You are browsing a read-only backup copy of Wikitech. The live site can be found at

Incidents/2022-08-10 cassandra disk space

From Wikitech-static
< Incidents
Revision as of 21:17, 12 August 2022 by imported>Eevans (Correct phabricator ticket)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

document status: draft


Incident metadata (see Incident Scorecard)
Incident ID 2022-08-10 cassandra disk space Start 2022-08-10 12:55:00
Task T314941 End 2022-08-10 18:22:00
People paged Responder count
Coordinators Eric Evans Affected metrics/SLOs
Impact Hosts that were administratively shutdown to conduct power maintenance in codfw were powered back up, and the maintenance delayed while troubleshooting took place. No user-facing impact occurred.

A number of Cassandra hosts in codfw (RESTBase cluster) were administratively taken down to conduct PDU maintenance. The downtime scheduled was limited to hosts in the same row, a condition this cluster has been configured to tolerate; There was no impact expected. However, during the planned outage hinted-handoff writes resulted in unexpectedly high utilization of the corresponding storage volumes on hosts in the eqiad datacenter.

From the Cassandra documentation:

Hinting is a data repair technique applied during write operations. When replica nodes are unavailable to accept a mutation, either due to failure or more commonly routine maintenance, coordinators attempting to write to those replicas store temporary hints on their local filesystem for later application to the unavailable replica.

As eqiad was the active data-center at the time of the maintenance, nodes there served as coordinators for codfw replicas, and as such were tasked with storing hinted writes for the down hosts. Hints are stored for a configurable period of time (max_hint_windowin_ms), 3 hours in our configuration, after which they are truncated. While the loss of an entire row is something we had designed/planned for, it is not something that we have ever tested, and the storage volume assigned is simply not large enough to hold the needed data.


Link to relevant source code, graphs, or logs


Create a list of action items that will help prevent this from happening again as much as possible. Link to or create a Phabricator task for every step.

Add the #Sustainability (Incident Followup) and the #SRE-OnFIRE (Pending Review & Scorecard) Phabricator tag to these tasks.


Incident Engagement ScoreCard
Question Answer


People Were the people responding to this incident sufficiently different than the previous five incidents?
Were the people who responded prepared enough to respond effectively
Were fewer than five people paged?
Were pages routed to the correct sub-team(s)?
Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours.
Process Was the incident status section actively updated during the incident? yes
Was the public status page updated?
Is there a phabricator task for the incident? yes
Are the documented action items assigned?
Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence? yes
Tooling To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are

open tasks that would prevent this incident or make mitigation easier if implemented.

Were the people responding able to communicate effectively during the incident with the existing tooling? yes
Did existing monitoring notify the initial responders? yes
Were the engineering tools that were to be used during the incident, available and in service? yes
Were the steps taken to mitigate guided by an existing runbook? no
Total score (count of all “yes” answers above)