Do not close the socket when the broker failed due to MetadataStoreException #390

BewareMyPower · 2024-01-30T14:50:00Z

Motivation

When the broker failed to acquire the ownership of a namespace bundle by LockBusyException. It means there is another broker that has acquired the metadata store path and didn't release that path. For example:

Broker 1:

2024-01-24T23:35:36,626+0000 [metadata-store-10-1] WARN  org.apache.pulsar.broker.lookup.TopicLookupBase - Failed to lookup <role> for topic persistent://<tenant>/<ns>/<topic> with error org.apache.pulsar.broker.PulsarServerException: Failed to acquire ownership for namespace bundle <tenant>/<ns>/0x50000000_0x51000000
   Caused by: java.util.concurrent.CompletionException: org.apache.pulsar.metadata.api.MetadataStoreException$LockBusyException: Resource at /namespace/<tenant>/<ns>/0x50000000_0x51000000 is already locked

Broker 2:

2024-01-24T23:35:36,650+0000 [broker-topic-workers-OrderedExecutor-3-0] INFO  org.apache.pulsar.broker.PulsarService - Loaded 1 topics on <tenant>/<ns>/0x50000000_0x51000000 -- time taken: 0.044 seconds

After broker 2 released the lock at 23:35:36,650, the lookup request to broker 1 should tell the client that namespace bundle 0x50000000_0x51000000 is currently being unloaded and in the next retry the client will connect to the new owner broker.

Here is another typical error:

2024-01-24T23:57:57,264+0000 [pulsar-io-4-5] INFO  org.apache.pulsar.broker.lookup.TopicLookupBase - Failed to lookup <role> for topic persistent://<tenant>/<ns>/<topic> with error Namespace bundle <tenant>/<ns>/0x0d000000_0x0e000000 is being unloaded

Though after apache/pulsar#21211, the server error becomes MetadataError rather than ServiceNotReady.

However, since the ServerError is ServiceNotReady, the client will close the connection. If there are many other producers or consumers on the same connection, they will all reestablish connection to the broker, which is unnecessary and brings much pressure to broker side.

Modifications

In checkServerError, when the error code is ServiceNotReady, check
the error message as well, if it hit the case in handleLookupError, do
not close the connection.

Add ConnectionTest on a mocked ClientConnection object to verify
close() will not be called.

…kBusyException ### Motivation When a broker restarted, there is a case in `NamespaceService#findBrokerServiceUrl`: 1. `ownershipCache.getOwnerAsync(bundle)` got an empty data, then `searchForCandidateBroker` will be called 2. The broker itself was elected as the candidate broker. 3. Meanwhile, the other broker has acquired the distributed lock of the bundle, then `ownershipCache.tryAcquiringOwnership` will fail with ```java lookupFuture.completeExceptionally(new PulsarServerException( "Failed to acquire ownership for namespace bundle " + bundle, exception)); ``` See apache/pulsar-client-cpp#390 for the real world case. Then in `TopicLookupBase#handleLookupError`, this exception will be wrapped into a `ServiceNotReady` error to client. This case happens very frequently in our production environment when a broker restarted. If there is a `PulsarClient` that has many producers or consumers, the connection will be closed, which results in many reconnections, which brings much pressure to the cluster. ### Modifications In `handleLookupError`, check the `PulsarServerException` and unwrap the `CompletionException`. If the unwrapped exception is `MetadataStoreException`, return the `MetadataError` to avoid closing the connection at client side. Add `testLookupConnectionNotCloseIfFailedToAcquireOwnershipOfBundle` to simulate the case and verify the socket won't be closed.

BewareMyPower · 2024-01-31T07:58:25Z

Mark it as drafted for now, I'm trying to mock the ClientConnection so that this change can be protected by tests.

…ception ### Motivation When the broker failed to acquire the ownership of a namespace bundle by `LockBusyException`. It means there is another broker that has acquired the metadata store path and didn't release that path. For example: Broker 1: ``` 2024-01-24T23:35:36,626+0000 [metadata-store-10-1] WARN org.apache.pulsar.broker.lookup.TopicLookupBase - Failed to lookup <role> for topic persistent://<tenant>/<ns>/<topic> with error org.apache.pulsar.broker.PulsarServerException: Failed to acquire ownership for namespace bundle <tenant>/<ns>/0x50000000_0x51000000 Caused by: java.util.concurrent.CompletionException: org.apache.pulsar.metadata.api.MetadataStoreException$LockBusyException: Resource at /namespace/<tenant>/<ns>/0x50000000_0x51000000 is already locked ``` Broker 2: ``` 2024-01-24T23:35:36,650+0000 [broker-topic-workers-OrderedExecutor-3-0] INFO org.apache.pulsar.broker.PulsarService - Loaded 1 topics on <tenant>/<ns>/0x50000000_0x51000000 -- time taken: 0.044 seconds ``` After broker 2 released the lock at 23:35:36,650, the lookup request to broker 1 should tell the client that namespace bundle 0x50000000_0x51000000 is currently being unloaded and in the next retry the client will connect to the new owner broker. Here is another typical error: ``` 2024-01-24T23:57:57,264+0000 [pulsar-io-4-5] INFO org.apache.pulsar.broker.lookup.TopicLookupBase - Failed to lookup <role> for topic persistent://<tenant>/<ns>/<topic> with error Namespace bundle <tenant>/<ns>/0x0d000000_0x0e000000 is being unloaded ``` Though after apache/pulsar#21211, the server error becomes `MetadataError` rather than `ServiceNotReady`. However, since the `ServerError` is `ServiceNotReady`, the client will close the connection. If there are many other producers or consumers on the same connection, they will all reestablish connection to the broker, which is unnecessary and brings much pressure to broker side. ### Modifications In `checkServerError`, when the error code is `ServiceNotReady`, check the error message as well, if it hit the case in `handleLookupError`, do not close the connection. Add `ConnectionTest` on a mocked `ClientConnection` object to verify `close()` will not be called.

BewareMyPower requested review from merlimat, RobertIndie, Demogorgon314, poorbarcode and shibd January 30, 2024 14:50

BewareMyPower self-assigned this Jan 30, 2024

BewareMyPower added this to the 3.5.0 milestone Jan 30, 2024

BewareMyPower mentioned this pull request Jan 30, 2024

[improve][broker] Do not close the socket if lookup failed due to LockBusyException apache/pulsar#21993

Merged

4 tasks

BewareMyPower marked this pull request as draft January 31, 2024 07:57

BewareMyPower force-pushed the bewaremypower/service-not-ready-retry branch from cc5d8b0 to 58223e7 Compare January 31, 2024 13:39

BewareMyPower changed the title ~~Do not close the socket when the broker failed to acquire ownership for namespace bundle~~ Do not close the socket when the broker failed due to MetadataStoreException Jan 31, 2024

BewareMyPower force-pushed the bewaremypower/service-not-ready-retry branch from 58223e7 to b6329e8 Compare January 31, 2024 16:47

BewareMyPower marked this pull request as ready for review January 31, 2024 17:00

RobertIndie approved these changes Feb 2, 2024

View reviewed changes

BewareMyPower merged commit c7e53ac into apache:main Feb 2, 2024
12 checks passed

BewareMyPower deleted the bewaremypower/service-not-ready-retry branch February 2, 2024 11:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Do not close the socket when the broker failed due to MetadataStoreException #390

Do not close the socket when the broker failed due to MetadataStoreException #390

BewareMyPower commented Jan 30, 2024 •

edited

Loading

BewareMyPower commented Jan 31, 2024

Do not close the socket when the broker failed due to MetadataStoreException #390

Do not close the socket when the broker failed due to MetadataStoreException #390

Conversation

BewareMyPower commented Jan 30, 2024 • edited Loading

Motivation

Modifications

BewareMyPower commented Jan 31, 2024

BewareMyPower commented Jan 30, 2024 •

edited

Loading