[RFC] Scalability improvement for large amount of indexes

[middelink]

This is a request for comment to improve the startup time of most CLI commands.

Background

Currently restic interleaves tree information with their data blobs in packs. File operations do a treewalk to get to the next level of directories. Access to those blobs (any blobs for that matter) is sped up by using an index which maps blob hashes to pack file/offsets. Each backup creates a new indexes which are kept around until either one of rebuild_indexes or prune cli commands is used.

Issue

At the end of each backup, a new index is created which contains the set of all previous indexes plus the new blobs written for this backup. This new index has a field, telling which other indexes it supersedes. Mainly this is done so that if 2 backups run at the roughly same time, each can write it's own index without interfering with the other backup. As a consequence one ends up with a large amount of superseded indexes, which, during startup of a cli cmd, ALL need to be read and determined for applicability.

Idea

Somewhere after reading of the available indexes, we remove indexes who are marked superseded. This removal should be non-fatal as 2 backups started at the same time, after reading all the indexes, might start removing the same indexes. Also, when reading all indexes and then failing to open them (aka, a race condition with another ReadIndexes() instance who deleted it), should be ignored, as long as in the end ReadIndexes() finds at least one non superseded index to work with.
This would not need an update of the locking strategy, a backup already has a non exclusive lock and since we are sure that the superseded indexes do not play a role in the resulting index , we do not need to upgrade our backup lock, even though it is a mutating operation.

Rationale

These superseded indexes are no longer needed as their mapping are by definition already contained any one the indexes marked as superseding them. (Note I'm only arguing to remove indexes where their superseding index is already committed to disk).

Some senseless ascii art.

A -> B(A) -> D(B,C) -> F(D,C)         -> H(F,G)
  -> C(A) ->       E(B,C)* -> G(D,E)  -|
Note that backup E took a long time, overlapping with the start of backup F. When E finishes, F has not finished so G does not see F's index.

[fd0]

You got a tiny detail wrong: At the end of a backup, restic writes a new index containing all new blobs added for that backup run, with an empty supersedes field. So we can neither just remove the previous indexes, nor the new index, the intersection of the blobs/pack files in the indexes is empty. In addition, no destructive modification of the repository should be done without an exclusive lock in place, at least that's what restic does at the moment. The backup operation doesn't need an exclusive lock because it just adds new data, never deletes or modifies old data.

The supersedes field is only set when a new index is built by rebuild-index or prune.

Thoughts?

[fd0]

FYI: In #842 I'm working on refactoring the Repository object. I've added some kind of Session data structure which tracks new data added, and I'm thinking about saving tree objects in separate pack files (so e.g. caching becomes easier).

[middelink]

Ah. right. I see now.

Ok, then I do not get it. When I run rebuild-index or prune, rebuildIndex() builds a new, combined index and removes ALL indexes mentioned in the supersedes field. Based on what you said, there is no need to persist that field at all, right? It will by definition point to removed indexes. (And since both rebuild-index or prune are running with an exclusive lock, I don't expect race conditions with other backups which want to store new indexes.)

However, I'm not sure that invalidates my idea, right? The LoadIndex() used in cmd_backup() and others can be made a little smarter and build a "supersedes" on the fly (as it knows which indexes it loads) which idx.Save() can later on persist.

[middelink]

Re #842, Ah, you stole my thunder, I was about to write a RFC for putting the treedata into the snapshot object as they have the same lifecycle and having a single (albeit slightly large json file) is way better than having to seek through the repository a million times :)

PS. #842 is becoming very hard to read, it looks like a refactor to me, not seeing that Session object just now.

[fd0]

Ok, then I do not get it. When I run rebuild-index or prune, rebuildIndex() builds a new, combined index and removes ALL indexes mentioned in the supersedes field.

Correct.

Based on what you said, there is no need to persist that field at all, right? It will by definition point to removed indexes. (And since both rebuild-index or prune are running with an exclusive lock, I don't expect race conditions with other backups which want to store new indexes.)

Also correct. My idea was that restic keeps a list of old index IDs around so that it can detect when an old index is present in the repo. Otherwise attackers with access to the backend could keep index files around, wait for content (and index files) being removed and afterwards and move the index files back to the backend. The next time restic runs a backup it will think that old (=removed) content is still present in the repo because the index file says so. I'm not sure how relevant this is any more.

Re #842, Ah, you stole my thunder, I was about to write a RFC for putting the treedata into the snapshot object as they have the same lifecycle and having a single (albeit slightly large json file) is way better than having to seek through the repository a million times :)

That's a neat idea, but I don't think that this scales. Decoding large JSON objects in Go is very memory-intensive, that'll also become a problem for the index files soon.

PS. #842 is becoming very hard to read, it looks like a refactor to me, not seeing that Session object just now.

I know, I'm sorry. I still haven't figured out the right size for a PR yet. The object is not yet called Session but ContentManager: a68613f

[middelink]

That's a neat idea, but I don't think that this scales. Decoding large JSON objects in Go is very memory-intensive, that'll also become a problem for the index files soon.

/me grins and points to #838, (I actually implemented this and it seems that even gobing the same structure results in a big speed improvement. None the less, let me address your concern more realistically.)

I don't think a single - one time - json decode even comes close to the memory fragmentation resulting from loading say 30k blobs and 30k smaller json decodes just to list or find a file in a snapshot. Not to mention speed. Loading a single full filesystem tree decodes in ~5s on my machine, a restic find takes about 3m.

Re #842

So, now I'm curious as to how the content manager helps here. I see it maintains a set of pack files, which it uploads when full or finishes. But it still looks there will be an index file per backup. Which means if the user does not run restic rebuild-index often enough, the cli will bog down again.
I probably missed something in the code though which makes it all better. :(

[fd0]

Ah, I thought I already added the code which uses separate pack files for tree objects, but it seems I haven't done that yet. I apologize :)

[aawsome]

There are two problems about many index files:

• all files need to be loaded which may take some time for high-latency backends
• index operations even slow down once the index is loaded, as they are ATM stored in memory like saved in the repository.

The first point is by design and yes, this can be only curated by regularly running rebuild-index or prune (I would suggest prune after #2718 is merged).

The second point is addressed by #2818.