storage: outside-of-raft snapshots put consistency in jeopardy #7619
Assignees
Labels
C-bug
Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior.
S-1-stability
Severe stability issues that can be fixed by upgrading, but usually don’t resolve by restarting
Milestone
Comments
tbg
added
the
C-bug
|
Specifically, there are some checks on the snapshot metadata in Alternately, we could reorganize the checks in |
|
OK. I already have a WIP for this: On Wed, Jul 6, 2016 at 8:46 AM, Tobias Schottdorf [email protected]
|
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Jul 6, 2016
Ensure that a new HardState does not break promises made by an existing one during snapshot application. Update the HardState for both preemptive (where they're required both from an updating and error checking perspective) and Raft-delivered snapshots (where it must never error out and should never have to update anything since the supplied HardState is fresh out of Raft). Fixes cockroachdb#7619.
|
Snagging this issue from you as believed fixed in #7598 (won't merge without a test for this added). |
bdarnell
added a commit
to bdarnell/cockroach
that referenced
this issue
Jul 7, 2016
Fixes cockroachdb#7659 Updates cockroachdb#7600 Updates cockroachdb#7619
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Jul 8, 2016
As discovered in cockroachdb#6991 (comment), it's possible that we apply a Raft snapshot without writing a corresponding HardState since we write the snapshot in its own batch first and only then write a HardState. If that happens, the server is going to panic on restart: It will have a nontrivial first index, but a committed index of zero (from the empty HardState). This change prevents us from applying a snapshot when there is no HardState supplied along with it, except when applying a preemptive snapshot (in which case we synthesize a HardState). Ensure that a new HardState does not break promises made by an existing one during preemptive snapshot application. Fixes cockroachdb#7619.
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Jul 8, 2016
As discovered in cockroachdb#6991 (comment), it's possible that we apply a Raft snapshot without writing a corresponding HardState since we write the snapshot in its own batch first and only then write a HardState. If that happens, the server is going to panic on restart: It will have a nontrivial first index, but a committed index of zero (from the empty HardState). This change prevents us from applying a snapshot when there is no HardState supplied along with it, except when applying a preemptive snapshot (in which case we synthesize a HardState). Ensure that a new HardState does not break promises made by an existing one during preemptive snapshot application. Fixes cockroachdb#7619.
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Jul 8, 2016
As discovered in cockroachdb#6991 (comment), it's possible that we apply a Raft snapshot without writing a corresponding HardState since we write the snapshot in its own batch first and only then write a HardState. If that happens, the server is going to panic on restart: It will have a nontrivial first index, but a committed index of zero (from the empty HardState). This change prevents us from applying a snapshot when there is no HardState supplied along with it, except when applying a preemptive snapshot (in which case we synthesize a HardState). Ensure that a new HardState does not break promises made by an existing one during preemptive snapshot application. Fixes cockroachdb#7619.
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Jul 8, 2016
As discovered in cockroachdb#6991 (comment), it's possible that we apply a Raft snapshot without writing a corresponding HardState since we write the snapshot in its own batch first and only then write a HardState. If that happens, the server is going to panic on restart: It will have a nontrivial first index, but a committed index of zero (from the empty HardState). This change prevents us from applying a snapshot when there is no HardState supplied along with it, except when applying a preemptive snapshot (in which case we synthesize a HardState). Ensure that a new HardState does not break promises made by an existing one during preemptive snapshot application. Fixes cockroachdb#7619.
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Jul 8, 2016
As discovered in cockroachdb#6991 (comment), it's possible that we apply a Raft snapshot without writing a corresponding HardState since we write the snapshot in its own batch first and only then write a HardState. If that happens, the server is going to panic on restart: It will have a nontrivial first index, but a committed index of zero (from the empty HardState). This change prevents us from applying a snapshot when there is no HardState supplied along with it, except when applying a preemptive snapshot (in which case we synthesize a HardState). Ensure that the new HardState and Raft log does not break promises made by an existing one during preemptive snapshot application. Fixes cockroachdb#7619. storage: prevent loss of uncommitted log entries
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Jul 11, 2016
As discovered in cockroachdb#6991 (comment), it's possible that we apply a Raft snapshot without writing a corresponding HardState since we write the snapshot in its own batch first and only then write a HardState. If that happens, the server is going to panic on restart: It will have a nontrivial first index, but a committed index of zero (from the empty HardState). This change prevents us from applying a snapshot when there is no HardState supplied along with it, except when applying a preemptive snapshot (in which case we synthesize a HardState). Ensure that the new HardState and Raft log does not break promises made by an existing one during preemptive snapshot application. Fixes cockroachdb#7619. storage: prevent loss of uncommitted log entries
petermattis
added
the
S-1-stability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When we send a snapshot around outside of Raft (preemptive snapshot), we don't check whether the state we're overwriting is ahead of us.
This could lead to a replica being created, acknowledging progress, and then being reset through a snapshot.
Perhaps
canApplySnapshotis a good place to check that. The necessary information should be deducible from the respectiveHardStates.The text was updated successfully, but these errors were encountered: