-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Meta] Plugin sandboxing: Step towards modular architecture in OpenSearch #1422
Comments
Could you tell us - what is the plan for "updating" a plugin? Assuming plugin-X is not fully complete on first release, how can users of the plugin update that plugin on their own instance of Core and Dashboard? |
@pjfitzgibbons Extensions will work like in VSCode or any other sane system, where they will declare a minimum (and sometimes a max) version of OpenSearch required. Then you'll be able to upgrade them to a newer release assuming it's compatible with your current version of OpenSearch at runtime, without restarting a cluster. Does this answer your question? |
@dblock Yes, understood. Is there a specific task above that you believe implicitly includes upgrading functionality (or version detection or ... ?) |
Hey @pjfitzgibbons! You can find more details on API Versioning here: #2447 |
Problem
Plugin architecture enables extending core features of OpenSearch. There are various kinds of plugins which are supported.
But, the architecture has significant problems for OpenSearch customers. Mainly, plugins can fatally impact the cluster
e.g critical workloads like ingestion/search traffic would be impacted because of a non-critical plugin like s3-repository failed with an exception.
The problem multiplies exponentially when we would like to run an arbitrary plugin as OpenSearch core and system resources are not protected well enough.
Zooming in technically, Plugins run with-in the same process as OpenSearch. As OpenSearch process is bootstrapping, it initializes PluginService.java via
Node.java. All plugins are classloaded via loadPlugin during the bootstrap of PluginService.
It looks for
plugins
directory and loads the classpath where all the plugin jar and its dependencies are already present. During the bootstrap, each plugin is initialized and they do have various interfaces through which they could choose to subscribe to state changes within the cluster e.g ClusterService.java.Resources on the system for Plugins in OpenSearch are managed via Java Security Manager. It is initialized during the bootstrap of OpenSearch process.
Each plugin defines a
security.policy
file e.g Anomaly Detection PluginAs we can see, plugins are loaded into OpenSearch process which fundamentally needs to change.
Objective
This feature enables any plugin to run safely without impacting the cluster and the system.
Design
PLEASE NOTE: THIS DOCUMENT IS WORK IN PROGRESS AND DOES NOT REPRESENT THE FINAL DESIGN.
Requirements
TBD (Define what we would like to accomplish and whats not changing in the system).
The high level thoughts for plugin sandboxing is basically trying to isolate plugin interactions with OpenSearch.
All the interactions for plugins are via extension points.
If we can modularize these extension points, I believe we can achieve isolation for plugins.
Proposal
Plugins run with the OpenSearch process today. We are proposing running plugins through (thanks to dblock@):
We see value in offering an option to run the plugin in different parts of the system. Some plugins would like run within the process (like searching, indexing), in an independent process (like snapshot repository) and on a remote node (like machine learning).
We will build a new Plugins Orchestrator which will facilitate running plugins in all 3 ways. New interfaces will be defined to establish communication between extension and OpenSearch.
Proof of Concept
To explore this idea more, we would like to have a plugin running in an independent process.
Tracking Issues
Learn and Share:
Milestones:
Meta: #1632
Back Burner:
FAQ
We are exploring to use a light weight form of
Transport
which will help bi-directional communication. Transport is the communication mechanism OpenSearch uses between nodes.AD Extension with create detector functionality latency: opensearch-project/opensearch-sdk-java#24 (comment)
AD plugin latency: opensearch-project/opensearch-sdk-java#24 (comment)
With an example extension point onIndicesModule(), we see about 8-11% depending on workload and the throughput decrease is between .05%-7%.
Now as we have the numbers for latency, we see there is value running plugins in process and we will continue to support it for critical workloads in the cycle of querying, indexing.
We are working towards OpenSearch 3.0 to have the initial framework to support extensions and release the first version of SDK support default extension points.
We are working on anomaly detector backend plugin as prototype and run it as an extension.
#5224
The text was updated successfully, but these errors were encountered: