Status

Current state: Under discussion

Discussion thread:

JIRA:

PR: https://github.com/apache/lucene-solr/pull/1100

Released: 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast). Confluence supports inline comments that can also be used.

Motivation

Many common JVM resources such as CPUs, threads, file descriptors, heap, etc. are shared between multiple SolrCore-s within a CoreContainer.

Most of these resources can already be monitored for usage using metrics. However, in most cases Solr doesn't have any control mechanism to actually do something about excessive use (or extreme under-utilization) of a resource by any particular SolrCore or CoreContainer. Furthermore, even when a control mechanism exists it's usually available only as a static configuration parameter (eg. max cache size) and changing it requires at least a core reload, or restarting the JVM.

This issue is especially important for multi-tenant applications, where the admin cannot assume voluntary co-operation of users and needs more fine-grained tools to prevent DoS attacks, either accidental or purposeful.

The main scenario that prompted this development was a need to control the aggregated cache sizes across all cores in a CoreContainer in a multi-tenant (uncooperative) situation. However, it seems like a similar approach would be applicable for controlling other runtime usage of resources in a Solr node - hence the attempt to come up with a generic framework.

This SIP proposes the following:

  • adding a generic ResourceManager component to Solr, which will run at a CoreContainer level and will be able to monitor and enforce both global limits and a "fair" division of resources among competing resource usage across SolrCore-s.
  • extending key existing components so that their resource consumption aspects can be dynamically controlled.
  • adding a number of management plugins that implement specific strategies for managing eg. the cache sizes according to the specified "fairness" policy and global limits.
  • adding an API for monitoring and controlling the resource management (reading and setting pool and component limits).

High-level design overview

A resource manager instance is created for each CoreContainer, and it is initialized from a ZK configuration file. Initialization includes creating default pools and setting their global limits.

A pool has a unique name and a type (eg. "cache"), which is defined by the pool implementation. A pool defines total limits for components of this type in this pool. For example, the "searcherFieldValueCache" pool knows how to handle components of SolrCache type: it manages all instances of SolrCache in all SolrCore-s that are responsible for field value caching, and it defines total limits for all searcher field value caches across all SolrCore-s. There can be multiple pools of the same type (e.g. "cache") under different names and with different parameters (total limits, schedule, etc.), each managing a different set of components.

Limits are expressed as arbitrary name / value pairs, which make sense for the specific pool implementation - e.g. for a "cache" pool type the supported limits are "maxRamMB" and "maxSize". By convention limits use the same names as the component limits (controlled parameters - see below).

A pool manages components registered in the pool. Any component can be registered only in a single pool of the same type - eg. a SolrCache component can only be registered in one "cache" type pool. Pool management is run periodically according to a per-pool schedule. Implementation-specific logic in the pool makes decisions about adjusting the limits of individual components so that the total resource consumption stays within pool limits.

Typically it's the responsibility of the component creator to register and unregister it with a specific pool. E.g. SolrIndexSearcher registers all its caches in their respective pools, and unregisters them on close. 

Managed components report two different sets of values: controlled parameters (component limits) and monitored values. Monitored values represent the actual current resource usage (eg. current cache size) while the controlled parameters represent adjustable component limits (eg. "maxSize"). These two sets are different because usually we can't control the actual resource usage (eg. current cache size depends on random usage patterns), we can only control the adjustable limits and then we can observe the impact of these changes on the actual resource usage.
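The following sketch models one "cache" type pool as described above: single-pool registration, a pool-level "maxRamMB" limit, and a management pass that reads monitored values and adjusts only the controlled limits. It is an added illustration, not code from the SIP or from Solr; all class, field and method names are hypothetical, and the proportional-shrink strategy is an assumption (the proposal leaves the strategy to the pool implementation).

```java
import java.util.*;

// Toy model of a "cache" type pool; every name here is hypothetical, not Solr's API.
public class CachePoolSketch {
    static class ManagedCache {
        final String id;
        double maxRamMB;   // controlled parameter: the adjustable limit
        double usedRamMB;  // monitored value: actual usage, only observable
        ManagedCache(String id, double maxRamMB, double usedRamMB) {
            this.id = id; this.maxRamMB = maxRamMB; this.usedRamMB = usedRamMB;
        }
    }

    // componentId -> pool name, shared by all pools of type "cache":
    // a component may be registered in only one pool of a given type.
    static final Map<String, String> OWNER = new HashMap<>();

    static class CachePool {
        final String name;
        final double poolMaxRamMB; // pool limit, named like the component limit
        final Map<String, ManagedCache> components = new LinkedHashMap<>();
        CachePool(String name, double poolMaxRamMB) { this.name = name; this.poolMaxRamMB = poolMaxRamMB; }

        void register(ManagedCache c) {
            String prev = OWNER.putIfAbsent(c.id, name);
            if (prev != null) throw new IllegalStateException(c.id + " already in pool " + prev);
            components.put(c.id, c);
        }
        void unregister(String id) { if (components.remove(id) != null) OWNER.remove(id); }

        // One scheduled management pass (assumed strategy: proportional shrink).
        void manage() {
            double total = components.values().stream().mapToDouble(c -> c.usedRamMB).sum();
            if (total <= poolMaxRamMB) return;   // within the pool limit: no change
            double factor = poolMaxRamMB / total;
            for (ManagedCache c : components.values()) {
                // Only the limit is set; actual usage follows as the cache evicts.
                c.maxRamMB = Math.min(c.maxRamMB, c.usedRamMB * factor);
            }
        }
    }

    public static void main(String[] args) {
        CachePool pool = new CachePool("searcherFieldValueCache", 512);
        // Constructed sample values: two tenants' caches, limit and current usage in MB.
        pool.register(new ManagedCache("tenantA/fieldValueCache", 400, 390));
        pool.register(new ManagedCache("tenantB/fieldValueCache", 400, 250));
        pool.manage(); // total monitored usage exceeds the pool limit here
        for (ManagedCache c : pool.components.values())
            System.out.printf("%s maxRamMB=%.0f%n", c.id, c.maxRamMB);
    }
}
```

After the pass, the new component limits sum to the pool limit, so a tenant whose cache grew aggressively is shrunk in proportion to its own usage rather than starving the other cores.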

A public API is provided under /admin/resources. It supports inspecting pools and components as well as setting pool limits and component limits.

Public Interfaces

Briefly list any new interfaces that will be introduced as part of this proposal or any existing interfaces that will be removed or changed. The purpose of this section is to concisely call out the public contract that will come along with this feature.

The definition of a public interface is found on the main SIP page.

Proposed Changes

Describe the new thing you want to do in appropriate detail. This may be fairly extensive and have large subsections of its own. Or it may be a few sentences. Use judgement based on the scope of the change.

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
  • If we are changing behavior how will we phase out the older behavior?
  • If we need special migration tools, describe them here.
  • When will we remove the existing behavior?

Test Plan

Describe in a few sentences how the SIP will be tested. We are mostly interested in system tests (since unit tests are specific to implementation details). How will we know that the implementation works as expected? How will we know nothing broke?

Rejected Alternatives

If there are alternative ways of accomplishing the same thing, what were they? The purpose of this section is to motivate why the design is the way it is and not some other way.