potentially result in an "overflowing"
CloseSessionTxn.