Skip to content

readonly cluster configs#43422

Merged
fspmarshall merged 1 commit intomasterfrom
fspmarshall/singleton-caching
Jul 2, 2024
Merged

readonly cluster configs#43422
fspmarshall merged 1 commit intomasterfrom
fspmarshall/singleton-caching

Conversation

@fspmarshall
Copy link
Copy Markdown
Contributor

@fspmarshall fspmarshall commented Jun 24, 2024
edited
Loading

This PR aims to reduce excess CPU/memory usage caused by large numbers of concurrent loads of certain cluster configuration resources. Most notably, values such as auth preference that are loaded for basically any RBAC check performed by a teleport instance. This is typically an inconsequential cost, but on auth servers handling many thousands of concurrent requests, the resource consumption of constantly deserializing these values can be non-trivial.

This PR moves a number of hot paths over to using shared in-memory values rather than loading a separate copy per goroutine. In order to facilitate doing this sharing safely, a new package readonly has been added which provides readonly subsets of certain common cluster configuration interfaces as well as a basic ttl-cache that stores readonly copies in-memory.

Currently, the implementation of readonly.Cache is fairly tightly coupled with the needs of lib/authz and lib/auth/clusterconfig. These two packages were selected as the starting point/proof of concept for this idea. In the long run, we'll likely either want to have a family of different specialized readonly caches, or a way to toggle on and off which resources the cache is configured to handle (much like how the primary cache in lib/cache currently works).

changelog: reduced CPU usage in auth servers experiencing very high concurrent request load.

@fspmarshall fspmarshall force-pushed the fspmarshall/singleton-caching branch 3 times, most recently from dd92225 to 44f245b Compare June 24, 2024 17:56
@fspmarshall fspmarshall marked this pull request as ready for review June 24, 2024 18:28
@github-actions github-actions Bot requested review from greedy52 and probakowski June 24, 2024 18:28
@github-actions github-actions Bot added database-access Database access related issues and PRs size/md labels Jun 24, 2024
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 24, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

greedy52
greedy52 approved these changes Jun 26, 2024
View reviewed changes
Comment thread lib/auth/clusterconfig/clusterconfigv1/service.go
Comment thread lib/auth/grpcserver.go Outdated
Comment thread lib/services/readonly/readonly.go Outdated
Comment thread lib/services/readonly/readonly.go
Comment on lines +32 to +35
// AuthPreference is a read-only subset of types.AuthPreference used on certain hot paths
// to ensure that we do not modify the underlying AuthPreference as it may be shared across
// multiple goroutines.
type AuthPreference interface {
Copy link
Copy Markdown
Contributor

@greedy52 greedy52 Jun 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alternatively, the readonly interfaces could be put in api/types and let AuthPreference inherits it. Otherwise, it is easy to miss this interface when adding new functions to AuthPreference. Though even if you miss it, it won't break anything unless you really need the new function. I don't have a strong opinion on this though.

Copy link
Copy Markdown
Contributor Author

@fspmarshall fspmarshall Jun 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I considered this, but opted against it for the time being mostly because once this is in api it has to obey major version compatibility. This is a somewhat experimental pattern. I don't want it leaking into api until we're confident that this is the right way to handle this kind of problem going forward.

@fspmarshall fspmarshall force-pushed the fspmarshall/singleton-caching branch 2 times, most recently from 501b810 to 7b519d5 Compare June 28, 2024 22:12
@fspmarshall fspmarshall enabled auto-merge June 28, 2024 22:12
@fspmarshall fspmarshall force-pushed the fspmarshall/singleton-caching branch 2 times, most recently from f18d000 to 08d308b Compare July 1, 2024 17:46
@fspmarshall fspmarshall force-pushed the fspmarshall/singleton-caching branch from 08d308b to ee888f1 Compare July 2, 2024 17:02
@fspmarshall fspmarshall added this pull request to the merge queue Jul 2, 2024
Merged via the queue into master with commit 1742c46 Jul 2, 2024
@fspmarshall fspmarshall deleted the fspmarshall/singleton-caching branch July 2, 2024 17:41
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Jul 2, 2024

@fspmarshall See the table below for backport results.

Branch Result
branch/v14 Failed
branch/v15 Failed
branch/v16 Create PR

@fspmarshall fspmarshall mentioned this pull request Jul 2, 2024
Merged
fspmarshall added a commit that referenced this pull request Jul 2, 2024
@fspmarshall
readonly shared cluster configs (#43422)
6b982d1
@fspmarshall fspmarshall mentioned this pull request Jul 2, 2024
Merged
github-merge-queue Bot pushed a commit that referenced this pull request Jul 2, 2024
@fspmarshall
readonly shared cluster configs (#43422) (#43760)
f380246
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@probakowski probakowski probakowski approved these changes

@greedy52 greedy52 greedy52 approved these changes

Assignees

No one assigned

Labels

database-access Database access related issues and PRs size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fspmarshall @probakowski @greedy52