[RFC] Admission Control mechanism for Cluster Manager APIs #7520
Labels
discuss
Issues intended to help drive brainstorming and decision making
distributed framework
enhancement
Enhancement or improvement to existing feature or request
idea
Things we're kicking around.
RFC
Issues requesting major changes
v2.13.0
Issues and PRs related to version 2.13.0
Is your feature request related to a problem? Please describe.
Today, Cluster Manager can be overwhelmed by sending too many requests which can cause its memory/ CPU to spike and also making its transport busy. This can have unwanted effect on the cluster with critical operations like health checks failing, node-joins/ left processing getting delayed etc. There are circuit breakers which operate based on heap memory usage and would start rejection after a certain threshold is breached. But, it can allow lot of incoming requests as it takes into account incoming request size which would be 0 for most of the get requests. Also, APIs like _cluster/health, _cluster/state which are critical for cluster functioning are not tripped over but their response payload size could be really big potentially in MBs as well. The circuit breakers also don’t handle any prioritization.
OpenSearch already supports Indexing and Search Back Pressure with intelligent resource tracking. The proposal is to build smart admission control for Cluster Manager APIs (eventually back pressure).
Describe the solution you'd like
Cluster Manager availability is critical to overall availability and stability of the cluster. The proposal here is to provide more Intelligent request rejection mechanism which takes into account the pending requests in transport thread pool queue, consider other resources like cpu, handles prioritisation during rejection etc.
For write APIs, there is ClusterManager Task Throttling which should provide protection against too many tasks but few tasks spiking up the resource usage could cause impact. Though in the first phase, the plan is to focus on read APIs only.
In future, there should also be mechanism to cancel the read requests related to admin operation like _cat, _nodes/stats, _cluster APIs which are running for long duration.
I am looking for feedback from the community to evolve this feature from an idea to concrete proposal.
The text was updated successfully, but these errors were encountered: