[
https://issues.apache.org/jira/browse/KUDU-2195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16219472#comment-16219472
]
David Alves commented on KUDU-2195:
-----------------------------------
As a final note I should add that the known consequences of these happened
before relationships not being enforced are not data corruption.
- We've seen 1) manifest as the wal having entries of a term that is higher
than the term in consensus metadata. On boot the tablet server verifies this
invariant and causes the replica of the tablet to fail to boot. Even though the
reported status is Status::Corruption the underlying data was not corrupted and
this replica isn't going to be working anyway. If there are other replicas
available the tablet will be available and working.
- We've never seen 2) manifest, but the current consequences of this would be
hard to trigger and even harder to detect. This might manifest as a "row
already present" error when retrying an insert on a server that had a hard
reboot, or as a double update with the same value or on a failed "delete" that
had previously succeeded. These conditions are hard to trigger as they depend
on bringing the server (that necessarily had a hard reboot) up in time for it
to be elected leader while the client is still retrying the same request.
> Enforce durability happened before relationships on multiple disks
> ------------------------------------------------------------------
>
> Key: KUDU-2195
> URL: https://issues.apache.org/jira/browse/KUDU-2195
> Project: Kudu
> Issue Type: Bug
> Components: consensus, tablet
> Reporter: David Alves
>
> When using weaker durability semantics (e.g. when log_force_fsync is off) we
> should still enforce certain happened before relationships which are not
> currently being enforced when using different disks for the wal and data.
> The two cases that come to mind where this is relevant are:
> 1) cmeta (c) -> wal (w) : We flush cmeta before flushing the wal (for
> instance on term change) with the intention that either {}, \{c} or \{c, w}
> were made durable.
> 2) wal (w) -> tablet meta (t): We flush the wal before tablet metadata to
> make sure that that all commit messages that refer to on disk row sets (and
> deltas) are on disk before the row sets they point to, i.e. with the
> intention that either {}, \{w} or \{w, t} were made durable.
> With strong durability semantics these are always made durable in the right
> order. With weaker semantics that is not the case though. If using the same
> disk for both the wal and data then the invariants are still preserved, as
> buffers will be flushed in the right order but if using different disks for
> the wal and data (and because cmeta is stored with the data) that is not
> always the case.
> 1) in ext4 is actually safe, because we perform an fsync (indirect, rename()
> implies fsync in ext4) when flushing cmeta. But it is not for xfs.
> 2) Is not safe in either filesystem.
> --- Possible solutions --
> For 1): Store cmeta with the wal; actually always fsync cmeta.
> For 2): Store tablet meta with the wal; always fsync the wal before flushing
> tablet meta.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
