This chapter describes the features that WebLogic Server has for detecting, avoiding, and recovering from overload conditions. WebLogic Server's overload protection features help prevent the negative consequences that can result from continuing to accept requests when the system capacity is reached. These consequences are degraded application performance and stability.
This chapter includes the following sections:
When system capacity is reached, if an application server continues to accept requests, application performance and stability can deteriorate. The following sections demonstrate how you can configure WebLogic Server to minimize the negative results of system overload.
In WebLogic Server, all requests, whether related to system administration or application activity—are processed by a single thread pool. An administrator can throttle the thread pool by defining a maximum queue length. Beyond the configured value, WebLogic Server will refuse requests, except for requests on administration channels.
Administration channels allow access only to administrators. The limit you set on the execute length does not effect administration channel requests, to ensure that reaching the maximum thread pool length does not prevent administrator access to the system. To limit the number of administration requests allowed in the thread pool, you can configure an administration channel, and set the MaxConnectedClients attribute for the channel.
When the maximum number of enqueued requests is reached, WebLogic Server immediately starts rejecting:
Web application requests.
Non-transactional RMI requests with a low fair share, beginning with those with the lowest fair share.
If the overload condition continues to persist, higher priority requests will start getting rejected, with the exception of JMS and transaction-related requests, for which overload management is provided by the JMS and the transaction manager.
Throttle the thread pool by setting the
Shared Capacity For Work Managers field in the Administration Console (see Environments > Servers > server_name > Configuration > Overload). The default value of this field is 65536.
An administrator can configure Work Managers to manage the thread pool at a more granular level, for sets of requests that have similar performance, availability, or reliability requirements. A Work Manager can specify the maximum requests of a particular request class that can be queued. The maximum requests defined in a Work Manager works with the global thread pool value. The limit that is reached first is honored.
An administrator can limit the number of active HTTP sessions based on detection of a low memory condition. This is useful in avoiding out of memory exceptions.
WebLogic Server refuses requests that create new HTTP sessions after the configured threshold has been reached. In a WebLogic Server cluster, the proxy plug-in redirects a refused request to another Managed Server in the cluster. A non-clustered server instance can redirect requests to alternative server instance.
The Servlet container takes one of the following actions when maximum number of sessions is reached:
If the server instance is in a cluster, the servlet container throws a
SessionCreationException. Your application code should handle this run-time exception and send a relevant response.
To implement overload protection, you should handle this exception and send a 503 response explicitly. This response can then be handled by the proxy or load balancer.
You set a limit for the number of simultaneous HTTP sessions in the deployment descriptor for the Web application. For example, the following element sets a limit of 12 sessions:
<session-descriptor> <max-in-memory-sessions>12</max-in-memory-sessions> </session-descriptor>
Administrators can configure WebLogic Server to exit upon an out of memory exception. This feature allows you to minimize the impact of the out of memory condition—automatic shutdown helps avoid application instability, and you can configure Node Manager or another high availability (HA) tool to automatically restart WebLogic Server, minimizing down-time.
You can configure this using the Administration Console, or by editing the following elements in config.xml:
<overload-protection> <panic-action>system-exit</panic-action> </overload-protection>
For more information, see the attributes of the OverloadProtectionMBean.
WebLogic Server checks for stuck threads periodically. If all application threads are stuck, a server instance marks itself failed, if configured to do so, exits. You can configure Node Manager or a third-party high-availability solution to restart the server instance for automatic failure recovery.
You can configure these actions to occur when not all threads are stuck, but the number of stuck threads have exceeded a configured threshold:
Shut down the Work Manager if it has stuck threads. A Work Manager that is shut down will refuse new work and reject existing work in the queue by sending a rejection message. In a cluster, clustered clients will fail over to another cluster member.
Shut down the application if there are stuck threads in the application. The application is shutdown by bringing it into admin mode. All Work Managers belonging to the application are shut down, and behave as described above.
Mark the server instance as failed and shut it down it down if there are stuck threads in the server. In a cluster, clustered clients that are connected or attempting to connect will fail over to another cluster member.
For more information, see the attributes of the OverloadProtectionMBean
The following sections describe WebLogic Server features that aid in determining and reporting overload conditions.
WebLogic Server has a health state—
OVERLOADED—which is returned by the
ServerRuntimeMBean.getHealthState() when a server instance whose life cycle state is
RUNNING becomes overloaded. This condition occurs as a result of low memory.
Upon entering the
OVERLOADED state, server instances start rejecting requests from the Work Manager queue (if a Work Manager is configured), HTTP requests return a 503 Error (Service Unavailable), and RMI requests fail over to another server if clustered, otherwise, a remote exception is returned to the client.
The server instances health state returns to
OK after the overload condition passes. An administrator can suspend or shut down an
OVERLOADED server instance.
When WebLogic Server exits it returns an exit code. The exit codes can be used by shell scripts or HA agents to decide whether a server restart is necessary. See "WebLogic Server Exit Codes and Restarting After Failure" in Managing Server Startup and Shutdown for Oracle WebLogic Server.