autopsy of an automation disaster
play

Autopsy of an automation disaster Simon J Mudd (Senior Database - PowerPoint PPT Presentation

Sep 21, 2023 •177 likes •571 views

Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th April 2017 To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/

  1. Autopsy of an automation disaster Simon J Mudd (Senior Database Engineer) Percona Live, 25 th April 2017

  2. To err is human To really foul things up requires a computer [1] (or a script) [1]: http://quoteinvestigator.com/2010/12/07/foul-computer/ 2

  3. Booking.com ● Based in Amsterdam since 1996 ● Online Hotel/Accommodation/Travel Agent (OTA): ● +1,200,000 properties in 227 countries ● +1.200.000 room nights reserved daily ● +40 languages (website and customer service) ● +15.700 people working in 187 offices worldwide ● Part of the Priceline Group, PCLN on Nasdaq ● And we use MySQL: ● Thousands (1000s) of servers, ~90% replicating ● >150 masters: ~30 >50 slaves & ~10 >100 slaves 3

  4. Session Summary 1. MySQL replication at Booking.com 2. Automation disaster: external eye 3. Chain of events: analysis 4. Learning / takeaway 4

  5. MySQL replication at Booking.com ● Typical MySQL replication deployment at Booking.com: +---+ | M | +---+ | +------+-- ... --+---------------+-------- ... | | | | +---+ +---+ +---+ +---+ | S1| | S2| | Sn| | M1| +---+ +---+ +---+ +---+ | +-- ... --+ | | +---+ +---+ | T1| | Tm| +---+ +---+ 5

  6. MySQL replication at Booking.com’ ● We use and contribute to Orchestrator: 6

  7. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs) 7

  8. MySQL replication at Booking.com’’ 8

  9. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs widely though orchestrator handles both types) ● Automatically replace a master in case of a failure (failing over to a slave) 9

  10. MySQL replication at Booking.com’’ 10

  11. MySQL replication at Booking.com’’ ● Orchestrator allows us to: ● Visualize our replication deployments ● Move slaves for planned maintenance of an intermediate master ● Automatically replace an intermediate master in case of its unexpected failure (thanks to pseudo-GTIDs when we have not deployed GTIDs) ● Automatically replace a master in case of a failure (failing over to a slave) ● But Orchestrator cannot replace a master alone: ● Booking.com uses DNS for master discovery ● So Orchestrator calls custom hooks (a script) to repoint DNS (and to do other magic) 11

  12. MySQL replication at Booking.com’’ ● We also contribute to Orchestrator ● To allow for better scaling ● To improve integration with our own tooling ● To ensure that it can work on all our systems (MySQL, MariaDB) with GTID or pseudo-GTID ● To ensure it can provide us an HA service ● Shlomi has not stopped improving it and others contribute too 12

  13. MySQL replication at Booking.com’’ ● So it can handle this: 13

  14. Our subject database ● Simple replication deployment (in two data centers): DNS (master) +---+ points here --> | A | +---+ | +------------------------+ | | Reads +---+ +---+ happen here --> | B | | X | +---+ +---+ | +---+ And reads | Y | <-- happen here +---+ 14

  15. Split brain: 1 st event ● A and B (two servers in same data center) fail at the same time: DNS (master) +\-/+ points here --> | A | but accesses +/-\+ are now failing Reads +\-/+ +---+ happen here --> | B | | X | but accesses +/-\+ +---+ are now failing | +---+ And reads | Y | <-- happen here +---+ (I will cover how/why this happened later.) 15

  16. Split brain: 1 st event’ ● Orchestrator fixes things: +\-/+ | A | +/-\+ Reads +\-/+ +---+ Now, DNS (master) happen here --> | B | | X | <-- points here but accesses +/-\+ +---+ are now failing | +---+ Reads | Y | <-- happen here +---+ 16

  17. Split brain: disaster ● A few things happen overnight and we wake-up to this: +\-/+ | A | +/-\+ DNS +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ | Y | +---+ 17

  18. Split brain: disaster’ ● And to make things worse, reads are still happening on Y: +\-/+ | A | +/-\+ DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here +---+ 18

  19. Split brain: disaster’’ ● This is not good: ● When A and B failed, X was promoted as the new master ● Something made DNS point to B (we will see what later) à writes are now happening on B ● But B is outdated: all writes to X (after the failure of A) did not reach B +\-/+ ● So we have data on X that cannot be read on B | A | +/-\+ ● And we have new data on B that is not read on Y DNS (master) +---+ +---+ points here --> | B | | X | +---+ +---+ | +---+ Reads | Y | <-- happen here 19 +---+

  20. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain +\-/+ | A | +/-\+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here 20 +---+

  21. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 21 +---+

  22. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X +---+ +---+ DNS (master) and pointed it to B | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 22 +---+

  23. Split-brain: analysis ● Digging more in the chain of events, we find that: After the 1 st failure of A, a 2 nd failure was detected and Orchestrator promoted B ● ● So after their failures, A and B came back and formed an isolated replication chain ● And something caused a failure of A ● But how did DNS end-up pointing to B ? +\-/+ | A | ● The failover to B called the DNS repointing script +/-\+ ● The script stole the DNS entry from X DNS (master) +---+ +---+ and pointed it to B points here --> | B | | X | +---+ +---+ | ● But is that all: what made A fail ? +---+ Reads | Y | <-- happen here 23 +---+

  24. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 24 +---+

  25. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X ● But as A came back before re-cloning, it injected heartbeat and p-GTID into B +\-/+ | A | +/-\+ +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 25 +---+

  26. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X ● But as A came back before re-cloning, it injected heartbeat and p-GTID into B ● Then B could have been re-cloned without problems +---+ | A | +---+ | +---+ +---+ DNS (master) | B | | X | <-- points here +---+ +---+ | +---+ Reads | Y | <-- happen here 26 +---+

  27. Split-brain: analysis’ ● What made A fail ? ● Once A and B came back up as a new replication chain, they had outdated data ● If B would have come back before A, it could have been re-cloned under X ● But as A came back before re-cloning, it injected heartbeat and p-GTID into B ● Then B could have been re-cloned without problems +---+ ● | A | But A was re-cloned instead ( human error #1 ) +---+ +\-/+ +---+ DNS (master) | B | | X | <-- points here +/-\+ +---+ | +---+ Reads | Y | <-- happen here 27 +---+

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL &amp; Friends Devroom To err is human To really foul things up requires a computer [1] (or a script) [1]:

478 views • 30 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe

The S cholarly Article Autopsy Information S ources from the Inside Out Krista Bowers S harpe Western Illinois University Libraries 1 Presentation Overview: Background S cholarly article autopsy activity Audience Learning

489 views • 25 slides
Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for

Autopsy of a Small UST Site in Bedrock: Autopsy of a Small UST Site in Bedrock: Implications for Remedial Effectiveness Implications for Remedial Effectiveness Case Study, Devens, MA Case Study, Devens, MA William C. Brandon, Hydrogeologist,

1k views • 67 slides
CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and Autopsy Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Data Management for Forensics You will learn in this lecture: Command

663 views • 24 slides
Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability - Evaluation Estimation de la fiabilit Verlsslichkeitsabschtzung Dr. Jean-Charles Tournier CERN, Geneva, Switzerland 2015 - JCT The material

1.78k views • 91 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann &amp; Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster

Mountainland Pre- Disaster Mitigation Plan Update The Pre Disaster Mitigation Program The Pre-Disaster Mitigation (PDM) program provides funds to States, Territories, Federally- recognized Indian tribal governments, and communities for

322 views • 21 slides
HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN

HEALTH IT IN DISASTER RECOVERY Presenter: Alaina Lamphear HIT IN DISASTER RECOVERY HEALTH IT IN DISASTER RECOVERY AGENDA Introduction About Disaster Recovery Plans Real Life Disaster Examples Electronic Health Records and Natural Disasters

622 views • 31 slides
New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime

New Deal Financial Acts and the Business of Foreign Debt Underwriting: Autopsy of a Regime Change Marc Flandreau, 4th PPP Panel, The Sub-prime Crisis and How it Changed the Past Graduate Institute of International Studies and Development,

229 views • 19 slides
Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not)

Autopsy of a PO Claim Exploring the Blood, Guts &amp; Consequences of the Typical (or not) Public Officials Lawsuit Presented by: Larry Simmons Deborah Bonner Stan Lewiecki Germer PLLC Claims Attorney TAC Claims Attorney TAC 713 830

368 views • 19 slides
INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in

INFECTION PRECAUTIONS Draft Guidelines on autopsy practice: : Precautions for hig igh-risk in infectious autopsies Sebastian Lucas Ruby Stewart St Thomas Hospital London SE1 HIV + TB [Ruby &amp; Ula Yellow Mahadeva] fever post-

609 views • 21 slides
Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The

Disaster Management Presentation by 04 BATTALION Asst Commandant Disaster The United Nations defines Disaster as: It is an event or a series of events which gives rise to casualties and/or damage or loss of property,

985 views • 62 slides
State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular

State of the Molecular Autopsy Michael J. Ackerman, MD, PhD Windland Smith Rice Cardiovascular Genomics Research Professor Professor of Medicine, Pediatrics, and Pharmacology Director, Long QT Syndrome/Genetic Heart Rhythm Clinic and the Mayo

452 views • 34 slides
Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

Country report Disaster in Vietnam and The National Strategy for disaster mitigation and

ITU/ESCAP Disaster Communications Workshop 12-15 December 2006, Bangkok, Thailand ---------------------------------- Country report Disaster in Vietnam and The National Strategy for disaster mitigation and management in the decade of 2001-2010

187 views • 17 slides
Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of

Health Effects of Urban Air Pollution: An autopsy based approach Paulo Saldiva Faculty of Medicine University of So Paulo Background Fajersztajn et al. Nature Reviews Cancer. 2013; 13(9):674-8 Spatial distribution of nitrogen dioxide in

789 views • 9 slides
Introduction to Artificial Intelligence CS540-1 Yingyu Liang slide 1 Logistics Course

Introduction to Artificial Intelligence CS540-1 Yingyu Liang slide 1 Logistics Course

Introduction to Artificial Intelligence CS540-1 Yingyu Liang slide 1 Logistics Course website: logistic info, schedules, coursework http://pages.cs.wisc.edu/~cs540-1/ TA, Graders, Peer Mentors Grading policy Homework A lot

826 views • 58 slides
Algorithms for NLP CS 11711, Spring 2020 Lecture 1: Introduction Yulia Tsvetkov 1 Welcome!

Algorithms for NLP CS 11711, Spring 2020 Lecture 1: Introduction Yulia Tsvetkov 1 Welcome!

Algorithms for NLP CS 11711, Spring 2020 Lecture 1: Introduction Yulia Tsvetkov 1 Welcome! Yulia Chan Lexi David 2 Course Website http://demo.clab.cs.cmu.edu/algo4nlp20/ 3 Communication with Machines ~50s-70s 4 Communication

1.26k views • 71 slides
Algorithms for NLP Lecture 1: Introduction Yulia Tsvetkov CMU Slides: Nathan Schneider

Algorithms for NLP Lecture 1: Introduction Yulia Tsvetkov CMU Slides: Nathan Schneider

Algorithms for NLP Lecture 1: Introduction Yulia Tsvetkov CMU Slides: Nathan Schneider Georgetown, Taylor Berg-Kirkpatrick CMU/UCSD, Dan Klein, David Bamman UC Berkeley Course Website http://demo.clab.cs.cmu.edu/11711fa18/

1.36k views • 56 slides
RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie adam@algroup.co.uk http://rfidiot.org 20 th Annual FIRST Conference Vancouver, BC June 2008 Who Am I? Co-Publisher APACHE-SSL DEFCON 'goon'

739 views • 53 slides
6hp http://www.ida.liu.se/~patla00/courses/BDA Teachers Lectures: Patrick Lambrix,

6hp http://www.ida.liu.se/~patla00/courses/BDA Teachers Lectures: Patrick Lambrix,

Big Data Analytics 6hp http://www.ida.liu.se/~patla00/courses/BDA Teachers Lectures: Patrick Lambrix, Christoph Kessler, Jose Pena, Valentina Ivanova, Labs: Zlatan Dragisic, Huanyu Li NSC: Rickard Armiento 2

2.32k views • 63 slides
CS885 Reinforcement Learning Module 3: July 5, 2020 Imitation Learning Torabi, F., Warnell, G.,

CS885 Reinforcement Learning Module 3: July 5, 2020 Imitation Learning Torabi, F., Warnell, G.,

CS885 Reinforcement Learning Module 3: July 5, 2020 Imitation Learning Torabi, F., Warnell, G., &amp; Stone, P. (2018). Behavioral cloning from observation. In IJCAI (pp. 4950-4957). Ho, J., &amp; Ermon, S. (2016). Generative adversarial

464 views • 14 slides
Understanding Git Nelson Elhage Anders Kaseorg Student Information Processing Board September

Understanding Git Nelson Elhage Anders Kaseorg Student Information Processing Board September

Understanding Git Nelson Elhage Anders Kaseorg Student Information Processing Board September 29, 2009 Nelson Elhage, Anders Kaseorg (SIPB) Understanding Git September 29, 2009 1 / 41 The Git model Outline The Git model 1 Using Git 2

974 views • 70 slides
Model-Agnostic Meta-Learning Universality, Inductive Bias, and Weak Supervision Chelsea Finn

Model-Agnostic Meta-Learning Universality, Inductive Bias, and Weak Supervision Chelsea Finn

Model-Agnostic Meta-Learning Universality, Inductive Bias, and Weak Supervision Chelsea Finn Why Learn to Learn? - e ff ectively reuse data on other tasks - replace manual engineering of architecture, hyperparameters, etc. - learn to quickly

915 views • 30 slides

More recommend