Flink: TableMaintenance Support Coordinator Lock #15151
Conversation
...link/src/main/java/org/apache/iceberg/flink/maintenance/operator/LockAcquireResultEvent.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/apache/iceberg/flink/maintenance/operator/TableMaintenanceCoordinator.java
Show resolved
Hide resolved
...link/src/main/java/org/apache/iceberg/flink/maintenance/operator/TriggerManagerOperator.java
Outdated
Show resolved
Hide resolved
| void handleLockReleaseResult(LockReleasedEvent event) { | ||
| if (event.lockId().equals(tableName)) { | ||
| this.lockHeld = false; | ||
| this.restoreTasks = false; |
There was a problem hiding this comment.
This might not be correct on recovery.
If we have an ongoing task and the recovery lock, then this might be only the "task" lock release.
Let's imagine this sequence:
- Restore with ongoing T1. We send a Trigger for restore.
restoreTasksis set totrue. - T1 lock release arrives.
restoreTasksis set tofalse. - We trigger T2, and set
lockHeldtotrue - Restore Trigger arrives to the LockRemover. We receive a
LockReleasedEvent, and setlockHeldtofalse. - We trigger T3 - which is wrong
We need to differentiate between the restoreLock release and the lockHeld release
There was a problem hiding this comment.
I think we can differentiate between the restoreLock release and the lockHeld release from the source from processWatermark or processElement, from processWatermark is recove. So I add a flag in LockReleasedEvent. And TriggerManagerOperator only release restoreTasksLock when it is from watermark
| operatorEventGateway.sendEventToCoordinator( | ||
| new LockReleasedEvent(tableName, streamRecord.getTimestamp())); |
There was a problem hiding this comment.
One of the LockReleasedEvent is unnecessary
There was a problem hiding this comment.
Now I keep the code since the reason above I use processWatermark or processElement to differentiate between the restoreLock release and the lockHeld release
There was a problem hiding this comment.
I'm not sure about the cost of sending a message, but theoretically we could differentiate between the lock release requests simply by the lockId and the timestamp. If we keep track of the release trigger timestamp on the TriggerManager side, then we could decide if this is a recovery or a task lock.
With the current solution we always send 2 release requests when a normal task is finished. Which is unnecessary, and also might cause concurrency issues, if between the 2 release message the TriggerManager triggers another Task
There was a problem hiding this comment.
I change this part to use the “lockTime” in a Long instead of two boolean flag ,and use keep only one place to send release event.
...1/flink/src/main/java/org/apache/iceberg/flink/maintenance/operator/LockRemoverOperator.java
Show resolved
Hide resolved
|
|
||
| @SuppressWarnings("FutureReturnValueIgnored") | ||
| private void registerTriggerManagerReceiveReleaseEvent(LockRegisterEvent lockRegisterEvent) { | ||
| LOCK_RELEASE_CONSUMERS.put( |
There was a problem hiding this comment.
Could we check that we don't accidentally overwrite any other consumer?
We use the JobManager's JVM, so we might get accidental issues if multiple job is registered on the same JM, or on job restart.
@mxm: Any ideas about the possible issues here?
There was a problem hiding this comment.
There is classloader-level isolation between coordinators from different jobs, which means that there will be multiple instances of the static field because every job will load this class through its user class loader.
+1 for checking for existing consumers though. Is the locking meant to be re-entrant? Even so, we should check that its actually re-entrant and not coming from a different subtask.
There was a problem hiding this comment.
TriggerManagerOperator and LockRemoverOperator both are forceNonParallel, so they will only 1 subtask, so for now I haven’t taken registrations from different subtasks into account.
If the job restarts, it will re-register during initializeState, overwriting the previous one so that we always have the latest reference.So is it still necessary to do any checks here, and if so, what exactly should we be checking for?
...link/src/main/java/org/apache/iceberg/flink/maintenance/operator/TriggerManagerOperator.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/apache/iceberg/flink/maintenance/operator/TableMaintenanceCoordinator.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/apache/iceberg/flink/maintenance/operator/TableMaintenanceCoordinator.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/apache/iceberg/flink/maintenance/operator/TableMaintenanceCoordinator.java
Outdated
Show resolved
Hide resolved
| public void checkpointCoordinator(long checkpointId, CompletableFuture<byte[]> resultFuture) { | ||
| // We don’t need to track how many locks are currently held, because when recovering from state, | ||
| // a `recover lock` will be issued to ensure all tasks finish running and then release all | ||
| // locks. | ||
| // The `TriggerManagerOperator` already keeps the `TableChange` state and related information, | ||
| // so there’s no need to store additional state here. | ||
| runInCoordinatorThread( | ||
| () -> { | ||
| resultFuture.complete(new byte[0]); | ||
| }, | ||
| String.format(Locale.ROOT, "taking checkpoint %d", checkpointId)); | ||
| } |
There was a problem hiding this comment.
Why don't we checkpoint all the locks? This will give us a precise snapshot of the current locking state. That way, we could also get rid of the recovery lock.
There was a problem hiding this comment.
In my understanding, some tasks are stateless and will not continue execution after a job failure and restart. If we remove the recovery lock, when restore this lock, then this lock would never be released. If I understand correctly.
There was a problem hiding this comment.
Stateless tasks who do not continue after restore, should send a lock release message on restore. This will ensure that the lock will get released if it was previously held.
In general, if we want table maintenance to be stateful, the lock state should be included as well. We have the option to do this now because we maintain the lock state here.
See also #15042 (comment).
There was a problem hiding this comment.
In this PR, we only have lockTime instead of a boolean flag. After restore, I reset the lock time to the current time in the TriggerManagerOperator, which is equivalent to releasing the lock. Therefore, there is no need to release the lock again from the coordinator; it has already been handled inside TriggerManagerOperator.
There was a problem hiding this comment.
Regarding recovery strategies for stateful tasks, these are two ideas:
- Current approach
The TriggerManagerOperator does not persist the historical lock state. Instead, upon recovery it acquires a new lock and sends a recover trigger downstream. Once all tasks have finished, the downstream will release the lock.
- Alternative approach
If we persist the lock state in TriggerManagerOperator, then upon task recovery there are two scenarios:
- Stateless tasks will not release the lock.
- Stateful tasks will release the lock when the task completes.
In that case, we would need to determine explicitly, based on the task type, whether we should manually trigger a lock release during recovery. Stateful tasks must not trigger this manually. This feels like it would couple the design more tightly to the task implementation, and each task would need to be modified. By contrast, approach 1 looks more generic and reusable.
Is my understanding correct? I’d like to hear your thoughts.@mxm @pvary
There was a problem hiding this comment.
I hadn't considered stateless tasks as much as stateful tasks, but I don't think it is a bad idea to make all tasks stateful in the sense that they are guaranteed to send a lock on restore. Maybe using a recovery approach is simpler after all, I just didn't find it to be very straight-forward.
|
|
||
| @SuppressWarnings("FutureReturnValueIgnored") | ||
| private void registerTriggerManagerReceiveReleaseEvent(LockRegisterEvent lockRegisterEvent) { | ||
| LOCK_RELEASE_CONSUMERS.put( |
There was a problem hiding this comment.
There is classloader-level isolation between coordinators from different jobs, which means that there will be multiple instances of the static field because every job will load this class through its user class loader.
+1 for checking for existing consumers though. Is the locking meant to be re-entrant? Even so, we should check that its actually re-entrant and not coming from a different subtask.
...src/main/java/org/apache/iceberg/flink/maintenance/operator/TableMaintenanceCoordinator.java
Outdated
Show resolved
Hide resolved
|
|
||
| @SuppressWarnings("FutureReturnValueIgnored") | ||
| private void registerTriggerManagerReceiveReleaseEvent(LockRegisterEvent lockRegisterEvent) { | ||
| LOCK_RELEASE_CONSUMERS.put( |
There was a problem hiding this comment.
Have we considered a different flow, where we confirm the lock registration? Why are we assuming that every lock register event succeeds?
| } | ||
|
|
||
| // register the lock register event | ||
| operatorEventGateway.sendEventToCoordinator(new LockRegisterEvent(tableName, current)); |
There was a problem hiding this comment.
AFAIK We register once on state restore, but never again, even after the lock has been released again. Am I missing something here?
There was a problem hiding this comment.
Here we are mainly registering something like a hook that can receive the “rock remove” signal from coordinate.
It is registered once when the job starts for the first time or when state is restored, and this registration overwrites the previous one.
...link/src/main/java/org/apache/iceberg/flink/maintenance/operator/TriggerManagerOperator.java
Show resolved
Hide resolved
| * TriggerManagerOperator sends events to the coordinator to acquire a lock, then waits for the | ||
| * response. If the response indicates that the lock has been acquired, it fires a trigger; |
There was a problem hiding this comment.
AFAIK this is no longer true for this PR.
There was a problem hiding this comment.
You are right, I still keep the old state , I have change it to new version. Thanks for point it out.
| public void checkpointCoordinator(long checkpointId, CompletableFuture<byte[]> resultFuture) { | ||
| // We don’t need to track how many locks are currently held, because when recovering from state, | ||
| // a `recover lock` will be issued to ensure all tasks finish running and then release all | ||
| // locks. | ||
| // The `TriggerManagerOperator` already keeps the `TableChange` state and related information, | ||
| // so there’s no need to store additional state here. | ||
| runInCoordinatorThread( | ||
| () -> { | ||
| resultFuture.complete(new byte[0]); | ||
| }, | ||
| String.format(Locale.ROOT, "taking checkpoint %d", checkpointId)); | ||
| } |
There was a problem hiding this comment.
Stateless tasks who do not continue after restore, should send a lock release message on restore. This will ensure that the lock will get released if it was previously held.
In general, if we want table maintenance to be stateful, the lock state should be included as well. We have the option to do this now because we maintain the lock state here.
See also #15042 (comment).
mxm
left a comment
mxm
left a comment
There was a problem hiding this comment.
Thanks @Guosmilesmile! I appreciate your work on this.
I think we can remove the recovery lock, if we switch to this design:
The important parts are that we (a) introduce ACK messages between both coordinators and the corresponding operators, (b) checkpoint the lock state on just the TriggerManager coordinator.
On the LockRemover operator side, we will need to persist outgoing lock releases in Flink state, which is checkpointed. Only once a LockReleased message has been received, we can clear this lock state. On restore, we read the pending lock release state and send corresponding LockRelease messages to the LockRemover coordinator, which clears the corresponding lock and acks the request.
On the TriggerManager operator side, we acquire the lock and will be notified by the LockAcquired message from the coordinator once the lock is available.
The TriggerManager coordinator maintains the source of truth for the lock state. Modifications to the shared lock state must be synchronized. No modifications can take place during coordinator checkpointing. The order in which coordinators are checkpointed isn't defined, so whichever coordinator comes first, must lock state updates. Any updates must be deferred to after checkpointing.
| @Override | ||
| public OperatorCoordinator.Provider getCoordinatorProvider( | ||
| String operatorName, OperatorID operatorID) { | ||
| return new TableMaintenanceCoordinatorProvider(operatorName, operatorID); |
There was a problem hiding this comment.
I noticed that we're now using the same coordinator code for both the TriggerManager and the LockRemover coordinator, albeit parameterized with the actual operator name. I found that confusing because the code executes different branches depending on which role it fulfills.
I don't really like the solution:
I don't think that the recovery lock is that complicated to make it worth to accept the messaging overhead and also add state. |
3 participants
This PR is a continuation of #15042.
In this approach, the lock is maintained inside
TriggerManagerOperator, andTableMaintenanceCoordinatoracts as a bridge. It holds a reference toTriggerManagerOperatorin a static map, and uses that to receive events fromLockRemoverOperatorand release the lock held byTriggerManagerOperator.Normal flow
TriggerManagerOperatordecides whether to fire a trigger and, if so, acquires the lock internally and sends the trigger downstream.LockRemoverOperator.LockRemoverOperatorsends an event toTableMaintenanceCoordinator.TableMaintenanceCoordinatoruses the reference stored in its static map to find the correspondingTriggerManagerOperatorand sends a “release lock” event to it.TriggerManagerOperatorreleases the lock.Recovery flow
initializeState,TriggerManagerOperatormarks itself as “in recovery” and then sends a recovery trigger downstream. While the “in recovery” flag is true, other tasks are not allowed to operate on it.LockRemoverOperator, it sends an event toTableMaintenanceCoordinatorto release the lock.TriggerManagerOperatorreleases the lock.