Some recommendations
-keep scheduling independent; make it something that people can experiment with new algorithms, history based scheduling, etc. This is a very hard problem.

-Pay-as-you-go job submission, in which users have a budget of CPU time, has worked well for managing resources since the days of the mainframe. It's a good way of limiting abuse.

-long haul GUI/tools could be useful; assume the client is on a laptop behind a firewall. This could be a good opportunity to make the client-API RESTy, against the web interface only.

Also 11.3 Security: you can only isolate work on the same CPU by running each job in a JVM sandbox with no networking or exec() capabilities. That may be something more broadly useful than just the RM.

>> the scheduler people want fully deterministic "when will this job finish" information, which the Halting Problem says isnt on the table
It seems even tougher for MR jobs which are very elastic. Maybe it's good enough for users to get a sense of when their job will run (and if it's not running, why) and see progress. But it certainly is a challenging problem to figure out when a MR job will run. Perhaps statistical prediction might be a good start?

>> -keep scheduling independent; make it something that people can experiment with new algorithms, history based scheduling, etc. This is a very hard problem.
Agreed. Scheduling itself is a complex, fascinating area. As you point out, it's important to keep it separate and make it easy to experiment with various algorithms. That's an architectural requirement we fully intend to respect.

>> Pay-as-you-go job submission, in which users have a budget of CPU time, has worked well for managing resources since the days of the mainframe. It's a good way of limiting abuse.
Yes. I can easily see a resource management system where user/org resource consumption is tracked over time and we can have quotas or billing or priority changes based on these usage patterns. For now though, to keep things simple and to get started, I think that between guaranteed capacities for Orgs (and dynamic redistribution of free resources), user limits, and job priorities, we can significantly improve utilization of Grid resources while maintaining fairness.

>> long haul GUI/tools could be useful; assume the client is on a laptop behind a firewall. This could be a good opportunity to make the client-API RESTy, against the web interface only.
Tools, GUI, and transparency are going to be critical. It's vital that users get a sense of what's going on, get a sense that scheduling is fair, rational, and deterministic, and that they don't just sit around wondering when things will run. I agree that a REST-like Web interface to the job queues makes a lot of sense, especially given that jobs and queues lend themselves very well to be modelled as resources. In fact, it'll be awesome if someone can work out a good Web-based interface to allow users to interact with the queue. It doesn't have to be REST, but REST does feel like the right model here.

A lot of the scheduling code already works well in the JT, and we've been achieving decent data locality, so it'd be silly to throw that away. Adding support for queues, orgs, and quotas to this code makes sense to me.

I think that the scheduling part will be easy to implement, but it raises other concerns that we might need to discuss. When they'll be solved, the rest could take less than a week.
Those things are :

• Assigning organisation to users, and authenticating users.
  Since we will need support in HDFS for authentication, a way to do that could be to delegate the authentification to the FS. A user's JobClient would confirm the fact he made a request by writing a cookie in a file owned by that user before submiting the job.
  Organisations would be described by files owned by the organisation and containing the list of their users.
  A little class "FsGateKeeper" would wrap around that mecanism in a convenient way.
  The problem is that I'm really unaware of what's being done on the HDFS side. I heard about it on the mailing list but that's all.
• Insulating tasks from each other.
  If we want to allow different tasks from different organisations and to do resource allocation enforcement, we might want to ensure that they have only the needed privileges. It is a more complex issue.
  A first, almost good enough, step could be to write an basic "Insulator" that would use a provision of local accounts (users hadoopClient0 to N), and run each tasks with that users credential. On Linux, CPUsets could be used to reliably clean the working space after the end of a task.
  A more powerful solution would be build a sandboxing daemon around seccomp(). That kind of solution would be light and could be useful to a lot of other projects but would take a lot of time (if someone want more information about that I think that I have a file about this idea somewhere :-P).
• Balancing the different kind of resources.
  I am working on that with Jaideep. I hope that we will have a first concrete proposition and a prototype by Tuesday.

If you agree with that vision, I'll create issues for each of those steps.
If we work together we might be able to do it quickly ^^ (I think it should be less than a month, but I tend to be very optimistic xD).

PS: I have problems with conditionals in English, and I'm unsure of using "might" "should" and "could" in the right way. Please forbid me.

Perhaps it would be good to agree on the requirements that are motivating this design. We may find that there are some requirements that aren't that important that make the design more complicated than it needs to be.

Reading between the lines it sounds like you have the following requirements:

These are the requirements that seem basic:

• Guarantee a certain level of service to users - minimum number of cpus available and a bound on the time needed to acquire the cpus.
• Keep grid utilization high - enable users to use more than their guaranteed level in a fair manner if extra resources are available .
• Some jobs are more important than others, so should have a priority.
• The resource manager figures out the best number of machines to allocate to a job.
• Basic accounting for the resources used by a user

These seem to be motivating your design, but I can't understand why they are needed. (Perhaps I'm misreading the implied requirement.)

• Even if resources are available and fairness is met still limit the number of resources used by a job (4.1)
• Abstractions of organizations and queues are needed for ... (Is this an ops requirement? or a client usability requirement?)

There are probably other requirements we are missing that you have in mind. (Perhaps they would clear up the last two.) It would be great to get them documented.

IMO, these really are requirements. It's not very useful to say, for example, that a requirement is that a system be highly available. Yes, there are different ways to make it highly available, but it seems perfectly fine to provide some more detail if that's how you want the system to behave as a black box. Otherwise the requirements don't add a lot of value - they end up being fairly obvious. What's more important, again IMO, is that requirement be phrased in terms of usage, i.e., they should specify how external systems (users, etc) interact with the system. And it's important to specify in detail how user interaction will be affected. By explicitly mentioning 'guaranteed capacities' for Orgs and how excess capacity is redistributed and reclaimed, we're letting users know that that is exactly how the system will behave. By just saying the the utilization should be high, you open the door for the architecture/design to influence basic user interaction, which I don't think is right. There have also been some pains taken to make sure we don't talk about Hadoop components specifically, or that the requirements don't influence the design.

>> Even if resources are available and fairness is met still limit the number of resources used by a job (4.1)

Not sure I fully understand your concern. If resources are available, limits will not be enforced. The end of the first sentence for 4.1 says "if there is competition for them". User limits are applied only if there are more tasks than queue resources. Maybe that's not fully clear in the writeup, but that's the intention.

>> Abstractions of organizations and queues are needed for ... (Is this an ops requirement? or a client usability requirement?)

It's a bit of both. Orgs let us reason about policies, quotas, access control, accounting etc. Queues give you granularity within Orgs to support different scheduling policies. These abstractions affect client usability as users need to knwo which queue to submit jobs to, and hence need to be aware and in agreement with the queue's (and hence the Org's) policies.

I'm not saying it's wrong to have orgs, but I don't see the requirement motivating the design. (You've stated it as a requirements, so perhaps I should say I don't see the motivation for the requirement.)

I have similar thoughts about priorities. It seems reasonable to have priorities associated with a queue, so why do you also need it with a job? Some designs would define job priority as the queue the job is in.

I realize you see some things as obvious, but these obvious requirements aren't clear from your design. It is interesting you bring up "highly available". It appears that HA is not a requirement. Correct? Your only availability requirement, which is in the parenthesis, is that a server can restart. If a server fails, the system can hang until it is restarted. Correct? The requirement under Availability is more of a persistence guarantee.

The relationship between Orgs and queues, at least in the way we've been discussing it between a few of us, is that Orgs 'control' Grid resources ('guaranteed capacity' is one way to do that). And users belong to Orgs. Queues are a way for an an Org to divide its resources. We see an Org eventually having multiple queues. There may be a queue for very high priority jobs, which may get first dibs on an Org's resources, for example.You can imagine other kinds of queues as well, based on other scheduling criteria. Access control happens at both levels. Users can only submit jobs to the queues in their Orgs, and can submit to more than one queue. Individual queues may also control who is allowed to use them. Basically, Orgs and queues provide a hierarchy that we hope helps with configuration (you can have some configuration of policies at Org levels that applies to all queues, and some of these policies may be overridden at the queue levels). There are other ways to do this. You could just have queues in the system, but configuration and management would probably be harder when compared to a more hierarchical structure.

It's fair to argue whether we need any hierarchy at all, and if we do, why just restrict it to Orgs and queues. Why can't queues have sub-queues, for example? My personal view is that these things will become more clear as we start using this system. It intuitively feels right to have Orgs and queues right now, and there are a number of use cases to justify it, some of which I've mentioned in this discussion. But, partly in deference to the fact that it may be too premature to work out the exact details between Orgs, queues, sub-queues, and what not, we'd like to build V1 with one queue per Org, basically equating the two. It's quite possible, and as you point out somewhat, that Orgs manifest themselves more outside the RM (in fact, in the design for V1, we really just deal with queues). I expect that over the course of the next many weeks/months, we'll be able to define a more concrete relationship between all these entities. IMO, it's premature to spend too much time on that for V1.

Regarding priorities: queues only decide if they look at job priorities. Jobs always set their own priorities. If a queue respects priorities, it will order jobs based on job priorities. If it does not, it will order jobs based on when they were submitted.

Regarding HA: there are lots of ways to build HA into the system. What we're suggesting for V1 is for the ability to restart the RM and continue from where it left off (i.e., users do not have to resubmit jobs). This adds a level of HA to the existing HOD system today. So rather than say 'HA is a requirement' (which, as I've mentioned earlier, does not buy us anything), we're specifying exactly what is a requirement in V1 to improve the system's HA. as a user, you're guaranteed that your jobs will persist after you submit them. That is the HA-related requirement this system will enforce. Yes, this is technically a guarantee of persistence, but that in turn gets you some level of availability. There is also some level of HA built into the JTs and TTs today, which will continue. if you're concerned whether Req 7.1 technically falls under 'HA', that's a different discussion. I think it does, but I also think it doesn't matter much whether you group it under 'Availability' or 'Persistence' or something else. But, you might differ.

3.1. Jobs have priorities associated with them (users can optionally assign a priority to a job, or else the system assigns a default priority). For V1, we support the same set of priorities available to MR jobs today.
3.2. Queues can optionally support priorities for jobs. By default, a queue does not support priorities, in which case it will ignore (with a warning) any priority levels specified by jobs submitted to it. If a queue does support priorities, it will respect the priority set for the job.

I realize that we're tweaking a requirement based on current implementation, but spirit of the requirement was that we continue letting users submit jobs as before, and the system's behavior does not change. I think that is captured better with the newer set of requirements.

IMO, it might be cleaner to have one scheduler for each org, and the interface of the scheduler consists of two API: "scheduleIn(Job, Priority)" and "Job scheduleOut()", where Priority is an opaque object specific to the particular scheduler used by org. Having one queue, multiple queues, what kind of queues is a decision inside the implementation of a particular type of scheduler.

The good thing about this design is that it decouples the scheduling from the already ambitious requirements. We can start with FIFO scheduler or strict priority scheduler and evolve in the long run.

>> Having one queue, multiple queues, what kind of queues is a decision inside the implementation of a particular type of scheduler.
Again, there is a difference between a 'queue' in the requirements and queues in implementation. The way the RM is visualized, you configure a Hadoop installation to support one or more 'queues' (post-V1, you'd likely have one or more 'queues' grouped into an Org), and you configure a bunch of stuff for each 'queue': access control, capacity, etc (see HADOOP-3479 for details). You can certainly configure your system to have as many, or as few, 'queues' as you want, and I don't see them as directly linked to the Scheduler implementation. There are certain queue configuration values that may affect scheduling decisions: for example, you may want to give more weight to some 'queues', so they have greater access to free resources. But it seems like you're suggesting a much stronger connection between the number of queues and the scheduler implementation. If so, can you elaborate? Perhaps a use case would help?

>> The requirements do not include how jobs/resources are prioritized across queues.
Req 3.3 says that "comparison of priorities makes sense within queues, and not across them". what this means is that it doesn't make sense for jobs to be prioritized across queues. Since a user submits a job to a particular queue, he/she really only cares where the job ends up in that queue. Maybe what you're asking is how are free resources (Map/Reduce slots, in V1) distributed across queues. For example, if a TT has a free Map slot, which queue does the RM look at? The requirements don't address that (maybe they should). There are a few options for implementation, which are discussed in HADOOP-3445 (see point #2 under the section 'When a TT has a free Map slot'). If you have some other ideas in this respect, I'd love to hear them on that Jira.

>> The good thing about this design is that it decouples the scheduling from the already ambitious requirements. We can start with FIFO scheduler or strict priority scheduler and evolve in the long run.
Exactly. It's important to keep the Scheduler piece (the component that decides which free resource to be allocated to which job/task) separate enough. Some scheduling algos work well with a full view of the system. Some may work well by looking only at their own Org, as you suggest. For now, the Scheduler algorithm continues to be the same - use priorities and FIFO to sort jobs, then use data locality and some other stuff to decide which task to assign the TT. This seems to be working reasonably well (we've been getting good data locality hits) so far, but can evolve if needed.

I hope I didn't go off on a tangent here.

If we support multiple "Job Queues" for each org, the scheduler in each may be oblivious to each other and thus it could be harder to implement intelligent scheduling (due to unpredictable interferance).

So the reason I see you want to have multiple "Job Queue" is that you can associate access and capacity control at the "Job Queue" level (instead of at the job level). What I am thinking is that we can provide only one "Job Queue" per org, but inside each "Job Queue", we can have job classes, and we associate resource allocation, prioritization of jobs in the same class, access/capacity control a the job class level. Admittedly, it is just a change of view. If we can clearly define how resources are allocated among different "Job Queues" and use a single scheduler to drive all Job queues in one Org, then we get mostly the same thing...

>> 1) I would be interested to know why preempting a running job has been excluded from the design. I can imagine use cases (say in a production environment) where a high-priority job should be executed basically instantaneously at the expense of running jobs at lower priority.

You're right - there are legitimate use cases where you want to preempt running jobs for others. But we need to be clear on the exact semantics for preemption, especially since we're doing task level scheduling. What Req 3.3 implies is that if a job with a higher priority comes in while a job with a lower priority is running (i.e., some of its tasks have run, or are running), then going forward, the runnable tasks of the higher priority job will be scheduled before the runnable tasks of the lower priority job. What we will not do is kill the running tasks of the lower priority job (except in the case of Req 1.6). This becomes an issue only if the tasks of the lower priority job are long running. Essentially, what we're trying to limit in V1 is the killing of running tasks. Otherwise, you do get preemption in the sense that tasks of the higher priority jobs run earlier, or to put it more generically, the higher priority job has higher/earlier access to a queue's resources than the lower priority job. The flip side here is that you will may end up with a large number of running jobs (which are jobs with at least one task running or having run). This can cause a strain in resources (running jobs use up temp disk space and have a higher memory footprint in today's JT).

>> 2) Will the job scheduler at least be able to kill individual tasks of running jobs to get resources back?

Only to satisfy Req 1.6 for now. It's possible that we kill tasks in more situations, in later versions.

>> 3) Is 'N minutes' in 1.6 configurable per org?

Right now, the thinking is to keep things simple (just so we can get something out soon), which means that we're leaning towards global configuration values rather than per Org, in many cases. However, it'd be cool if folks can submit patches to add more finer-grained options. Clearly, having a per-Org value of N makes sense. See HADOOP-3479 for more details on the implementation effort for configuration.

>> 4) 8.1: shouldn't the RM be able to allow 20k+ nodes?

The 3K value is for V1. It ties in to the scale we can support with Hadoop in general. Clearly, as HDFS and MR, and Hadoop as a whole, start scaling to more and more nodes, the Resource Manager will have to keep pace. It doesn't make sense to actually implement V1 to handle 20K+ nodes when other Hadoop components do not scale that much. But yes, the RM architecture should be able to handle numbers like 10K or 20K. Maybe that req can be rephrased to say that the 3K number is for now, and we expect it to grow to 10 K or 20K soon?

4.2. Memory limits.

• There is a cap, MAX_MEM, on the total memory used by all Hadoop tasks and their descendants on a node. This cap applies to virtual memory size, not to resident size. MAX_MEM is configurable for each node.
• Each task, including its dependents, has a limit MAX_MEM_PER_TASK, which by default is equal to MAX-MEM/N, where N is the total number of tasks that the TT is configured for. A task that exceeds its memory cap will be killed.
• Users can, however, optionally provide their own MAX_MEM_PER_TASK limit for each task in a job. The RM will take into account available memory on a TT as well as a task's specified limit when scheduling.