etcdserver: improve linearizable renew lease #20589
Conversation
This change fixes the issue where excessive "apply request took too long" warnings can potentially block all lease keep-alive operations. The changes mitigates this impact while preserving system correctness: 1. Lease Not Found Handling: When a lease is not found, it might be undergoing application processing. We wait for the applied index to advance to confirm whether the lease truly doesn't exist, preventing false negatives. 2. Revoking Lease Handling: When a lease is found but in revoking state, the revoke request has been committed but not yet applied. Allowing the current renewal to proceed doesn't compromise correctness since the lease will still be properly revoked once the revoke request is applied. Signed-off-by: Aaron Zhang <[email protected]>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aaronjzhang The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @aaronjzhang. Thanks for your PR. I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@ahrtr would you please help to review this PR? thanks. |
It might be improving a little bit. Assuming there are already N entries pending to be applied, during the Have you confirmed that there is any improvement in your production or test environment? |
Yes, this has been confirmed in our production environment and can be easily reproduced in a test environment using the following steps:
Without this improvement, the lease keep-alive fails; with the improvement, it functions correctly. Based on my understanding, a lease is only checkpointed when its TTL is greater than the checkpoint interval. Since we are using the default checkpoint interval of 5 minutes, the code below would not be executed when renewing a lease with a short TTL. |
Could you be more explicit on this? What's the difference on lease renew's behaviour before and after the change in this PR when etcdserver is under load? |
Before the change, each lease keep-alive operation had to wait for the current apply index to be processed—even if the ongoing applying process was unrelated to the lease. If the waitApplyIndex operation blocked for too long, it could delay the keep-alive and potentially cause the lease to expire. After the change, we check whether the lease already exists. If it exists, it implies that none of the current applying operations should be related to that lease. Therefore, we can renew the lease without waiting for the current apply index. This decouples the lease renewal process from unrelated applying operations, preventing their delays from causing leases to expire. |
Sorry, I should be clearer. I wasn't asking you to explain this PR. Instead I was asking the outcome from user perspective, for example how many leases were wrongly revoked when etcdserver under heavy load in a certain period (i.e. every minute), and how much this PR improved that. |
All leases were wrongly revoked without the change. With this PR, no leases are revoked wrongly. |
|
OK, adding a feature gate might be a more prudent choice. |
| // 2. If a lease is found but in revoking state, the revoke request has | ||
| // been committed but not yet applied. Even if we allow the current | ||
| // renewal to proceed, it won't affect the eventual outcome since the | ||
| // lease will still be properly revoked once the revoke request is applied. |
There was a problem hiding this comment.
In the second scenario, there is a small chance that users might get confused when the LeaseKeepAlive responds no error even after they just successfuly called LeaseRevoke.
The LeaseRevoke will eventually be applied, KeepAlive will quit, so it does not break correctness.
A suprising renewal failure seems a bigger threat to a metadata system.
This change adds a FastLeaseKeepAlive feature gate that allows skipping the wait for the applied index when renewing an existing lease. Signed-off-by: Aaron Zhang <[email protected]>
Added a feature gate. |
This change fixes the issue where excessive "apply request took too long" warnings can potentially block all lease keep-alive operations which is discussed in #18100 . The changes mitigates this impact while preserving system correctness:
Lease Not Found Handling: When a lease is not found, it might be undergoing application processing. We wait for the applied index to advance to confirm whether the lease truly doesn't exist, preventing false negatives.
Revoking Lease Handling: When a lease is found but in revoking state, the revoke request has been committed but not yet applied. Allowing the current renewal to proceed doesn't compromise correctness since the lease will still be properly revoked once the revoke request is applied.
Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.