loadbalancer: Add a P2C host selector

[bryce-anderson]

Motivation

We have a round-robin selector but also want to support
a form of random selection. P2C is a common random
selection algorithm that gives us the ability to also distinguish
hosts based on a load metric, or score, which can help us
distribute load more evenly and avoid hosts that can be
considered outliers by a variety of mechanisms.

Modifications

• Make Host an interface and rename the existing version
  to DefaultHost to make testing easier and the contract
  explicit. This doesn't mean the contract won't change as we
  continue to iterate.
• Add the P2CSelector type and it's tests.

Note: we are not yet integrating this selection algorithm into the
NewRoundRobinLoadBalancer which will entail a bunch of
questions around the API for doing so. That will be done as a
followup to minimize the patch size.

[bryce-anderson]

With the exception of implementing address(), marking the methods public and @Override, this should just be a rename.

[bryce-anderson]

Right now this follows the pattern set by the RoundRobinSelector which is to consider health only for making new connections. I think that is born of the only current circuit breaker being the L4 consecutive failures and the current hesitancy to mark a connection as inactive.
I think we should change that behavior in that we should consider health for any connections and also allow an unhealthy connection to be selected as a last resort (likely configurable). This allows us to have the same expected behavior for all circuit breakers and we don't need to special case the L4. Additionally, I think the L4 case is even improved because if we can't connect to a host there is a good chance existing connections are either not responsive or draining.
However, that is a reasonably big reinterpretation of what health means. I'd like to change it for RR and P2C at the same time, or maybe switch RR first and then merge this. Feedback appreciated on that.

[tkountis]

I agree on that - RR is a good battle tested source for feedback, but if we are designing building blocks of a LB abstraction we should re-consider some of the design decisions and evaluate tradeoffs.
My mental model about this was

• List of hosts as seen from SD
• Subset of hosts as identified by any feedback controller (e.g., L4 / L7)
• Select among these
• Fallback strategy (default to what RR is doing)

[bryce-anderson]

I agree. I think we can potentially go further than RR and offer a panic mode, maybe in two flavors: existing connections only and even for new connections, that at least lets the LB try. At least for the latter it's probably important to add some restrictions at the connection factory level to avoid connection storms so we should proceed with caution there.

[idelpivnitskiy]

+1 for improving and interating on this area and shaping definition of "unhealthy" state.

if we can't connect to a host there is a good chance existing connections are either not responsive or draining

In order to keep track of use-cases and make sure we don't miss anything, it's worth mentioning that ServerListenContext API allows users to pause acceptance of new connections without affecting pre-existing connections. We should account for that as well.

[tkountis]

It's not a comment for this PR but the overall effort.
I think we can provide a richer API that closer resembles what a control plane could also advertise about an endpoint (ie. Condition enum -- Terminating, NotReady, Ready) and a separate binary data plane status (healthy / unhealthy)

[bryce-anderson]

+1. I had some thoughts about already but agree that we should change it in it's own PR.

[mgodave]

Agree as well. To add some context from xDS/EDS we definitely have this information available. "Health" from the perspective of the protocol is richer than a binary decision so it could be an interesting exercise understanding if we care.

[tkountis]

I agree on that - RR is a good battle tested source for feedback, but if we are designing building blocks of a LB abstraction we should re-consider some of the design decisions and evaluate tradeoffs.
My mental model about this was

• List of hosts as seen from SD
• Subset of hosts as identified by any feedback controller (e.g., L4 / L7)
• Select among these
• Fallback strategy (default to what RR is doing)

[mgodave]

nit: this isn't an exception it's a failed Single. I might expect return noActiveHosts(hosts).

[bryce-anderson]

Sorry, I didn't see this until I had merged. I'll clean it up in a follow up.

[bryce-anderson]

The failing checks were flaky tests, so merging.

[idelpivnitskiy]

LGTM, have 2 questions:

[idelpivnitskiy]

This method always returns a non-null value, this annotation is not required

[idelpivnitskiy]

Will it make sense to limit efforts based on number of hosts? For example, if there are only 2 hosts with maxEffort > 1, should we try again or fail fast?

[idelpivnitskiy]

While you clarified reasoning to move re-iteration in a separate big redesign, will it make sense for the time being to follow the following logic?

1. Try t1.pickConnection, if not
2. Check t1 health, if ok do t1.newConnection if not:
3. Try t2.pickConnection, if not
4. Check t2 health, if ok do t1.newConnection if not:
5. go to the next effort