Skip to content

RabbitMQ Microservice reliability

YANG YANG edited this page Jan 3, 2023 · 3 revisions

This is a condensation of a short tech talk discussing findings and recommendations from issue #565.

RabbitMQ uses acknowledgments to ensure that queue consumers reliably receive messages. A consumer can listen for messages on a queue using one of two settings:

  • Auto-ack (no-ack) - Once RabbitMQ has successfully written a message to the TCP socket, its job is done and it forgets about the message. From RabbitMQ's perspective, it does not expect any acknowledgment back from the consumer. From the consumer's perspective, the receipt of the message comes with an implication of acknowledgment (courtesy of TCP's syn-ack handshake); no further action is needed to tell RabbitMQ to forget about the message.
  • Explicit ack - The consumer is responsible for explicitly sending an acknowledgment back to RabbitMQ. If it doesn't (due to buggy code, or a system failure that the consumer can't handle), RabbitMQ will wait a certain amount of time (30 minutes by default), then re-queue the message for delivery to another consumer. Note that an ack can mean: (1) a consumer received the message (redundancy for the TCP syn-ack) or (2) consumer successfully processed the message (may not be needed if the caller is expecting a response to the request) -- the semantics is for us to decide but we should be consistent.

The remainder of this page describes a few scenarios for how VRO microservices could interact with RabbitMQ to ensure reliability (or not), starting with some obviously unworkable ones.

No acknowledgment

The microservice consumes requests with auto-ack on, and performs the work without communicating out about any success or failure.

sequenceDiagram
    App->>RabbitMQ: publish request
    RabbitMQ->>Microservice: consume & auto-ack request
    Note right of Microservice: do some work
Loading

This does not provide any safeguards in case of failure, and should only be used if the microservice is intended to perform optional "best-effort" work.

Explicit acknowledgment

The most basic way to address the above issue is to have the microservice explicitly acknowledge that it performed its work successfully.

sequenceDiagram
    App->>RabbitMQ: publish request
    RabbitMQ->>Microservice: consume request
    Note right of Microservice: do some work
    Microservice->>RabbitMQ: ack request
Loading

See the re-queuing section below for a description of RabbitMQ's behavior if it never receives the explicit ack.

Responding to app

Currently, every microservice in VRO is invoked by a caller (for example the API server, labeled here as "App") that depends on some sort of result from the microservice. As with the request sent to the microservice, the response is published to RabbitMQ, and subsequently consumed by the caller.

sequenceDiagram
    App->>RabbitMQ: publish request
    RabbitMQ->>Microservice: consume & auto-ack request
    Note right of Microservice: do some work
    Microservice->>RabbitMQ: publish response
    RabbitMQ->>App: consume response
Loading

In this case, the response message also serves conceptually as an acknowledgment from the microservice that it performed its work successfully. The next two scenarios describe what happens when a failure occurs.

Responding to App with error

If the microservice encounters a failure and can recover (in Java and Python microservices that wrap the entire task in a try/catch, this likely accounts for nearly all failures), the microservice can send an error response back to the app.

sequenceDiagram
    App->>RabbitMQ: publish request
    RabbitMQ->>Microservice: consume & auto-ack request
    Note right of Microservice: try to do some work
    Note right of Microservice: handle a failure
    Microservice->>RabbitMQ: publish error response
    RabbitMQ->>App: consume error response
Loading

This is nearly identical to the previous scenario, just with different content in the response message -- the error response acts like the ack.

Letting the App time out

Occasionally there are failures can't be handled by the microservice, e.g. if its container gets killed by OOM. In this case, the microservice isn't able to send back any response, so it's up to the App to time-out after a reasonable amount of time.

sequenceDiagram
    App->>RabbitMQ: publish request
    RabbitMQ->>Microservice: consume & auto-ack request
    Note right of Microservice: unhandled failure
    Note left of App: timeout waiting for response
Loading

This works well when the App itself is bound by a request/response context that is expected to return within a reasonable amount of time. Other callers/requesters must ensure to set a response timeout and handle it by resubmitting the request (itself or via RabbitMQ's features) or raising an error for the originating caller to handle.

Re-queuing asynchronous work

In the event that the microservice is responsible for work that finishes at some indeterminate time in the future, RabbitMQ's re-queuing of unacknowledged messages can be used. When the microservice consumes messages with explicit acks, RabbitMQ will wait a certain amount of time (30 minutes by default) for the ack, and re-queue and re-deliver the message after a time-out.

sequenceDiagram
    participant App
    participant RabbitMQ
    participant MS1 as Microservice
    participant MS2 as Microservice
    App->>RabbitMQ: publish request
    RabbitMQ->>MS1: consume request
    Note right of MS1: unhandled failure
    Note right of RabbitMQ: timeout waiting for ack
    RabbitMQ->>MS2: consume request
    Note right of MS2: do some work
    MS2->>RabbitMQ: ack request
Loading

This sequence diagram shows the flow when a second microservice is available to consume the message.

Clone this wiki locally