Page MenuHomePhabricator
Create Task
Maniphest T188991

Eventlogging mysql consumers inserted rows on the analytics slave (db1108) for two hours
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

Preliminary info:

  • As part of regular database maintenance, db1107 (eventlogging master database) needed to be rebooted to allow kernel and mariadb updates.
  • We run a proxy in front of the eventlogging database, called m4-master, that is responsible to send traffic to db1107. If the host goes down, it fails over to db1108 (analytics-slave).

Maintenance steps performed:

  1. Stopped replication on db1108 (eventlogging_sync) and disabled puppet.
  2. Stopped Eventlogging Mysql Consumers on eventlog1001, so mysql traffic to db1107 stopped.
  3. Performed maintenance on db1107.
  4. re-enabled replication on db1108 and also mysql consumers on eventog1001.

The main issue is that before 4) we didn't re-set db1107 as m4-master, so db1108 remained the target. Once mysql traffic restarted, then new events were inserted on db1108.

So now we are in this state:

  • eventlogging mysql traffic stopped.
  • after 1), some new rows have been inserted to db1107 that have not been replicated to db1108
  • after 4), 2h of eventlogging data have been inserted to db1108.

Ideally we could drop this two hours of new data, move the consumer groups' offsets for an earlier stage and then restart everything to replay the data, but not sure how feasible it is.

Details

SubjectRepoBranchLines +/-
Set m4-master to db1107 rather than dbproxyoperations/dnsmaster+1 -1
Customize query in gerrit

Event Timeline

elukey triaged this task as High priority.Mar 6 2018, 12:46 PM
elukey created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 6 2018, 12:46 PM
Marostegui subscribed.Mar 6 2018, 12:46 PM
elukey updated the task description. (Show Details)Mar 6 2018, 1:01 PM
Ottomata added a comment.Mar 6 2018, 2:19 PM

We run a proxy in front of the eventlogging database, called m4-master

If we can't write to the failover, then we probably shouldn't use the failover proxy name for the EventLogging mysql writer, eh? Let's change that to db1107.

Marostegui added a comment.Mar 6 2018, 2:29 PM
In T188991#4027078, @Ottomata wrote:

We run a proxy in front of the eventlogging database, called m4-master

If we can't write to the failover, then we probably shouldn't use the failover proxy name for the EventLogging mysql writer, eh? Let's change that to db1107.

I don't really get that comment :-)
Can you explain a bit what you mean?

elukey added a comment.Mar 6 2018, 2:34 PM
In T188991#4027191, @Marostegui wrote:
In T188991#4027078, @Ottomata wrote:

We run a proxy in front of the eventlogging database, called m4-master

If we can't write to the failover, then we probably shouldn't use the failover proxy name for the EventLogging mysql writer, eh? Let's change that to db1107.

I don't really get that comment :-)
Can you explain a bit what you mean?

Basically that as follow up step the log db on db1108 should be able to accept writes, or that we hardcode db1107 instead of m4-master on Eventlogging's config to avoid this in the future. But we'll have a lot of time to follow up on this, let's focus on recovering the data first :)

Marostegui added a comment.Mar 6 2018, 2:46 PM
In T188991#4027223, @elukey wrote:
In T188991#4027191, @Marostegui wrote:
In T188991#4027078, @Ottomata wrote:

We run a proxy in front of the eventlogging database, called m4-master

If we can't write to the failover, then we probably shouldn't use the failover proxy name for the EventLogging mysql writer, eh? Let's change that to db1107.

I don't really get that comment :-)
Can you explain a bit what you mean?

Basically that as follow up step the log db on db1108 should be able to accept writes, or that we hardcode db1107 instead of m4-master on Eventlogging's config to avoid this in the future. But we'll have a lot of time to follow up on this, let's focus on recovering the data first :)

gotcha - thanks.
Let's follow up after the whole thing is recovered.

Stashbot subscribed.Mar 6 2018, 7:06 PM

Mentioned in SAL (#wikimedia-analytics) [2018-03-06T19:06:21Z] <elukey> cleaned up id=0 rows on db1108 (log database) for T188991

elukey added a comment.Mar 6 2018, 7:40 PM

It seems that we were (kind of) lucky. For some reason that we don't know (it predates most of us), the tables on the slave db do not have the id field with AUTO-INCREMENT, meanwhile by default on the master this is the case. When the Eventlogging Mysql consumers were pushing new rows to db1108 (the slave) they ended up not specifying any id, and the one that was picked up was 0 (not present in any table on the master since the ids all starts from 1). For each table, once the first row was inserted (with id 0) then the other ones were failing because they were trying to override the same id 0 one, returning (only sometimes) a "Duplicate row etc.." on the eventlogging logs.

So we ended up deleting on the slave all the rows with id 0 (one for each table more or less), and we moved the Eventlogging Mysql Kafka consumers' committed offset in the past via a script that @Ottomata wrote to replay all the data. No duplicates were inserted because of the uuid field of the eventlogging tables.

Data should now be recovered.

Ottomata added a comment.Mar 6 2018, 7:41 PM

For posterity, here's the script I used: https://gist.github.com/ottomata/d69ba72313c44e8e45e6453f4ea97074

elukey set the point value for this task to 5.Mar 6 2018, 7:41 PM

Before closing this task:

  1. review the m4-master failover policy.
  2. document this procedure on wikitech
elukey moved this task from Next Up to In Progress on the Analytics-Kanban board.Apr 10 2018, 8:02 AM
elukey added a comment.Apr 10 2018, 8:11 AM

A bit of historic context about the why db1108 is not read-only:

# History context: there used to be a distinction between
# EL master and slaves, namely that only the master was not
# in read only mode. The Analytics team removed this constraint
# before deploying the eventlogging_cleaner script (T156933),
# that needed to DELETE/UPDATE rows on the job database without
# running as root for obvious reasons.

So what we could do, in theory, is to change the m4-master endpoint with something that is not dbproxied (namely that ends up to db1107 only, so if it goes down no automatic failover happens).

In case of db1107 failure, the mysql consumers would keep failing to insert data and eventually the analytics alarms would trigger. Resetting the consumer groups to a previous/earlier state would ensure that no data is lost.

gerritbot subscribed.Apr 10 2018, 8:31 AM

Change 425231 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/dns@master] Set m4-master to db1107 rather than dbproxy

https://gerrit.wikimedia.org/r/425231

gerritbot added a project: Patch-For-Review.Apr 10 2018, 8:31 AM
gerritbot added a comment.Apr 10 2018, 8:44 AM

Change 425231 merged by Elukey:
[operations/dns@master] Set m4-master to db1107 rather than dbproxy

https://gerrit.wikimedia.org/r/425231

elukey added a comment.Apr 10 2018, 8:57 AM

Created https://wikitech.wikimedia.org/wiki/Analytics/Systems/EventLogging/Administration#Mysql_insertion_rate_dropping_to_zero_due_to_db_failures

Stashbot added a comment.Apr 10 2018, 9:00 AM

Mentioned in SAL (#wikimedia-analytics) [2018-04-10T09:00:44Z] <elukey> restart eventlogging mysql consumers on eventlog1002 to pick up new DNS changes for m4-master - T188991

elukey moved this task from In Progress to Done on the Analytics-Kanban board.Apr 10 2018, 9:01 AM
Nuria closed this task as Resolved.Apr 12 2018, 10:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits