autopsy of an automation disaster
play

Autopsy of an automation disaster Simon J Mudd (Senior Database - PowerPoint PPT Presentation

Sep 21, 2023 •177 likes •571 views

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th April 2017 To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/

  1. Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th April 2017

  2. To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/ 2

  3. Booking.com ● Based in Amsterdam since 1996 ● Online Hotel/Accommodation/Travel Agent (OTA): ● +1,200,000 properties in 227 countries ● +1.200.000 room nights reserved daily ● +40 languages (website and customer service) ● +15.700 people working in 187 offices worldwide ● Part of the Priceline Group, PCLN on Nasdaq ● And we use MySQL: ● Thousands (1000s) of servers, ~90% replicating ● >150 masters: ~30 >50 slaves & ~10 >100 slaves 3

  4. Session Summary 1. MySQL replication at Booking.com 2. Automation disaster: external eye 3. Chain of events: analysis 4. Learning / takeaway 4

  5. MySQL replication at Booking.com ● Typical MySQL replication deployment at Booking.com: +---+ | M | +---+ | +------+-- ... --+---------------+-------- ... | | | | +---+ +---+ +---+ +---+ | S1| | S2| | Sn| | M1| +---+ +---+ +---+ +---+ | +-- ... --+ | | +---+ +---+ | T1| | Tm| +---+ +---+ 5

  6. MySQL replication at Booking.com’ ● We use and contribute to Orchestrator: 6

  7. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs) 7

  8. MySQL replication at Booking.com’’ 8

  9. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs widely though orchestrator handles both types) ● Automatically replace a master in case of a failure (failing over to a slave) 9

  10. MySQL replication at Booking.com’’ 10

  11. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs) ● Automatically replace a master in case of a failure (failing over to a slave) ● But Orchestrator cannot replace a master alone: ● Booking.com uses DNS for master discovery ● So Orchestrator calls custom hooks (a script) to repoint DNS (and to do other magic) 11

  12. MySQL replication at Booking.com’’ ● We also contribute to Orchestrator ● To allow for better scaling ● To improve integration with our own tooling ● To ensure that it can work on all our systems (MySQL, MariaDB) with GTID or pseudo-GTID ● To ensure it can provide us an HA service ● Shlomi has not stopped improving it and others contribute too 12

  13. MySQL replication at Booking.com’’ ● So it can handle this: 13

  14. Our subject database ● Simple replication deployment (in two data centers): DNS (master) +---+ points here --> | A | +---+ | +------------------------+ | | Reads +---+ +---+ happen here --> | B | | X | +---+ +---+ | +---+ And reads | Y | <-- happen here +---+ 14

  15. Split brain: 1 st event ● A and B (two servers in same data center) fail at the same time: DNS (master) +\-/+ points here --> | A | but accesses +/-\+ are now failing Reads +\-/+ +---+ happen here --> | B | | X | but accesses +/-\+ +---+ are now failing | +---+ And reads | Y | <-- happen here +---+ (I will cover how/why this happened later.) 15

  16. Split brain: 1 st event’ ● Orchestrator fixes things: +\-/+ | A | +/-\+ Reads +\-/+ +---+ Now, DNS (master) happen here --> | B | | X | <-- points here but accesses +/-\+ +---+ are now failing | +---+ Reads | Y | <-- happen here +---+ 16

  17. Split brain: disaster ● A few things happen overnight and we wake-up to this: +\-/+ | A | +/-\+ DNS +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ | Y | +---+ 17

  18. Split brain: disaster’ ● And to make things worse, reads are still happening on Y: +\-/+ | A | +/-\+ DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 18

  19. Split brain: disaster’’ ● This is not good: ● When A and B failed, X was promoted as the new master ● Something made DNS point to B (we will see what later) à writes are now happening on B ● But B is outdated: all writes to X (after the failure of A) did not reach B +\-/+ ● So we have data on X that cannot be read on B | A | +/-\+ ● And we have new data on B that is not read on Y DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here 19 +---+

  20. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain +\-/+ | A | +/-\+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here 20 +---+

  21. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 21 +---+

  22. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X +---+ +---+ DNS (master) and pointed it to B | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 22 +---+

  23. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X DNS (master) +---+ +---+ and pointed it to B points here --> | B | | X | +---+ +---+ | ● But is that all: what made A fail ? +---+ Reads | Y | <-- happen here 23 +---+

  24. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 24 +---+

  25. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X ● But as A came back before re-cloning, it injected heartbeat and p-GTID into B +\-/+ | A | +/-\+ +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 25 +---+

  26. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X ● But as A came back before re-cloning, it injected heartbeat and p-GTID into B ● Then B could have been re-cloned without problems +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 26 +---+

  27. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X ● But as A came back before re-cloning, it injected heartbeat and p-GTID into B ● Then B could have been re-cloned without problems +---+ ● | A | But A was re-cloned instead ( human error #1 ) +---+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here 27 +---+

Recommend

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL &amp; Friends Devroom To err is human To really foul things up requires a computer [1] (or a script) [1]:

478 views • 30 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe Western Illinois University Libraries 1 Presentation Overview: Background S cholarly article autopsy activity Audience Learning

489 views • 25 slides
Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for Remedial Effectiveness Implications for Remedial Effectiveness Case Study, Devens, MA Case Study, Devens, MA William C. Brandon, Hydrogeologist,

1k views • 67 slides
CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and Autopsy Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Data Management for Forensics You will learn in this lecture: Command

663 views • 24 slides
Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability - Evaluation Estimation de la fiabilit Verlsslichkeitsabschtzung Dr. Jean-Charles Tournier CERN, Geneva, Switzerland 2015 - JCT The material

1.78k views • 91 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann &amp; Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Mountainland Pre- Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster Mitigation (PDM) program provides funds to States, Territories, Federally- recognized Indian tribal governments, and communities for

322 views • 21 slides
HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN DISASTER RECOVERY AGENDA Introduction About Disaster Recovery Plans Real Life Disaster Examples Electronic Health Records and Natural Disasters

622 views • 31 slides
New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime Change Marc Flandreau, 4th PPP Panel, The Sub-prime Crisis and How it Changed the Past Graduate Institute of International Studies and Development,

229 views • 19 slides
Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not) Public Officials Lawsuit Presented by: Larry Simmons Deborah Bonner Stan Lewiecki Germer PLLC Claims Attorney TAC Claims Attorney TAC 713 830

368 views • 19 slides
INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in infectious autopsies Sebastian Lucas Ruby Stewart St Thomas Hospital London SE1 HIV + TB [Ruby &amp; Ula Yellow Mahadeva] fever post-

609 views • 21 slides
Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The United Nations defines Disaster as: It is an event or a series of events which gives rise to casualties and/or damage or loss of property,

985 views • 62 slides
State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular Genomics Research Professor Professor of Medicine, Pediatrics, and Pharmacology Director, Long QT Syndrome/Genetic Heart Rhythm Clinic and the Mayo

453 views • 34 slides
Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

ITU/ESCAP Disaster Communications Workshop 12-15 December 2006, Bangkok, Thailand ---------------------------------- Country report Disaster in Vietnam and The National Strategy for disaster mitigation and management in the decade of 2001-2010

187 views • 17 slides
Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of Medicine University of So Paulo Background Fajersztajn et al. Nature Reviews Cancer. 2013; 13(9):674-8 Spatial distribution of nitrogen dioxide in

789 views • 9 slides
Autopsy of a multiserver deadlock in the HelenOS filesystem layer Jakub Jerm Introduction

Autopsy of a multiserver deadlock in the HelenOS filesystem layer Jakub Jerm Introduction

Autopsy of a multiserver deadlock in the HelenOS filesystem layer Jakub Jerm Introduction Microkernel + Multiserver = lots of message passing among lots of processes = breeding ground for distributed deadlocks Microkernels devroom,

445 views • 43 slides
Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User

Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User

Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User Workload Reduce Errors by standardized processes Speeds up processes CRM Workflows are faster than users, no delay

424 views • 6 slides
Autopsy Report Seabirds killed and returned from the 20 0 8 -0 9 fishing year David Thom

Autopsy Report Seabirds killed and returned from the 20 0 8 -0 9 fishing year David Thom

Autopsy Report Seabirds killed and returned from the 20 0 8 -0 9 fishing year David Thom pson Contract INT20 0 7/ 0 2 Sum m ary 38 5 specim ens returned, 28 taxa 1 blue penguin gaffed 75 trips, 62 vessels 60 % of specim

373 views • 12 slides
Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible? Ansible is an open source automation engine Why Ansible? Modular Idempotent Huge support/community Agentless Simple to learn

709 views • 29 slides
Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack

Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack

01.11.2017 Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack NFV PRAKASH RAMCHANDRAN MICHAEL TIEN JAYANTHI A GOKHALE Agenda NFV Automation Challenges? Practical Viewpoint from Dell Labs?

1.04k views • 41 slides
Emergency Alert and Disaster Mitigation A Lesson Learned From I ndonesian Disaster Experience

Emergency Alert and Disaster Mitigation A Lesson Learned From I ndonesian Disaster Experience

WORKSHOP ON DISASTER MANAGEMENT Emergency Alert and Disaster Mitigation A Lesson Learned From I ndonesian Disaster Experience BY Azhar Hasyim Deputy Director General for Standardization National Coordination Agency (BAKORNAS) and Department

479 views • 19 slides
nada technologies, inc. automation solutions and support semicon taiwan presentation automation

nada technologies, inc. automation solutions and support semicon taiwan presentation automation

nada technologies, inc. automation solutions and support semicon taiwan presentation automation products - 2007 NADAtech - automation solutions and support wafer automation company formed in 2002 comprised of former PST and Asyst

546 views • 18 slides
The ACP-EU Natural Disaster Risk Reduction Program : Supporting Disaster Risk Management and

The ACP-EU Natural Disaster Risk Reduction Program : Supporting Disaster Risk Management and

The ACP-EU Natural Disaster Risk Reduction Program : Supporting Disaster Risk Management and Climate Adaptation in African, Caribbean and Pacific countries Francis Ghesquiere, Head, Global Facility for Disaster Reduction and Recovery (GFDRR)

334 views • 20 slides

More recommend