Sorry, I don't quite get what you mean by this:

Zookeeper should be run in more than 3 DCs, e.g. '2.5' DCs.

I'm a bit confused by the reference for more than 3 DCs? - does that mean that we would be better having zookeeper stretched across 5 DCs?
Or would we be fine with zookeeper instances in 2 primary DCs and running a single tie-breaker instance in a third, smaller DC? Should we have three additional brokers in smaller DCs?

@BTullis oopos typo! fixed. Should have said 'more than 2'.

Ah great, sorry I feel like a pedant now. :-)

I emailed the kafka mailing list with some of these questions and got a really nice response from Guoazhang Wang from Confluent.

I wrote:

I'm evaluating the feasibility of setting up a cross datacenter Kafka 'stretch' cluster at The Wikimedia Foundation.

I've found docs here and there, but they are pretty slim. My biggest concern is the fact that while Follower Fetching helps with potential consumer latency in a stretch cluster, there is nothing that addresses producer latency. I'd have expected the docs I've read to mention this if it was a concern, but I haven't seen it.

Specifically, let's say I'm a producer in DC-A, and I want to produce to partition X with acks=all. Partition X has 3 replicas, on brokers B1 in DC A, B2 in DC-A and B3 in DC-B. Currently, the replica on B3(DC-B) is the partition leader. IIUC, when I produce my message to partition X, that message will cross the DC boundary for my produce request to B3(DC-B), then back again when replica B1(DC-A) fetches, and also when replica B2(DC-A) fetches, for a total of 3 times between DCs.

Questions:

• Am I correct in understanding that each one of these fetches contributes to the ack latency?

• And, as the number of brokers and replica increases, the number of times a message crosses the DC (likely) increases too?

• When replicas are promoted to be a partition leader, producer clients will shuffle their connections around, often resulting in them connecting to the leader in a remote datacenter. Should I be worried about this unpredictability in cross DC network connections and traffic?

I'm really hoping that a stretch cluster will help solve some Multi DC streaming app architecture woes, but I'm not so sure the potential issues with partition leaders is worth it!

Thanks for any insight y'all have,

Guoazhang's response:

Hello Andrew.

Just to answer your questions first, yes that's correct in your described
settings that three round-trips between DCs would incur, but since the
replica fetches can be done in parallel, the latency is not a sum of all
the round-trips. But if you stay with 2 DCs only, the number of round-trips
would only depend on the number of follower replicas that are on
different DCs with the leader replica.

Jumping out of the question and your described settings, there are a couple
of things you can consider for your design:

1. For the producer -> leader hop, could you save the cross-DC network? For

example, if your message can potentially go to any partitions (such as it
is not key-ed), then you can customize your partitioner as a "rack-aware"
one that would always try to pick the partition whose leader co-exist
within the same DC as the producer client; even if your message's partition
has to be determined deterministically by the key, in operations you can
still see if most of your active producers are from one DC, then configure
your topic partitions to be hosted by brokers within the same DC. Generally
speaking, there are various ways you can consider saving this hop from
across DCs.

2. For the leader -> follower hop, you can start from first validating how

many failures cross DCs that you'd like to tolerate. For example, let's say
you have 2N+1 replicas per partition, with N+1 replicas including the
leader on one DC and N other replicas on the other DC, if we can set the
acks to N+2 then it means we will have the data replicated at least on one
remote replica before returning the request, and hence the data would not
be lost if the one whole DC fails, which could be sufficient from many
stretching and multi-colo cases. Then in practice, since the cross-colo
usually takes more latency, you'd usually get much fewer round-trips than N
across DC before satisfying the acks. And your average/p99 latencies would
not increase much compared with just one cross-DC replica.

Quick stats check on revision sizes and diff sizes:

 select year(parse_datetime(event_timestamp, 'YYYY-MM-DD HH:mm:ss.s')) rev_year,
        max(revision_text_bytes) as maximum

   from mediawiki_history
  where snapshot='2022-04'
    and event_entity='revision'
  group by 1
;

And average for 2021 for estimating above:

presto:wmf> select avg(revision_text_bytes) from mediawiki_history where snapshot='2022-04' and event_timestamp like '2021%' and event_entity = 'revision';
       _col0        
--------------------
 20623.541023758615

@Milimetric got me the avg revision byte size in 2021:

presto:wmf> select avg(revision_text_bytes) from mediawiki_history where snapshot='2022-04' and event_timestamp like '2021%' and event_entity = 'revision';
       _col0        
--------------------
 20623.541023758615

Hm, looks like there may be some bugs in Follower Fetching atm. Let's keep an eye on that.

Had a really helpful meeting today with @BBlack, @BTullis, @ayounsi, @cmooney and @NOkafor-WMF. Took some rough notes:

BB: very similar looking to cassandra. Will be good to look at that world too.
internal replication traffic, who cares.
concerning aspect: if necessity of reliable write queue could add latency.
Some producers may not be able to tolerate. Could cause backlog on e.g. MW.
Cache servers?
Been pushing to make MW active/active? Better to keep kafka leaders active/active too.

BT:: What is the expected content? migrating kafka main? or new only?

AO: in terms of traffic?

AY: looks okay.
CM: longer term, maybe we need to prioritize traffic?
CM: Most things are 10 or 40Gig between DCs.
CM: Depends on failure scenarios. If latency shoots up, or if site goes offline.
Generally the looser systemms can be coupled. Our latency is 30ms now, but things can happen
on carrier side or us, different path, could get longer. Woul be hard to put constraints.

BB: we have 3 direct links. Even a 4th through chicago. Most realistic problem would be
saturating link with traffic, getting packet loss.

CM: links are on a fixed path. Can break. Not impossible for those paths to change. Carrier
can experience something and flip to a protected link, rerouting the traffic.

BB: If corner cases destroy everything, this might be a bad idea.

AY: Link failures are auutomated, but latency increases on a link are hard to be proactive about.

AO: Consumers will consume cross DC if local replicas fall out of sync.

AY: How does the failure risk change for other types of bugs, e.g. something on one DC, OS upgrades, etc.

BB: Clearly this is very complicated to evaluate the impact. Complicated and tricky. Not clearly wrong,
can't reject it out of hand. Doubt we can figure this out by just spending more time evaluating.
Should try it and gain opeational experience. Maybe a year later we decide its a dumb experiment.

BT: I have the same feeling, Are there other tools? that can help us? App servers will be producing to it
we need to think carefully about why we are introducing additional latency.

BB: Could look at it in capabilities sense. Not just about this one use case. As the owners of the kafka
infra, I would like to experiment to see if we can use this provide. If it doesn't work we can move on.

CM: Do we know people in other orgs that have done this? Real world experience. Find someone to ask.

AO: TODO reach out to mailing list folks.

AY: Zookeeper? We are trying to keep the POPs quite lean.

BB: Interesting, q. What matters to us about edge sites is that they don't have PII.
Could maybe put ZK in chicago.

BT: only a tiebreaker roll.

BT: we need to predict all the bad failure cases.

BB: this might push on netops to do traffic management and prioritization.

BB: 100MB is 800mb which is 1/10 of a link right now. Upgrading to 100Gb link. \
BB: the saturation problem causes.

In summary, NetOps/Traffic folks are okay with this from the WAN perspective. We came to the conclusion that it is worth trying this. It'll be difficult to know how well or poorly this will work from just reading and thinking about it, we need to get our hands dirty.

So, we should go ahead and request hardware to try this out for T307959: [Event Platform] Design and Implement realtime enrichment pipeline for MW page change with content. Since we'll be in experimental mode, let's just go with 4 brokers for now, 2 in each datacenter.

We still have some outstanding research to do:

• Reach out to users@kafka.apache.org mailing list to see if there is anyone with experience running a Kafka Stretch cluster we can talk to.
• Understand leadership promotion better, make sure we know how this works in potential failure (and high latency) cases.
• We still need to think about what the streaming app multi DC-ness would look like. @JAllemandou pointed out that we certainly won't run Flink itself in a 'stretch' mode. So, what does that mean for the output of the application? The easiest to do will be to run it active/passive. Failover will much be easier with a Kafka stretch cluster. We could figure out a fancy way to run an active/active single compute by partitioning the work between the two streaming app instances in each DC (e.g. one instance works odd numbered page_ids, the other even).

@gmodena @lbowmaker @dcausse, @JAllemandou, FYI I added a hardware request for 2 new nodes in each DC, slated for Q2 FY2022-2023. Let's discuss tomorrow.

Oh, hm, we need a new ZK cluster!

Or if we want to try KRaft, just another kafka node.

I'm inclined to try KRaft since this is a brand new (experimental) Kafka cluster, and will not require us to create a new ZK cluster. KRaft is not marked as 'production ready' but it is likely to be in Kafka 3.3, slated to be released in August 2022.

I added a request for a tiebreaker controller Kafka node in ulsfo (or eqord).

CC @herron and @elukey on this ticket too, since they also do Kafka SRE work.

I added a request for a tiebreaker controller Kafka node in ulsfo (or eqord).

If the tie-breaker node (whether it's zookeeper or a KRaft node) is in ulsfo it could presumably be run on the ganeti400x cluster couldn't it?

If we do go with eqord (for the lowest possible latency) then we would definitely need hardware because there is no ganeti there.
Just a thought.

Oh that is a great point. It certainly could. I'll note that in the request.

FYI Jira for DC level rack awareness: https://issues.apache.org/jira/browse/KAFKA-14281