Better-behaved HBONE pooling #931
Conversation
istio-testing
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
istio-testing
added
the
size/XXL
istio-testing
added
the
needs-rebase
bleggett
force-pushed
the
bleggett/fix-pooling
branch
3 times, most recently
from
f2c21fb to
0a22c61
Compare
|
Added a form of conn timeout to evict connections from the pool that haven't been used in a while. Once evicted, they will be closed by hyper when clients close, due to |
bleggett
force-pushed
the
bleggett/fix-pooling
branch
from
440f533 to
37a586f
Compare
istio-testing
removed
the
needs-rebase
|
Switched to a proper concurrent hashmap that actually has a decent pedigree, which should allow for nonblocking reads (at the cost of using a little more memory, TANSTAAFL) |
bleggett
changed the title
istio-testing
removed
the
do-not-merge/work-in-progress
bleggett
force-pushed
the
bleggett/fix-pooling
branch
from
f30bd94 to
b9cf358
Compare
src/proxy/pool.rs
Outdated
| // and has no actual hyper/http/connection logic. | ||
| connected_pool: Arc<pingora_pool::ConnectionPool<ConnClient>>, | ||
| // this must be an atomic/concurrent-safe list-of-locks, so we can lock per-key, not globally, and avoid holding up all conn attempts | ||
| established_conn_writelock: HashMap<u64, Option<Arc<Mutex<()>>>>, |
There was a problem hiding this comment.
Thinking more about this it feels, really non-rusty. I suppose the issue pingora and there's not, at present, a very good way around this though so I don't have a suggestion.
There was a problem hiding this comment.
What does? The use of locks?
There was a problem hiding this comment.
Just locks which don't wrap the thing they're locking...
There was a problem hiding this comment.
Ah, yep. It's not very cosmetic, agree.
But the kind of locking we have to do is not something the pools out there will do for us, and pingora_pool has some use, at least.
The important thing about a Mutex is what holds it, what's inside is sort of moot. The mutex here is almost a semaphore arguably, which is why it feels weird.
There was a problem hiding this comment.
Its moot unless we want to fork or contribute to pingora (or I guess lock the entire pool, which we don't care to do) but the point of wrapping the mutex around the thing being accessed is more than cosmetic. It ties holding the lock and accessing the thing together in a way that we can't do with pingora. We'll need to be more careful since we can't do take advantage of that.
There was a problem hiding this comment.
If we wanted to make this simpler later, I would advocate we throw out pingora and implement our own inner data structure from scratch, what we want to do is non-standard and pingora is not likely to want or need what we would have to change to make it work like this - nor is any other "generic" HTTP2 pool.
Which is why for now I just use it and then do the other stuff outside.
src/proxy/pool.rs
Outdated
| // After waiting, we found an available conn, but for whatever reason couldn't use it. | ||
| // (streamcount maxed, etc) | ||
| // Start a new one, clone the underlying client, return a copy, and put the other back in the pool. | ||
| None => { |
There was a problem hiding this comment.
If we have multiple waiters, can they all end up here at once and spam a bunch of new connections?
There was a problem hiding this comment.
No, because we only get a NONE here if we found a conn, checked it out, and it was at maxed streamcount.
(and we don't put it back in in that case, we leave it popped to die a natural death once streamcount + refcount == 0)
If we popped it, no one else can.
bleggett
force-pushed
the
bleggett/fix-pooling
branch
from
8cb7925 to
a8224bf
Compare
|
I am seeing unexpected behavior. Open up 99 connections at once, I got 9 connections. Only 1 of them closes after the idle tieout, the rest are zombies. Also if I then open up 99 more, I get the same - 8 more zombies, 16 total. |
I may have broken it with recent commits then, and the tests aren't sufficient/needs more tests - |
bleggett
force-pushed
the
bleggett/fix-pooling
branch
from
a8224bf to
ca913b6
Compare
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
rig flakes Signed-off-by: Benjamin Leggett <[email protected]>
Signed-off-by: Benjamin Leggett <[email protected]>
bleggett
force-pushed
the
bleggett/fix-pooling
branch
from
b02750a to
fcc845f
Compare
|
/test test |
bleggett
force-pushed
the
bleggett/fix-pooling
branch
from
04dbb34 to
4622532
Compare
Signed-off-by: Benjamin Leggett <[email protected]>
bleggett
force-pushed
the
bleggett/fix-pooling
branch
from
4622532 to
7e794b6
Compare
|
Signed-off-by: Benjamin Leggett <[email protected]>
|
In response to a cherrypick label: new pull request created: #983 |
|
(ty vm to @howardjohn for tracking down that |
This works around several issues found in #864 relating to clients (loadgen mostly) that open many connections very rapidly.
hyper's pooling library has rather basic scheduling controls, to the point where we can rather easily overwhelm "send_request" such that it never resolves. Tweaking server/client streamlimits does not work around this, as the pooling scheduler does not respect them when selecting pooled streams, and will simply allow a single conn to get backed up.hyper's pooling library doesn't really have the concept of multiple HTTP/2 connections to the same dest, which makes sense as the HTTP/2 spec doesn't recommend this (the spec says SHOULD NOT instead of MUST NOT, which in spec-speak is "we can't stop you, I guess")Racing to create connections creates problems in scenarios where a lot of connection attempts are made at once due to lack of throttling - many connections can actually be established or "cross the finish line at the same time", when we only need one, and this noise can compromise the ability of the local or dest ztunnel to respond to other workloads.
Notes:
By design, this pool does not manage Hyper client state, nor is it tightly coupled with it. All it does is hold references to Hyper clients that can be reused, and evict its own held references to those Hyper clients when they cannot be reused. The rest is managing async access.
By design, this pool is designed to create backpressure when one client opens many connections to the same destination at the same time. It does this by locking connection-mutative operations per src/dest key.
The only write lock should be on that inner src/dest key. The only operations inside the pool that must be ordered/force ordering are 1. Ensuring that we have a key writelock in the outer map. 2. Locking the inner key writelock. The rest should not demand any sort of ordering to be safe.
This pool does not decrement stream counts - when a connection hits its max stream count, the pool pops the reference and removes it from the rotation, leaving the connection to die when whatever is using it drops all the refs, and will create a new connection on the next go round. This leads to simpler accounting, while still maintaining the protections against connection storms that we need.