autopsy of an automation disaster
play

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, - PowerPoint PPT Presentation

Oct 01, 2023 •161 likes •478 views

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL & Friends Devroom To err is human To really foul things up requires a computer [1] (or a script) [1]:

  1. Autopsy of an automation disaster Jean-François Gagné - Saturday, February 4, 2017 FOSDEM MySQL & Friends Devroom

  2. To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/ 2

  3. Booking.com ● Based in Amsterdam since 1996 ● Online Hotel/Accommodation/Travel Agent (OTA): ● +1.134.000 properties in 225 countries ● +1.200.000 room nights reserved daily ● +40 languages (website and customer service) ● +13.000 people working in 187 offices worldwide ● Part of the Priceline Group ● And we use MySQL: ● Thousands (1000s) of servers, ~90% replicating ● >150 masters: ~30 >50 slaves & ~10 >100 slaves 3

  4. Session Summary 1. MySQL replication at Booking.com 2. Automation disaster: external eye 3. Chain of events: analysis 4. Learning / takeaway 4

  5. MySQL replication at Booking.com ● Typical MySQL replication deployment at Booking.com: +---+ | M | +---+ | +------+-- ... --+---------------+-------- ... | | | | +---+ +---+ +---+ +---+ | S1| | S2| | Sn| | M1| +---+ +---+ +---+ +---+ | +-- ... --+ | | +---+ +---+ | T1| | Tm| +---+ +---+ 5

  6. MySQL replication at Booking.com’ ● And we use Orchestrator: 6

  7. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs) ● Automatically replace a master in case of a failure (failing over to a slave) ● But Orchestrator cannot replace a master alone: ● Booking.com uses DNS for master discovery ● So Orchestrator calls a homemade script to repoint DNS (and to do other magic) 7

  8. Our subject database ● Simple replication deployment (in two data centers): DNS (master) +---+ points here --> | A | +---+ | +------------------------+ | | Reads +---+ +---+ happen here --> | B | | X | +---+ +---+ | +---+ And reads | Y | <-- happen here +---+ 8

  9. Split brain: 1 st event ● A and B (two servers in same data center) fail at the same time: DNS (master) +\-/+ points here --> | A | but accesses +/-\+ are now failing Reads +\-/+ +---+ happen here --> | B | | X | but accesses +/-\+ +---+ are now failing | +---+ And reads | Y | <-- happen here +---+ (I will cover how/why this happened later.) 9

  10. Split brain: 1 st event’ ● Orchestrator fixes things: +\-/+ | A | +/-\+ Reads +\-/+ +---+ Now, DNS (master) happen here --> | B | | X | <-- points here but accesses +/-\+ +---+ are now failing | +---+ Reads | Y | <-- happen here +---+ 10

  11. Split brain: disaster ● A few things happen in this day and night, and I wake-up to this: +\-/+ | A | +/-\+ DNS +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ | Y | +---+ 11

  12. Split brain: disaster’ ● And to make things worse, reads are still happening on Y: +\-/+ | A | +/-\+ DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 12

  13. Split brain: disaster’’ ● This is not good: ● When A and B failed, X was promoted as the new master ● Something made DNS point to B (we will see what later)  writes are now happening on B ● But B is outdated: all writes to X (after the failure of A) did not reach B +\-/+ ● So we have data on X that cannot be read on B | A | +/-\+ ● And we have new data on B that is not read on Y DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 13

  14. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain +\-/+ | A | +/-\+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here +---+ 14

  15. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 15

  16. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X +---+ +---+ DNS (master) | B | | X | <-- points here and pointed it to B +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 16

  17. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd one was detected and Orchestrator failed over to B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X DNS (master) +---+ +---+ points here --> | B | | X | and pointed it to B +---+ +---+ | ● But is that all: what made A fail ? +---+ Reads | Y | <-- happen here +---+ 17

  18. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 18

  19. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B +\-/+ | A | +/-\+ +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 19

  20. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B ● Then B could have been re-cloned without problems +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 20

  21. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B ● Then B could have been re-cloned without problems +---+ | A | ● But A was re-cloned instead (human error #1) +---+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here +---+ 21

  22. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-slaved to X ● But as A came back before re-slaving, it injected heartbeat and p-GTID to B ● Then B could have been re-cloned without problems +\-/+ | A | ● But A was re-cloned instead (human error #1) +/-\+ ● Why did Orchestrator not fail over right away ? +---+ +---+ DNS (master) | B | | X | <-- points here ● B was promoted hours after A was brought down… +---+ +---+ | ● +---+ Reads Because A was downed time only for 4 hours | Y | <-- happen here (human error #2) +---+ 22

  23. Orchestrator anti-flapping ● Orchestrator has a failover throttling/acknowledgment mechanism [1] : ● Automated recovery will happen ● for an instance in a cluster that has not recently been recovered ● unless such recent recoveries were acknowledged. ● In our case: ● the recovery might have been acknowledged too early (human error #0 ?) ● o r the “recently” timeout might have been too short ● and maybe Orchestrator should not have failed over the second time [1]: https://github.com/github/orchestrator/blob/master/docs/topology-recovery.md #blocking-acknowledgments-anti-flapping

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th April 2017 To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/

571 views • 39 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe Western Illinois University Libraries 1 Presentation Overview: Background S cholarly article autopsy activity Audience Learning

489 views • 25 slides
Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for Remedial Effectiveness Implications for Remedial Effectiveness Case Study, Devens, MA Case Study, Devens, MA William C. Brandon, Hydrogeologist,

1k views • 67 slides
CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and Autopsy Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Data Management for Forensics You will learn in this lecture: Command

663 views • 24 slides
Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability - Evaluation Estimation de la fiabilit Verlsslichkeitsabschtzung Dr. Jean-Charles Tournier CERN, Geneva, Switzerland 2015 - JCT The material

1.78k views • 91 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann &amp; Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Mountainland Pre- Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster Mitigation (PDM) program provides funds to States, Territories, Federally- recognized Indian tribal governments, and communities for

322 views • 21 slides
HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN DISASTER RECOVERY AGENDA Introduction About Disaster Recovery Plans Real Life Disaster Examples Electronic Health Records and Natural Disasters

622 views • 31 slides
New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime Change Marc Flandreau, 4th PPP Panel, The Sub-prime Crisis and How it Changed the Past Graduate Institute of International Studies and Development,

229 views • 19 slides
Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not) Public Officials Lawsuit Presented by: Larry Simmons Deborah Bonner Stan Lewiecki Germer PLLC Claims Attorney TAC Claims Attorney TAC 713 830

368 views • 19 slides
INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in infectious autopsies Sebastian Lucas Ruby Stewart St Thomas Hospital London SE1 HIV + TB [Ruby &amp; Ula Yellow Mahadeva] fever post-

609 views • 21 slides
Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The United Nations defines Disaster as: It is an event or a series of events which gives rise to casualties and/or damage or loss of property,

985 views • 62 slides
State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular Genomics Research Professor Professor of Medicine, Pediatrics, and Pharmacology Director, Long QT Syndrome/Genetic Heart Rhythm Clinic and the Mayo

451 views • 34 slides
Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

ITU/ESCAP Disaster Communications Workshop 12-15 December 2006, Bangkok, Thailand ---------------------------------- Country report Disaster in Vietnam and The National Strategy for disaster mitigation and management in the decade of 2001-2010

187 views • 17 slides
Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of Medicine University of So Paulo Background Fajersztajn et al. Nature Reviews Cancer. 2013; 13(9):674-8 Spatial distribution of nitrogen dioxide in

789 views • 9 slides
Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash,

Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash,

Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash, MD, Duke - Planning Committee Co-Chair Riki Merrick, MPH Vernetzt, LLC - Planning Committee Co-Chair Agenda o Intro to IHE Pathology and

710 views • 33 slides
Disclosures Redefining Sudden Cardiac Death: Insights from the San Francisco Industry PO

Disclosures Redefining Sudden Cardiac Death: Insights from the San Francisco Industry PO

Disclosures Redefining Sudden Cardiac Death: Insights from the San Francisco Industry PO stmortem S ystematic None inves T igation of Grants S udden C ardiac D eath Study NIH/NHLBI: R01 HL 102090 NIH/NHLBI: R01 HL 126555 14

412 views • 14 slides
1 Sudden Cardiac Death: Definitions Sudden Cardiac Death: Definitions VALIANT trial:

1 Sudden Cardiac Death: Definitions Sudden Cardiac Death: Definitions VALIANT trial:

Disclosures Redefining Sudden Cardiac Death: Major Insights from the Research grant: R01 HL102090 (NIH / NHLBI) San Francisco POST SCD Study Research grant: R01 HL126555 (NIH / NHLBI) Research grant: DP14-1403 (CDC)

268 views • 11 slides
Managing Your Learning During BST - Outcome Based Education Keith Farrington Education

Managing Your Learning During BST - Outcome Based Education Keith Farrington Education

Managing Your Learning During BST - Outcome Based Education Keith Farrington Education Specialist 17 July 2019 OBE For Histopathology, BST, 2019 What is OBE? Curriculum comprised of goals, and goals broken down into outcomes

168 views • 13 slides
Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime Who are they? STEVE

Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime Who are they? STEVE

Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime Who are they? STEVE DAVIS PETER SILBERMAN STEVE DAVIS PETER SILBERMAN Security Consultant / Engineer / Researcher Security Consultant / Engineer / Researcher

795 views • 54 slides
About me Whos me? Ezequiel ZequiV azquez Backend Developer Sysadmin &amp; DevOps

About me Whos me? Ezequiel ZequiV azquez Backend Developer Sysadmin &amp; DevOps

About me Whos me? Ezequiel ZequiV azquez Backend Developer Sysadmin &amp; DevOps Hacking &amp; Security @RabbitLair About me Index Introduction 1 Analysis of Vulnerabilities 2 What if I dont patch? 3 Index Introduction

985 views • 35 slides
Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH

Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH

National Center for Emerging and Zoonotic Infectious Diseases Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH Viral Special Pathogens Branch Centers for Disease Control and Prevention Advisory

369 views • 19 slides
Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide

Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide

Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide Prevention Coordinator Kansas City VAMC 1 Disclosure I have no actual or potential conflict of interest in relation to this

715 views • 50 slides

More recommend