Redis Cluster validator
Workflow
This issue is in workflow-infraReady, and it is there because it's ready to start work.
As we work on this, we might discover more questions: in particular, whether we start with this on or off by default. But we should be able to make a start.
Description
We might need to understand better how to shard Redis on gitlab.com in order to devise our long-term Redis sharding strategy.
It is very important to understand all the operations on Redis keys that might involve operations on multiple keys. Not having this knowledge is a major blocker for us, if would like to move towards Redis sharding.
In the sharded environment Redis setup will answer with an error ERR CROSSSLOT Keys in request don't hash to the same slot if keys we want to perform some operation on do not reside on the same slot / shard.
We need to understand better how can design our sharding techniques in a way that this is not a blocker.
Proposal
Design a CROSSLOT validator, that would be an additional layer of abstraction in front of our Redis facade code, that would check if a Redis keys scheme used to perform operations on multiple keys resolves to a single shard.
Step 1: monkeypatch Redis Client calls to intercept all Redis calls
This follows the approach used in LabKit-Ruby to monkeypatch the Redis Client to intercept all Redis calls for distributed tracing.
The LabKit implementation is here: https://gitlab.com/gitlab-org/labkit-ruby/-/blob/master/lib/labkit/tracing/redis/redis_interceptor.rb. The injection occurs here: https://gitlab.com/gitlab-org/labkit-ruby/-/blob/master/lib/labkit/tracing/redis.rb.
The CROSSSLOT validator implementation would follow similar boilerplate, but obviously instead of injecting emitting tracing spans, it would validate the Redis command.
Step 2: determine whether the a call involves multiple keys
Multiple approaches could be used, but this would probably be easiest implemented with a whitelist of known multikey commands in Redis (eg MGET). When a key is not multikey, the validator skips the call.
An alternative is to check if the position of the first and last keys in the argument list are the same: https://redis.io/commands/command. This is exposed to Ruby through Redis::Cluster::CommandLoader.
Step 3: for any multikey calls, ensure that all keys are for the same slot
Using the algorithm published in the Redis documentation, the slot for each key is calculated:
def HASH_SLOT(key)
s = key.index "{"
if s
e = key.index "}",s+1
if e && e != s+1
key = key[s+1..e-1]
end
end
crc16(key) % 16384
endThis is present in two methods in two classes in redis-rb.
-
Redis::Cluster::Command#extract_first_keyto get the key for hashing -
Redis::Cluster::KeySlotConverter.convertconverts a key into a hash slot.
If the command contains keys which resolve to different hash slots, then validation fails.
The form of this failure warrants more discussion. I propose that initially,
- In development and CI, an exception is raised, with pointers to developer documentation on how to fix the problem
- In production, a log is written
Step 4: Allow exceptions inside a yield block
Similarly to the approach used by the Gitaly n+1 detector's exemption block, Gitlab::GitalyClient.allow_n_plus_1_calls, we could allow technical debt to accrue through an exception block, storing the state in a threadlocal or similar storage mechanism.
The implementation of the Gitaly version is here: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/gitaly_client.rb#L309
Step 5: Add exemption blocks for all known violations
Add exemption block for all known violators. For third-party code, such as Rails session management, we should consider adding another Redis connection which is entirely exempt from the validator.
This could would likely not be migrated to Redis Cluster.
Activity
Thanks for the placeholder @grzesiek.
I've added the proposal.
mentioned in epic gitlab-org&2391
added to epic gitlab-org&2391
mentioned in epic &80
Another complementary approach to this would be to perform traffic analysis on the gitlab.com redis traffic.
Some tooling to do that is available in the runbook: https://gitlab.com/gitlab-com/runbooks/-/blob/master/docs/redis/redis.md#keyspace-analysis. It should be relatively straight-forward to adapt those scripts.
Note that this will not catch
pipelineinduced crossslot violations though.Edited by Igor-
@igorwwwwwwwwwwwwwwwwwwww it is an option, but I would much rather catch this early on, during development of features that may introduce regressions, rather than once it's in staging or production.
-
@andrewn Definitely agree that it's not a replacement for the in-app approach (especially for newly developed features as you said), but I think this can complement it.
Some of these violations may be in code that is not often exercised, or require data that is usually not present in development environments. By looking at production traffic, we can shine some light in those corners to make sure we don't miss anything.
mentioned in merge request gitlab-com/runbooks!2110 (merged)
mentioned in issue #300 (closed)
moved from gitlab-org/gitlab#206903 (moved)
changed epic to &211
added ServiceRedis workflow-infraProposal + 1 deleted label
added Scalability FY21-Q2 ThemeRedis Resiliency label
In production, a log is written
This triggers my spidey-sense. I think we might be ok, but for the avoidance of doubt I'll ask: is there any likelihood that we could end up with a log event from a high-frequency code path that ends up sending a huge quantity of logs into our logging infrastructure (potentially affecting indexing/throughput and ultimately visibility)? If I've understood, we'd only expect logs in production from code-paths that have not been exercised in CI or dev and thus have not been caught by the exception raising, or given an explicit exemption. Is that understanding correct?
@cmiskell that's right. In production, we could also just do nothing and let the application crash - we'd get a Sentry event in that case, and in both cases the user will receive an error.
-
@rnienaber asked if there was any prior art for this, which is a good question. I couldn't find any. https://redislabs.com/blog/redis-clustering-best-practices-with-keys/ says:
Evaluate your MULTI/EXEC transactions. See if you truly need a transaction or if a pipeline will do. Don’t forget to think about multikey commands and whether they can be replaced by multiple commands.
There's also this thread: https://groups.google.com/forum/#!topic/redis-db/un6KAUaMDLI But that seems to be someone confused about why this is the case, rather than how to validate it.
A lot of the pieces to build this are available in redis-rb so we might want to consider submitting some of this work upstream, but let's start by building it for ourselves and see how it goes.
marked this issue as related to #186 (closed)
mentioned in issue #300 (closed)
added workflow-infraReady label and removed workflow-infraProposal label
added workflow-infraIn Progress label and removed workflow-infraReady label
assigned to @smcgivern
mentioned in merge request gitlab-org/gitlab!32450 (merged)
added workflow-infraUnder Review label and removed workflow-infraIn Progress label
-
I have an MR for this at gitlab-org/gitlab!32450 (merged) and I found all the places in our specs where we use cross-slot keys. (Mostly sessions, as expected.)
Just waiting for #353 (closed) to be in place so I can make sure this check only runs on the right Redis instances. For instance, if we issue a cross-slot command to the Sidekiq Redis, that's fine: we don't plan to use Redis Cluster there
-
From the tests on gitlab-org/gitlab!32450 (merged), these places have cross-slot access:
- Sessions.
- Build trace chunks.
- Elasticsearch bookkeeping.
The next question is: how much of our shared state Redis does that represent? @cmiskell is there any way I could find that out?
is there any way I could find that out?
Absolutely. You need to know the prefixes for the keys you're interested in, then something like the following, run on the console will do it:
# A bit of a guess on the prefixes; # Not sure what prefix(es) are relevant for ElasticSearch; the only one I've seen is elasticsearch_enabled_cache:project in the cache instance prefixes = %w[ session:gitlab:2 gitlab:ci:trace ] Gitlab::Redis::SharedState.with do |redis| prefixes.each do |prefix| total_size = key_count = 0 redis.scan_each(:match => "#{prefix}*") do |key| total_size += redis.call([:memory, :usage, key]) key_count += 1 printf "." if (key_count % 100 == 0) end puts "\nPrefix #{prefix} has #{key_count} keys using #{total_size} bytes" end endThen compare to the total size which you can get that from the bigkeys reports, adding up the key counts (first numerical column) and byte counts (second numerical column) from the 'Totals/By Bytes' section. Each prefix scan will take about 11-12 minutes on production shared state, and you might prefer to run it away from peak times. Happy to do that for you at the quietest times of the day, if you can identify the relevant keys.
Edited by Craig Miskell-
@cmiskell thanks! I was wondering if that was safe to do on production (I guess this relates to a conversation we had in #362 (closed), too).
The ES ones start
elastic:paused_jobs:zset. Would you mind running this at a quiet time?
@smcgivern Sure thing. Also worth mentioning that as an SRE with shell access to all the boxes, I have the additional option of running the same basic code (just differing in how it gets the redis client) on a replica, which is another way to mitigate any impact, so I did that.
Totals across the shared state redis:
- Key count: 26291714 (~26M)
- Bytes: 5522636556 (~5.1GB)
Output:
- Prefix session:gitlab:2 has 4657750 keys using 1582285450 bytes
- 17% of total keys (21% of
stringkeys) - 28.5% of memory usage
- 17% of total keys (21% of
- Prefix gitlab:ci:trace has 98 keys using 8134 bytes
- Negligible; not worth doing a percentage number :)
- Prefix elastic:paused_jobs:zset has 0 keys using 0 bytes
- Doesn't show up either on shared state or the cache redis. Are you sure that's the key name?
-
Thanks @cmiskell!
For the record:
- Sessions we have an issue for #186 (closed)
- For traces, we aren't enabled on GitLab.com (yet): https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/4667
- I'd expect the same for Elasticsearch.
Migrating those keys from the latter two is made slightly easier by the fact that we're not currently using these on GitLab.com, so I've asked in &211 if we plan to use Redis Cluster for our shared state Redis.
mentioned in epic &211
-
I'm marking this issue as workflow-infraCancelled because the epic is closed, which in turn is because we don't see a near-term need for this: &211 (comment 364409253)
We can reopen it if we need to, of course!
-
That was quick: after a discussion with @andrewn in the epic, we'll keep the validator even though we won't be making shared state fully compatible with Redis Cluster right now.
added workflow-infraCancelled label and removed workflow-infraUnder Review label
mentioned in issue #433 (closed)
added workflow-infraUnder Review label and removed workflow-infraCancelled label
mentioned in issue gitlab-org/gitlab#224171
mentioned in issue gitlab-org/gitlab#118820
added workflow-infraVerify label and removed workflow-infraUnder Review label
-
This validator is now merged! I also created gitlab-org/gitlab#224171 for CI build trace chunks, as that's:
- Not yet enabled on GitLab.com.
- Going to be a heavy user of Redis once it's enabled.
I've also mentioned the validator in the Engineering Week-in-Review.
added workflow-infraDone label and removed workflow-infraVerify label
mentioned in issue #450 (closed)
mentioned in issue #1265 (closed)
mentioned in merge request gitlab-org/gitlab!69204 (merged)
mentioned in epic &557
