Is there a way to throttle or stagger ILM?

A system I'm building that uses ES heavily has periodically not been getting the data it should out of ES. After digging in a bit, I finally noticed a pattern.

The Elastic Agent queue depth keeps spiking periodically. A bit more digging through my logs showed that those spikes happen when ILM is rolling over indices and downsampling my data.

I'm guessing that a large part of the problem is that I'm running a single ES node. Long story short, we need to keep our footprint as small as possible if we're going to keep using ES, so adding more ES nodes is not an ideal solution.

My thought would be to stagger the ILM jobs somehow, so it's doing a few at a time throughout the day instead of all of them at once. Is there a way to do that?

My other (not ideal) thought would be to add extra processing nodes, while keeping only one master/data node, but would ILM even be able to run on a non-data node?

Any other ideas?

Thanks!

Hmm, ILM-triggered activities should be trying to stay out of the way of your production workload, so it sounds like we might need a bit more throttling on the downsampling action. That said, it's only supposed to use a tiny threadpool (1/8th of your CPUs), so I wonder why it's having such a big impact.
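If you want to see which pool that work is landing on and whether it's backing up, the cat thread pool API lists every pool with its active and queued task counts. A minimal sketch (pick whatever columns you like):

```
GET _cat/thread_pool?v=true&h=node_name,name,active,queue,rejected,completed
```

A persistently non-zero queue on whichever pool the downsampling runs on would confirm it's the one under pressure.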

Could you grab GET _nodes/hot_threads?threads=9999 from a time when it's struggling, and share it here (or likely on https://gist.github.com/ since it'll be too big)?

@DavidTurner Here are a few different runs of that command.

Thanks, that's helpful. Are you running on spinning disks or SSDs?

Data is on an iSCSI LUN backed by SSDs, and I believe they're pretty fast SSDs as well. Have you ever heard of Kaminario? That's what the storage is on.

Edit:

Also, possibly relevant: ES is running as a single-node Docker stack service. We have 3 Docker Swarm nodes it can run on, so each of those nodes mounts the LUN, and we have OCFS configured as the filesystem. The idea being that if the one instance of ES has to be restarted on another node, it will be using the same data as the old instance.

Hmm. These stack dumps show that your system is heavily bottlenecked on IO, with many threads stuck for several hundred milliseconds waiting for a write() or similar to complete. I don't think your storage is performing as well as you think.
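If you want a second signal from inside Elasticsearch itself, the node filesystem stats expose cumulative IO counters that you can sample during one of the spikes. This is just a sketch of where to look; the io_stats section is only populated on Linux:

```
# Per-node filesystem stats; on Linux, fs.io_stats reports cumulative
# read/write operations (and IO time in recent versions) per data-path device.
GET _nodes/stats/fs
```

Taking two samples a minute apart gives a rough IOPS and IO-time figure to line up against what the storage is supposed to deliver.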

Well, I am 90% sure the issue is OCFS2. I moved the ES instance to a different server where I could use a normal XFS iSCSI LUN, and that seems to have resolved the issues I was having.

Thanks for the help @DavidTurner !

Ah yes, that would explain it indeed. Thanks for closing the loop. Clustered filesystems seem to be a rich source of performance (and sometimes correctness) issues, and the complexity they add is largely unnecessary when Elasticsearch is already doing its own clustering and replication work. XFS is a better choice IMO.

Closing another loop on the ES side, we still think it might be a good idea to limit the resources needed by downsampling anyway:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.