[mod_cluster-dev] Handling crashed/hung AS nodes

jean-frederic clere jfclere at gmail.com
Fri Mar 27 17:45:29 EDT 2009 

Brian Stansberry wrote:
> Paul Ferraro wrote:
>> On Fri, 2009-03-27 at 09:15 -0500, Brian Stansberry wrote:
>>> jean-frederic clere wrote:
>>>> Paul Ferraro wrote:
>>>>> Currently, the HAModClusterService (where httpd communication is
>>>>> coordinated by an HA singleton) does not react to crashed/hung 
>>>>> members.
>>>>> Specifically, when the HA singleton gets a callback that the group
>>>>> membership changes, it does not send any REMOVE-APP messages to 
>>>>> httpd on
>>>>> behalf of the member that just left.  Currently, httpd will detect the
>>>>> failure (via a disconnected socket) on its own and sets its internal
>>>>> state accordingly, e.g. a STATUS message will return NOTOK.
>>>>>
>>>>> The non-handling of dropped members is actually a good thing in the
>>>>> event of a network partition, where communication between nodes is 
>>>>> lost,
>>>>> but communication between httpd and the nodes is unaffected.  If we 
>>>>> were
>>>>> handling dropped members, we would have to handle the ugly scenario
>>>>> described here:
>>>>> https://jira.jboss.org/jira/browse/MODCLUSTER-66
>>>>>
>>>>> Jean-Frederic: a few questions...
>>>>> 1. Is it up to the AS to drive the recovery of a NOTOK node when it
>>>>> becomes functional again?
>>>> Yes.
>>>>
>>>>>  In the case of a crashed member, fresh
>>>>> CONFIG/ENABLE-APP messages will be sent upon node restart.  In the 
>>>>> case
>>>>> of a re-merged network partition, no additional messages are sent.  Is
>>>>> the subsequent STATUS message (with a non-zero lbfactor) enough to
>>>>> trigger the recovery of this node?
>>>> Yes.
>>
>> Good to know.
>>  
>>>>> 2. Can httpd detect hung nodes?  A hung node will not affect the
>>>>> connected state of the AJP/HTTP/S connector - it could only detect 
>>>>> this
>>>>> by sending data to the connector and timing out on the response.
>>>> The hung node will be detected and marked as broken but the 
>>>> corresponding request(s) may be delayed or lost due to time-out.
>>>>
>>> How long does this take, say in a typical case where the hung node 
>>> was up and running with a pool of AJP connections open? Is it the 10 
>>> secs, the default value of the "ping" property listed at 
>>> https://www.jboss.org/mod_cluster/java/properties.html#proxy ?
>>
>> I think he's talking about "nodeTimeout".
>>
> 
> There's also the mod_proxy ProxyTimeout directive which might???

Not if you set nodeTimeout.

> apply 
> since mod_proxy is what is being used. From the mod_proxy docs:
> 
> "This directive allows a user to specifiy a timeout on proxy requests. 
> This is useful when you have a slow/buggy appserver which hangs, and you 
> would rather just return a timeout and fail gracefully instead of 
> waiting however long it takes the server to return."
> 
> Default there is 300 seconds!!
> 
> It would be good to beef up the docs of this quite a bit. From the 
> mod_jk docs at 
> http://tomcat.apache.org/connectors-doc/reference/workers.html I can get 
> a pretty good idea of all the details of how mod_jk works in this area. 
> Not so much from 
> https://www.jboss.org/mod_cluster/java/properties.html#proxy 
> particularly when I factor in that it's mod_proxy/mod_proxy_ajp that's 
> actually handling requests.

Yep few lines more could help.

>>> Also, if a request is being handled by a hung node and the 
>>> HAModClusterService tells httpd to stop that node, the request will 
>>> fail, yes? It shouldn't just fail over, as it may have already caused 
>>> the transfer of my $1,000,000 to my secret account at UBS. Failing 
>>> over would cause transfer of a second $1,000,000 and sadly I don't 
>>> have that much.
>>
>> Not unlike those damn double-clickers...
>>
> 
> Ah, that's what happened to my second $1,000,000! Thanks!
> 
>>>>> And some questions for open discussion:
>>>>> What does HAModClusterService really buy us over the normal
>>>>> ModClusterService?  Do the benefits outweigh the complexity?
>>>>>  * Maintains a uniform view of proxy status across each AS node
>>>>>  * Can detect and send STOP-APP/REMOVE-APP messages on behalf of
>>>>> hung/crashed nodes (if httpd cannot already do this) (not yet
>>>>> implemented)
>>>>>    + Requires special handling of network partitions
>>>>>  * Potentially improve scalability by minimizing network traffic for
>>>>> very large clusters.
>>> Assume a near-term goal is to run a 150 node cluster with say 10 
>>> httpd servers. Assume the background thread runs every 10 seconds. 
>>> That comes to 150 connections per second across the cluster being 
>>> opened/closed to handle STATUS. Each httpd server handles 15 
>>> connections per second.
>>>
>>> With HAModClusterService the way it is now, you get the same, because 
>>> besides STATUS each node also checks its ability to communicate w/ 
>>> each httpd in order to validate its ability to become master. But 
>>> let's assume we add some complexity to allow that health check to 
>>> become much more infrequent. So ignore those ping checks. So, w/ 
>>> HAModClusterService you get 1 connection/sec being opened closed 
>>> across the cluster for status, 0.1 connection/sec per httpd.  But the 
>>> STATUS request sent across each connection has a much bigger payload.
>>
>> True, the STATUS request body is larger than the INFO request (no body),
>> but the resulting STATUS-RSP is significantly smaller than the
>> corresponding INFO-RSP.
>>
> 
> Ah, we're still using INFO for the connectivity checks? That's not good; 
> for sure we'd want to make that happen less often.

I though we agreed to add a new message/response for that in the next 
release.

Cheers

Jean-Frederic

More information about the mod_cluster-dev mailing list