Validating Apache Pulsar’s Behavior under Failure Conditions - Pulsar Summit SF 2022

Pulsar Summit
San Francisco
Hotel Nikko
August 18 2022
Tech Deep Dive
Validating Apache
Pulsar’s Behavior
under Failure
Conditions
Lari Hotari
Engineering Coach • DataStax
1

Lari Hotari is an Apache Pulsar
committer and PMC member. He has
worked on the Java platform since 1997
and has contributed to open source for
over 20 years.
Lari Hotari
Engineering Coach, Streaming
Customer Reliability Engineering
DataStax
Lari.Hotari@datastax.com
@lhotari
2

3
Validating Apache Pulsar’s Behavior
under Failure Conditions
“Apache Pulsar is a highly available,
distributed messaging system that provides
guarantees of no message loss and strong
message ordering with predictable read and
write latency.”

Validating Apache Pulsar’s Behavior under Failure Conditions
write latency.”
Expectation: Provided service meets
the service consumer’s requirements
with very low downtime.
4
Expectation: “two nines”
(99% available) or more.

Availability
5
Availability %
Downtime per day
(24 hours)
99% ("two nines") 14.4 minutes
99.5% ("two and a half nines") 7.20 minutes
99.9% ("three nines") 1.44 minutes
99.95% ("three and a half nines") 43.2 seconds
99.99% ("four nines") 8.64 seconds
99.995% ("four and a half nines") 4.32 seconds
99.999% ("five nines") 864 milliseconds
● During uptime, the provided service meets the
agreed level of operational quality and
performance defined in operational SLA
● The service consumer’s needs are met when
service disruptions don’t cause essential
negative business impact.
Some factors impacting the availability figures
● Reporting interval
● What is considered as downtime?
○ Total Failure vs Service Degradation / Partial
Failure
○ High error rate? Exceeding latency requirements?

write latency.”
Expectation: At-least-once
message delivery. Published
messages aren’t lost in the system
in any case.
6
Consuming state is
preserved so that the
messages aren’t
skipped in
consuming.
The system will
redeliver messages
which aren’t
acknowledged.

write latency.”
Expectation: Messages are delivered
to a consumer in the same order as
the publisher has published them in to
a single topic.
7

write latency.”
Expectation: The messaging
system can be used for use cases
where there is a low latency
requirement.
8
Applications can expect messages to
be published with low latency and the
end-to-end latency from publishing to
consuming is expected to be low and
predictable.

Highly available
Summary of Expectations
9
No message loss
Strong message ordering
Predictable read and
write latency

10

Failure Conditions
What could possibly go wrong?
11

How to think about the different ways and decide what to validate?
● Learning from real production systems
○ Incident reports / post mortems
● System analysis methods coming from
○ Reliability Engineering
■ Reliability Modeling
○ Systems Reliability Theory
■ FMEA/FMECA (Failure mode and effects analysis)
○ Risk assessment theory
■ Risk analysis 12

Examples of failure conditions for Pulsar validation
● Broker/Bookie/Zookeeper node fails
● All components in an availability zone fail
● Network disconnected -> Network partitioning / Split-Brain
● Network limited bandwidth / increased latency
● Network flappy connectivity
● Network packet loss
● Bookie/Zookeeper disk fails
13

Examples of other conditions for Pulsar validation
● Broker scale-up / scale-down
● Bookie scale-up / scale-down
● Broker/Bookie/Zookeeper software upgrade
Performance / Load testing related failure conditions:
● Message publishing overload
● Message consuming overload
14

Unknown failure conditions - these will always exist
“Reports that say that something hasn't happened are always
interesting to me, because as we know, there are known knowns;
there are things we know we know. We also know there are known
unknowns; that is to say we know there are some things we do not
know. But there are also unknown unknowns—the ones we don't
know we don't know. And if one looks throughout the history of our
country and other free countries incident reports*
, it is the latter
category that tends to be the difficult ones.”
- Donald Rumsfeld
*, adapted to SRE
15

16

● Useful for collaboration and communicating with stakeholders
● Written test plan with specific test cases and documented
expectations
○ Test case descriptions include the definition of the failure
condition
● Test reports that capture essential results for analysis
17
Test plans and test reports

Test plan example
18
Test case format:
- Test case identifier + title
- Description and intent
- Procedure
- Expected outcome

Test report example
19
Analysis and
status update to
stakeholders

Validation approaches
20
Test Environment with Test Workload
● Resilience Testing
● Chaos Testing
Production Environment with Production Workload
● Resilience Engineering
● Chaos Testing

Chaos Testing
● Requires test tooling for fault injection
● Fault injection can be used to put specific infrastructure
components into a failed or degraded state which can be
controlled by the chaos testing framework
21

Test workload
22
Simulated
Workload Created
With Test Tooling
Test Applications In
A Test Environment
Anonymized /
Shadowed
Production Traffic

Test workload generation
● NoSQLBench, ASL 2.0 license,
https://github.com/nosqlbench/nosqlbench
○ Originally created for testing nosql
databases, but has been since then
adapted for testing messaging systems
● pulsar-perf
○ Comes with Apache Pulsar distribution
● Custom test workload generator applications
23

Tooling requirement for validating Pulsar’s behavior
● end-to-end observability
○ NoSQLBench pulsar driver features:
■ Measure End-to-end Message
Processing Latency
■ Detect Message Out-of-order,
Message Loss, and Message
Duplication
24
Highly
available
No message
loss
Strong
message
ordering
Predictable
read and write
latency

Example of NoSQLBench Pulsar driver metrics rendered with Grafana
25
End-to-end publish-to-consume latency and error metrics

Message Error Rate (zoomed in)
26

Detecting ordering issues
27
Pulsar Java client ordering issues fixed since Pulsar version 2.8.2:
● [Java Client] Remove data race in MultiTopicsConsumerImpl to ensure correct message order #12456
● [Java Client] Use epoch to version producer's cnx to prevent early delivery of messages #12779

Automation choices
● No automation - interactive testing
● Custom script / in-house test framework
● Fallout
○ Open source test orchestration harness
○ Automates creation of environment, workload
execution, data collection and analysis
○ Plugin architecture integrates with common tools
28

29
Example of a testing setup for Pulsar validation

k8s cluster
Deployment view of example setup
30
Chaos Mesh
Pulsar deployment:
brokers, bookies,
zookeepers
Test workload: Nosqlbench
jobs run as k8s jobs on
dedicated k8s node pool
Prometheus Graphite
Exporter
Prometheus
Grafana
Grafana
dashboards
Grafana renderer
Test control scripts

Demo recording
31

Lari Hotari
Thank you!
Lari.Hotari@datastax.com
@lhotari
Pulsar Summit
San Francisco
Hotel Nikko
August 18 2022
32

Four Cornerstones of Resilience
34
Knowing what to
EXPECT
Knowing what to
DO
Knowing what has
HAPPENED
Knowing what to
LOOK FOR
Anticipation Monitoring Response Learning
Erik Hollnagel’s Four Cornerstones of Resilience

Validating Apache Pulsar’s Behavior under Failure Conditions - Pulsar Summit SF 2022

More Related Content

What's hot (20)

Similar to Validating Apache Pulsar’s Behavior under Failure Conditions - Pulsar Summit SF 2022 (20)

More from StreamNative (20)

Recently uploaded (20)

Validating Apache Pulsar’s Behavior under Failure Conditions - Pulsar Summit SF 2022