Thank you for mentioning the use case. I will try to summarize what you mentioned above in my own words to ensure that I have understood this correctly. There are practical use cases where the user application has a dependency on Kafka producer and requires very quick cold starts. In such cases, CRaC could be used to restore the user application. However, since Kafka clients do not support CRaC, they become a bottleneck for snapshotting the user application. With this change, we will provide the ability for user applications to snapshot including a clean restore of the kafka clients.
Now, having understood the motivation, I have the following comments: #1 I think we need to make it very clear that a snapshot of a kafka producer will mean: - Losing all records which are waiting to be sent to the broker (stored in RecordAccumulator). Perhaps, we need to print logs (warn level) and emit metrics on suspend wrt how many requests were waiting to be sent. #2 We need to document all customer facing changes in the KIP. As an example, the metrics that will be added, changes to any interface that is public facing (I don't think any public interface change is required) and changes to customer facing behaviour (we need to add documentation around this). #3 We need to document what happens to existing uncommitted transactions. I think the answer would probably be that the behaviour will be similar to a client closing an existing connection but if we don't close things properly (such as in transactionManager), there may be lingering effects. Question: #4 Does this JDK feature retain the state of the local data structures such as a Map/List? If yes, do we want to add validation of recovered data as part of the startup process? #5 How do we plan to test the correctness of the recovery/restore? Overall, I think that simply restoring the Sender might not work. We will probably need to devise a clean "suspend" mechanism for the entire producer including components such as TransactionManager, Partitioner, Record Accumulator etc. Additionally, Justine (github: jolshan) is our expert on producer side things, perhaps, they have a better idea to create a clean producer suspension. -- Divij Vaidya On Thu, May 25, 2023 at 11:15 AM Radim Vansa <rva...@azul.com.invalid> wrote: > Hi Divij, > > I have prototyped this using Quarkus Superheroes [1], a demo application > consisting of several microservices that communicate with each other > using both HTTP and Kafka. I wanted to add the ability to transparently > checkpoint and restore this application - while the regular startup > takes seconds, the restore could bring this application online in the > order of tens of milliseconds. > > I agree that the change will not help Kafka itself to get any faster; it > will enable CRaC for the whole application that, amongst other > technologies, uses Kafka. You're saying that the clients are not > supposed to be re-created quickly, I hope that a use case where the app > is scaled down if it's idle e.g. 60 seconds and then needs to be started > on a request (to serve it ASAP) would make sense to you. It's really not > about Kafka per-se - it's about the needs of those who consume it. Of > course, I'll be glad for any comments pointing out difficulties e.g. if > the producer is replicated. > > An alternative, and less transparent approach, would handle this in the > integration layer. However from my experience this can be problematic if > the integration layer provides Kafka API directly, losing control over > the instance - it's not possible to simply shutdown the client and > reopen the instance, and some sort of proxy would be needed that > prevents access to this closed instance. And besides complexity, proxy > means degraded performance. > > Another motivation to push changes as far down the dependency tree is > the fan-out of these changes: we don't want to target Quarkus > specifically, but other frameworks (Spring Boot, ...) and stand-alone > applications as well. By keeping it low level we can concentrate the > maintenance efforts to once place. > > Thank you for spending time reviewing the proposal and let me know if I > can clarify this further. > > Radim > > > [1] https://quarkus.io/quarkus-workshops/super-heroes/ > > On 24. 05. 23 17:13, Divij Vaidya wrote: > > Caution: This email originated from outside of the organization. Do not > click links or open attachments unless you recognize the sender and know > the content is safe. > > > > > > Hey Radim > > > > After reading the KIP, I am still not sure about the motivation for this > > change. The bottleneck in starting a producer on Kafka is setup of the > > network connection with the broker (since it performs SSL + AuthN). From > > what I understand, checkpoint and restore is not going to help with that. > > Also, Kafka clients are supposed to be long running clients which aren't > > supposed to be destroyed and re-created quickly in a short span. I fail > to > > understand the benefit of using CRaC for the producer. Perhaps I am > missing > > something very obvious here, but please help me understand more. > > > > I was wondering if you are aware of any Kafka user use cases which could > be > > positively impacted by this change? Adding these use cases to the > > motivation will greatly help in convincing the community about the impact > > of this change. > > > > A use case that I can think of is to aid debugging of a faulty cluster. > If > > we get the ability to snapshot a broker when it is mis-behaving, then we > > could re-use the snapshot to re-create the exact production setup in a > > local environment where we can test things. But that would be a larger > > change since capturing the state of a broker is much more than in-memory > > Java objects. Perhaps, you can try approaching the usefulness of this new > > technology from this lens? > > > > -- > > Divij Vaidya > > > > > > > > On Thu, May 11, 2023 at 2:33 PM Radim Vansa <rva...@azul.com.invalid> > wrote: > > > >> Thank you, Divij. I'll give it more time and remind the list in that > >> timeframe, then. > >> > >> Radim > >> > >> On 11. 05. 23 13:47, Divij Vaidya wrote: > >>> Caution: This email originated from outside of the organization. Do not > >> click links or open attachments unless you recognize the sender and know > >> the content is safe. > >>> > >>> Hey Radim > >>> > >>> One of the reasons for the slowdown is preparation of upcoming releases > >>> (the community is currently in code freeze/resolve release blockers > mode) > >>> and preparation for Kafka Summit next week. I would suggest giving > >> another > >>> 2-3 weeks for folks to chime in. I would personally visit this KIP in > the > >>> last week of May. > >>> > >>> -- > >>> Divij Vaidya > >>> > >>> > >>> > >>> On Thu, May 11, 2023 at 1:34 PM Radim Vansa <rva...@azul.com.invalid> > >> wrote: > >>>> Hello all, > >>>> > >>>> it seems that this KIP did not sparkle much interest, not sure if > people > >>>> just don't care or whether there are any objections against the > >>>> proposal. What should be the next step, I don't think it has been > >>>> discussed enough to proceed with voting. > >>>> > >>>> Cheers, > >>>> > >>>> Radim > >>>> > >>>> On 27. 04. 23 8:39, Radim Vansa wrote: > >>>>> Caution: This email originated from outside of the organization. Do > >>>>> not click links or open attachments unless you recognize the sender > >>>>> and know the content is safe. > >>>>> > >>>>> > >>>>> Thank you for those questions, as I've mentioned, my knowledge of > Kafka > >>>>> is quite limited so these are the things that need careful thinking! > >>>>> Comments inline. > >>>>> > >>>>> On 26. 04. 23 16:28, Mickael Maison wrote: > >>>>>> Hi Radim, > >>>>>> > >>>>>> Thanks for the KIP! CRaC is an interesting project and it could be a > >>>>>> useful feature in Kafka clients. > >>>>>> > >>>>>> The KIP is pretty vague in terms of the expected behavior of clients > >>>>>> when checkpointing and restoring. For example: > >>>>>> > >>>>>> 1. A consumer may have pre-fetched records in memory. When it is > >>>>>> checkpointed, its group will rebalance and another consumer will > >>>>>> consume the same records. When the initial consumer is restored, > will > >>>>>> it process its pre-fetched records and basically reprocess record > >>>>>> already handled by other consumers? > >>>>> How would the broker (?) know what records were really consumed? I > >> think > >>>>> that there must be some form of Two Generals Problem. > >>>>> > >>>>> The checkpoint should keep as much of the application untouched as it > >>>>> could. Here, I would expect that the prefetched records would be > >>>>> consumed after the restore operation as if nothing happened. I can > >>>>> imagine this could cause some trouble if the data is dependent on the > >>>>> 'external' world, e.g. other members of the cluster. But I wouldn't > >>>>> break the general guarantees Kafka provides if we can avoid it. We > >>>>> certainly have an option to do the checkpoint more gracefully, > >>>>> deregistering with the group (the checkpoint is effectively blocked > by > >>>>> the notification handler). > >>>>> > >>>>> If we're talking about using CRaC for boot speedup this is not that > >>>>> important - when the app is about to be checkpointed it will likely > >> stop > >>>>> processing data anyway. For other use-cases (e.g. live migration) it > >>>>> might matter. > >>>>> > >>>>> > >>>>>> 2. Producers may have records in-flight or in the producer buffer > when > >>>>>> they are checkpointed. How do you propose to handle these cases? > >>>>> If there's something in flight we can wait for the acks. > Alternatively > >>>>> if the receiver guards against double receive using unique > ids/sequence > >>>>> numbers we could resend that after restore. As for the data in the > >>>>> buffer, IMO that can wait until restore. > >>>>> > >>>>> > >>>>>> 3. Clients may have loaded plugins such as serializers. These > plugins > >>>>>> may establish network connections too. How are these expected to > >>>>>> automatically reconnect when the application is restored? > >>>>> If there's an independent pool of connections, it's up to the plugin > >>>>> author to support CRaC, I doubt there's anything that the generic > code > >>>>> could do. Also it's likely that the plugins won't need any extension > to > >>>>> the SPI; these would register its handlers independently (if ordering > >>>>> matters there are ways to prioritize one resource over another). > >>>>> > >>>>> Cheers! > >>>>> > >>>>> Radim Vansa > >>>>> > >>>>> > >>>>>> Thanks, > >>>>>> Mickael > >>>>>> > >>>>>> > >>>>>> On Wed, Apr 26, 2023 at 8:27 AM Radim Vansa <rva...@azul.com.invalid > > > >>>>>> wrote: > >>>>>>> Hi all, > >>>>>>> > >>>>>>> I haven't seen much reactions on this proposal. Is there any > general > >>>>>>> policy regarding dependencies, or a prior decision that would hint > >>>>>>> on this? > >>>>>>> > >>>>>>> Thanks! > >>>>>>> > >>>>>>> Radim > >>>>>>> > >>>>>>> > >>>>>>> On 21. 04. 23 10:10, Radim Vansa wrote: > >>>>>>>> Caution: This email originated from outside of the organization. > Do > >>>>>>>> not click links or open attachments unless you recognize the > sender > >>>>>>>> and know the content is safe. > >>>>>>>> > >>>>>>>> > >>>>>>>> Thank you, > >>>>>>>> > >>>>>>>> now to be tracked as KIP-921: > >>>>>>>> > >> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-921%3A+OpenJDK+CRaC+support > >>>>>>>> > >>>>>>>> Radim > >>>>>>>> > >>>>>>>> On 20. 04. 23 15:26, Josep Prat wrote: > >>>>>>>>> Hi Radim, > >>>>>>>>> You should have now permissions to create a KIP. > >>>>>>>>> > >>>>>>>>> Best, > >>>>>>>>> > >>>>>>>>> On Thu, Apr 20, 2023 at 2:22 PM Radim Vansa > >> <rva...@azul.com.invalid > >>>>>>>>> wrote: > >>>>>>>>> > >>>>>>>>>> Hello, > >>>>>>>>>> > >>>>>>>>>> upon filing a PR [1] with some initial support for OpenJDK CRaC > >>>>>>>>>> [2][3] I > >>>>>>>>>> was directed here to raise a KIP (I don't have the permissions > in > >>>>>>>>>> wiki/JIRA to create the KIP page yet, though). > >>>>>>>>>> > >>>>>>>>>> In a nutshell, CRaC intends to provide a way to checkpoint > >>>>>>>>>> (snapshot) > >>>>>>>>>> and persist a running Java application and later restore it, > >>>>>>>>>> possibly on > >>>>>>>>>> a different computer. This can be used to significantly speed up > >> the > >>>>>>>>>> boot process (from seconds or minutes to tens of milliseconds), > >> live > >>>>>>>>>> replication or migration of the heated up application. This is > not > >>>>>>>>>> entirely transparent to the application; the application can > >>>>>>>>>> register > >>>>>>>>>> for notification when this is happening, and sometime has to > >> assist > >>>>>>>>>> with > >>>>>>>>>> that to prevent unexpected state after restore - e.g. close > >> network > >>>>>>>>>> connections and files. > >>>>>>>>>> > >>>>>>>>>> CRaC is not integrated yet into the mainline JDK; JEP is being > >>>>>>>>>> prepared, > >>>>>>>>>> and users are welcome to try out our builds. However even when > >> this > >>>>>>>>>> gets > >>>>>>>>>> into JDK we can't expect users jump onto the latest release > >>>>>>>>>> immediately; > >>>>>>>>>> therefore we provide a facade package org.crac [4] that > delegates > >> to > >>>>>>>>>> the > >>>>>>>>>> implementation, if it is present in the running JDK, or > provides a > >>>>>>>>>> no-op > >>>>>>>>>> implementation. > >>>>>>>>>> > >>>>>>>>>> With or without the implementation, the support for CRaC in the > >>>>>>>>>> application should be designed to have a minimal impact on > >>>>>>>>>> performance > >>>>>>>>>> (few extra objects, some volatile reads...). On the other hand > the > >>>>>>>>>> checkpoint operation itself can be non-trivial in this matter. > >>>>>>>>>> Therefore > >>>>>>>>>> the main consideration should be about the maintenance costs - > >>>>>>>>>> keeping a > >>>>>>>>>> small JAR in dependencies and some extra code in networking and > >>>>>>>>>> persistence. > >>>>>>>>>> > >>>>>>>>>> The support for CRaC does not have to be all-in for all > >> components - > >>>>>>>>>> maybe it does not make sense to snapshot a Broker. My PR was for > >>>>>>>>>> Kafka > >>>>>>>>>> Clients because the open network connections need to be handled > >> in a > >>>>>>>>>> web > >>>>>>>>>> application (in my case I am enabling CRaC in Quarkus Superheros > >> [5] > >>>>>>>>>> demo). The PR does not handle all possible client-side uses; as > I > >> am > >>>>>>>>>> not > >>>>>>>>>> familiar with Kafka I follow the whack-a-mole strategy. > >>>>>>>>>> > >>>>>>>>>> It is possible that the C/R could be handled in a different > >>>>>>>>>> layer, e.g. > >>>>>>>>>> in Quarkus integration code. However our intent is to push the > >>>>>>>>>> changes > >>>>>>>>>> as low in the technology stack as possible, to provide the best > >>>>>>>>>> fanout > >>>>>>>>>> to users without duplicating maintenance efforts. Also having > the > >>>>>>>>>> support higher up can be fragile and break encapsulation. > >>>>>>>>>> > >>>>>>>>>> Thank you for your consideration, I hope that you'll appreciate > >> our > >>>>>>>>>> attempt to innovate the Java ecosystem. > >>>>>>>>>> > >>>>>>>>>> Radim Vansa > >>>>>>>>>> > >>>>>>>>>> PS: I'd appreciate if someone could give me the permissions on > >>>>>>>>>> wiki to > >>>>>>>>>> create a proper KIP! Username: rvansa (both Confluence and > JIRA). > >>>>>>>>>> > >>>>>>>>>> [1] https://github.com/apache/kafka/pull/13619 > >>>>>>>>>> > >>>>>>>>>> [2] https://wiki.openjdk.org/display/crac > >>>>>>>>>> > >>>>>>>>>> [3] https://github.com/openjdk/crac > >>>>>>>>>> > >>>>>>>>>> [4] https://github.com/CRaC/org.crac > >>>>>>>>>> > >>>>>>>>>> [5] https://quarkus.io/quarkus-workshops/super-heroes/ > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>> -- > >>>>>>>>> [image: Aiven] <https://www.aiven.io> > >>>>>>>>> > >>>>>>>>> *Josep Prat* > >>>>>>>>> Open Source Engineering Director, *Aiven* > >>>>>>>>> josep.p...@aiven.io | +491715557497 > >>>>>>>>> aiven.io <https://www.aiven.io> | > >>>>>>>>> <https://www.facebook.com/aivencloud> > >>>>>>>>> <https://www.linkedin.com/company/aiven/> > >>>>>>>>> <https://twitter.com/aiven_io> > >>>>>>>>> *Aiven Deutschland GmbH* > >>>>>>>>> Alexanderufer 3-7, 10117 Berlin > >>>>>>>>> Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen > >>>>>>>>> Amtsgericht Charlottenburg, HRB 209739 B > >>>>>>>>> >
