Experiment: Improve concurrent merge performance by weakly owning branch updates

[arielshaqed]

What

When enabled, this feature improves performance of concurrent merges.

No seriously, what?

lakeFS retains branch heads on KV. An operation that updates the branch head - typically a commit or a merge - performs a 3-phase commit protocol:

• Get the branch head from KV
• Create the metarange on block storage based on that branch head
• Create a new commit with that metarange whose parent is that branch head, IF the branch head has not moved

When the third phase fails, the operation fails. We do retry automatically on the server, but obviously under load it will still fail. Indeed we see this happen to some users who have heavy merge loads. In this case each retry is actually more expensive, because the gap between the source commit and the destination branch tends to grow with every successive commit to the destination. Failure is pretty much guaranteed once sustained load crosses some critical threshold.

How

This PR is an experiment to use "weak ownership" to avoid having to retry. Broadly speaking, every branch update operation takes ownership of its branch. This excludes all other operations from updating that branch. This exclusion does not reduce performance - only one concurrent branch operation can ever succeed, and almost all concurrent branch operations can succeed. In fact, it increases performance because it prevents wasting resources on all the concurrent failing operations.

What about CAP?

Distributed locking is impossible by the CAP theorem. That's why we use weak ownership. This gives up on C (consistency) and some P (partition resistance) in favour of keeping A (availability). Specifically, a thread takes ownership of a branch by asserting ownership as a record on KV. This ownership has an expiry time; the thread refreshes its ownership until it is done, at which point it deletes the record.

This ownership is weak: usually a single thread owns the branch, but sometimes 2 threads can end up owning the same branch! If the thread fails to refresh on time (due to a partition or slowness or poor clock sync, for instance) then another thread will also acquire ownership! When that happens we have concurrent branch updates. Because these are correct in lakeFS, we lose performance and may need to retry, but we never give incorrect answers.

Results

This PR also adds a lakectl abuse merge command to allow us to measure. b0cfca3 has some numbers when running locally: with sustained concurrency 50, we run faster and get 0 failures instead of 6.6% failures. More details there why this is even better than it sounds. Graph available here, here's a spoiler:

[github-actions]

🎊 PR Preview 0ec602d has been successfully built and deployed to https://treeverse-lakeFS-preview-pr-8268.surge.sh

🕐 Build time: 0.011s

_{🤖 By surge-preview}

[github-actions]

E2E Test Results - DynamoDB Local - Local Block Adapter

[github-actions]

E2E Test Results - Quickstart

[yonipeleg33]

@arielshaqed looks like amazing work, thank you!
I haven't reviewed it yet, but a few general notes:

1. Do we have an experiment plan for this feature? Which customers/users, for how long, etc.
2. The term "weak" is a bit inaccurate here IMO:
   The term "weak" as defined in places like CPP's std::weak_ptr or Rust's std::sync::Weak means a "non-owning reference", which is different than how this mechanism of branch locking works - each worker owns the branch exclusively, but only for a short period, and with a graceful mechanism for giving up exclusive ownership.
   The term "lease-based ownership" suites better here IMO.

[arielshaqed]

I should probably mention that if we go in this direction, we can deploy this and then improve it. The next step is to add fairness: earlier merge attempts should have a better chance of being next. Otherwise when there are multiple concurrent merges some of the earlier merge will repeatedly lose and time out. If everything is fair then we expect fewer timeouts, and in general the tail latency will shorten.
One way to make things fairer is to manage an actual queue of tasks waiting to own the branch. Then either they're thread gets priority to pick up the task (it's allowed to pick up tasks sooner after their expiry, for instance task n in the queue waits until $t_{expiry} + n\cdot dt_{check}$) or the thread that owns the branch just processes all merges in the queue.
Anyway, we don't need that to run this experiment.

[itaiad200]

This is wrong, no? multiple routines can succeed at the same time

[arielshaqed]

Ouch, yeah, this was supposed to be a SetIf with the "not present" predicate - and I forgot to find out the correct value for that predicate.
Thanks for catching this!

[arielshaqed]

Thanks, that one's embarrassing.

[arielshaqed]

Ouch, yeah, this was supposed to be a SetIf with the "not present" predicate - and I forgot to find out the correct value for that predicate.
Thanks for catching this!

[arielshaqed]

@arielshaqed looks like amazing work, thank you! I haven't reviewed it yet, but a few general notes:

Thanks!

1. Do we have an experiment plan for this feature? Which customers/users, for how long, etc.

Yes. Firstly, this PR adds a lakectl abuse merge command to measure. After we pull I will deploy to Cloud staging, switch it on for a single private installation, and measure. Also as you probably know, we have a user for whom I plan this. I will communicate with them to measure on their system; obviously timing for that depends on the customer timing and how comfortable they feel switching it on.

2. The term "weak" is a bit inaccurate here IMO:
   The term "weak" as defined in places like CPP's std::weak_ptr or Rust's std::sync::Weak means a "non-owning reference", which is different than how this mechanism of branch locking works - each worker owns the branch exclusively, but only for a short period, and with a graceful mechanism for giving up exclusive ownership.
   The term "lease-based ownership" suites better here IMO.

In the C++ and Rust standard libraries, "weak" in this case refers to the pointer. (In other cases in the C++ standard library, "weak" can refer to any variant which is logically weaker, for instance we also have class weak_ordering. In this PR "weak" is supposed to weaken "ownership".

What we have in this PR indeed uses a lease-based implementation. But it's not ownership, it just behaves like ownership in almost all reasonable cases.

A better term might be "mostly correct ownership"¹. In fact, I believe that such an unwieldy name would be a good choice! If you agree I will change to use it.

Footnotes

1. The technical term "mostly" here is intended in same sense that Miracle Max uses it. ↩

[itaiad200]

Reviewed everything except for the tests. Some really good things here!

[itaiad200]

It seems to me that this shouldn't be in kv pkg. It deserves a standalone ownership/owner/ anything else package. The kv is an implementation detail of the ownership, so this struct should be called KVWeakOwner

[arielshaqed]

Sure. Let's do this after we agree on a name? @yonipeleg33 requested a name change, I'd rather do a single name change towards the end of the review.

[itaiad200]

Suggested change

	Merge nonconflicting objects to the source branch in parallel
	Merge non-conflicting objects to the source branch in parallel

[arielshaqed]

Will auto-generate this :-)

[itaiad200]

Shouldn't you check the error value? For instance, I don't think we should continue the update flow for context cancellation.

[arielshaqed]

Why? An error like that will keep happening, and the very next operation on the context will fail. I prefer not to complicate this code with handling of context cancellation (which should really examine either err or if ctx.Done() { ...ctx.Err()...}`). All this code does is emit a log

... error=start owning key... context cancelled... message=Failed to get ownership on branch; continuing but may be slow

which will be followed by a log somewhat like

... error=get item: context cancelled... message=...

I don't think it's worth adding confusion here.

[itaiad200]

Suggested change

	own, err := m.branchOwnership.Own(ctx, requestID, string(branchID))
	ownRelease, err := m.branchOwnership.Own(ctx, requestID, string(branchID))

or

Suggested change

	own, err := m.branchOwnership.Own(ctx, requestID, string(branchID))
	ownClose, err := m.branchOwnership.Own(ctx, requestID, string(branchID))

[arielshaqed]

Nice! Changed to release(), which I hope is even nicer.

[itaiad200]

Fix linting

[arielshaqed]

This was a sentinel not an actual error. See for instance io.EOF. It is used only in sleepFor to indicate that the context expired with no error. But it turns out that there are special cases in contest.WithCancelCause so we don't need it.

Removed, thanks!

[itaiad200]

Shouldn't you check the error and exit the function?

[arielshaqed]

I reported the error, and I do not think there is any useful action to take.

Aborting the action here, in particular, will probably livelock in some situations!

This goroutine has nothing waiting for it, and there really is nothing much to do with broken ownership. "All" that happens is that performance will suffer! This goroutine for the former owner thinks that another action stole its lease. So it makes sense to continue - it is likely to win the race to update, because it has already performed some work. Meanwhile the other action thinks that the former owner has stopped and will never finish - it should continue to avoid zombielock (a name I just invented for livelock against a stuck thread).

Which one is right? Well, if this goroutine is still running then the other action will most likely suffer. If it isn't running, it cannot do anything useful anyway.

[itaiad200]

Add a comment explaining why the code continues to try and own the key. Assuming that it should, I worry that this across multiple routines may have a cascading effect of kv calls

[arielshaqed]

Adding a comment to explain. But note that "all" that happens is that we fall back to the previous behaviour. Frankly I believe that the common cause for A losing a race to B will be that the clock on B is a bit too fast; this does not cause chains of lost races. The other common cause for A losing a race to B will be that A was stuck; again, that does not give it or any other thread an advantage against B. The final case is when all are badly stuck - for instance if you configure very short acquire and refresh intervals. In that case you do get what you would expect: a stuck system.

[itaiad200]

Suggested change

	Short: "Merge nonconflicting objects to the source branch in parallel",
	Short: "Merge non-conflicting objects to the source branch in parallel",

[arielshaqed]

Done.

[itaiad200]

Suggested change

	fmt.Println("Source branch:", u)
	fmt.Println("Source branch: ", u)

[arielshaqed]

Thanks for the thorough review!

PTAL...

[arielshaqed]

Done.

[arielshaqed]

Will auto-generate this :-)

[arielshaqed]

Done.

[arielshaqed]

Done. Either way will have strange performance characteristics, of course.

[arielshaqed]

Confusion about how cancellation would work. Restored, thanks!

[arielshaqed]

Not done, I am unsure how to extract the same logic into both funcs. In particular, they have different error conditions and different handling for each error.

[arielshaqed]

Not sure why not: this key is on my partition, with my prefix, and I set it starting at l. 245. It serves to indicate ownership, and its value holds only ownership. I think I can delete it.

[arielshaqed]

Suppose a system is behaving really strangely. I can look at its ownership partition and determine which operation owns it -- that's what I put here when I took ownership. I call it "comment" rather than something else because I don't want to commit to any format of what exactly goes in there.

[arielshaqed]

Added!

[itaiad200]

@arielshaqed could you open an issue and link to it? This is hardly a minor-change :)

[itaiad200]

Review wip

[itaiad200]

👍

[itaiad200]

I really hope kv contract tests cover this

[itaiad200]

It holds ownership, but it's not guaranteed to be your routine ownership (unless I'm missing something). Some other thread might successfully set itself as owner and your cleanup code breaks it.

[arielshaqed]

@arielshaqed could you open an issue and link to it? This is hardly a minor-change :)

#8288 :-)

[arielshaqed]

I really hope kv contract tests cover this

That line no longer occurs directly. We do still have it implied. I believe that it is tested by kvtest here and here.

[arielshaqed]

Thanks!

PTAaaAAaaAAL...

[arielshaqed]

A DeleteIf operation sure would be nice here. Since we didn't spec one out, I'll replace it with a sentinel value instead.

[itaiad200]

Sorry for the late feedback, I am reviewing it very cautiously.

I wonder if wrapping BranchUpdate is the appropriate location to "Own" a branch. Every major branch changing operation, like commit & merge has 2 BranchUpdate calls. One for changing the staging token and one for the actual operation. If these 2 operations don't happen one after the other.
The current ownership model only wraps a single BranchUpdate call, thus releasing the lock prematurely.

[arielshaqed]

Sorry for the late feedback, I am reviewing it very cautiously.

I wonder if wrapping BranchUpdate is the appropriate location to "Own" a branch. Every major branch changing operation, like commit & merge has 2 BranchUpdate calls. One for changing the staging token and one for the actual operation. If these 2 operations don't happen one after the other. The current ownership model only wraps a single BranchUpdate call, thus releasing the lock prematurely.

I'm not sure this matters. There is no connection between the two update operations: my commit can succeed even if you were the last to seal staffing tokens. And of course sealing is cheap. So I would not expect this to affect performance.

Of course the easy way to be sure will be to perform the experiment.