neutron

neutron agents are too aggressive under server load

Bug #1554332 reported by Kevin Benton
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
Kevin Benton
neutron newton-1 "n1"

Bug Description

If a server operation takes long enough to trigger a timeout on an agent call to the server, the agent will just give up and issue a new call immediately. This pattern is pervasive throughout the agents and it leads to two issues:

First, if the server is busy and the requests take more than the timeout window to fulfill, the agent will just continually hammer the server with calls that are bound to fail until the server load is reduced enough to fulfill the query. If the load is a result of calls from agents, this leads to a stampeding effect where the server will be unable to fulfill requests until operator intervention.

Second, the server will build a backlog of call requests that makes the window of time to process a message smaller as the backlog grows. With enough clients making calls, the timeout threshold can be crossed before a call even starts to process. For example, if it takes the server 6 seconds to process a given call and the clients are configured with a 60 second timeout, 30 agents making the call simultaneously will result in a situation where 20 of the agents will never get a response. The first 10 will get their calls filled and the last 20 will end up in a loop where the server is just spending time replying to calls that are expired by the time it processes them.

See the push notification spec for a proposal to eliminate heavy agent calls: https://review.openstack.org/#/c/225995/

However, even with that spec, we need more intelligent handling of the cases where calls are required (e.g. initial sync) or where push notifications are too invasive to change from a call.

Kevin Benton (kevinbenton)
Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
milestone: none → mitaka-rc1
OpenStack Infra (hudson-openstack)
Changed in neutron:
status: New → In Progress
Kevin Benton (kevinbenton)
Changed in neutron:
importance: Undecided → High
Ihar Hrachyshka (ihar-hrachyshka)
tags: added: loadimpact
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Related: https://review.openstack.org/#/c/280595/

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: mitaka-rc1 → newton-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/280595
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3e668b6a3720c1509ffef4ad5b91b4242dfd47b3
Submitter: Jenkins
Branch: master

commit 3e668b6a3720c1509ffef4ad5b91b4242dfd47b3
Author: Kevin Benton <email address hidden>
Date: Tue Feb 16 01:50:23 2016 -0800

    Add exponential back-off RPC client

    This adds an exponential backoff mechanism for timeout values
    on any RPC calls in Neutron that don't explicitly request a timeout
    value. This will prevent the clients from DDoSing the server by
    giving up on requests and retrying them before they are fulfilled.

    Each RPC call method in each namespace gets its own timeout value since
    some calls are expected to be much more expensive than others and we
    don't want to modify the timeouts of cheap calls.

    The backoff currently has no reduction mechanism under the assumption
    that timeouts not legitimately caused by heavy system load
    (i.e. messages completely dropped by AMQP) are rare enough that the
    cost of shrinking the timeout back down and potentially causing
    another server timeout isn't worth it. The timeout does have a ceiling
    of 10 times the configured default timeout value.

    Whenever a timeout exception occurs, the client will also sleep for a
    random value between 0 and the configured default timeout value to
    introduce a splay across all of the agents that may be trying to
    communicate with the server.

    This patch is intended to be uninvasive for candidacy to be
    back-ported. A larger refactor of delivering data to the agents
    is being discussed in I3af200ad84483e6e1fe619d516ff20bc87041f7c.

    Closes-Bug: #1554332
    Change-Id: I923e415c1b8e9a431be89221c78c14f39c42c80f

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/314317

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/314319

Sheena Conant (sheena-conant)
tags: added: scale
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/liberty)

Reviewed: https://review.openstack.org/314319
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0ffab0930cb8a4e283fa3920fc704aab94385e26
Submitter: Jenkins
Branch: stable/liberty

commit 0ffab0930cb8a4e283fa3920fc704aab94385e26
Author: Kevin Benton <email address hidden>
Date: Tue Feb 16 01:50:23 2016 -0800

    Add exponential back-off RPC client

    This adds an exponential backoff mechanism for timeout values
    on any RPC calls in Neutron that don't explicitly request a timeout
    value. This will prevent the clients from DDoSing the server by
    giving up on requests and retrying them before they are fulfilled.

    Each RPC call method in each namespace gets its own timeout value since
    some calls are expected to be much more expensive than others and we
    don't want to modify the timeouts of cheap calls.

    The backoff currently has no reduction mechanism under the assumption
    that timeouts not legitimately caused by heavy system load
    (i.e. messages completely dropped by AMQP) are rare enough that the
    cost of shrinking the timeout back down and potentially causing
    another server timeout isn't worth it. The timeout does have a ceiling
    of 10 times the configured default timeout value.

    Whenever a timeout exception occurs, the client will also sleep for a
    random value between 0 and the configured default timeout value to
    introduce a splay across all of the agents that may be trying to
    communicate with the server.

    This patch is intended to be uninvasive for candidacy to be
    back-ported. A larger refactor of delivering data to the agents
    is being discussed in I3af200ad84483e6e1fe619d516ff20bc87041f7c.

    Closes-Bug: #1554332
    Change-Id: I923e415c1b8e9a431be89221c78c14f39c42c80f
    (cherry picked from commit 3e668b6a3720c1509ffef4ad5b91b4242dfd47b3)

tags: added: in-stable-liberty
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/mitaka)

Reviewed: https://review.openstack.org/314317
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3ab2ada748a5f66c3f1dd717223a2d180f686c89
Submitter: Jenkins
Branch: stable/mitaka

commit 3ab2ada748a5f66c3f1dd717223a2d180f686c89
Author: Kevin Benton <email address hidden>
Date: Tue Feb 16 01:50:23 2016 -0800

    Add exponential back-off RPC client

    This adds an exponential backoff mechanism for timeout values
    on any RPC calls in Neutron that don't explicitly request a timeout
    value. This will prevent the clients from DDoSing the server by
    giving up on requests and retrying them before they are fulfilled.

    Each RPC call method in each namespace gets its own timeout value since
    some calls are expected to be much more expensive than others and we
    don't want to modify the timeouts of cheap calls.

    The backoff currently has no reduction mechanism under the assumption
    that timeouts not legitimately caused by heavy system load
    (i.e. messages completely dropped by AMQP) are rare enough that the
    cost of shrinking the timeout back down and potentially causing
    another server timeout isn't worth it. The timeout does have a ceiling
    of 10 times the configured default timeout value.

    Whenever a timeout exception occurs, the client will also sleep for a
    random value between 0 and the configured default timeout value to
    introduce a splay across all of the agents that may be trying to
    communicate with the server.

    This patch is intended to be uninvasive for candidacy to be
    back-ported. A larger refactor of delivering data to the agents
    is being discussed in I3af200ad84483e6e1fe619d516ff20bc87041f7c.

    Closes-Bug: #1554332
    Change-Id: I923e415c1b8e9a431be89221c78c14f39c42c80f
    (cherry picked from commit 3e668b6a3720c1509ffef4ad5b91b4242dfd47b3)

tags: added: in-stable-mitaka
Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.1.1

This issue was fixed in the openstack/neutron 8.1.1 release.

Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 7.1.0

This issue was fixed in the openstack/neutron 7.1.0 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 9.0.0.0b1

This issue was fixed in the openstack/neutron 9.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.