autopsy of an automation disaster
play

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, - PowerPoint PPT Presentation

Oct 01, 2023 •161 likes •478 views

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL & Friends Devroom To err is human To really foul things up requires a computer [1] (or a script) [1]:

  1. Autopsy of an automation disaster Jean-François Gagné - Saturday, February 4, 2017 FOSDEM MySQL & Friends Devroom

  2. To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/ 2

  3. Booking.com ● Based in Amsterdam since 1996 ● Online Hotel/Accommodation/Travel Agent (OTA): ● +1.134.000 properties in 225 countries ● +1.200.000 room nights reserved daily ● +40 languages (website and customer service) ● +13.000 people working in 187 offices worldwide ● Part of the Priceline Group ● And we use MySQL: ● Thousands (1000s) of servers, ~90% replicating ● >150 masters: ~30 >50 slaves & ~10 >100 slaves 3

  4. Session Summary 1. MySQL replication at Booking.com 2. Automation disaster: external eye 3. Chain of events: analysis 4. Learning / takeaway 4

  5. MySQL replication at Booking.com ● Typical MySQL replication deployment at Booking.com: +---+ | M | +---+ | +------+-- ... --+---------------+-------- ... | | | | +---+ +---+ +---+ +---+ | S1| | S2| | Sn| | M1| +---+ +---+ +---+ +---+ | +-- ... --+ | | +---+ +---+ | T1| | Tm| +---+ +---+ 5

  6. MySQL replication at Booking.com’ ● And we use Orchestrator: 6

  7. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs) ● Automatically replace a master in case of a failure (failing over to a slave) ● But Orchestrator cannot replace a master alone: ● Booking.com uses DNS for master discovery ● So Orchestrator calls a homemade script to repoint DNS (and to do other magic) 7

  8. Our subject database ● Simple replication deployment (in two data centers): DNS (master) +---+ points here --> | A | +---+ | +------------------------+ | | Reads +---+ +---+ happen here --> | B | | X | +---+ +---+ | +---+ And reads | Y | <-- happen here +---+ 8

  9. Split brain: 1 st event ● A and B (two servers in same data center) fail at the same time: DNS (master) +\-/+ points here --> | A | but accesses +/-\+ are now failing Reads +\-/+ +---+ happen here --> | B | | X | but accesses +/-\+ +---+ are now failing | +---+ And reads | Y | <-- happen here +---+ (I will cover how/why this happened later.) 9

  10. Split brain: 1 st event’ ● Orchestrator fixes things: +\-/+ | A | +/-\+ Reads +\-/+ +---+ Now, DNS (master) happen here --> | B | | X | <-- points here but accesses +/-\+ +---+ are now failing | +---+ Reads | Y | <-- happen here +---+ 10

  11. Split brain: disaster ● A few things happen in this day and night, and I wake-up to this: +\-/+ | A | +/-\+ DNS +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ | Y | +---+ 11

  12. Split brain: disaster’ ● And to make things worse, reads are still happening on Y: +\-/+ | A | +/-\+ DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 12

  13. Split brain: disaster’’ ● This is not good: ● When A and B failed, X was promoted as the new master ● Something made DNS point to B (we will see what later)  writes are now happening on B ● But B is outdated: all writes to X (after the failure of A) did not reach B +\-/+ ● So we have data on X that cannot be read on B | A | +/-\+ ● And we have new data on B that is not read on Y DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 13

  14. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain +\-/+ | A | +/-\+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here +---+ 14

  15. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 15

  16. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X +---+ +---+ DNS (master) | B | | X | <-- points here and pointed it to B +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 16

  17. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X DNS (master) +---+ +---+ points here --> | B | | X | and pointed it to B +---+ +---+ | ● But is that all: what made A fail ? +---+ Reads | Y | <-- happen here +---+ 17

  18. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 18

  19. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B +\-/+ | A | +/-\+ +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 19

  20. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B ● Then B could have been re-cloned without problems +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 20

  21. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B ● Then B could have been re-cloned without problems +---+ | A | ● But A was re-cloned instead (human error #1) +---+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here +---+ 21

  22. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B ● Then B could have been re-cloned without problems +\-/+ | A | ● But A was re-cloned instead (human error #1) +/-\+ ● Why did Orchestrator not fail over right away ? +---+ +---+ DNS (master) | B | | X | <-- points here ● B was promoted hours after A was brought down… +---+ +---+ | ● +---+ Reads Because A was downed time only for 4 hours | Y | <-- happen here (human error #2) +---+ 22

  23. Orchestrator anti-flapping ● Orchestrator has a failover throttling/acknowledgment mechanism [1] : ● Automated recovery will happen ● for an instance in a cluster that has not recently been recovered ● unless such recent recoveries were acknowledged. ● In our case: ● the recovery might have been acknowledged too early (human error #0 ?) ● o r the “recently” timeout might have been too short ● and maybe Orchestrator should not have failed over the second time [1]: https://github.com/github/orchestrator/blob/master/docs/topology-recovery.md #blocking-acknowledgments-anti-flapping

Recommend

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th April 2017 To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/

571 views • 39 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe Western Illinois University Libraries 1 Presentation Overview: Background S cholarly article autopsy activity Audience Learning

489 views • 25 slides
Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for Remedial Effectiveness Implications for Remedial Effectiveness Case Study, Devens, MA Case Study, Devens, MA William C. Brandon, Hydrogeologist,

1k views • 67 slides
CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and Autopsy Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Data Management for Forensics You will learn in this lecture: Command

663 views • 24 slides
Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability - Evaluation Estimation de la fiabilit Verlsslichkeitsabschtzung Dr. Jean-Charles Tournier CERN, Geneva, Switzerland 2015 - JCT The material

1.78k views • 91 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann &amp; Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Mountainland Pre- Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster Mitigation (PDM) program provides funds to States, Territories, Federally- recognized Indian tribal governments, and communities for

322 views • 21 slides
HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN DISASTER RECOVERY AGENDA Introduction About Disaster Recovery Plans Real Life Disaster Examples Electronic Health Records and Natural Disasters

622 views • 31 slides
New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime Change Marc Flandreau, 4th PPP Panel, The Sub-prime Crisis and How it Changed the Past Graduate Institute of International Studies and Development,

229 views • 19 slides
Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not) Public Officials Lawsuit Presented by: Larry Simmons Deborah Bonner Stan Lewiecki Germer PLLC Claims Attorney TAC Claims Attorney TAC 713 830

368 views • 19 slides
INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in infectious autopsies Sebastian Lucas Ruby Stewart St Thomas Hospital London SE1 HIV + TB [Ruby &amp; Ula Yellow Mahadeva] fever post-

609 views • 21 slides
Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The United Nations defines Disaster as: It is an event or a series of events which gives rise to casualties and/or damage or loss of property,

985 views • 62 slides
State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular Genomics Research Professor Professor of Medicine, Pediatrics, and Pharmacology Director, Long QT Syndrome/Genetic Heart Rhythm Clinic and the Mayo

454 views • 34 slides
Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

ITU/ESCAP Disaster Communications Workshop 12-15 December 2006, Bangkok, Thailand ---------------------------------- Country report Disaster in Vietnam and The National Strategy for disaster mitigation and management in the decade of 2001-2010

187 views • 17 slides
Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of Medicine University of So Paulo Background Fajersztajn et al. Nature Reviews Cancer. 2013; 13(9):674-8 Spatial distribution of nitrogen dioxide in

789 views • 9 slides
Autopsy of a multiserver deadlock in the HelenOS filesystem layer Jakub Jerm Introduction

Autopsy of a multiserver deadlock in the HelenOS filesystem layer Jakub Jerm Introduction

Autopsy of a multiserver deadlock in the HelenOS filesystem layer Jakub Jerm Introduction Microkernel + Multiserver = lots of message passing among lots of processes = breeding ground for distributed deadlocks Microkernels devroom,

445 views • 43 slides
Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User

Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User

Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User Workload Reduce Errors by standardized processes Speeds up processes CRM Workflows are faster than users, no delay

424 views • 6 slides
Autopsy Report Seabirds killed and returned from the 20 0 8 -0 9 fishing year David Thom

Autopsy Report Seabirds killed and returned from the 20 0 8 -0 9 fishing year David Thom

Autopsy Report Seabirds killed and returned from the 20 0 8 -0 9 fishing year David Thom pson Contract INT20 0 7/ 0 2 Sum m ary 38 5 specim ens returned, 28 taxa 1 blue penguin gaffed 75 trips, 62 vessels 60 % of specim

373 views • 12 slides
Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible? Ansible is an open source automation engine Why Ansible? Modular Idempotent Huge support/community Agentless Simple to learn

709 views • 29 slides
Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack

Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack

01.11.2017 Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack NFV PRAKASH RAMCHANDRAN MICHAEL TIEN JAYANTHI A GOKHALE Agenda NFV Automation Challenges? Practical Viewpoint from Dell Labs?

1.04k views • 41 slides
Emergency Alert and Disaster Mitigation A Lesson Learned From I ndonesian Disaster Experience

Emergency Alert and Disaster Mitigation A Lesson Learned From I ndonesian Disaster Experience

WORKSHOP ON DISASTER MANAGEMENT Emergency Alert and Disaster Mitigation A Lesson Learned From I ndonesian Disaster Experience BY Azhar Hasyim Deputy Director General for Standardization National Coordination Agency (BAKORNAS) and Department

479 views • 19 slides
nada technologies, inc. automation solutions and support semicon taiwan presentation automation

nada technologies, inc. automation solutions and support semicon taiwan presentation automation

nada technologies, inc. automation solutions and support semicon taiwan presentation automation products - 2007 NADAtech - automation solutions and support wafer automation company formed in 2002 comprised of former PST and Asyst

546 views • 18 slides
The ACP-EU Natural Disaster Risk Reduction Program : Supporting Disaster Risk Management and

The ACP-EU Natural Disaster Risk Reduction Program : Supporting Disaster Risk Management and

The ACP-EU Natural Disaster Risk Reduction Program : Supporting Disaster Risk Management and Climate Adaptation in African, Caribbean and Pacific countries Francis Ghesquiere, Head, Global Facility for Disaster Reduction and Recovery (GFDRR)

334 views • 20 slides

More recommend