grastate.dat zeroed on misconfiguration in my.cnf

http://sprunge.us/dPFQ

I can repeat this.

I think this should be repeatable in vanilla galera/wsrep as well.

This requires a node A which

a) Has a state preserved in grastate.dat
b) Shutdown this node A and add some junk to its my.cnf
c) Get The other node some additional data.
d) On startup, A will require IST but due to race condition between variable verifier/cnf parser and SST mechanism, the grastate.dat file gets zeroed.

I will also attach the debug trace (obtained with --debug)

Debug trace obtained with

mysqld-debug --debug --user=mysql

for the grastate.dat zeroing.

a)

The fact that variable is unknown is known only after plugin
initialization in init_server_components. However, wsrep_init is
done before plugin initialisation in same function. I don't think
it is possible to do it after plugin initialisation. So, this
limitation remains.

b) Having said that, it still shouldn't overwrite the
grastate.dat, particularly when wsrep-start-position has been
provided.

c) http://sprunge.us/TeSh has the backtrace. mark_unsafe is what
zeroes the file.

d) Also note, this not only applies to incorrect variable, but any other error during IST can produce similar results.

Raghavendra,

The logic is this: we start state transfer - and we crash before we know how it ended. So we have no idea what state datadir is in. In this situation we technically cannot leave grastate.dat valid. That's why mark_unsafe() was strategically (and deliberately) placed so, that in case of any state transfer error we have invalidated grastate file. It also gets deliberately invalidated in case any inconsistency is detected (e.g. duplicate key) when applying writesets, including IST.

@Alexey,

Got it. But in this case I presume, the IST doesn't start its
apply yet, so data shouldn't be touched yet. I wonder if it is
possible to mark_unsafe just before any changes are made or run
it transactionally ie. if something goes wrong to revert
grastate/gcache to earlier state.

That is the problem - SST is not transactional. And until we initialize storage engines we cannot know how it went. We could notify wsrep provider before initializing storage engines, but it means a whole new call in wsrep API just to gracefully handle MySQL-specific misconfiguration. Sounds like an overkill to me.

@Alexey,

Yes, in this case it may be an overkill since misconfiguration is
not done often. However, I wonder if this can happen in other
contexts (while testing this I may have stumbled onto one or
other) where a failure during IST (due to network etc.) also
resulted in same state.

I wonder if lp:1147066 will require a similar fix.

@Raghavendra,

this should not happen on IST failure, UNLESS, this failure is due to inability to apply a writeset. Aside from possible bugs in parallel applying it is a sure sign of DB corruption. So only network failure with IST should not result in in zeroing grastate.dat.

@Alex,

Ack, I will try to reproduce the other IST issues in a separate
issue.

While testing crash safety for another issue, I noticed that
during IST if a node crashes, its grastate is zeroed and it needs
to do full SST. Granted that it is not often that crash happens
precisely at that moment, however, this makes IST crash
vulnerable. I presume since the database itself is ACID at IST
stage, is it better to keep a backup of the file - grastate.dat,
so that if there is a crash, it can be restored back and IST
done?

The thing is that IST failure may also mean database inconsistency. In this case SST is the safest choice for automatic recovery.

I can see the same problem when, for example SST configuration is incompatible between the donor and joiner, but even in a situation where IST would be completely enough to join the cluster (tested on PXC 5.6.26 and MariaDB Cluster 10.0.21):

[root@percona2 ~]# /etc/init.d/mysql stop
Shutting down MySQL (Percona XtraDB Cluster)..... SUCCESS!

[root@percona2 ~]# cat /data/myisam/grastate.dat
# GALERA saved state
version: 2.1
uuid: fadf885a-490b-11e4-9e13-27f574d828b6
seqno: 449486
cert_index:

-- edit my.cnf on joiner only:
[sst]
#streamfmt=xbstream
streamfmt=tar

error log fragment on restart:

2015-10-24 14:43:38 19271 [Note] WSREP: Requesting state transfer: success, donor: 0
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
2015-10-24 14:43:40 19271 [Note] WSREP: 0.0 (percona1): State transfer to 1.0 (percona2) complete.
2015-10-24 14:43:40 19271 [Note] WSREP: Member 0.0 (percona1) synced with group.
WSREP_SST: [ERROR] Error while getting data from donor node: exit codes: 0 2 (20151024 14:43:40.673)
WSREP_SST: [ERROR] Cleanup after exit with status:32 (20151024 14:43:40.679)
2015-10-24 14:43:40 19271 [ERROR] WSREP: Process completed with error: wsrep_sst_xtrabackup-v2 --role 'joiner' --address '192.168.99.3:4444' --datadir '/data/myisam/' --defaults-file '/etc/my.cnf' --defaults-group-suffix '' --parent '19271' '' : 32 (Broken pipe)
2015-10-24 14:43:40 19271 [ERROR] WSREP: Failed to read uuid:seqno from joiner script.
2015-10-24 14:43:40 19271 [ERROR] WSREP: SST script aborted with error 32 (Broken pipe)
2015-10-24 14:43:40 19271 [ERROR] WSREP: SST failed: 32 (Broken pipe)
2015-10-24 14:43:40 19271 [ERROR] Aborting
...

[root@percona2 ~]# cat /data/myisam/grastate.dat
# GALERA saved state
version: 2.1
uuid: 00000000-0000-0000-0000-000000000000
seqno: -1
cert_index:

Should the SST misconfiguration lead to IST failure and grastate.dat reset? IMHO not.

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PXC-1049