Enforce query response size limit after decompression in query-frontend

[afhassan]

What this PR does:
Add new config max_query_response_size that limits the total response size of instant and range queries after decompression. The limit is applied to the total response size of all query shards.

Which issue(s) this PR fixes:
Fixes #

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

[yeya24]

If we apply the limit only on instant query and range query tripperware, then we don't have a way to protect us for large response from GetSeries and GetLabels API.

Do we plan to do something there? Or rely on the existing gRPC message size limit.

[yeya24]

Can we add an integration test?

[harry671003]

Thanks for the PR.
I believe the intend is to protect QFEs from OOMs. Could you test this and validate if it works as intended? Maybe reproduce a case where QFEs are getting OOMed and check whether the limit prevents this from happening.

[afhassan]

Added a new config for max_query_response_size that tracks the total response size of all query shards.

I will reproduce QFE OOM and test the new limit + add integration test

Thanks for the feedback!

[afhassan]

Addressed the previous feedback.

I think the PR is in a good place for a second review now

[harry671003]

nit: Extract the logic to estimate the uncompressed size into its own function.
What happens when it overflows? For example if the uncompressed size is 5GB, what will be these last 4 bytes be?

[afhassan]

It is a 32-bit unsigned integer. When it overflows it should loop around so it will show 1 GB instead of 5 GB. It will not be a negative value.

The only risk in that case is not enforcing the limit when we should have.

[harry671003]

Overall great work! Left some optional nit comments.

[harry671003]

nit: Does this method need to be renamed?

[afhassan]

The function does not return body buffer. It returns body bytes array. I made that distinction when I split it into two functions, but even as one function it didn't make sense to me that it is called BodyBuffer() when it does not return a body buffer.

I am okay with keeping the name or changing it to something else, but what is the reason for using BodyBuffer()

[justinjung04]

Thanks for a great feature! I just have few minor comments

[justinjung04]

How do we double check if this is safe to be removed?

[afhassan]

We set the compression headers for instant and range query requests here https://github.com/afhassan/cortex/blob/be0fc7f216589a3e9cb66af85ee25cf192fd533b/pkg/querier/tripperware/query.go#L762

We currently only support gzip compression (default) or no compression. We never set any other Accept-Encoding header.

Use compression for metrics query API or instant and range query APIs.
Supports 'gzip' and '' (disable compression)
CLI flag: -querier.response-compression
[response_compression: | default = "gzip"]

Snappy was added because we planned to potentially support it as well, but I think that can be left for a future PR to do.

[afhassan]

Rebased the changes and force pushed

[justinjung04]

Nice! Thanks a lot!

[yeya24]

Thanks and great work. Most of the comments are nits I think

[yeya24]

Is the error message clear enough to tell it is the total response size for sharded queries?

[afhassan]

Maybe the total received query response size exceeds limit (limit: %d bytes)? II don't know if we should explicitly mention shards since it is an internal detail.

[yeya24]

I am a bit worried that the query response size exceeds limit might be a bit misleading to users as it reads as the query response size in their result. People will be confused that how their query exceeds several GBs even though the final size is only several MBs.

If we don't have a better error message we can go with what you have now