enhancement(sinks): Add distributed service

[ktff]

Issue #3649

#13236 PR got quite large so it made sense to split it into two PR. This is the first one.

Adds service for distributing events to multiple endpoints.

cc. @tobz

[netlify]

✅ Deploy Preview for vector-project ready!

Name	Link
🔨 Latest commit	a83849a
🔍 Latest deploy log	https://app.netlify.com/sites/vector-project/deploys/6304d7e55bee570008f79c0e
😎 Deploy Preview	https://deploy-preview-13918--vector-project.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[github-actions]

Soak Test Results

Baseline: 447fdc9
Comparison: 37468d5
Total Vector CPUs: 4

Explanation

A soak test is an integrated performance test for vector in a repeatable rig, with varying configuration for vector. What follows is a statistical summary of a brief vector run for each configuration across SHAs given above. The goal of these tests are to determine, quickly, if vector performance is changed and to what degree by a pull request. Where appropriate units are scaled per-core.

The table below, if present, lists those experiments that have experienced a statistically significant change in their throughput performance between baseline and comparision SHAs, with 90.0% confidence OR have been detected as newly erratic. Negative values mean that baseline is faster, positive comparison. Results that do not exhibit more than a ±8.87% change in mean throughput are discarded. An experiment is erratic if its coefficient of variation is greater than 0.3. The abbreviated table will be omitted if no interesting changes are observed.

Changes in throughput with confidence ≥ 90.00% and absolute Δ mean >= ±8.87%:

experiment	Δ mean	Δ mean %	confidence
socket_to_socket_blackhole	-10.61MiB	-44.19	100.00%

Fine details of change detection per experiment.

experiment	Δ mean	Δ mean %	confidence	baseline mean	baseline stdev	baseline stderr	baseline outlier %	baseline CoV	comparison mean	comparison stdev	comparison stderr	comparison outlier %	comparison CoV	erratic	declared erratic
syslog_splunk_hec_logs	649.56KiB	4.04	100.00%	15.72MiB	774.6KiB	15.76KiB	0	0.0481203	16.35MiB	654.32KiB	13.35KiB	0	0.0390712	False	False
syslog_log2metric_splunk_hec_metrics	679.65KiB	3.73	100.00%	17.81MiB	556.17KiB	11.33KiB	0	0.0304819	18.48MiB	693.71KiB	14.13KiB	0	0.0366549	False	False
syslog_humio_logs	602.59KiB	3.59	100.00%	16.37MiB	300.11KiB	6.13KiB	0	0.0178971	16.96MiB	308.59KiB	6.31KiB	0	0.0177642	False	False
syslog_regex_logs2metric_ddmetrics	427.03KiB	3.35	100.00%	12.43MiB	605.36KiB	12.33KiB	0	0.0475386	12.85MiB	551.24KiB	11.24KiB	0	0.0418835	False	False
splunk_hec_route_s3	386.1KiB	2.16	100.00%	17.42MiB	2.59MiB	53.99KiB	0	0.148735	17.8MiB	2.66MiB	55.71KiB	0	0.149521	False	False
http_to_http_acks	334.0KiB	1.88	81.78%	17.37MiB	8.23MiB	172.02KiB	0	0.473667	17.7MiB	8.71MiB	181.87KiB	0	0.491952	True	True
syslog_log2metric_humio_metrics	70.27KiB	0.54	100.00%	12.73MiB	386.82KiB	7.9KiB	0	0.0296568	12.8MiB	653.23KiB	13.3KiB	0	0.0498141	False	False
http_pipelines_blackhole_acks	3.33KiB	0.28	85.00%	1.18MiB	107.96KiB	2.2KiB	0	0.0894374	1.18MiB	35.11KiB	733.77B	0	0.0290075	False	False
splunk_hec_to_splunk_hec_logs_noack	16.9KiB	0.07	85.16%	23.82MiB	466.2KiB	9.52KiB	0	0.0191081	23.84MiB	332.56KiB	6.79KiB	0	0.0136209	False	False
enterprise_http_to_http	1.34KiB	0.01	14.66%	23.84MiB	252.54KiB	5.15KiB	0	0.0103406	23.85MiB	247.78KiB	5.07KiB	0	0.0101452	False	False
splunk_hec_indexer_ack_blackhole	-4.76KiB	-0.02	14.00%	23.75MiB	931.8KiB	18.95KiB	0	0.038313	23.74MiB	943.74KiB	19.19KiB	0	0.0388113	False	False
splunk_hec_to_splunk_hec_logs_acks	-11.16KiB	-0.05	35.23%	23.76MiB	818.83KiB	16.66KiB	0	0.0336503	23.75MiB	878.79KiB	17.87KiB	0	0.036131	False	False
file_to_blackhole	-85.01KiB	-0.09	52.78%	95.37MiB	3.79MiB	78.32KiB	0	0.0396914	95.28MiB	4.27MiB	88.59KiB	0	0.0447748	False	False
fluent_elasticsearch	-138.16KiB	-0.17	100.00%	79.47MiB	53.24KiB	1.08KiB	0	0.000654072	79.34MiB	1.32MiB	27.17KiB	0	0.0166318	False	False
http_to_http_json	-48.02KiB	-0.2	99.95%	23.85MiB	343.98KiB	7.02KiB	0	0.0140835	23.8MiB	578.85KiB	11.81KiB	0	0.0237467	False	False
http_to_http_noack	-107.61KiB	-0.44	100.00%	23.84MiB	265.74KiB	5.44KiB	0	0.0108822	23.74MiB	1.12MiB	23.35KiB	0	0.0471875	False	False
http_pipelines_no_grok_blackhole	-80.66KiB	-0.71	99.96%	11.02MiB	223.29KiB	4.56KiB	0	0.0197818	10.94MiB	1.08MiB	22.45KiB	0	0.0985227	False	False
datadog_agent_remap_blackhole	-657.57KiB	-1.01	100.00%	63.81MiB	4.58MiB	95.41KiB	0	0.0718125	63.17MiB	2.62MiB	54.62KiB	0	0.0414097	False	False
http_pipelines_blackhole	-25.17KiB	-1.6	100.00%	1.54MiB	91.09KiB	1.86KiB	0	0.0578078	1.51MiB	133.64KiB	2.72KiB	0	0.0861878	False	False
datadog_agent_remap_blackhole_acks	-1.43MiB	-2.35	100.00%	61.01MiB	4.57MiB	95.2KiB	0	0.0749285	59.58MiB	3.84MiB	80.09KiB	0	0.0644205	False	False
datadog_agent_remap_datadog_logs_acks	-2.12MiB	-3.3	100.00%	64.35MiB	3.06MiB	64.08KiB	0	0.0476122	62.23MiB	4.3MiB	89.61KiB	0	0.0691549	False	False
datadog_agent_remap_datadog_logs	-2.3MiB	-3.6	100.00%	64.09MiB	851.36KiB	17.43KiB	0	0.0129703	61.78MiB	4.21MiB	87.7KiB	0	0.0681485	False	False
syslog_loki	-784.27KiB	-5.17	100.00%	14.82MiB	328.02KiB	6.72KiB	0	0.0216139	14.05MiB	696.1KiB	14.15KiB	0	0.0483673	False	False
http_text_to_http_json	-2.34MiB	-5.88	100.00%	39.84MiB	960.04KiB	19.6KiB	0	0.0235305	37.49MiB	836.26KiB	17.08KiB	0	0.0217764	False	False
socket_to_socket_blackhole	-10.61MiB	-44.19	100.00%	24.02MiB	354.58KiB	7.24KiB	0	0.0144122	13.41MiB	128.81KiB	2.63KiB	0	0.00938141	False	False

[ktff]

@tobz this is ready for review.

[tobz]

I've started reviewing this, and left a few cursory comments.

Overall, the state transition (healthy to unhealthy, unhealthy to healthy, etc) logic is what I'm primarily concerned with and I'm still going through it because I think there might be a simpler approach but I'm also not sure if the current approach is going to handle all scenarios.

[tobz]

This PR is definitely getting closer, but there's still a few hangups for me.

Primarily, I don't believe using the sink's normal healthcheck -- or anything we'd normally consider a healthcheck -- is a valid measure of the downstream system's health in this case.

As mentioned previously, the healthcheck of a system might represent only a cursory "service is running" check, whereas once we actually send traffic to the system, the request hits different code paths, queues, and so on, that lead to actual errors.

Instead, we need to be observing the actual responses when they come back from the service, using those to determine whether the system is healthy again or still unhealthy. This is the sort of design we should be following: https://martinfowler.com/bliki/CircuitBreaker.html

[ktff]

@tobz I'm not sure if we are having a misunderstanding somewhere but current implementation does behave like a circuit breaker.

It monitors responses to requests and triggers when a sufficient number of unhealthy responses are observed and no healthy in the meantime. Once triggered it goes to sleep reporting the service as unavailable. Once it wakes up it checks the service with a healthcheck. What will that do depends on the specific sink in question. For some a nop always true could make sense, for some it's worth checking if the service is at least reachable, and etc. If it passes that it enters a probation period. If a healthy response is observed, it exits probation, moves to a healthy state, and timeout is reset. If not, and a sufficient number of unhealthy responses is observed, it yet again goes to sleep but this time for longer and so on.

How many unhealthy responses are needed to trigger and how many of them are acceptable during probation period can be configured with UNHEALTHY_AMOUNT_OF_ERRORS and PROBATION_AMOUNT.

[tobz]

@ktff I see what you are saying, and to be clear, I don't think this design isn't like a circuit breaker. What I'm trying to convey is that I want it to be more like a classic circuit breaker design where the traffic itself is what we use to reset the circuit rather than the healthcheck. Testing the actual traffic that caused it to trip in the first place is the only surefire way to know if it's healthy again.

Beyond that, I'm still reviewing the logic around how it trips/resets because I want to make sure we have it right considering that updates to the healthy/unhealthy counters are happening concurrently.

[ktff]

@tobz so you have issue with usage of healthchecks at all even though they don't reset circuit breaker but just to see if it's even worth it? And even though it's implementation is left to the sinks so it could be nop?

Only traffic can reset the circuit, "healthchecks" are here to test if it's even worth it, so maybe "healthchecks" is a confusing name, perhaps "unhealthcheck" is better name since it doesn't say that a service is healthy just that it can say for sure it's unhealthy.

[tobz]

@tobz so you have issue with usage of healthchecks at all even though they don't reset circuit breaker but just to see if it's even worth it? And even though it's implementation is left to the sinks so it could be nop?

Only traffic can reset the circuit, "healthchecks" are here to test if it's even worth it, so maybe "healthchecks" is a confusing name, perhaps "unhealthcheck" is better name since it doesn't say that a service is healthy just that it can say for sure it's unhealthy.

I do, yes.

Let's call the "normal" sink traffic a "data" request, and a typical healthcheck request a "control" request, in the spirit of data plane vs control plane. It is very common that the control plane can report that things are healthy, while actually sending traffic to the data plane would show an elevated/persistent rate of errors. As well, I'm going to use circuit breaker terminology from this point one: closed (healthy, traffic flowing), open (no traffic flowing), and half open (only probe/canary traffic flowing).

In my mind, if we're observing data requests to figure out whether or not the circuit breaker should trip into the open/half open state, we should likewise be observing data requests to figure out when it can be closed.

At best, a healthcheck could provide a response that is 100% indicative of whether or not data requests should succeed, and we've simply made an extra HTTP control request when we could have skipped straight to sending a data request. At worst, we're putting the service back in the closed state prematurely, which could allow a flood of requests to be sent through it before the first one returns with an error that triggers it to trip into the open state again.

This is why I'm arguing so strongly for allowing a data request through that gets used as the canary in the half open state. At the risk of talking a little too much about the implementation details of poll_ready:

• transitioning from closed to open would store a canary token before going to sleep
• once the backoff period had elapsed, we would now be in the "half open state", which would allow a canary request to be created
• when in the half open state, if a canary token was available, we would consume it and return as being ready for another call
• • if another call came in during the half open state -- canary request already outstanding -- those callers would have to register to wait to be notified (so we'd need a mechanism to wake them up, and would only wake them once we transition back to the closed state)
• that call (our canary request) would run like any other normal request in the closed state
• further calls to poll_ready would then be able to distinguish (from the counters) if the canary request succeeded or not (if we know we're in the half open state, and the token is empty, then we're waiting to observe a delta between the counter snapshot and the current counter state)
• when we observe that counter delta, we now know if it succeeded or failed
• if it fails, we simply reset our canary token to allow for another canary request, and put ourselves back in the open state (sleep until backoff period elapses, and then we go to half open to allow another canary request)

In this way, we only use data requests to figure out if the endpoint is healthy and the circuit breaker can be closed, and additionally, we don't run the risk of letting multiple requests through immediately until we know that the endpoint is healthy, and we're more confident that the endpoint is actually healthy because we're using real data requests.

[ktff]

@tobz

Regarding letting only one request pass during probation, I think that's the job of concurrency layers to throttle the requests so that short temporary downtimes don't inhibit throughput much, although I don't have an issue to limit this in Health service to one.

Regarding not taking control plane into consideration, I don't agree. For some sinks that can make sense and so they can leave healthcheck nop, but for some it doesn't. For example Elasticsearch sink when communicating with the cluster should, or at least be left to users to enable/disable, try not to pass requests if cluster is not in healthy state regardless of data plane. I really don't see an issue in having healthckeck be here. It enables to add things when needed and to be nop when it doesn't.

[ktff]

Also sending big request vs a simple ping healthcheck will have quite the difference in latency. But that isn't important so much.

[tobz]

Regarding letting only one request pass during probation, I think that's the job of concurrency layers to throttle the requests so that short temporary downtimes don't inhibit throughput much, although I don't have an issue to limit this in Health service to one.

I definitely agree that the letting through of a single request is starting to border on this layer also acting as a rate limit/concurrency layer... but in practice, I'm not sure how much this would change the runtime behavior?

The difference would be the latency of the healthcheck endpoint vs the latency of the data plane endpoint. So when the layer first trips open, and the backoff period is, say, 100ms or whatever... yeah, maybe the healthcheck request takes 10ms and the data plane request takes 1000ms, so now we're open/half-open for 1100ms instead of 110ms... but if we've exceeded our error budget, does only waiting 100ms have a chance to meaningfully improve the health of the downstream service? Is allowing all traffic to immediately start flowing again more likely than not to hurt the service?

Additionally, ARC may not have meaningfully scaled itself back if it's only seen a few errors so far. This is really the sort of thing that I'd prefer to empirically model with some sort of queueing simulation system based on these types, because it's a bit hard to talk about the behavioral specifics without a true model.. but that's far out of the scope of this PR.

Regarding not taking control plane into consideration, I don't agree. For some sinks that can make sense and so they can leave healthcheck nop, but for some it doesn't. For example Elasticsearch sink when communicating with the cluster should, or at least be left to users to enable/disable, try not to pass requests if cluster is not in healthy state regardless of data plane. I really don't see an issue in having healthckeck be here. It enables to add things when needed and to be nop when it doesn't.

I personally don't want to have to figure out, for every component, what the right health check logic to use for HealthService is. It's not clear that every component will have a single answer for the question of "what set of values that tell you if an endpoint is healthy or unhealthy?". It's definitely not something we want to burden users with having to understand and configure: should we stop serving traffic to an ES cluster that has unassigned shards (and thus a cluster health status of "red"), even if those unassigned shards might not be related to any of the indexes we're writing to?

We can always expand on the design in the future, to incorporate the notion of checking some other source of health information... but for this PR to proceed, it needs to observe the data plane traffic.

[ktff]

Then I'll add a limit to one request in half open state, and drop healthcheck since that's necessary to proceed.

[ktff]

@tobz this is ready for review.

[tobz]

Nice, this is a solid base to continue building from. 👍🏻

[ktff]

The failing Soak analysis checks don't seem to be related to this PR, since they fail at the start while reading some files.

[tobz]

Yeah, I'll take a look.

They don't handle action runner failure gracefully, so sometimes it's as simple as just rerunning them.

[tobz]

@ktff Can you merge in the latest changes from master? Looks like it's potentially trying to run a newer soak that this PR branch doesn't have the latest code for.

[github-actions]

Soak Test Results

Baseline: 8e2201b
Comparison: a83849a
Total Vector CPUs: 4

Explanation

A soak test is an integrated performance test for vector in a repeatable rig, with varying configuration for vector. What follows is a statistical summary of a brief vector run for each configuration across SHAs given above. The goal of these tests are to determine, quickly, if vector performance is changed and to what degree by a pull request. Where appropriate units are scaled per-core.

The table below, if present, lists those experiments that have experienced a statistically significant change in their throughput performance between baseline and comparision SHAs, with 90.0% confidence OR have been detected as newly erratic. Negative values mean that baseline is faster, positive comparison. Results that do not exhibit more than a ±8.87% change in mean throughput are discarded. An experiment is erratic if its coefficient of variation is greater than 0.3. The abbreviated table will be omitted if no interesting changes are observed.

No interesting changes in throughput with confidence ≥ 90.00% and absolute Δ mean >= ±8.87%:

Fine details of change detection per experiment.

experiment	Δ mean	Δ mean %	confidence	baseline mean	baseline stdev	baseline stderr	baseline outlier %	baseline CoV	comparison mean	comparison stdev	comparison stderr	comparison outlier %	comparison CoV	erratic	declared erratic
http_pipelines_blackhole_acks	40.77KiB	3.55	100.00%	1.12MiB	119.65KiB	2.44KiB	0	0.104293	1.16MiB	110.95KiB	2.26KiB	0	0.0933922	False	False
datadog_agent_remap_blackhole	1.81MiB	2.98	100.00%	60.68MiB	5.58MiB	116.38KiB	0	0.0920028	62.49MiB	4.42MiB	92.14KiB	0	0.0706717	False	False
datadog_agent_remap_datadog_logs	1.5MiB	2.64	100.00%	56.97MiB	4.25MiB	89.12KiB	0	0.074625	58.47MiB	5.58MiB	116.15KiB	0	0.0953307	False	False
datadog_agent_remap_blackhole_acks	1.12MiB	1.77	100.00%	63.05MiB	4.41MiB	91.94KiB	0	0.0699928	64.17MiB	2.78MiB	58.23KiB	0	0.0433354	False	False
http_to_http_acks	249.64KiB	1.41	71.83%	17.24MiB	7.9MiB	165.26KiB	0	0.458312	17.48MiB	7.79MiB	162.65KiB	0	0.445235	True	True
splunk_hec_route_s3	260.54KiB	1.35	100.00%	18.88MiB	2.22MiB	46.14KiB	0	0.117385	19.13MiB	2.13MiB	44.55KiB	0	0.111211	False	False
syslog_splunk_hec_logs	190.36KiB	1.15	100.00%	16.18MiB	788.95KiB	16.05KiB	0	0.0475936	16.37MiB	562.67KiB	11.48KiB	0	0.0335576	False	False
syslog_log2metric_splunk_hec_metrics	200.08KiB	1.11	100.00%	17.65MiB	502.84KiB	10.25KiB	0	0.0278198	17.84MiB	711.66KiB	14.5KiB	0	0.0389412	False	False
syslog_humio_logs	184.56KiB	1.1	100.00%	16.36MiB	285.93KiB	5.84KiB	0	0.0170676	16.54MiB	163.95KiB	3.36KiB	0	0.00967965	False	False
socket_to_socket_blackhole	210.05KiB	0.89	100.00%	23.16MiB	221.73KiB	4.53KiB	0	0.00934562	23.37MiB	636.3KiB	12.99KiB	0	0.0265837	False	False
syslog_regex_logs2metric_ddmetrics	94.65KiB	0.74	100.00%	12.48MiB	560.1KiB	11.41KiB	0	0.0438148	12.57MiB	525.06KiB	10.7KiB	0	0.0407716	False	False
splunk_hec_indexer_ack_blackhole	7.15KiB	0.03	21.32%	23.75MiB	931.4KiB	18.95KiB	0	0.0382977	23.75MiB	907.09KiB	18.45KiB	0	0.037287	False	False
splunk_hec_to_splunk_hec_logs_noack	5.05KiB	0.02	37.16%	23.83MiB	387.56KiB	7.92KiB	0	0.0158778	23.84MiB	332.29KiB	6.78KiB	0	0.0136109	False	False
enterprise_http_to_http	-1.35KiB	-0.01	14.73%	23.85MiB	252.91KiB	5.16KiB	0	0.0103551	23.85MiB	250.29KiB	5.12KiB	0	0.0102483	False	False
splunk_hec_to_splunk_hec_logs_acks	-23.9KiB	-0.1	68.85%	23.77MiB	767.25KiB	15.62KiB	0	0.0315128	23.75MiB	870.63KiB	17.71KiB	0	0.035794	False	False
http_to_http_json	-24.29KiB	-0.1	95.87%	23.84MiB	348.91KiB	7.12KiB	0	0.0142869	23.82MiB	466.07KiB	9.53KiB	0	0.0191031	False	False
http_text_to_http_json	-40.89KiB	-0.1	84.50%	39.35MiB	1015.03KiB	20.72KiB	0	0.0251859	39.31MiB	976.15KiB	19.93KiB	0	0.0242458	False	False
file_to_blackhole	-119.04KiB	-0.12	70.78%	95.33MiB	3.42MiB	70.86KiB	0	0.035871	95.22MiB	4.24MiB	88.02KiB	0	0.0445013	False	False
syslog_loki	-20.55KiB	-0.13	79.22%	14.88MiB	273.63KiB	5.61KiB	0	0.0179591	14.86MiB	753.63KiB	15.32KiB	0	0.0495299	False	False
fluent_elasticsearch	-164.7KiB	-0.2	100.00%	79.47MiB	86.12KiB	1.74KiB	0	0.00105804	79.31MiB	1.59MiB	32.67KiB	0	0.0199974	False	False
http_pipelines_blackhole	-3.86KiB	-0.23	77.32%	1.63MiB	85.41KiB	1.75KiB	0	0.0510315	1.63MiB	131.11KiB	2.67KiB	0	0.0785232	False	False
http_to_http_noack	-129.93KiB	-0.53	100.00%	23.84MiB	409.04KiB	8.36KiB	0	0.0167548	23.71MiB	1.27MiB	26.41KiB	0	0.0534558	False	False
http_pipelines_no_grok_blackhole	-92.71KiB	-0.83	100.00%	10.86MiB	357.34KiB	7.29KiB	0	0.0321172	10.77MiB	1.04MiB	21.6KiB	0	0.0962421	False	False
datadog_agent_remap_datadog_logs_acks	-522.36KiB	-0.95	98.69%	53.85MiB	6.87MiB	143.47KiB	0	0.127547	53.34MiB	7.39MiB	153.85KiB	0	0.138542	False	False
syslog_log2metric_humio_metrics	-173.64KiB	-1.34	100.00%	12.64MiB	384.87KiB	7.86KiB	0	0.0297187	12.47MiB	512.24KiB	10.44KiB	0	0.0400917	False	False