Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Meta] Plugin sandboxing: Step towards modular architecture in OpenSearch #1422

Open
11 of 15 tasks
saratvemulapalli opened this issue Oct 22, 2021 · 4 comments
Open
11 of 15 tasks
Assignees
Labels
enhancement Enhancement or improvement to existing feature or request extensions Meta Meta issue, not directly linked to a PR Priority-High Roadmap:Modular Architecture Project-wide roadmap label

Comments

@saratvemulapalli
Copy link
Member

saratvemulapalli commented Oct 22, 2021

Problem

Plugin architecture enables extending core features of OpenSearch. There are various kinds of plugins which are supported.
But, the architecture has significant problems for OpenSearch customers. Mainly, plugins can fatally impact the cluster
e.g critical workloads like ingestion/search traffic would be impacted because of a non-critical plugin like s3-repository failed with an exception.
The problem multiplies exponentially when we would like to run an arbitrary plugin as OpenSearch core and system resources are not protected well enough.

Zooming in technically, Plugins run with-in the same process as OpenSearch. As OpenSearch process is bootstrapping, it initializes PluginService.java via
Node.java. All plugins are classloaded via loadPlugin during the bootstrap of PluginService.
It looks for plugins directory and loads the classpath where all the plugin jar and its dependencies are already present. During the bootstrap, each plugin is initialized and they do have various interfaces through which they could choose to subscribe to state changes within the cluster e.g ClusterService.java.

Resources on the system for Plugins in OpenSearch are managed via Java Security Manager. It is initialized during the bootstrap of OpenSearch process.
Each plugin defines a security.policy file e.g Anomaly Detection Plugin

As we can see, plugins are loaded into OpenSearch process which fundamentally needs to change.

Objective

This feature enables any plugin to run safely without impacting the cluster and the system.

Design

PLEASE NOTE: THIS DOCUMENT IS WORK IN PROGRESS AND DOES NOT REPRESENT THE FINAL DESIGN.

Plugins Sandboxing_today

Requirements

TBD (Define what we would like to accomplish and whats not changing in the system).

The high level thoughts for plugin sandboxing is basically trying to isolate plugin interactions with OpenSearch.
All the interactions for plugins are via extension points.
If we can modularize these extension points, I believe we can achieve isolation for plugins.

Proposal

Plugin Sandboxing New World

Plugins run with the OpenSearch process today. We are proposing running plugins through (thanks to dblock@):

  • OpenSearch process
  • Independent process
  • Remote node

We see value in offering an option to run the plugin in different parts of the system. Some plugins would like run within the process (like searching, indexing), in an independent process (like snapshot repository) and on a remote node (like machine learning).

We will build a new Plugins Orchestrator which will facilitate running plugins in all 3 ways. New interfaces will be defined to establish communication between extension and OpenSearch.

Proof of Concept

To explore this idea more, we would like to have a plugin running in an independent process.

Tracking Issues

Learn and Share:

Milestones:

Meta: #1632

Back Burner:

FAQ

  • How would an extension communicate with OpenSearch

We are exploring to use a light weight form of Transport which will help bi-directional communication. Transport is the communication mechanism OpenSearch uses between nodes.

  • How is the latency of an extension compared to a plugin loaded in memory?

AD Extension with create detector functionality latency: opensearch-project/opensearch-sdk-java#24 (comment)
AD plugin latency: opensearch-project/opensearch-sdk-java#24 (comment)
With an example extension point onIndicesModule(), we see about 8-11% depending on workload and the throughput decrease is between .05%-7%.

#2231
#3012

  • Would the extensions framework offer both methods for extensions i.e. same process and another process as alternatives

Now as we have the numbers for latency, we see there is value running plugins in process and we will continue to support it for critical workloads in the cycle of querying, indexing.

  • When will Extension framework and OpenSearch SDK be released?

We are working towards OpenSearch 3.0 to have the initial framework to support extensions and release the first version of SDK support default extension points.

  • Have you tried migrating a plugin into an extension?

We are working on anomaly detector backend plugin as prototype and run it as an extension.
#5224

@saratvemulapalli saratvemulapalli added enhancement Enhancement or improvement to existing feature or request untriaged and removed untriaged labels Oct 22, 2021
@saratvemulapalli saratvemulapalli changed the title Issue to track design plugin sandboxing [Meta] Issue to track design plugin sandboxing Nov 17, 2021
@saratvemulapalli saratvemulapalli self-assigned this Nov 17, 2021
@saratvemulapalli saratvemulapalli added the Meta Meta issue, not directly linked to a PR label Nov 17, 2021
@CEHENKLE CEHENKLE pinned this issue Jan 25, 2022
@saratvemulapalli saratvemulapalli changed the title [Meta] Issue to track design plugin sandboxing [Meta] Plugin sandboxing: Step towards modular architecture in OpenSearch Feb 8, 2022
@CEHENKLE CEHENKLE unpinned this issue Feb 11, 2022
@pjfitzgibbons
Copy link

Could you tell us - what is the plan for "updating" a plugin? Assuming plugin-X is not fully complete on first release, how can users of the plugin update that plugin on their own instance of Core and Dashboard?

@dblock
Copy link
Member

dblock commented Jun 21, 2022

@pjfitzgibbons Extensions will work like in VSCode or any other sane system, where they will declare a minimum (and sometimes a max) version of OpenSearch required. Then you'll be able to upgrade them to a newer release assuming it's compatible with your current version of OpenSearch at runtime, without restarting a cluster. Does this answer your question?

@pjfitzgibbons
Copy link

@dblock Yes, understood. Is there a specific task above that you believe implicitly includes upgrading functionality (or version detection or ... ?)

@owaiskazi19
Copy link
Member

owaiskazi19 commented Jun 21, 2022

@dblock Yes, understood. Is there a specific task above that you believe implicitly includes upgrading functionality (or version detection or ... ?)

Hey @pjfitzgibbons! You can find more details on API Versioning here: #2447

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Enhancement or improvement to existing feature or request extensions Meta Meta issue, not directly linked to a PR Priority-High Roadmap:Modular Architecture Project-wide roadmap label
Projects
Status: New
Development

No branches or pull requests

7 participants