kvserver: reliably detect when a replica is unavailable

[tbg]

Is your feature request related to a problem? Please describe.
When an outage occurs, one of the most interesting questions (as far as the KV team is concerned) is whether any ranges in the system are unable to serve reads and/or writes. We further want to distinguish between ranges that are actively failing to do so and ranges that likely would (but are not currently being asked to do so). There is further a distinction between replicas and ranges - a range may have replicas that work just fine, but specific replicas could be unable to participate in, say, follower reads, or are unable to forward to the leader successfully.

We want to be able to write robust metrics-based alerting rules for unavailable ranges. When these signal, we also want to be able to discover easily which ranges/replicas are currently in trouble, and which kind of trouble they're in to determine next steps.

Currently none of this is trivial to determine. To determine whether a range is unable to make progress, one can look for messages like these (which indicate nonzero values for the correspondingly named metrics):

[‹n1,summaries›] ‹health alerts detected: {Alerts:[{StoreID:1 Category:METRICS Description:requests.slow.latch Value:82}]}›

[n6,summaries] health alerts detected: ‹{Alerts:[{StoreID:6 Category:METRICS Description:requests.slow.raft Value:1} {StoreID:6 Category:METRICS Description:requests.slow.lease Value:127}]}›

(NB: leases have a one minute timeout, so often they do not trigger this gauge in the first place, as the gauge is basically "lease proposals that have been taking longer than a minute").

or

[n4,summaries] health alerts detected: ‹{Alerts:[{StoreID:4 Category:METRICS Description:requests.slow.raft Value:23}

(NB: this metric is often not triggered when the range loses the lease, as then the only ongoing proposal is a lease, which as mentioned above has the 1min timeout)

or the ranges.unavailable metric (which however only counts replicas for which it believes a quorum of nodes is offline, which is only one possible reason for a range to be unavailable; additionally this metric does not track ranges for which all nodes are offline!)

Conceivably one could add an alerting rule on the sum combination of these metrics (they are all gauges).

This would leave open the problem of determining the ranges that triggered the metric. In practice, for that we refer to the logs, concretely: look for messages that take the form have been waiting. By convention, these are emitted whenever one of the metrics feeding into a "health alert " message is triggered, and refer to a source replica via the log tags.

Additionally, we are currently adding a black box kv probing mechanism which comes with additional metrics that indicate range issues. Its introduction was driven by frustration around the status quo and in particular the desire to have a clear source for alerting rules.

We arrive at the following picture:

| metric | populated via | misses | replica discovery |
|---|---|
| above subset of requests.slow.* | hanging requests | replicas without traffic | from log messages
| (prober metrics) | on failed probes | ranges it hasn't probed recently | from log messages
| ranges.unavailable | periodically by each node based on its replicas, but misses livelocks | ranges that have lost all replicas | probably the system.reports_* tables or problem ranges report; problems here typically affect large numbers of ranges

Describe the solution you'd like

TBD, for now just documenting the status quo and how it is lacking. One could make the argument that the mechanisms above complement each other and that all that's needed is some cleanup. One could also argue that this is a hodge-podge and makes alerting and quick debugging difficult.

At the very least, consistent structured logging should be applied to any of these alerts firing.
Likely for alerting purposes, all of these gauges should be converted to counters and should fire more aggressively, as I believe this to be better for alerting purposes (cc @joshimhoff). For example, the current lease timeout of 1min and the current gauge bump timeout of 1min for requests.slow.* likely give us false positives. An aggressive counter (10s) would avoid that.

Describe alternatives you've considered

TBD

Additional context

#33007 is related. It discusses circuit-breaking writes to ranges we know are unavailable.

Jira issue: CRDB-3066

[joshimhoff]

Overall I see three basic ways to measure availability:

1. Probing -> send queries just to generate metric data, e.g. kvprober: implement a prober that sends queries to KV in order to generate signal on the healthiness of KV client & below #61074 & kvprober: introduce a package for probing the KV layer that does reads only #58124.
2. User-traffic instrumentation -> set metrics from user-facing code paths as queries are served, e.g. measure the number of requests to & errors returned by kvclient.DB.
3. Cause-based -> metrics tracking things that are themselves not something a user experiences but can be cause of a particular user experience, e.g. divergent uncommitted Raft log tails with a large number of entries leading to unavailability as per that CloudKitchens outage.

For CRDB alerting specifically, right now I lean towards a mix of blackbox & whitebox probing. (Yes, whitebox probing, since probing but based in part on knowledge about how CRDB works. KV is not a client facing thing anyway. Thanks, @bdarnell, for helping me make this distinction.)

User-traffic instrumentation is powerful. IMO we should think more about it. It's also tough in this particular context; SQL workloads are so complicated and so customers could probably trigger pages SRE doesn't want in various ways. Also the single tenant model implies very low user-traffic load on some prod CRDB clusters thus leading to poor signal. Still, we should think about this more, and we should have do user-traffic instrumentation even if we don't alert on these metrics in the end, as it will help with debugging.

Also, one truism is that user-traffic instrumentation & probing go well together, for two reasons: (1) Probers can sit outside the system under test thus alerting in case servers are crashing or down, and (2) probes establish a baseline of load necessary for high signal to noise alerting.

Cause-based is not my cup of tea as there are so many (infinite) possible causes of outages, making it very very hard to get good coverage this way, if it's even possible (I doubt it). Re: the weak coverage of ranges.unavailable, consider that it is a deeply caused-based alert essentially, despite its lofty (and confusing) name.

Again even if no cause-based alerting, need metrics measuring different possible causes, so we can make sense of outages once alerts fire. Also need some cause-based alerts to detect outages before they have big effects, e.g. a basic one in that category is being almost out of disk. But we should first focus on detecting outages as they are happening. Once we do that consistently, then we can think more about detecting outages before they happen. IMHO.

I wonder what @andreimatei thinks about ^^! Also @bdarnell.

but specific replicas could be unable to participate in, say, follower reads, or are unable to forward to the leader successfully.

Current KV prober design would catch later but not the former, correct? One can imagine sending follower reads eventually.

requests.slow.*

I don't understand the concrete meaning of this metric and I want to very much. Are you able to say more about what it tracks exactly?

Likely for alerting purposes, all of these gauges should be converted to counters and should fire more aggressively, as I believe this to be better for alerting purposes (cc @joshimhoff).

I can't tell yet what I think about this; I want to better understand the meaning of requests.slow.*.

I don't quite get how ranges.unavailable can be made a counter. It tracks a quantity that goes up and down, hence a gauge. It doesn't track a rate of something happening, as nothing is happening really. This is one reason I like metrics that track error rates, whether prober or user-traffic based. But it's fun to find weird ways to express things with a time-series DB so maybe I'm just not yet seeing what you have in mind?

ranges.unavailable

My view of this metric is if it fires, there's almost certainly a problem, so we should alert; OTOH, it catches a very small slice of outages as per your point that it only "counts replicas for which it believes a quorum of nodes is offline".

ranges it hasn't probed recently

This is an interesting point! I wonder how fast we can detect outages given this point. One thing worth keeping in mind is the CC pager SLA, which is 50m to keyboard today (I expect ~30m within a year or so.) Also, I think we can accept detecting large outages (many ranges) faster than small outages (single range), even though in the context of a highly reliable SQL DB either is quite bad.

I can imagine that the cluster setting that controls the probe rate tracks the time it takes to probe all ranges, rather than a probes per second per node rate or anything similar. Then prober works backwards from number of probes and number of nodes to determine a probe rate! We'll need to experiment to balance coverage goals & resource usage but we shouldn't be afraid to spend resources on alerting IMHO, especially in a cloud env.

I can also imagine a smarter prober that when it hits an error probing some range keeps probing that range for some period in a separate goroutine. Something like that! Sounds fun.

[bdarnell]

For CRDB alerting specifically, right now I lean towards a mix of blackbox & whitebox probing.

Cause-based is not my cup of tea as there are so many (infinite) possible causes of outages, making it very very hard to get good coverage this way

I wonder what @andreimatei thinks about ^^! Also @bdarnell.

I agree.

I can't tell yet what I think about this; I want to better understand the meaning of requests.slow.*.

requests.slow* is a gauge of pending requests that have been waiting for a very long time (looks like a minute by default; lowering that probably makes sense), so it's effectively tracking things that are hung more or less indefinitely. I think it makes sense to have a counter of requests that are entering the "slow" state, but it's nice to keep the gauge too so we can tell whether there are still hung requests or if they've resolved.

My view of this metric is if it fires, there's almost certainly a problem, so we should alert; OTOH, it catches a very small slice of outages as per your point that it only "counts replicas for which it believes a quorum of nodes is offline".

I'd ignore ranges.unavailable, I think. It was created so we'd have a definition of unavailable ranges so we'd be able to display "0 unavailable ranges" on the web console. We expected it to rarely if ever be non-zero (it happens more often in practice than we expected), and it doesn't have very good diagnostic value.

ranges.underreplicated, on the other hand, is a useful one to alert on since it catches cases of reduced reliability that may not show up in other metrics.

I can imagine that the cluster setting that controls the probe rate tracks the time it takes to probe all ranges, rather than a probes per second per node rate or anything similar. Then prober works backwards from number of probes and number of nodes to determine a probe rate!

The range scanner and consistency checker configuration works this way (there's a max and min rate but the primary knob is "target time to scan all ranges"). Perhaps this should use the range scanner? OTOH, for this kind of monitoring I think a constant rate may make more sense. You have to be able to detect problems promptly even in a small cluster; you don't want the probes to slow down to a pace that is sustainable for a larger one.

[joshimhoff]

Thanks, Ben!
Linking the KV prober specific master issue from here: #61074

[erikgrinaker]

Related to #33007.