About Erik J. Groeneveld

I love beautiful software.

Sensing and Acting (about systems failure)

This is a story about the failure of a large computer system the day before it went live.  I am telling this story to give others the opportunity to learn from it.  It does not name or blame people or organizations. In fact, all people involved are highly skilled professionals who learn every day from events like these. My duty is to share.

Response Times

Since the system we talk about is not an end-user system but instead an API to be used to create mash-ups that serve end-users, performance is very important.  That is because you have twice the internet latency: first between user and mash-up, next between mash-up and API.

Gut feeling

As we were nearing the end of the project, performance tests became a more regular item on our backlog. Both the overall tests and our component test showed figures within the desired range.  We aimed for 80% within 400ms, and 99% within 5s as those were the official targets.  Although we were well within range, I felt that the system could do better. The 95th percentile was about 2s, while I felt it could be close to 500ms. It was just a gut feeling based on previous experience with similar systems and I just could not figure out if there was a reason why this time we did not achieve the superb response times we were used to.

Never one problem

But, as said, it was well in range. People even complimented me personally and, most importantly, there were other things on my mind: I couldn’t log in to the VPN anymore.  This proved to be a serious problem as all machines making up the system were only reachable over the VPN. This needed fixing first.

The VPN connection wasn’t really stable. Apart from the first few days after it got delivered, it never was. Connecting was often slow, and it requested my password twice although I was sure to have typed it in correctly the first time.  Logging in via SSH was also very slow, and public key authentication worked intermittently. But now it didn’t connect at all.  But heck, other people still had access, so let’s use their accounts.  After all, they were the ones who needed it most, and they were OK.

After a week I was able to connect again. It was still slow but it worked. So let’s forget this misery and go on. There is a system that must go live!

Almost live

Friday night all machines in the system ran on the latest version and all databases were properly populated. All looked fine for the release next Monday.  Only the DNS entries had to be switched and the system would be live.

The gates open

Saturday morning I got a text message from the project manager.  The system was working, but horribly slow.  Requests took seconds, tens of seconds, up to a minute. Consistently. Adrenaline! I ran to my computer, called my colleague and started investigating.  Within minutes we knew that something was badly wrong and we called all hands to battle stations.  Software developers, system maintainers, the customer support center, about ten people from five organizations on it.

We went deep, deep down into the system’s guts and after three hours we found a problem.  The internal DNS system was responding slowly; too slowly.  Requests took one second to complete, on average, and this caused the socket library to block while waiting for an answer every time it wanted to communicate with another system. This, it turned out, slowed down almost everything.

The software engineers knew what to do immediately: at those places where the DNS was time-critical, replace all host names with IP addresses.  And that we did.  While we worked the VPN connection kept failing, but we fixed the problem.  It was eight o’clock PM.  I took a drink and went to sleep.

Hell breaks loose

Next morning, on a beautiful Sunday, the project manager sent me another text message: the system spat out incomplete data. Again, I launched myself towards my laptop, and gazed at our monitoring system: nine of 13 services were gone. Dead. Red flags all over.  And not a single message on my phone. Oh dear, oh dear.

My first reflex was to try to log in to one of the systems that hosted one or more of these dead services.  But the VPN did not connect. Trying…. connecting…. no luck.

Again I called all hands on deck.  But this time, I couldn’t do anything else. I had to wait for the VPN access to get fixed first. After three hours the problem was found and fixed.  The LDAP service failed and hence authentication could not proceed properly. Rebooting the LDAP service brought everything online again.

Saved

Everything?  Yes, everything.  Also the nine dead services were running happily.  There was no need for me to log in or even connect to the VPN.  Even the response times were better. The previously unsatisfying 95th percentile was now down to 350ms. Much more what I expected.

What happened?

LDAP can back a DNS service and so it did here. For a still unknown reason it became slower and slower until it eventually collapsed completely.  Since DNS is really a fundamental systems component, its malfunctioning affects almost all other services.  VPN went down.  Nine of our services went down.  The only four remaining were the ones we poked the IP addresses in the day before.  Did you wonder why we did not get notifications before the project manager texted me?  Because e-mail and messaging services were also down. There is almost nothing that works without DNS.

What do I take away from this story?  First of all, there is the obvious single point of failure: the DNS services.  While it is not in my capacity to fix that, we did fix the dependency on it.  However, this has its limitations. Using IP addresses instead of host names limits load balancing and name-based routing. So in the end, every system needs a reliable DNS.  But this is not the most powerful lesson to take away.

What did I learn?

The most fundamental and most potent lesson I have learned, or in fact re-learned, is: if you see something strange, investigate! It is clear from this story that there were early warnings that could have prevented disaster. First, the VPN connections were slow and failed often. Second, we felt that the performance could be better. We ignored both signals for a considerable time.  Both signals clearly hinted at the same problem.

The most powerful lesson

Now this is not a new lesson.  In fact, almost everyone who has some experience in systems maintenance already knows this. So what I am actually learning is how difficult it can be to apply what you know to be good.  Circumstances, context, people dynamics, pressure and even personal well-being and fitness are strong forces that influence people’s ability to sense the often small signals and act on them. You can’t ignore these forces by stating that people must act ‘professional’.  Both sensing and acting are crucial human activities that only happen when the circumstances are right. No matter how obvious and well-known a rule can be, applying it consistently is a whole different ball-game.

A Faster Join for Solr/Lucene

Reducing Index Maintenance Costs with Join.

The previous post introduced the reasons why we want blazingly fast join functionality in Lucene: reduction of index maintenance costs.

This post details how we improved the speed of Lucene’s Query-Time Join a thousandfold.  We achieved this by looking at usage patterns instead of looking at the technology. Lucene’s default Join is a truly Lucene way of performing Joins between arbitrary terms in arbitrary fields in two indexes. Our Join more or less turns a Lucene index into a relational table and provides Join functionality as you would expect from a relational database.  That might sound restrictive to Lucene-adepts, but it offers unprecedented possibilities.

Keys, keys, keys

Lucene joins indexes based on terms. Our first observation is that these terms in fact play the role of keys. In database-lingo you would call them primary or foreign keys. Nowadays, most people use either UUIDs or URIs to identify things, but these are hard to deal with: they occupy much space, are expensive to compare and do not compress well.  Data management software internally always translates long, text-based identifiers to small integers. (As a matter of fact, Lucene also uses them and calls them docid and ord.) Our Join implementation is based on such small monotonically increasing numbers and we call them keys.

Multiple Values

The second observation is that Lucene supports join on fields that contain multiple values for one document.  But key cells in databases always contain exactly one value for each row.  If you need multiple values, you’d create a separate table containing multiple entries with the same (foreign) key and then… join it.  Since join is a database concept after all, we might want to be consistent and use single-valued fields exclusively. If we need multiple values, we’ll create a separate index and then… join it!  So in our Join implementation, every document in a Lucene index gets one and only one (non-unique though) key.   This is not restricting you as long as you are prepared to adapt your data model.  Read on.

Performance

The performance gain of using small integers over strings is tremendous.  Small integers use significantly less memory and can be fetched, stored and compared with a single machine instruction. Having only single values (one key) per field per document means they can be organized efficiently in one-dimensional arrays or bitsets.  Much research in the domain of Information Retrieval deals with fast storage and intersection of these arrays and bitsets, and many of the research results are available in Lucene! They work marvelously with our keys.

Translate Identifiers to Single Valued Keys

So how do we go about translating string identifiers to numeric keys?  The implementation of this is downright easy in Lucene if you use the new Taxonomy functionality.  The taxonomy is a proper dictionary, mapping every term onto a small number: the key.  Lucene can store this key very efficiently using the relatively new NumericDocValuesField feature. During indexing, we use it like this to store a key in field key (pseudo-code):

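// One shared dictionary that maps identifiers to keys
TaxonomyWriter keysDict = new DirectoryTaxonomyWriter(...);
Document doc = new Document();
// Look up (or create) the key for this document's identifier
long key = keysDict.addCategory(new CategoryPath(<identifier>));
// Store the key as a single-valued numeric doc value in field "key"
doc.add(new NumericDocValuesField("key", key));
indexWriter_A.addDocument(doc);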

It is essential that one uses the same TaxonomyWriter for every index so that identifiers in all indexes get mapped onto the same keys.

(A completely different way of creating keys is using another database’s key generation mechanism.  Virtuoso for example exposes its IRI_TO_ID and ID_TO_IRI functions.  Using these to obtain keys gives the opportunity to Join between Lucene and Virtuoso.  Expect a blog about that!)

Create Single Valued Keys

The problem of having single valued keys may require changes to the data model. In our case we had the denormalized form in one index:

id:<uri_1>  title:"The Hobbit"  location:<loc_1>,<loc_2>, ...

We split this into two indexes:

id:<uri_1>  title:"The Hobbit"

and:

id:<uri_1>  location:<loc_1>
id:<uri_1>  location:<loc_2>

Querying

Now we have two or more indexes in which the terms we wish to use for joining are replaced by keys.  We can now join these indexes during queries by specifying which fields to use for joining. To keep things simple, we assume that one index A simply filters the results from another index B.  In practice things are (much) more complicated; too complicated for a blog.

Expressing Join

For join to really work well, we will need a query language that supports join. The query language built into Lucene offers no support for this, but luckily we can do without.  There is another language that does support joins and that is the language consisting of Java classes centered around Query, Filter and Collector.

Collecting Terms… eh Keys

The first step is to collect the keys for the terms we want to match between indexes. This step is straightforward (if you leave out caching and all the devious Java markup, it is just two lines of useful code).  We created a Collector that, for each hit, looks up the key and stores it into a bitset.  It needs to know the name of the field containing the key. Use it as follows:

KeyCollector keyCollector = new KeyCollector("key");
indexSearcher_A.search(<query_a>, keyCollector);

Filtering Terms… eh Keys

The second step is to ask the KeyCollector for a KeyFilter to be used in another index. The filter is also not too complicated if you leave out caching and Java markup. It needs to know the name of the field containing the key.  Use it as follows:

KeyFilter keyFilter = keyCollector.getFilter("otherKey");
TopDocs results = indexSearcher_B.search(<query_b>, keyFilter);

Done. Now the results in index B are filtered based on a query on index A.  And it is fast, blazingly fast, thanks to Lucene’s excellent DocValues and Collector APIs.
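The two steps above, together with the identifier-to-key translation and the titles/holdings split described earlier, as an added self-contained example. This is not Meresco's or Lucene's code: it uses only the Java standard library, and the names `KeyJoinExample`, `keyFor`, `Index`, `collectKeys` and `filterByKeys`, as well as the sample documents, are made up for illustration.

```java
import java.util.ArrayList;
import java.util.BitSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

class KeyJoinExample {
    // Shared dictionary: every string identifier maps to one small, increasing integer key.
    // It plays the role the taxonomy plays in the text and must be shared by all indexes.
    static final Map<String, Integer> keysDict = new HashMap<>();

    static int keyFor(String identifier) {
        Integer key = keysDict.get(identifier);
        if (key == null) {
            key = keysDict.size();          // next unused small integer
            keysDict.put(identifier, key);
        }
        return key;
    }

    // Toy index (hypothetical): docid is the list position; each document has
    // exactly one key and one searchable field value.
    static class Index {
        final List<Integer> keys = new ArrayList<>();   // stand-in for the numeric doc value "key"
        final List<String> values = new ArrayList<>();  // the single searchable field

        void add(String identifier, String value) {
            keys.add(keyFor(identifier));
            values.add(value);
        }

        // Collector step: for each hit, look up the key and set its bit.
        BitSet collectKeys(String query) {
            BitSet collected = new BitSet();
            for (int docId = 0; docId < values.size(); docId++) {
                if (values.get(docId).equals(query)) {
                    collected.set(keys.get(docId));
                }
            }
            return collected;
        }

        // Filter step: keep only documents whose key was collected in the other index.
        List<String> filterByKeys(BitSet allowed) {
            List<String> hits = new ArrayList<>();
            for (int docId = 0; docId < values.size(); docId++) {
                if (allowed.get(keys.get(docId))) {
                    hits.add(values.get(docId));
                }
            }
            return hits;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: titles in one index, holdings in another.
        Index titles = new Index();
        titles.add("uri_1", "The Hobbit");
        titles.add("uri_2", "Dune");
        titles.add("uri_3", "Emma");

        Index holdings = new Index();       // several rows may share one (foreign) key
        holdings.add("uri_1", "loc_1");
        holdings.add("uri_1", "loc_2");
        holdings.add("uri_3", "loc_2");
        holdings.add("uri_2", "loc_3");

        BitSet keys = holdings.collectKeys("loc_2");      // query on index A
        List<String> result = titles.filterByKeys(keys);  // filter index B
        System.out.println(keys + " -> " + result);
    }
}
```

The join itself never compares strings: after indexing, both steps touch only integers and one bitset, which is the property the text attributes the speedup to.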

But it needs to be faster, even more

Although this duo of KeyCollector and KeyFilter improves the speed of Lucene’s built-in Join by a factor of 50 or so, it is not fast enough.  It would get the raw processing time for our 8-second query down to 160 ms, but that is still too much. You’ll need to add all kinds of post-processing to this 160 ms and then you’ll end up way too close to 1s. Any raw processing time not substantially under 100 ms makes me personally very nervous. It would require many machines to deal with the loads we have.

Caching

With caching, we can get the processing times down by a factor of 20, leaving a mere 8 ms. That yields a total 1000-fold speedup compared to where we started.

How that is achieved might be the subject of the next blog. But you might peek at Meresco’s Lucene code at GitHub.

Conclusion

By making some observations about the nature of joins and by making a firm decision to follow the relational interpretation of join and by assuming that anything is still possible by adapting your data model, we managed to speed up joins 1000-fold.

The result is completely orthogonal to other Lucene functionality such as faceting, sorting, scoring, filtering, etc. All intermediate steps and results are in the hands of the programmer.

The results are about to go into production (March) on a Dutch national library search engine, joining 12.000.000+ titles with 25.000.000+ holdings. The contribution of join to the query response times is deep down on the list of bottlenecks: a few ms.

Reducing Index Maintenance Costs with Query-Time Join for Solr/Lucene

Index Maintenance: Cheaper and Better

Last year Seecr was on a quest to make maintenance of large integrated search engines easier, cheaper and at the same time better.

We achieved that goal by reorganizing the indexing process and applying a technique called Late Integration.  We created an exciting extension for the Solr/Lucene search engine to make that possible.

In a series of blogs, we will present the problem, the solution and the code. This completes our previous series of blogs about the Open Index: Late Integration, Query Resolving and how to find relevant indexes.

Relations and Denormalization

Traditionally (that is, during the last decade), integrated search meant collecting data from various sources and integrating it in a central search engine. This approach works well but runs into problems when the data sets become larger and more diverse. And what finally kills this approach is the presence of 1:n relations between data sets.

Traditional databases and triple stores deal with relations explicitly and provide query languages (SQL and SPARQL) that incorporate the notion of relations. With Lucene, the predominant approach is to de-normalize the data in order to create one big index. This denormalization is what becomes the bottleneck when the index grows.

Denormalizing: The Problem

Suppose you have a corporate catalogue of product descriptions and each local branch maintains a database, linking to this central catalogue, adding information about the local stock, price, promotions, reservation, et cetera.  Providing Solr/Lucene-based search functionality spanning both the central catalogue as well as the local database would require both data sources to be de-normalized.  Doing so runs into a few problems:

  1. The 1-N nature of the relationship yields an explosion of data. That’s the nature of denormalization. The most prominent example I know of is the travel agency that maintained one index with over 10^9 trips, resulting from heavy denormalizing destinations, hotels, dates, lengths and features like dog admittance and smoking rooms.
  2. Both sources have their own update cycle (life cycle). Some data might be constantly updated, for example room availability, while other data is rather stable, such as room descriptions. Feeding both into the same update cycle often limits the update rate of more volatile data.
  3. Both sources require their own specific expertise. The extraction of the data out of its original environment poses a problem: away from the experts that know it by heart and into the centrally managed domain of the generalists.

It would be so much nicer to have separate indexes: one for the corporate catalogue and one for the local stock.  Each update in local stock would require just one simple update in the stock index, just as one item update in the catalogue requires only one update in the catalogue index. So, a catalogue item update need not go through the denormalization process, avoiding the forced update of all local stock related to this item.

Having separate indexes makes it almost trivial to differentiate the calculation of fields (tokenization, ranking, normalization etc) per index. Also, the update rate can vary easily between indexes, simply because they are independent.

If we only could join the indexes during query time…

Relations in Lucene: Join

If we could bring the notion of relations to Lucene, and we are able to efficiently query along relations, we could avoid denormalization, making the indexing process easier while at the same time creating opportunities to have more specialized indexing when needed.

What is Join?

The idea of joins stems from relational databases (RDBMS) and the structured query language (SQL).  The main idea is to normalize the data into separate tables, and to re-combine these tables during queries. Queries express relations between those tables and data is recombined based on the relations.  This is called joining.

The same idea is present in RDF triple stores. The SPARQL query language allows queries to span multiple relations between concepts. The actual join however is much more natural: it happens implicitly because of the notion of everything being a relation, even individual properties.

Lucene Join

Coincidentally, in recent years, Solr/Lucene has seen the addition of functionality for joining. This allows one to indicate a specific field in one index, and one specific field in another index, and Lucene would then join documents from both indexes if and when they contain the same value in the indicated fields. But since it is not fast enough, we had to rethink and redesign it for it to work for us. We needed it to be as fast as any other query in Lucene. So we made it that way.

Speed?

In Solr/Lucene a special utility helps an application programmer to create a query that under the hood collects terms in one index and filters on these terms in another. Using this utility (JoinUtil.createJoinQuery) we run a typical query on our indexes: one containing 12,000,000+ book titles and one containing 25,000,000+ individual books held by libraries in the Netherlands.  The question is: for a certain selection, which books are present at a certain library or group of libraries?

This query took 8679 ms to execute.

Regardless of hardware, this is too much. Way too much, as each and every query will come with such a filter.  We need it down to 8 ms. That is our target.

A 1000 times faster

The reason Lucene’s Join is not fast enough lies in the generic nature of its approach. It works on terms: strings of random length. It builds sets of terms and makes intersections or unions of them.  However, for computers, dealing with strings is expensive. They take a lot of memory, and comparison is slow, especially if almost every string is a URI, with long common prefixes. Secondly, the intersections and unions are made by scanning the terms of an index, which is a slow process.

But Lucene is open source, is rather well thought-out, and has healthy discussions between experts.  So we started reading and we improved the speed of joining by doing the following:

  1. Translate terms (strings) into numbers. This will speed up the creation of sets as well as taking the intersection.
  2. Closely follow the Lucene segmenting architecture to exploit caching per segment on a lowest possible level.

We set out to do so and learned a lot about Lucene and joining algorithms!

Results

We were very surprised by the results: joining has become so fast, it is now a non-issue for us. This means we can use it whenever we decide that maintaining a separate index is beneficial, without worrying about the performance loss of queries.

Exactly how we did it will be the subject of a following, more technical, blog post.

In the next post, we will outline our approach, with real working code, and show how join can be combined orthogonally with other Lucene functionality. At the end, we will contribute this code to the marvellous Lucene-community.

Software Quality According to Seecr

Software quality is one of Seecr’s most important drivers for its own development. We have therefore focused strongly on it in recent years. A fair amount has already been achieved, but we still want to professionalize further. We lift a corner of the veil.

Correct software
Everything starts with software without errors, without bugs. We find it unacceptable that users in a test phase have to report the silliest bugs. They should be able to focus on the application of the software, not on the software itself.

The central question here is: “How do you prevent bugs in the system?” The answer lies in the development of skills. At the IT supplier, mind you.

One of these skills is Test Driven Development; not a line of code is written without there being an automated test for it. This way you can build large, complex systems without a bug tracking system.

Functional software
How often does it happen that software cannot do what you want but does all kinds of things you do not need? Or that it does something that does not fit your way of working? Good software does exactly what you need. How do you get that done?

The central question is: “What should the system do?” The answer lies in the right processes.

An important process is describing and arriving at a piece of functionality. First of all, make sure the right people are at the table: involved, knowledgeable and creative. Regularly (every two weeks) hold a half-day workshop in which creativity comes first. Have it well facilitated. Do not settle for half answers or references to documents or standards; help every participant articulate his or her questions or remarks, for as long as it takes until it is clear to everyone. Only when you all agree and understand it well do you describe a piece of functionality and have it built immediately and delivered at the next workshop.

Relevant software
However good a system may be and however nice its functionality, its real value is determined by what it adds or changes in the user’s domain. Does what was delivered actually offer added value? Does it make the user proud of his or her work and does it give a feeling that he or she matters?

The central question is: “How does a user’s life become easier, more efficient, more pleasant?” The answer here lies in close cooperation, throughout the whole process, with the users; the specialists in their field. That way every piece of functionality becomes relevant for the target group.

Guarantee
Good software comes with a guarantee.  Making software without bugs is quite an art, but you can take it so far that you can give a 100% guarantee on it. That is what Seecr has managed to do, and we are quite proud of that.

If, as an IT supplier, you do not make what is expected of you, you have not asked enough questions.  Difficult, with all those vague wishes, but at Seecr we believe a guarantee belongs there too: a satisfaction guarantee.

Whether we can also give a guarantee on relevance…?  We do not know yet.  We will go looking for that in the coming years.  I hope so, of course.

Do you have ideas?  Let us know.