Handle commit log files with corrupt info headers during cleanup and bootstrap

[richardartoul]

• Automatically delete commit log files with corrupt info headers during cleanup instead of erroring out forever and requiring manual intervention.
• Add static configuration for whether or not commitlog bootstrapping corruption should return unfulfilled or not for the whole thing (default to return unfulfilled)
• Always read all the commit log files we intended to read anyways, regardless of that config.
• Auto-detect in commitlog bootstrapper if it is possible for the peers bootstrapper to satisfy requests. If not, return fulfilled instead of unfulfilled because the peers bootstrapper cant perform a repair anyways.
• Don't return errors from the commitlog bootstrapper for corrupt files
• Emit logs for all encountered corrupted files
• Emit metrics for all encountered corrupt files

[codecov]

Codecov Report

Merging #1066 into master will increase coverage by 2.03%.
The diff coverage is 82.44%.

@@            Coverage Diff             @@
##           master    #1066      +/-   ##
==========================================
+ Coverage    75.3%   77.34%   +2.03%     
==========================================
  Files         569      578       +9     
  Lines       48213    48590     +377     
==========================================
+ Hits        36307    37580    +1273     
+ Misses       9640     8642     -998     
- Partials     2266     2368     +102

Flag	Coverage Δ
#aggregator	81.59% <ø> (ø)	⬆️
#collector	59.23% <ø> (ø)	⬆️
#dbnode	81.39% <82.44%> (+3.89%)	⬆️
#m3em	73.21% <ø> (ø)	⬆️
#m3ninx	75.25% <ø> (+4.02%)	⬆️
#m3nsch	51.19% <ø> (ø)	⬆️
#msg	74.98% <ø> (ø)	⬆️
#query	63.67% <ø> (-1.65%)	⬇️
#x	75.1% <ø> (+5.74%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2eb71f7...b8020fe. Read the comment docs.

[prateek]

super nit: mind making a union type instead of this just to be clear to users. something like:

type File struct {
  FilePath string
  Start time.Time
  Duration time.Duration
  Index int64
}

type FileOrError struct {
  Path string
  File File
  Error error
}

[richardartoul]

Sure, I could also do something like:

type FileOrError struct {
    file File
    err Error
}


func (f *FileOrError) FIle() (File, Error) {
    return f.file, f.err
}

And then its basically impossible to misuse it

[prateek]

i don't like that people could use the Path regardless of error in that scheme – (e.g. the cleanup manager still has to delete the file regardless of err). In addition to what you suggested, could you expose a typed error with the path available to get around that?

[richardartoul]

Just to clarify, are you saying you don’t like the idea of someone receiving an error but then still needing to access the File object to get at the path, so we should export an error struct that include the file path, correct? Yeah that seems better to me too

[prateek]

Yep, exactly.

[prateek]

We can't skip corrupt commit log files like they didn't exist w/o risking data loss. It'd be much safer to see if any corrupt commit logs exist and if so fall back to the peers bootstrapper (in the case there are peers), and if there are no peers allow users to opt in to skip corrupt commit log files but don't do it by default.

[richardartoul]

I'm ok with making this opt-outable for users who really care about data integrity, but I think by default it should skip them. If you can't even read the info part of the commitlog, then (barring true corruption of the filesystem unrelated to M3DB shutdown) your commitlog isn't missing any data anyways other than the standard amount you would be missing due to the writebehind strategy. I don't think this is a situation where we need to involve operators in the general case.

[richardartoul]

by putting the commitlog bootstrapper before peers bootstrapper you're basically accepting losing the last few writes that occurred right before shutdown due to the writebehind strategy (as well as any writes that were issued while you were down) anyways.

In my mind we should emit a log, skip over bad commitlog files, and then eventually address this issue with the corruption APIs / a background repair process.

[richardartoul]

The other reason I think it sucks to push this burden down to the operators is that basically by the time this happen and you realize whats going on, there are only two options:

1. Disable commitlog bootstrapper and replace it with peers bootstrapper, which is fine, but only viable in non-catastrophic scenarios where all the other nodes are up.

2. Go and delete the bad commitlog file and then restart with the commitlog bootstrapper, at which point you've probably written out enough commit log files that what should have been 6->8 minutes of downtime turns into an hour-long ordeal.

[prateek]

For the peers case: how about just returning returning all requested shard ranges as unfullfilled in the commit log bootstrapper (won't need any interface changes from the way things are now) when the commit log runs into an error and that way we'll fall back to peers automatically.

For the single node case: we can have a new RunOption to control the behaviour of whether to skip or not and the bootstrap process can be configured from the top level to specify what to pass it. That way the single node config we put out can default to come up but we can put a WARNING next to it and in docs.

[richardartoul]

Spoke offline and settled on:

1. Add static configuration for whether or not commitlog bootstrapping corruption should return unfulfilled or not for the whole thing (default to return unfulfilled)
2. Always read all the commit log files we intended to read anyways, regardless of that config.
3. Add exception in commitlog bootstrap for single node deployment which will detect that this is the only node in the placement and default to returning fulfilled because there is nothing else you could possibly do to recover data
4. Don't return errors from the commitlog bootstrapper for corrupt files
5. Emit metrics / logs for all encountered corrupt files.

This gives us a good mix between maintaining data integrity as much as we can, but also not imposing undue operational burden.

In single node failures, the issue will just resolve itself.
In a single node failure within a multi-node cluster, the issue will just resolve itself.
In a multi-node failure within a multi-node cluster, some nodes with corrupt commitlog files may get stuck in the peer bootstrapping phase, but they can be "released" with a K.V change to the peer bootstrapper consistency level and come online without requiring an additional costly restart.

[prateek]

nit move these error types to the bottom of the file

[prateek]

same for this ctor, move it next to the associated type at the bottom of the file

[prateek]

why sort at all? and if you're going to sort - you can sort errors first (or last) and then guarantee order too.

or better yet change the return type for this function: ([]File, []ErrorWithPath, error) and then won't need the FileOrError type.

[richardartoul]

Sorting is important because you want to try and read the commit log files in order in the bootstrapper

[richardartoul]

Your interface change suggestion is good though, just made it

[prateek]

lol is this no longer flaky?

[richardartoul]

yeah I fixed it

[robskillington]

👍

[prateek]

ah is this the fix?

[richardartoul]

yep

[prateek]

as above, can move this to be used within the Files() method.

[prateek]

huge +1 to this.

[prateek]

could you do same thing we normally do - use an atomic and have a background routine emitting the guage regularly. that way you'd get more than a single datapoint indicating what's going on.

[prateek]

+1 for type safety

[prateek]

lol what i wouldn't give for macros.

[prateek]

hm - i thought you were going to check if it's a single node for this case. why use the more extended peer condition?

[richardartoul]

Seemed like it was slightly better to not hand off to the peers bootstrapper if it can't help anyways. Think I should remove it?

[prateek]

+1

[robskillington]

👍

[robskillington]

Can you add a different tag for each one? Otherwise they'll overwrite each other's metrics.

e.g.

data:  newCommitLogSourceMetrics(scope.Tagged(map[string]string{"source_type": "data"})),
index:  newCommitLogSourceMetrics(scope.Tagged(map[string]string{"source_type": "index"})),

[richardartoul]

oh duh, thanks

[robskillington]

Can you type-ify this function so it's a little cleaner, e.g.:

type closerFn func()

func (m commitLogSourceMetrics) emitReadingSnapshots() closerFn {
	return m.gaugeLoop(m.readingSnapshots)
}

[robskillington]

Is it a waste to just emit the gauges the whole time this function is running? Then we could do it all at the start and defer all these cleanups. It would be better mainly because it would defend against an early return not stopping the loop which would cause a memory leak (for loop continuing to hold ref to the commit log source forever.

[richardartoul]

see comment below

[robskillington]

If we could do this with a defer somehow that would also be nicer, is there some state it can just read for the whole execution of the function and emit one or zero instead of needing to explicitly emit based on control flow?

[richardartoul]

Yeah there isn't any obvious state we could read to make a decision (any state we could read would have to be added based on control flow.)

I think we either leave it as is, or we can simplify it by not distinguishing between reading commitlogs and snapshotting and just having a gauge for "commitlog bootstrapping data" and "commitlog bootstrapping index"

[richardartoul]

honestly, making the distinction between commitlogs and snapshots is not worth it because once I land the perf improvement reading snapshots will take like 20-30 seconds so not worth separating the two. I'll make the change

[robskillington]

We still return our data right? (I know this is likely true, just want to verify). That way we can join whatever we had at least.

[richardartoul]

Yeah this should have no effect on what data we return (pretty sure my prop test still verifies the data is there) so as long as the caller doesn't ignore the data it will get merged in

[robskillington]

Can you add a note to the issue to "be sure to re-enable test TestCleanupManagerDeletesCorruptCommitLogFiles with the same PR that fixes this issue".

[richardartoul]

sure

[robskillington]

Hm, did you mean this?:

		doneBootstrapping      = s.metrics.data.emitBootstrapping()

[robskillington]

Re: why didn't this break, as a meta point if we wanted to be more "type safe" about it we could make it return an io.Closer than calls the method.

import "github.com/m3db/m3x/close"

var _ close.Closer = closerFn(nil)

// Implement close.Closer
func (f closerFn) Close() {
	f()
}

// Now to call it

func myThing() close.Closer {
	return closerFn(func() { /* code */})
}

[richardartoul]

Fixed the function call. I get what you're saying, but seems like it really hurts readability for something that would have been caught by a test if it was really important (we don't currently test whether metrics are being emitted properly.) I think I'm just gonna make the fix and leave as is for now

[robskillington]

Other than final comment, LGTM