Filesystem buffering filter extension

[ravenblackx]

The idea of this extension is to add more flow control filters to support buffering to disk.

The filesystem access will be asynchronous (using a small thread pool) so as not to block the envoy worker.

This would be a filter you could place before a buffer_filter, which waits for its predecessor to have buffered an entire request then potentially injects content_length into the headers.

To avoid degrading performance, the proposed storage_buffer_filter should not place anything into storage until a configured memory cache limit is reached (i.e. it should act as a simple pass-through filter if it is not needed for a given stream).

An additional concern is if the disk writing is blocked (e.g. by other IO) for an extended period, the behavior could degrade into an unintentional all-memory cache. As such an additional configurable value might be required for when to consider that the buffer itself requires sending a HighWatermark alert.

Suggested configuration options for this filter:

• memory_buffer_bytes_limit
• storage_buffer_bytes_limit
• storage_buffer_queue_high_watermark_bytes (defaulting to == memory_buffer_bytes_limit, signifying how far over memory_buffer_bytes_limit can be queued in memory for writing to disk)

It should be possible for memory and storage buffers in the same filter to be interleaved, to account for a sequence such as:

1. configuration is 4 units of memory, 64 units of storage
2. source provides 8 units. 4 units are cached in memory, 4 units are cached to storage
3. recipient accepts 2 units. Now 2 units are cached in memory, 4 are cached in storage.
4. source provides 4 more units. 2 can be cached in the freed up memory, 2 in storage.
5. Now the desired output order is the first 2 from memory, 4 from storage, the other 2 from memory, the other 2 from storage.

Without allowing interleaving, the additional 2 units that only went in memory would have had to pass through storage unnecessarily.

Further, ideally it would be possible to abort queued file system writes, to account for

1. configuration is 4 units of memory, 64 units of storage, 4 units of storage-queue
2. source provides 8 units. 4 units are cached in memory, 4 are queued to storage (but not yet written)
3. recipient accepts 4 units from memory. If we can't abort the queued writes we're now blocked until someone else's IO completes, then we write, then we read back (also extending the block on anyone else's IO-bound buffers).

That last element might not want to be in a first pass implementation, but I'll be bearing it in mind while implementing the async file manager.

This initial issue is functioning mostly as an announcement that I am starting work on this. A more complete design for comment will follow once I have an initial prototype working. (But early comments are welcome too!)

[rojkov]

/cc @alyssawilk @danzh2010

[alyssawilk]

Just to understand the use case here, the deal is we want to handle requests lager than we're willing to hold in memory, and buffering to disk is preferable to using the existing network backup logic? That's a unique case to my experience so I'd be interested in hearing more. Generally when we're dealing with large responses we'd just use network backup but this feels like something we could maybe use chunked cache storage for? cc @toddmgreer @penguingao

[KBaichoo]

This seems pretty cool.

Could this be described as a filter that’s essentially “swap space” for the dataplane that does a few tricks to avoid thrashing such as interleaving ordering of bytes between memory and storage, cancellable writes incase we get new capacity before we’ve flushed the data to disk?

What’s the plan for failure scenarios for late term failed streams? E.g. if a stream gets reset by downstream, etc.

[ravenblackx]

I think there's at least two use-cases - one is wanting to handle requests/responses bigger than we're willing to hold in memory, that we want to pass through buffer_filter (i.e. to measure and inject content_length). The other use case is if we have a data supply that's much faster than the data consumer, too large to buffer in memory at the proxy, we might want to allow that data supply to fully offload its stream rather than being forced to operate at the speed of the client. It could also potentially alleviate server-side timeouts for slow clients.

Yes, it's essentially acting like swap space with more control. I hadn't really thought about abandoned streams yet, but it seems similar to downstream instantly consuming all buffered data. Ideally we would also abort any now-unnecessary reads/writes.

[ravenblackx]

From discussion with Alyssa yesterday and Matt on Friday, there's a speedbump in here; in my mind state signals would travel through filters to the things they control, but it turns out many of the signals are more "connection global" than that, e.g. a high watermark event goes to every filter and source effectively simultaneously, where for this buffering filter to make sense it would need to be able to consume a high watermark event (and stop streaming to the recipient) while also not having it passed on to the sender, because if the sender stops sending then the buffer stops buffering, or if the buffer doesn't get a signal to stop sending then it just empties into the memory buffer 'below' and never offloads the buffer contents.

The proposed solution is to add a boolean "continue" return value to onAboveWriteBufferHighWatermark and onBelowWriteBufferLowWatermark, order the callback calls from the filter nearest the output to the filter nearest the input, and stop calling the series of callbacks when one returns false. The buffer limit, since it's also connection-global, would need to be ignored by the buffering filter, since if the buffering filter sets that value to its own buffer size then the recipient would never send "high watermark" and everything would just end up in the memory buffer.

This option may also make it necessary to add an "inject" version of sending high watermark events, so that the buffer filter can send one upstream of itself in the event that the storage buffer itself gets backed up. (Or it could potentially just send one the regular way and not intercept its own one.)

This all seems a little bit risky in terms of potential interactions with other filters in the same chain. Alyssa's suggestion was to just put prominent warnings around the filter (and the new bool return value) that it's an exception to the common filter shared-buffer flow control behavior and should not be combined with any other filters that are also making this exception.

[ravenblackx]

Another issue making the current iteration of this filter less capable than it ought to be is that onAboveWriteBufferHighWatermark and onBelowWriteBufferLowWatermark events are only delivered on the response stream, not on the request stream, so the filter is unable to stream-buffer large requests if the server can't keep up (there is no way for the filter to detect if upstream is congested - it just constantly flushes into a maybe-oversized memory buffer.)

Or put another way, there is DownstreamWatermarkCallbacks::onBelowWriteBufferLowWatermark() and DownstreamWatermarkCallbacks::onAboveWriteBufferHighWatermark() that are used to detect that write-to-downstream is congested, but there is no equivalent UpstreamWatermarkCallbacks or addUpstreamWatermarkCallbacks.

Alyssa says there would be no philosophical objection to adding these.