OOM Protection Using Automatic Query Killing

Pinot's built in heap usage monitoring and OOM protection

Pinot has implemented a mechanism to monitor the total jvm heap size and per query memory allocation approximation for server (see https://github.com/apache/pinot/pull/9727). If enabled, this mechanism can help to protect the server from OOM caused by expensive queries (e.g. distinctcount + group by on high cardinality columns). Upon an immediate risk of heap depletion, this mechanism will kick in and kill from the most expensive query(s). Here are the server configurations:
 
Config
Default
Description
pinot.query.scheduler.accounting.factory.name
DefaultThreadResourceUsageAccountant which only hardens timeout but no preemption
Use org.apache.pinot.core.accounting.PerQueryCPUMemAccountantFactoryIf one intend to enable this feature
pinot.query.scheduler.accounting.enable.thread.memory.sampling
false
Account for threads' memory usage of a query, works only for hotspot jvm. If enabled, the killing decision will be based on memory allocated.
pinot.query.scheduler.accounting.enable.thread.cpu.sampling
false
Account for threads' cpu time of a query. If memory sampling is disabled/unavailable, the killing decision will be based on CPU time. If both are disabled, the framework will not able to pick the most expensive query.
pinot.query.scheduler.accounting.oom.enable.killing.query
false
Whether the framework will actually commit to kill queries. If disabled, only error message will be logged.
pinot.query.scheduler.accounting.publishing.jvm.heap.usage
false
Whether the framework periodically publishes the heap usage to Pinot metrics.
pinot.query.scheduler.accounting.accounting.oom.panic.heap.usage.ratio
0.99
When the heap usage exceeds this ratio, the frame work will kill all the queries. This can be set to be >1 to prevent a full killing from happening.
pinot.query.scheduler.accounting.accounting.oom.critical.heap.usage.ratio
0.96
When the heap usage exceeds this ratio, the frame work will kill the most expensive query.
pinot.query.scheduler.accounting.accounting.oom.alarming.heap.usage.ratio
0.75
When the heap usage exceeds this ratio, the framework will run more frequently to gather stats and prepare to kill queries timely.
pinot.query.scheduler.accounting.sleep.ms
30ms
The periodical task for query killing wakes up every 30ms
pinot.query.scheduler.accounting.sleep.time.denominator
3 (corresponding to 10ms sleep time at alarming level heap usage)
When the heap usage exceeds this alarming level, the sleep time will be 
sleepTime/denominator
pinot.query.scheduler.accounting.min.memory.footprint.to.kill.ratio
0.025
If a query allocates memory below this ratio of total heap size (Xmx) it will not be killed. This is to prevent aggressive killing when the heap memory is not mainly allocated for queries
pinot.query.scheduler.accounting.gc.backoff.count
5
When the framework consecutively kills this many expensive queries it will explicitly trigger gc to reclaim the memory.
​

Config	Default	Description
pinot.query.scheduler.accounting.factory.name	`DefaultThreadResourceUsageAccountant` which only hardens timeout but no preemption	Use `org.apache.pinot.core.accounting.PerQueryCPUMemAccountantFactory`If one intend to enable this feature
pinot.query.scheduler.accounting.enable.thread.memory.sampling	false	Account for threads' memory usage of a query, works only for hotspot jvm. If enabled, the killing decision will be based on memory allocated.
pinot.query.scheduler.accounting.enable.thread.cpu.sampling	false	Account for threads' cpu time of a query. If memory sampling is disabled/unavailable, the killing decision will be based on CPU time. If both are disabled, the framework will not able to pick the most expensive query.
pinot.query.scheduler.accounting.oom.enable.killing.query	false	Whether the framework will actually commit to kill queries. If disabled, only error message will be logged.
pinot.query.scheduler.accounting.publishing.jvm.heap.usage	false	Whether the framework periodically publishes the heap usage to Pinot metrics.
pinot.query.scheduler.accounting.accounting.oom.panic.heap.usage.ratio	0.99	When the heap usage exceeds this ratio, the frame work will kill all the queries. This can be set to be >1 to prevent a full killing from happening.
pinot.query.scheduler.accounting.accounting.oom.critical.heap.usage.ratio	0.96	When the heap usage exceeds this ratio, the frame work will kill the most expensive query.
pinot.query.scheduler.accounting.accounting.oom.alarming.heap.usage.ratio	0.75	When the heap usage exceeds this ratio, the framework will run more frequently to gather stats and prepare to kill queries timely.
pinot.query.scheduler.accounting.sleep.ms	30ms	The periodical task for query killing wakes up every 30ms
pinot.query.scheduler.accounting.sleep.time.denominator	3 (corresponding to 10ms sleep time at alarming level heap usage)	When the heap usage exceeds this alarming level, the sleep time will be `sleepTime/denominator`
pinot.query.scheduler.accounting.min.memory.footprint.to.kill.ratio	0.025	If a query allocates memory below this ratio of total heap size (Xmx) it will not be killed. This is to prevent aggressive killing when the heap memory is not mainly allocated for queries
pinot.query.scheduler.accounting.gc.backoff.count	5	When the framework consecutively kills this many expensive queries it will explicitly trigger gc to reclaim the memory.

Managing Logs

Next - For Operators

Command-Line Interface (CLI)

Last modified 3mo ago