Understanding failure detection in Infinispan and JGroups

Keycloak uses Infinispan to store session related information in distributed caches both within Keycloak, and in external instances of Infinispan. Keycloak instances as well as external Infinispan instances form clusters, and the communication between the nodes of a cluster is handled by JGroups. The communication between different external Infinispan clusters in a multi-site setup is also handled by JGroups.

Each node in such a cluster is serving session data, which is important for Keycloak to serve requests. An unresponsive node leads to blocked requests, and possibly timeouts and errors on the caller’s side. If a node fails, requests need to be redirected to the remaining nodes, and its data needs to be re-distributed from backup nodes in the cluster.

A broken TCP connection has a performance impact on the cluster, and it is necessary to detect it, so the connection can be closed and new ones may be established. Note that TCP is a blocking/synchronous protocol, and if the connection is not working properly, threads will be blocked in the Socket::write operation. The kernel parameter tcp_retries2 configures the amount failed retries until the Kernel force closes the connection. Quoting the Kernel Documentation:

During this period, the cluster performance is degraded. Changing Kernel parameters in an image or container is not desired, but JGroups has attributes that can be configured to detect and force-close these broken connections.

For cross-site network communication, which uses the TUNNEL protocol in Kubernetes, Infinispan Pod traffic is forwarded through JGroups Gossip Router Pods. The timeouts are configured in the Infinispan CR YAML file as shown below:

Reducing the interval and timeout will increase how fast JGroups detects a broken connection. However, it also increases the network usage due to the increase frequency of heartbeats. Note that all Infinispan Pods in both clusters will send heartbeats to all the configured Gossip Router Pods.

For intra cluster communication in Infinispan or Keycloak cluster, broken TCP connections are detected and closed by the failure detection. See section Detecting non-responsive nodes for more information.

Nodes in a cluster can fail, and traffic and data need to be redirected once that happens. Failure detection in JGroups is provided by the protocol FD_ALL3 present in the default JGroups configuration shipped with Infinispan.

FD_ALL3 is a simple heartbeat protocol where every member periodically multicasts a heartbeat. When data or a heartbeat from another Pod is received, that Pod is considered alive, otherwise the Pod is considered suspected and may be removed from the group view.

The heartbeat interval and timeout are configured as shown:

For a cluster of M Pods, each Pod will generate M-1 heartbeat message at each interval. Reducing the interval and timeout improves the detection speed of the crashed Pod, but has a greater impact in the network with the extra message transmitted around.

If cross-site is enabled, FD_ALL3 heartbeats also flow to the remote cluster(s). The cross-site channel has its own configuration that can be configured independently of the intra-cluster communication.

After a Pod is suspected, a new group view change is triggered without the crashed member. This even will close any broken TCP connection with that Pod and unblock possible blocked threads.

Infinispan has three configurable timeouts that affect the read or write operations, in both Keycloak and Infinispan clusters. Those are the lock timeout, remote timeout and cross-site remote timeout.

If the timeouts are aligned with each other and the failure detection timeouts and intervals described above, they allow at least one retry after a connection or node failure. This allows providing a valid response to the caller and hiding the error that occurred.

The lock timeout is the waiting time that an operation waits for a lock to be released. This should be the smallest of all.

The remote timeout is the time an Infinispan Pod waits for the replies from other Pods in the same cluster. It affects both writes, when replicating the data, and reads, where a Pod fetches the data from other Pods if a copy does not exist locally.

Finally, for a multi-site deployment, the cross-site remote timeout is the wait time for the other cluster to acknowledge the update.

Changing these values may have a direct impact on the response time. Although during normal operation Infinispan replies in a couple milliseconds, these timeouts may be reached if the workload is higher, a Pod crashes or during a network outage.

Decreasing the timeout reduces the response time; Infinispan will give up sooner but increase the error rate reported to the user. Increasing these values may reduce the amount of errors, since it gives more time to Infinispan to go through the workload, but will increase the response time observed by the end user.

To update any timeout value in an Infinispan cluster deployed with the Infinispan Operator, update your CacheCR as follows:

For the Infinispan cluster running in the Keycloak servers, a customized Infinispan XML file is required. Change the cache configuration as show and add the attributes (in bold) you want to update: