KAFKA-18058: Share group state record pruning impl.

[smjn]

What

• In this PR, we've added a class ShareCoordinatorOffsetsManager, which tracks the last redundant offset for each share group state topic partition. We have also added a periodic timer job in ShareCoordinatorService which queries for the redundant offset at regular intervals and if a valid value is found, issues the deleteRecords call to the ReplicaManager via the PartitionWriter. In this way the size of the partitions is kept manageable.
• Introduced new config share.coordinator.state.topic.prune.interval.ms (default 5 mins).

Why

• Currently, the SharePartition invokes the DefaultStatePersister to write data into the internal share group topic __share_group_state. This topic is not eligible for compaction.
• If the kafka cluster is run for a long period of time, the topic partitions in __share_group_state will be populated with gigantic amount of records.
• In the above scenario if a broker/cluster restarts, all the records will need to be replayed on the leader ShareCoordinatorShard resulting in extensive latency during startup.
• One observation is that the records follow a periodic snapshot approach. A snapshot record gets created and then a few incremental updates and after a threshold number, a snapshot again for each share partition key.
• This implies that older records become redundant after a while since they've been superseded by new snapshots. This provides us an opportunity to relieve some pressure from the partitions.

Testing

• Added appropriate tests for CoordinatorPartitionWriter, ShareCoordinatorOffsetsManager, ShareCoordinatorService and ShareCoordinatorShard.
• Extensive manul testing

Sample o/p

Broker logs

[2024-11-29 15:21:38,289] INFO [UnifiedLog partition=__share_group_state-3, dir=/tmp/kraft-combined-logs] Incremented log start offset to 10 due to client delete records request (kafka.log.UnifiedLog)

Records before prune

{"key":{"version":0,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":0,"data":{"snapshotEpoch":0,"stateEpoch":0,"leaderEpoch":0,"startOffset":5,"stateBatches":[{"firstOffset":5,"lastOffset":6,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":1,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":1,"data":{"snapshotEpoch":0,"leaderEpoch":0,"startOffset":7,"stateBatches":[{"firstOffset":7,"lastOffset":8,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":1,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":1,"data":{"snapshotEpoch":0,"leaderEpoch":0,"startOffset":9,"stateBatches":[{"firstOffset":9,"lastOffset":9,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":1,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":1,"data":{"snapshotEpoch":0,"leaderEpoch":0,"startOffset":10,"stateBatches":[{"firstOffset":10,"lastOffset":11,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":0,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":0,"data":{"snapshotEpoch":1,"stateEpoch":0,"leaderEpoch":0,"startOffset":12,"stateBatches":[{"firstOffset":12,"lastOffset":14,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":1,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":1,"data":{"snapshotEpoch":1,"leaderEpoch":0,"startOffset":15,"stateBatches":[{"firstOffset":15,"lastOffset":16,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":1,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":1,"data":{"snapshotEpoch":1,"leaderEpoch":0,"startOffset":17,"stateBatches":[{"firstOffset":17,"lastOffset":19,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":0,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":0,"data":{"snapshotEpoch":2,"stateEpoch":0,"leaderEpoch":0,"startOffset":20,"stateBatches":[{"firstOffset":20,"lastOffset":21,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":1,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":1,"data":{"snapshotEpoch":2,"leaderEpoch":0,"startOffset":22,"stateBatches":[{"firstOffset":22,"lastOffset":27,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":1,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":1,"data":{"snapshotEpoch":2,"leaderEpoch":0,"startOffset":28,"stateBatches":[{"firstOffset":28,"lastOffset":28,"deliveryState":2,"deliveryCount":1}]}}}{"key":{"version":0,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":0,"data":{"snapshotEpoch":3,"stateEpoch":0,"leaderEpoch":0,"startOffset":29,"stateBatches":[{"firstOffset":29,"lastOffset":29,"deliveryState":2,"deliveryCount":1}]}}}

Records after prune

{"key":{"version":0,"data":{"groupId":"gs1","topicId":"o_eD4bB7RNauIV7oPkNRCA","partition":0}},"value":{"version":0,"data":{"snapshotEpoch":3,"stateEpoch":0,"leaderEpoch":0,"startOffset":29,"stateBatches":[{"firstOffset":29,"lastOffset":29,"deliveryState":2,"deliveryCount":1}]}}}

[dajac]

In my opinion, this is the wrong approach because it will allow users of the cluster to delete too. When I suggested it, I thought that we would add a boolean to the method, e.g. allowInternalTopics, and use it from the component doing the deletion.

[smjn]

Understood, will rectify

[AndrewJSchofield]

Thanks for the PR. I have done a partial review and left some comments.

[AndrewJSchofield]

This should be STATE_TOPIC_PRUNE_INTERVAL_MS_CONFIG I think. All three of these should have _MS_ as part of the name.

[AndrewJSchofield]

probably "unless allowInternalTopicDeletion is true" is clearer.

[AndrewJSchofield]

I suggest deleteBeforeOffset rather than deleteUntilOffset. The latter is clearly non-inclusive, while the latter is a bit more ambiguous. I think the effect we want here is that if I provide offset 10, then offsets up to and including 9 may be deleted, but not 10.

[AndrewJSchofield]

This parameter is missing from the javadoc.

[AndrewJSchofield]

Would It not be the case that each shard should set up the pruning for its owned partitions? Shouldn't the pruning stop when a shard loses leadership of a partition?

[smjn]

No - the shard (state machine) does not maintain that mapping. The information is maintained by the runtime which calls the appropriate shards, based on the context. This information is not exposed outside. We need access to https://github.com/apache/kafka/blob/trunk/coordinator-common/src/main/java/org/apache/kafka/coordinator/common/runtime/CoordinatorRuntime.java#L1877 to expose this information. Even then the shard cannot do this.

The runtime is encapsulated in the ShareCoordinatorService and only it can issue calls to the runtime. The Shard only serves to provide data related to partitions.

Using the loop approach - for a specific internal topic-partition only the correct Shard will honour the request and the others will fail silently due to NOT_COORDINATOR.

Flow is

                               ShareCoordinatorShard.callback
                                                     |
                                                     |  
                      add task      task with correct shard         
ShareCoordinatorService ---->   Runtime -----> ==================== ----> EventProcessor
                                   |                   QUEUE
                                   |
                             obtain shard from TP in task

[AndrewJSchofield]

Thanks for the explanation.

[dajac]

I wonder if we should expose a method to get the list of active state machines/shards from the runtime. This would allow you to just iterate on it instead of having to list all the possibilities.

[AndrewJSchofield]

Yes, I've been thinking about this. I'm not entirely comfortable with every broker starting a timer for every partition. I know it's harmless, but it's not exactly elegant.

[smjn]

@dajac we don't need the coordinators, but the list of topic partitions whose coordinators are ACTIVE at the point of execution of the timer job.

CoordinatorRuntime

    public List<TopicPartition> activeTopicPartitions() {
        return coordinators.entrySet().stream()
            .filter(entry -> entry.getValue().state.equals(CoordinatorState.ACTIVE))
            .map(Map.Entry::getKey)
            .toList();
    }

Caller:

activeTopicPartitions.forEach(tp -> runtime.scheudle(tp, ...)

[smjn]

@AndrewJSchofield @dajac removed the loop in favor of active tps

[dajac]

Here, I suggest to handle the known errors such as NOT_COORDINATOR, COORDINATOR_LOADING, etc. As you optimistically send the write operations to all the possible shards, you will get many "unknown" ones.

[smjn]

I will remove the logging for above errors - they will happen in every case. Since they timer job is periodic, we do not need any special handling anyway.

[dajac]

I wonder if we could just set it to true here as this class is only used by the coordinator.

[dajac]

nit: We usually have an empty line at the end.

[junrao]

@smjn : Thanks for the updated PR. Made a pass of all files. A few more comments.

[junrao]

If a topic doesn't exist, we should get an unknown topic exception.

[junrao]

becomeLeaderOrFollower is only used in ZK based controller, which won't be supported in 4.0. We need to use the cod path for KRaft based controller.

[junrao]

This test result is counter intuitive. I'd expect lastRedundantOffset for all three to be 10L since we should be able to truncate the log at offset 10.

[smjn]

Small efficiency gain here as the offsets will be applied in increasing order (partition records auto inc offset) to the updateState method. If the case is such that 10L is the smallest one - it means there are no offsets smaller than that present in the topic partition, hence returning 10L will be of no consequence and save an extra deleteRecords call.

In the algorithm we have chosen to get at least 2 offsets for any key before exposing the redundant offset.

Also since we are exposing the offset only once and then setting the boolean flag, the 2nd and 3rd line should be empty.

[junrao]

What does cold partition mean?

[smjn]

infrequently written

[junrao]

extra new line

[junrao]

Could we import MockTime?

[junrao]

This method is ok, but is very customized for the usage in the current only caller. If there is another caller, it can unexpectedly break the existing caller. A better api is probably to always expose the lastRedundantOffset and let the caller handle the case when the same value is returned.

[smjn]

@smjn : Thanks for the updated PR. Made a pass of all files. A few more comments.

@junrao Thanks again for the review, incorporated all comments.

[junrao]

@smjn : Thanks for the updated PR. A few more comments.

[junrao]

minOffset => lastRedundantOffset ?

[junrao]

deleteTillOffset => redundantOffset ?

[junrao]

This test seems redundant since ShareCoordinatorOffsetsManager.lastRedundantOffset does that already.

[junrao]

1. offsets => lastPrunedOffsets?
2. Would it be better to make that an instance val so that we don't have to pass it around?
3. Should we remove entries when onResignation is called?

[junrao]

There are lots of existing usage of rm.becomeLeaderOrFollower. It would be useful to clean them up in a followup jira.

[smjn]

perhaps

[junrao]

This call doesn't do any writes in runtime. Should we use scheduleReadOperation? Similarly, I also don't understand why readState calls runtime.scheduleWriteOperation.

[smjn]

No, the write operation used here is for the write consistency offered by the method.

The ShareCoordinatorShard.replay calls offsetsManager.updateState with various last written offset values. The replay method itself is called when other write RPCs produce records. However, it does not mean the offset set in replay has been committed.

Now, the coordinator enqueues the write operations in a queue and guarantees that when the scheduleWriteOperation completes, the records it generated have been replicated, even those which were written before it.

The framework however, gives no consistency guarantees between write and read operations. Consider, a write op writing an offset into the offset manager. We only know that this offset is written but not replicated. A subsequent read could give us back the same offset but still there is no guarantee that this offset has been replicated. It is only when the next write operation completes, do we have a guarantee that the previous offset has been committed.

This was extensively discussed with the coordinator framework owner @dajac and we arrived at this solution.

[junrao]

Since this is called from the purgatory thread, it's possible when this call occurs, the partition leader has already resigned and we need to handle that accordingly.

[smjn]

I don't foresee any consistency issues with that - at max a repeated delete call might be made which is acceptable since the frequency of these calls is very low (in minutes).
Whoever the leader, the partition offsets will not change.

[smjn]

@smjn : Thanks for the updated PR. A few more comments.

@junrao Thanks for the review, incorporated few changes. Replied to some suggestions.

[junrao]

@smjn : Thanks for the updated PR. Just one more comment.

[junrao]

We should only clear the entry for partitionIndex, right?

[smjn]

Yes, makes sense

[smjn]

@smjn : Thanks for the updated PR. Just one more comment.

@junrao Thanks for the review, incorporated change

[junrao]

@smjn : Thanks for the updated PR. LGTM. @AndrewJSchofield and @dajac, any other comments from you?

[dajac]

@junrao No. All good to me. Thanks!

[AndrewJSchofield]

@junrao Thanks for the review. I'll take another look this evening and merge once I'm happy.

[AndrewJSchofield]

A handful of final review comments. I've been running with the pruning enabled and it's happily deleting records as intended.

[AndrewJSchofield]

I suggest lastPrunedOffsets.get(tp).longValue() == off. Using the generic object equality method seems odd for just a pair of longs.

[AndrewJSchofield]

nit: New line please so the arguments and the method body do not run into each other.

[AndrewJSchofield]

share-group state topic is what we use in most places.

[AndrewJSchofield]

share-group state topic

[AndrewJSchofield]

You've used till in most places, so I'd replace the at here too.

[AndrewJSchofield]

This class doesn't contain any tests, so calling it XYZTest is peculiar. Please rename to ShareCoordinatorTestUtils or similar.

[smjn]

A handful of final review comments. I've been running with the pruning enabled and it's happily deleting records as intended.

@AndrewJSchofield Thanks for the review, incorporated comments.

[junrao]

This approach is ok, but it breaks the pattern in CoordinatorRuntime that all internal states are updated by CoordinatorRuntime threads since lastPrunedOffsets is now updated by the request io threads. We probably could follow the approach of how CoordinatorRuntime waits for a record to be replicated. It appends the record to local log and registers a PartitionListener for onHighWatermarkUpdated(). Once a new HWM is received, CoordinatorRuntime.onHighWatermarkUpdated enqueues a CoordinatorInternalEvent, the processing of which will trigger the update of the internal state. We could follow a similar approach for LowWaterMark. This can be done in a follow up jira.

[smjn]

While my initial approach was to add functionality in CoordinatorRuntime - the requirement wasn't general enough to modify the runtime.

[AndrewJSchofield]

I'm sure this is not the final state of this code, but it's definitely a fine starting point.