You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
Incidents/2022-08-10 cassandra disk space
document status: draft
Summary
| Incident ID | 2022-08-10 cassandra disk space | Start | 2022-08-10 12:55:00 |
|---|---|---|---|
| Task | T314941 | End | 2022-08-10 18:22:00 |
| People paged | Responder count | ||
| Coordinators | Eric Evans | Affected metrics/SLOs | |
| Impact | Hosts that were administratively shutdown to conduct power maintenance in codfw were powered back up, and the maintenance delayed while troubleshooting took place. No user-facing impact occurred. | ||
A number of Cassandra hosts in codfw (RESTBase cluster) were administratively taken down to conduct PDU maintenance. The downtime scheduled was limited to hosts in the same row, a condition this cluster has been configured to tolerate; There was no impact expected. However, during the planned outage hinted-handoff writes resulted in unexpectedly high utilization of the corresponding storage volumes on hosts in the eqiad datacenter.
From the Cassandra documentation:
Hinting is a data repair technique applied during write operations. When replica nodes are unavailable to accept a mutation, either due to failure or more commonly routine maintenance, coordinators attempting to write to those replicas store temporary hints on their local filesystem for later application to the unavailable replica.
As eqiad was the active data-center at the time of the maintenance, nodes there served as coordinators for codfw replicas, and as such were tasked with storing hinted writes for the down hosts. Hints are stored for a configurable period of time (max_hint_windowin_ms), 3 hours in our configuration, after which they are truncated. While the loss of an entire row is something we had designed/planned for, it is not something that we have ever tested, and the storage volume assigned is simply not large enough to hold the needed data.
Documentation:
- …
Link to relevant source code, graphs, or logs
Actionables
- …
Create a list of action items that will help prevent this from happening again as much as possible. Link to or create a Phabricator task for every step.
Add the #Sustainability (Incident Followup) and the #SRE-OnFIRE (Pending Review & Scorecard) Phabricator tag to these tasks.
Scorecard
| Question | Answer
(yes/no) |
Notes | |
|---|---|---|---|
| People | Were the people responding to this incident sufficiently different than the previous five incidents? | ||
| Were the people who responded prepared enough to respond effectively | |||
| Were fewer than five people paged? | |||
| Were pages routed to the correct sub-team(s)? | |||
| Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours. | |||
| Process | Was the incident status section actively updated during the incident? | yes | |
| Was the public status page updated? | |||
| Is there a phabricator task for the incident? | yes | ||
| Are the documented action items assigned? | |||
| Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence? | yes | ||
| Tooling | To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are
open tasks that would prevent this incident or make mitigation easier if implemented. |
yes | |
| Were the people responding able to communicate effectively during the incident with the existing tooling? | yes | ||
| Did existing monitoring notify the initial responders? | yes | ||
| Were the engineering tools that were to be used during the incident, available and in service? | yes | ||
| Were the steps taken to mitigate guided by an existing runbook? | no | ||
| Total score (count of all “yes” answers above) | |||