[mod_cluster-dev] Handling crashed/hung AS nodes

Paul Ferraro paul.ferraro at redhat.com
Mon Mar 30 11:29:37 EDT 2009 

On Fri, 2009-03-27 at 16:23 -0500, Brian Stansberry wrote:
> Paul Ferraro wrote:
> > On Fri, 2009-03-27 at 09:15 -0500, Brian Stansberry wrote:
> >> jean-frederic clere wrote:
> >>> Paul Ferraro wrote:
> >>>> Currently, the HAModClusterService (where httpd communication is
> >>>> coordinated by an HA singleton) does not react to crashed/hung members.
> >>>> Specifically, when the HA singleton gets a callback that the group
> >>>> membership changes, it does not send any REMOVE-APP messages to httpd on
> >>>> behalf of the member that just left.  Currently, httpd will detect the
> >>>> failure (via a disconnected socket) on its own and sets its internal
> >>>> state accordingly, e.g. a STATUS message will return NOTOK.
> >>>>
> >>>> The non-handling of dropped members is actually a good thing in the
> >>>> event of a network partition, where communication between nodes is lost,
> >>>> but communication between httpd and the nodes is unaffected.  If we were
> >>>> handling dropped members, we would have to handle the ugly scenario
> >>>> described here:
> >>>> https://jira.jboss.org/jira/browse/MODCLUSTER-66
> >>>>
> >>>> Jean-Frederic: a few questions...
> >>>> 1. Is it up to the AS to drive the recovery of a NOTOK node when it
> >>>> becomes functional again?
> >>> Yes.
> >>>
> >>>>  In the case of a crashed member, fresh
> >>>> CONFIG/ENABLE-APP messages will be sent upon node restart.  In the case
> >>>> of a re-merged network partition, no additional messages are sent.  Is
> >>>> the subsequent STATUS message (with a non-zero lbfactor) enough to
> >>>> trigger the recovery of this node?
> >>> Yes.
> > 
> > Good to know.
> >  
> >>>> 2. Can httpd detect hung nodes?  A hung node will not affect the
> >>>> connected state of the AJP/HTTP/S connector - it could only detect this
> >>>> by sending data to the connector and timing out on the response.
> >>> The hung node will be detected and marked as broken but the 
> >>> corresponding request(s) may be delayed or lost due to time-out.
> >>>
> >> How long does this take, say in a typical case where the hung node was 
> >> up and running with a pool of AJP connections open? Is it the 10 secs, 
> >> the default value of the "ping" property listed at 
> >> https://www.jboss.org/mod_cluster/java/properties.html#proxy ?
> > 
> > I think he's talking about "nodeTimeout".
> > 
> 
> There's also the mod_proxy ProxyTimeout directive which might??? apply 
> since mod_proxy is what is being used. From the mod_proxy docs:
> 
> "This directive allows a user to specifiy a timeout on proxy requests. 
> This is useful when you have a slow/buggy appserver which hangs, and you 
> would rather just return a timeout and fail gracefully instead of 
> waiting however long it takes the server to return."
> 
> Default there is 300 seconds!!
> 
> It would be good to beef up the docs of this quite a bit. From the 
> mod_jk docs at 
> http://tomcat.apache.org/connectors-doc/reference/workers.html I can get 
> a pretty good idea of all the details of how mod_jk works in this area. 
> Not so much from 
> https://www.jboss.org/mod_cluster/java/properties.html#proxy 
> particularly when I factor in that it's mod_proxy/mod_proxy_ajp that's 
> actually handling requests.

Agreed.

> >> Also, if a request is being handled by a hung node and the 
> >> HAModClusterService tells httpd to stop that node, the request will 
> >> fail, yes? It shouldn't just fail over, as it may have already caused 
> >> the transfer of my $1,000,000 to my secret account at UBS. Failing over 
> >> would cause transfer of a second $1,000,000 and sadly I don't have that 
> >> much.
> > 
> > Not unlike those damn double-clickers...
> > 
> 
> Ah, that's what happened to my second $1,000,000! Thanks!
> 
> >>>> And some questions for open discussion:
> >>>> What does HAModClusterService really buy us over the normal
> >>>> ModClusterService?  Do the benefits outweigh the complexity?
> >>>>  * Maintains a uniform view of proxy status across each AS node
> >>>>  * Can detect and send STOP-APP/REMOVE-APP messages on behalf of
> >>>> hung/crashed nodes (if httpd cannot already do this) (not yet
> >>>> implemented)
> >>>>    + Requires special handling of network partitions
> >>>>  * Potentially improve scalability by minimizing network traffic for
> >>>> very large clusters.
> >> Assume a near-term goal is to run a 150 node cluster with say 10 httpd 
> >> servers. Assume the background thread runs every 10 seconds. That comes 
> >> to 150 connections per second across the cluster being opened/closed to 
> >> handle STATUS. Each httpd server handles 15 connections per second.
> >>
> >> With HAModClusterService the way it is now, you get the same, because 
> >> besides STATUS each node also checks its ability to communicate w/ each 
> >> httpd in order to validate its ability to become master. But let's 
> >> assume we add some complexity to allow that health check to become much 
> >> more infrequent. So ignore those ping checks. So, w/ HAModClusterService 
> >> you get 1 connection/sec being opened closed across the cluster for 
> >> status, 0.1 connection/sec per httpd.  But the STATUS request sent 
> >> across each connection has a much bigger payload.
> > 
> > True, the STATUS request body is larger than the INFO request (no body),
> > but the resulting STATUS-RSP is significantly smaller than the
> > corresponding INFO-RSP.
> > 
> 
> Ah, we're still using INFO for the connectivity checks? That's not good; 
> for sure we'd want to make that happen less often.

Yes - we need the INFO-RSP data to determine whether or not the proxy
requires resetting.

> I wasn't clear; what I was driving at was the STATUS request from 
> HAModClusterService covering 150 nodes has a bigger payload than any 
> single node's STATUS; i.e. there's no magic reduction in data. The 
> efficiency would be in getting rid of opening/closing lots of connections.

These connections stay open across proxy messages - so there's no cost
there.

> >> How significant is the cost of opening/closing all those connections?
> >>
> >>>>    e.g. non-masters ping httpd less often
> >>>>  * Anything else?
> >> 1) Management?? You don't want to have to interact with every node to do 
> >> management tasks (e.g. disable app X on domain A to drain sessions so we 
> >> can shut down the domain.) A node having a complete view might allow 
> >> more sophisticated management operations.  This is takes more thought 
> >> though.
> > 
> > Good point.
> > 
> >> 2) The more sophisticated case discussed on 
> >> https://jira.jboss.org/jira/browse/MODCLUSTER-66, where a primary 
> >> partition approach is appropriate rather than letting minority 
> >> subpartitions continue to live. But TBH mod_cluster might not be the 
> >> right place to handle this. Probably more appropriate is to have 
> >> something associated with the webapp itself determine it is in a 
> >> minority partition and undeploy the webapp if so. Whether being in a 
> >> minority partition is inappropriate for a particular webapp is beyond 
> >> scope for mod_cluster.
> >>
> >> I'd originally thought the HA version would add benefit to the load 
> >> balance factor calculation, but that was wrong-headed.
> > 
> > I would argue that there is some (albeit small) value to the load being
> > requested on each node at the same time.  I would expect this to result
> > in slightly less load swinging than if individual nodes calculated their
> > load at different times, scattered across the status interval.
> > 
> >>> Well I prefer the JAVA code deciding if a node is broken that httpd. I 
> >>> really want to keep the complexity in httpd to minimum and the talk I 
> >>> had until now at the ApacheCon seems to show that is probably the best 
> >>> way to go.
> >>>
> >> Agreed that httpd should be as simple as possible. But to handle the 
> >> non-HAModClusterService case it will need to at least detect broken 
> >> connections and basic response timeouts, right? So depending on how long 
> >> it takes to detect hung nodes, httpd might be detecting them before 
> >> HAModClusterService. I'm thinking of 3 scenarios:
> >>
> >> 1) Node completely crashes. HAModClusterService will detect this almost 
> >> immediately; I'd think httpd would as well unless it just happened to 
> >> not have connections open.
> >>
> >> 2) Some condition that causes the channel used by HAModClusterService to 
> >> not process messages. This will lead to the node being suspected after 
> >> 31.5 seconds with the default channel config. But httpd might detect a 
> >> timeout faster than that?
> >>
> >> 3) Some condition that causes all the JBoss Web threads to block but 
> >> doesn't impact the HAModClusterService channel. (QE's Radoslav Husar, 
> >> Bela and I are trying to diagnose such a case right now.)  Only httpd 
> >> will detect this; JGroups will not. We could add some logic in JBoss Web 
> >> that would allow it to detect such a situation and then let 
> >> (HA)ModClusterService disable the node. But non-HA ModClusterService 
> >> could do that just as well as the HA version.
> > 
> > I imagine this is not uncommon, e.g. overloaded/deadlocked database
> > causing all application threads to wait.
> > 
> >> Out of these 3 cases, HAModClusterService does a better job than httpd 
> >> itself only in the #2 case, and there only if it takes httpd > 31.5 secs 
> >> to detect a hung response.
> > 
> > Although, for case #2, using the plain non-HA ModClusterService avoids
> > the problem entirely.
> > 
> 
> I wasn't clear again. :) For #2 I meant some general problem w/ the node 
> (e.g. OOM) that affects the JGroups channel and the connectors. Then 
> HAModClusterService has a benefit only if it detects that faster than 
> httpd.  If *only* the JGroups channel is disrupted, yeah, that's the 
> same as the network partition problem you raised.
> 
> >>> Cheers
> >>>
> >>> Jean-Frederic
> >>>
> >>>> Paul
> >>>>
> >>>> _______________________________________________
> >>>> mod_cluster-dev mailing list
> >>>> mod_cluster-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/mod_cluster-dev
> >>>>
> >>> _______________________________________________
> >>> mod_cluster-dev mailing list
> >>> mod_cluster-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/mod_cluster-dev
> >>
> > 
> 
>

More information about the mod_cluster-dev mailing list