kvserver: limit MVCC scan in Raft Entries retrieval

[erikgrinaker]

In a recent customer escalation, we saw a newly elected Raft leader spend so long to send 100 log entries to catch up a follower that it missed its heartbeat. The log entries were found to be about 132 kb each, and we limit these messages to be a maximum of 32 kb (but at least 1 entry), so responses were being sent with a single entry each. It seemed to be taking 60 ms to retrieve a single entry, totalling 6s for 100 log entries. The log was also huge, at ~900,000 entries, with the current commit index at 1500.

Digging into the Raft code, we find that raft.maybeSendAppend() calls int raftLog.entries() to fetch entries to send to the follower. Notice how it limits this solely by maxsize (32 kb), otherwise using the entire Raft log (lastIndex()+1) as an upper bound:

https://github.com/cockroachdb/vendored/blob/310ea3cd09b55055b290f0a4cf9991a91725797e/go.etcd.io/etcd/raft/v3/log.go#L287-L292

This in turn gets passed into Storage.Entries():

https://github.com/cockroachdb/vendored/blob/310ea3cd09b55055b290f0a4cf9991a91725797e/go.etcd.io/etcd/raft/v3/log.go#L350

Our implementation of Entries(), however, does not pass the max size bound to the MVCC iterator, only the key bounds, instead relying on the passed scan function to error when the size limit is exceeded:

cockroach/pkg/kv/kvserver/replica_raftstorage.go

Lines 236 to 243 in 6b9168d

	_, err := storage.MVCCIterate(
	ctx, reader,
	keys.RaftLogKey(rangeID, lo),
	keys.RaftLogKey(rangeID, hi),
	hlc.Timestamp{},
	storage.MVCCScanOptions{},
	scanFunc,
	)

The problem is that MVCCIterate will actually fetch 1000 entries before calling scanFunc:

cockroach/pkg/storage/mvcc.go

Lines 2662 to 2666 in 8f5231d

	const maxKeysPerScan = 1000
	opts := opts
	opts.MaxKeys = maxKeysPerScan
	res, err := mvccScanToKvs(
	ctx, iter, key, endKey, timestamp, opts)

cockroach/pkg/storage/mvcc.go

Lines 2679 to 2686 in 8f5231d

	for i := range res.KVs {
	if err := f(res.KVs[i]); err != nil {
	if iterutil.Done(err) {
	return intents, nil
	}
	return nil, err
	}
	}

Since we're using the entire Raft log as an upper bound, not passing in a MVCCScanOptions.MaxSize for the iterator, and only doing size limiting in the passed scanFunc, this means that every time we fetch a single log entry we're actually fetching and decoding 1000 entries, each 132 kb large.

The simplest fix here is probably to just pass in the max size from Raft in MVCCScanOptions.

/cc @cockroachdb/kv

[aayushshah15]

this means that every time we fetch a single log entry we're actually fetching and decoding 1000 entries

Very cool find! For my understanding, what led you towards this^? Did it show up in a CPU profile?

[nvb]

Here's a look at the CPU profiles we were looking at:

And here's a bundle of them from each node:

8sdprof.zip

The simplest fix here is probably to just pass in the max size from Raft in MVCCScanOptions.

We looked into this briefly, but it wasn't quite as trivial as it sounds. As we saw in 9d46451, we need to be precise about the sizes of these entries. MVCCScanOptions.TargetBytes doesn't mean quite the same thing as the maxBytes passed to entries. We'll either need to reconcile this difference, or maybe just use a raw iterator instead of MVCCIterate.

There are a pair of other issues coming that will expand on why this resulted in leadership instability.

[nvb]

There are a pair of other issues coming that will expand on why this resulted in leadership instability.

Here's the other issue that exacerbated this: #66686.

We were also thinking that a third issue could be to merge continuous MsgAppResps on a leader in Store.processRequestQueue because the leader only cares about the last one. I was hoping that this would help avoid the kind of quadratic behavior we saw here (on top of the rest of this fix). However, I think this would have just shifted the quadratic behavior to this loop. So it's likely not worth the extra complexity in CRDB code.

[nvb]

For my understanding, what led you towards this^? Did it show up in a CPU profile?

It was a combination of log spy and CPU profiles. In log spy, we saw sequences like the following on a node that could not become the leader:

I210621 18:43:42.916725 2590 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:43.116803 2602 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:43.316831 2610 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:43.516833 2567 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:43.716769 2537 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:43.916819 2545 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:44.116952 2587 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:44.316735 2563 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:44.516655 2545 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:44.716692 2575 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:44.916762 2588 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:45.116969 2541 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:45.316989 2599 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:45.516933 2563 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:45.716882 2542 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:45.916917 2536 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:46.116609 2582 kv/kvserver/replica_raft_quiesce.go:256 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] not quiescing: replication quota outstanding
I210621 18:43:46.116719 2582 vendor/go.etcd.io/etcd/raft/v3/raft.go:767 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] 3 is starting a new election at term 17249
I210621 18:43:46.116757 2582 vendor/go.etcd.io/etcd/raft/v3/raft.go:709 ⋮ [n8,s8,r4408/3:‹/Table/25{6/1/6679…-7}›] 3 became pre-candidate at term 17249

So a follower was waiting for heartbeats, getting impatient, then calling an election that the other follower would eventually win. This caused the leadership ping-ponging.

We then looked at logspy on the leader and saw 10s gaps between not quiescing: not leaseholder lines, which indicate Raft ticks. We tracked this to 9+ seconds spent receiving new Raft messages in Store.processRequestQueue:

I210621 18:56:48.254602 2609 kv/kvserver/store_raft.go:229 ⋮ [n5,s5,r4408/1:‹/Table/25{6/1/6679…-7}›] incoming raft message:
‹3->1 MsgAppResp Term:17267 Log:0/2080›
...
I210621 18:56:56.971938 2609 kv/kvserver/store_raft.go:229 ⋮ [n5,s5,r4408/1:‹/Table/25{6/1/6679…-7}›] incoming raft message:
‹3->1 MsgAppResp Term:17267 Log:0/2178›
I210621 18:56:57.042814 2609 kv/kvserver/store_raft.go:229 ⋮ [n5,s5,r4408/1:‹/Table/25{6/1/6679…-7}›] incoming raft message:
‹3->1 MsgAppResp Term:17267 Log:0/2179›
I210621 18:56:57.123789 2609 kv/kvserver/replica_raft_quiesce.go:296 ⋮ [n5,s5,r4408/1:‹/Table/25{6/1/6679…-7}›] not quiescing: not leaseholder

Each of these calls to processRaftRequestWithReplica was taking about 60-70ms.

This led to CPU profiles, which eventually led us to the problem.