grpcproxy: support lease coalescing

[fanminshi]

FIX #6912

[fanminshi]

I will add tests later if the code structure seems reasonable.

[heyitsanthony]

I noticed this has broadcasts. Usually leases are only going to be updated by a single client so I'm not sure it makes sense to structure it this way.

Also, does that broadcasting mean the proxy will send a keepalive response even if a client doesn't issue a keep alive request?

There's no need for special tests for this... integration tests with -tags cluster_proxy should cover it.

[heyitsanthony]

Update integration/cluster_proxy.go so it uses this?

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@49a1237). Click here to learn what that means.
The diff coverage is 1.39%.

@@            Coverage Diff            @@
##             master    #7221   +/-   ##
=========================================
  Coverage          ?   63.88%           
=========================================
  Files             ?      233           
  Lines             ?    20981           
  Branches          ?        0           
=========================================
  Hits              ?    13403           
  Misses            ?     6579           
  Partials          ?      999

Impacted Files	Coverage Δ
proxy/grpcproxy/watch_client_adapter.go	0% <ø> (ø)
proxy/grpcproxy/lease_client_adapter.go	0% <ø> (ø)
etcdmain/grpc_proxy.go	19.79% <ø> (ø)
proxy/grpcproxy/chan_stream.go	0% <ø> (ø)
proxy/grpcproxy/lease.go	0% <ø> (ø)
clientv3/lease.go	91.11% <100%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 49a1237...65b59f4. Read the comment docs.

[fanminshi]

@heyitsanthony, i structured the code that mirror to that of watch. I am unsure if this is the best approach. This is what i am thinking, I want to group all the lease proxy streams that's issues keepalive req to the same lease Id together. I call that group a broadcast. with in the broadcast structure, I use lease client to send the keepAlive req to the etcd backend for that leaseID. Once the lease client receives a keepalive response back, then it broadcasst the response to all the lease proxy streams in the broadcast group. then it is the responsibility of lease proxy stream to determine whether to send the keep alive response back to the client. broadcasts maintains mapping of lease proxy stream and broadcast.

also i noticed that the msg transmission logic inside leaseProxyStream is not correct. let me fix that first.

[heyitsanthony]

Please use descriptive file names. chan_stream.go?

[heyitsanthony]

needs a rebase against master

[fanminshi]

@heyitsanthony yeah, will resolve the merge conflict and also will remove the print statements when the code looks good.

[heyitsanthony]

if leaderc is closed, what ensures the recv loop is stopped? The stream ctx won't be canceled by lps.cancel()

[fanminshi]

LeaseKeepAlive() exits should cause stream to cancel right? therefore the recv() should be cancelled.

[heyitsanthony]

Yes, but LeaseKeepAlive() calls defer lps.stop(). There's a deadlock.

[fanminshi]

can stream.send() blocks forever? from https://github.com/fanminshi/etcd/blob/61d99449d5e6c7ae523c90379d66f0e83dd94531/proxy/grpcproxy/lease.go#L254

if that blocks forever, then it means that lps.stop() will be blocked. that's where i see the deadlock.

[heyitsanthony]

Please don't write essay comments when what's happening isn't very complicated or intricate; it's misleading and makes the code more difficult to read

The code doesn't need to make this assumption anyway, the first select can block indefinitely on a nil ticker channel:

var ticker <-chan time.Time
select {
case <-ticker:
    ...
case ka := <-keepaliveCh:
    ....
    ticker = time.After(ka.TTL)
}

[fanminshi]

got it. will change.

[fanminshi]

All fixed. PTAL cc\ @heyitsanthony.

[heyitsanthony]

just ctx, cancel

[heyitsanthony]

why move this? it works fine for the regular etcd server

[fanminshi]

lease proxy uses watch to detect leader loss where as the etcd server has some different logic for that. from my testing, lease proxy detects the leader loss right away. so at

func TestV3LeaseFailover(t *testing.T) {
...
	for {
               // first loop
		if err = lac.Send(lreq); err != nil {
			break
		}
		lkresp, rxerr := lac.Recv()
		if rxerr != nil {
                        // lease proxy returns leader loss at here.
			break
		}
                // lease proxy code never reaches here 
		expectedExp = time.Now().Add(time.Duration(lkresp.TTL) * time.Second)
		time.Sleep(time.Duration(lkresp.TTL/2) * time.Second)
	}
...

        // if expectedExp not set, waits forever
	time.Sleep(expectedExp.Sub(time.Now()) - 500*time.Millisecond)
}

the original code will not have expectedExp set , so the time.Sleep(expectedExp.Sub(time.Now()) - 500*time.Millisecond) sleeps forever.

in order to solve that issue, we need to set expectedExp at very beginning.

why did the etcd server code works?

from my investigation,

func TestV3LeaseFailover(t *testing.T) {
...
	for {
                // loop one okay
                // loop two
		if err = lac.Send(lreq); err != nil {
			break
		}
		lkresp, rxerr := lac.Recv()
               // loop two encounters rxerr(request timeout)
		if rxerr != nil {
			break
		}
               // loop one sets expectedExp
		expectedExp = time.Now().Add(time.Duration(lkresp.TTL) * time.Second)
		time.Sleep(time.Duration(lkresp.TTL/2) * time.Second)
	}
...
// expectedExp is set at loop one, therefore the sleeps works.
time.Sleep(expectedExp.Sub(time.Now()) - 500*time.Millisecond)
...
}

[heyitsanthony]

lease proxy uses watch to detect leader loss where as the etcd server has some different logic for that.

They both go through the same interceptor path on the etcd server; the only difference is there is a separate stream monitoring for leader loss on the proxy. Why is the etcd server processing a keepalive request/response before erroring out on leader loss, but not the proxy? There should still be a delay between the leader loss and the etcd server recognizing that loss...

This needs some kind of investigation instead of trying to mask it.

[fanminshi]

I think the problem with the proxy is that using keepAlive() for lease renewal doesn't return any error to the proxy such as the request timeout i think. In that case, my current code doesn't return any proxy_etcd client error. so it is then the job of the proxy watch to catch the leader loss event. should we also return any errors that's due to proxy_etcd client? I am not sure how to achieve that by just using keepAlive().

[fanminshi]

i investigate a bit more. the reason why proxy doesn't get the first req through is that there is a delay in when lease client sends out ka req to etcd server. https://github.com/coreos/etcd/blob/master/clientv3/lease.go#L456
this delay is long enough for watch detect leader loss before the req being sending out. if i change the delay to 10ms, the behavior is the same as etcd server.

[heyitsanthony]

remove

[heyitsanthony]

2017

[heyitsanthony]

remove

[heyitsanthony]

shouldn't there be a return when the ticker expires?

[fanminshi]

good catch

[heyitsanthony]

keepAliveLoop?

[heyitsanthony]

why have this? ccancel() is only called when the the function exits so nothing is blocking on cctx; it's a no-op

[fanminshi]

what do you mean by blocking on cctx? the purpose of the new context is to cancel the KeepAlive() for the given leaseID if keepAliveLoop() exit. If we don't use a new ctx, how do we tell the proxy_etcd client to stop sending keepalive req for this lease id to etcd backend?

[heyitsanthony]

Oh, OK. You're right. Nevermind.

[heyitsanthony]

this is racey:

1. client has ka stream on this proxy, issues ka reqs
2. client loses connection
3. client connects to another proxy, issues ka reqs
4. client loses connection to that proxy
5. opens new ka stream on this proxy, sends ka req; proxy receives req, reuses existing channel, posts message
6. ticker times out before receiving posted message, tears down goroutine, keepalive request is lost

[fanminshi]

at step 2, should the loss of connection causes the stream to be closed and therefore closes the leaseProxyStream?
then at step 5, reusing the existing channel is not possible because the channel is closed at step 1 when leaseProxyStream is closed.

[heyitsanthony]

OK, it's fine for the disconnect case. Suppose there's no disconnect but the next request is delayed so that the ticker times out and the defer begins. The ka request is received on the stream and the lease proxy finds an entry in lps.keepAliveLeases, passing the request to the corresponding goroutine. However, the defer continues and tears down the goroutine. What happens to that request?

[fanminshi]

i see. got it. the req doesn't go though because keepAliveLoop() for that lease id has teared down. let me rethink how to handle case.

[fanminshi]

Suppose that I get rid of the ticker. the keepAliveLoop() only exits if context is cancelled or lps.client.KeepAlive() closes the response channel. In this case, a new ka request finds an entry in lps.keepAliveLeases and passes through right before the keepAliveLoop() defer function deletes the entry in lps.keepAliveLeases. in this case, what should we deal with the new request that's not being processed? should the keepAliveLoop() clean up logic check if there are outstanding keepalive requests and send some kinda error back to stream?

[heyitsanthony]

The ticker / some timeout mechanism is still necessary, otherwise the proxy will keep sending keepalives until the stream is torn down.

[fanminshi]

yeah, you are right.

[heyitsanthony]

is it safe to drop this message on the floor?

[fanminshi]

it is a best effort approach. I am not entirely sure if that's the best solution. it is entirely possible that a critical message be dropped, suppose that we have 1000 leaseKeepAlive req for lease A and only one lease leaseKeepAlive req for lease B, we get all 1000 leaseKeepAlive resps back for A, and they fill up the lps.respc. Then we also get the only leaseKeepAlive resp for B, and it will be dropped. so it will be unsafe in that scenario.

[heyitsanthony]

That's not how the lease grpc stream protocol works. See https://github.com/coreos/etcd/blob/master/etcdserver/api/v3rpc/lease.go#L63 -- where does it drop requests on the floor?

It's not best-effort; it will not drop requests without sending a response. If it doesn't eventually respond to every request, that should mean the stream is lost.

[fanminshi]

kk, should I just not drop msg then? just let go routine wait if the channel is full? and close the channel if the stream proxy is closed?

[heyitsanthony]

Probably just block for now...

[fanminshi]

got it.

[fanminshi]

All fixed. PTAL c/ @heyitsanthony

[heyitsanthony]

if it's creating a Lease object from a raw grpc lease client, it shouldn't know about clientv3 config; defeats the purpose of having raw grpc if it needs a higher-level clientv3 config

[heyitsanthony]

new /what/? This function makes the cut at the wrong place so it's impossible to have a sensible name. Try:

func NewLease(c *Client) Lease {
    return NewLeaseFromLeaseClient(RetryLeaseClient(c), c.cfg.DialTimeout + time.Second)
}

func NewLeaseFromLeaseClient(remote pb.LeaseClient, keepAliveTimeout time.Duration) Lease {
	l := &lessor{
		donec:                 make(chan struct{}),
		keepAlives:            make(map[LeaseID]*keepAlive),
		remote:                remote,
		firstKeepAliveTimeout: keepAliveTimeout,
 	}
	if l.firstKeepAliveTimeout == time.Second {
		l.firstKeepAliveTimeout = defaultTTL
	}
	l.stopCtx, l.stopCancel = context.WithCancel(context.Background())
	return l
}

(this is similar to how watch does it)

[heyitsanthony]

this probably needs to be under the pmu lock to avoid a goroutine leak if cluster termination races with creating a new client

[heyitsanthony]

don't change year for files that already exist

[heyitsanthony]

what uses this?

[fanminshi]

LeaseGrant(), LeaseRevoke(), and LeaseTimeToLive() use client to create new conn.
e.g

func (lp *leaseProxy) LeaseGrant(ctx context.Context, cr *pb.LeaseGrantRequest) (*pb.LeaseGrantResponse, error) {
	conn := lp.client.ActiveConnection()
	return pb.NewLeaseClient(conn).LeaseGrant(ctx, cr)
}

[heyitsanthony]

These should use clientv3.Lease

[fanminshi]

sounds good.

[fanminshi]

using clientv3.Lease fails few tests that specifically use raw grpc LeaseGrant() with pb.LeaseGrantRequest{ID: 1, TTL: 1}).
e.g

lresp, err := toGRPC(clus.RandClient()).Lease.LeaseGrant(
		context.TODO(),
		&pb.LeaseGrantRequest{ID: 1, TTL: 1})

since the clientv3.Lease.Grant() doesn't not accept a lease ID, there is no way to satisfy a LeaseGrant() req for a specific lease ID.

[heyitsanthony]

ok keep around a LeaseClient, then-- not a full clientv3.Client

[heyitsanthony]

ticker = nil

[heyitsanthony]

abcC looks too much like channels. Try neededResps

[heyitsanthony]

this breaks if canSendRespC.get() > 1

[fanminshi]

if canSendRespC.get() > 1, then I execute following code to send ka resp back to the client.

case rp, ok := <-respc:
if !ok {
        ...
        if canSendRespC.get() == 0 {
 	        return nil
 	}
        // case: canSendRespC.get() > 1
	ttlResp, err := lps.lessor.TimeToLive(cctx, clientv3.LeaseID(leaseID))
	if err != nil {
		return err
	}
	r := &pb.LeaseKeepAliveResponse{
		Header: ttlResp.ResponseHeader,
		ID:     int64(ttlResp.ID),
		TTL:    ttlResp.TTL,
	}
	lps.respc <- r
	return nil
}
       ...

i am unsure what does above code breaks?

[heyitsanthony]

If there are n > 1 responses, it will not send n responses.

[fanminshi]

I see.

[heyitsanthony]

This should send as many responses as possible within some short time window:

timer := time.After(500 * time.Millisecond)
for neededResps.get() > 0 {
    done := false
    select {
    case lps.respc <- r:
    case <-timer: done = true
    }
    if done { break }
}

[fanminshi]

why couldn't i send n msgs where n := neededResps.get()?

[heyitsanthony]

The TTL will be stale

[fanminshi]

by sending as many responses as possible breaks the 1:1 reqs to resps ratio.
e.g suppose a client sends 2 ka reqs for same lease to proxy and proxy hasn't receive any resps, then proxy received a resp and the neededResps.get() == 2. proxy then send 5 msgs back to client within 500 ms.

[heyitsanthony]

Sorry, it should have neededResps.add(-1) at the end of the loop

[fanminshi]

i see. that makes sense. ty

[heyitsanthony]

Rather, not the end of the loop, but case lps.respc <- r: neededResps.add(-1)

[heyitsanthony]

I don't think this is necessary

[fanminshi]

the errch is not buffered. what if it receives multiple errors at the same time and blocks goroutines that sends the error. e.g multiple keepAliveLoop goroutines sends error at the same time. My original thought is that the first error wins and will be sent back to client and rest of errors will be ignored.

[heyitsanthony]

Buffer it by 2 entries (one for recv, one for send) and keep the scope restricted to LeaseKeepAlive...

[fanminshi]

got it.

[fanminshi]

PTAL cc/ @heyitsanthony. I will add the leader stuff when #7314 is merged.

[heyitsanthony]

This only needs to be scoped to LeaseKeepAlive, just move the close(errc) out of lps.close(). Try to limit scope when possible, it's a corollary to the principle of least privilege.

[fanminshi]

recvLoop() and sendLoop() can return error even after the LeaseKeepAlive() returns. In that case, if I close close(errc) in the scope of LeaseKeepAlive(), then it is possible that recvLoop() and sendLoop() send error to a closed errc.

[heyitsanthony]

Huh? Move it to the goroutine in LeaseKeepAlive right after lps.close(). It is the exact same behavior but without the scope creep.

[fanminshi]

oh, got it. ty

[heyitsanthony]

This won't stop blocking until all outstanding streams in the proxy are closed out. I don't think it should be here; it's leaky.

[fanminshi]

Could you elaborate on the blocking part? I thought the purpose of this goroutine is to make sure all resources related to this leaseProxyStream are released. Once the resources are released, it tells that the lease proxy that this stream is done. Not sure what's blocking this goroutine.

[heyitsanthony]

You're right; never mind. This is fine.

[heyitsanthony]

cancel context.CancelFunc

[heyitsanthony]

I don't think this extra description is necessary...

[fanminshi]

kk, i'll keep first sentence then. keepAliveLeases tracks how many outstanding keepalive requests which need responses are on a lease.

[heyitsanthony]

What errors come out of this that are actually needed? The watch proxy doesn't do this. Is it only context cancel errors?

[fanminshi]

what about any stream error occurred in the recvLoop. the errc catches that. the watch code ignores those errors.

[heyitsanthony]

You didn't answer my question. What errors are being returned?

[fanminshi]

oh, I am not entirely sure. I recall that the original implementation return error on stream.Send(). from here https://github.com/coreos/etcd/blob/master/proxy/grpcproxy/lease.go#L77-L86. I am trying to keep that semantic.

[heyitsanthony]

ok...

[fanminshi]

anyways, should I ignore any errors occurred on stream send() or recv()?

[heyitsanthony]

just keep it I guess

[heyitsanthony]

just wg? There's only one waitgroup per lps

[fanminshi]

kk, i thought kawg might be a bit more descriptive. i guess not.

[heyitsanthony]

replyToClient? toRespc is not descriptive at all

[fanminshi]

will change.

[heyitsanthony]

This needs to reply to every request, not only the ones that can be sent in the TTL window; the goroutine can't terminate if it can't reply to all of them within the TTL window. If the lease is expired, it can send them all since the TTL can't be "stale". If the TimeToLive request says it's not expired, this should probably panic.

[fanminshi]

also i think we should take care of the case that LeaseKeepAlive() ctx is cancelled while sending resp msg back. In that case, replyToClient() should just return.

[heyitsanthony]

yes, it will need a select to avoid blocking on cancelation

[fanminshi]

All fixed. PTAL @heyitsanthony

[heyitsanthony]

Seriously, only scope this to LeaseKeepAlive, don't put it in leaseProxyStream. Right below this lps := statement, have errc := make(chan error, 2).

[heyitsanthony]

remove

[heyitsanthony]

remove line empty; ctx/cancel are related

[heyitsanthony]

this isn't necessary if it's a separate function, just do return wherever there is a done = true

[fanminshi]

All fixed. PTAL @heyitsanthony

[fanminshi]

fixed replyToClient() logic. PTAL @heyitsanthony

[fanminshi]

Incorporated kick leader into lease proxy. PTAL @heyitsanthony

[heyitsanthony]

lgtm

[fanminshi]

proxy ci fails on

--- FAIL: TestGRPCStreamRequireLeader (1.25s)
	v3_grpc_test.go:1391: err = context canceled, want etcdserver: no leader

I don't think it is related to this pr.

[heyitsanthony]

Failure is unrelated