Clustering issues leading to all nodes being downed #578
Comments
|
I have extra logs that may be useful:
|
|
I also encountered the same problem, which caused my cluster to keep restarting. Is there a plan to fix it? When is it expected to be repaired? |
|
@fredfp Can you give us more info on this - akka/akka#31095 (comment) On the Apache Pekko side, we can read the Akka issues but not the Akka PRs (due to the Akka license not being compatible with Apache Pekko). The issue appears to be with split brain scenarios from my reading of akka/akka#31095 - specifically DownSelfQuarantinedByRemote events. Is it possible that we should just ignore DownSelfQuarantinedByRemote events when it comes to deciding to shut down the cluster? |
|
@pjfanning I think the issue can happen when a node shutsdown during a partition. Still, DownSelfQuarantinedByRemote events cannot be ignored. The root cause is that nodes should not know they were quanrantined by others in some harmless cases. Indeed, some quarantines are harmless (as indicated by the method argument: https://github.com/apache/pekko/blob/main/remote/src/main/scala/org/apache/pekko/remote/artery/Association.scala#L534). And the issue is that such harmless quarantine should not be be communicated to the other side i.e., the quarantined association. However, they currently always are: https://github.com/apache/pekko/blob/main/remote/src/main/scala/org/apache/pekko/remote/artery/InboundQuarantineCheck.scala#L47 |
|
@pjfanning |
|
I also experienced the same issue, leading to continuous restarts of my cluster. Is there a scheduled resolution for this? When can we anticipate a fix? |
|
@pjfanning Can you suggest a way to fix this bug as soon as possible, thank you very much. |
|
This bug should hit quite seldom, if it happens often it most likely means something is not right with your cluster and you should fix that first in all cases. Especially, make sure:
|
The issue appear also in systems with heavy memory usage and long GC pauses. It is worth to check gc strategy, gc settings, gc metrics etc |
|
how about use the classical transport for now? seems the issue in lives in artery only |
|
|
IIRC, Akka 2.8.x requires an BSL :) I don't have an env to reproduce the problem, maybe you can work out a multi-jvm test for that? and still super busy at work:( |
|
目前我的k8s集群有26个pod运行,当其中某一个pod因为资源不足重启的时候,常常会导致整个集群挂调,我们处理数据量比较大,资源占用比较高,目前在其他集群上(比如docker运行注册到nacos上),暂时没有出现这个问题 |
|
Hello, has there been any progress on this issue? Is there a plan for when it will be fixed?😀 |
|
For Kubernetes users, we would suggest using the Kubernetes Lease described here: Pekko Management 1.1.0-M1 has a 2nd implementation of the Lease - the legacy one is CRD based while the new one uses Kubernetes native leases. |
That's what we use already and it didn't help in the current case. Do you expect it resolves (or avoids) this issue? I think the lease helps the surviving partition confirm it can indeed stay up, it hoever doesn't help the nodes downing themselves, which is the observed behaviour described above.
Thank you for pointing it out, looking forward to it! |
|
@fredfp It's good to hear that using the Split Brain Resolver with a Kubernetes Lease stops all the nodes from downing themselves. When you lose some of the nodes, are you finding that you have to manually restart them or can Kubernetes handle automatically restarting them using liveness and/or readiness probes? |
Sorry, let me be clearer: using the SBR with a Kubernetes Lease does not stop all the nodes from downing themselves.
When a node downs itself, the java process (running inside the container) terminates. The container is then restarted by k8s as usual, the liveness/readiness probes do not play a part in that. Does that answer your question? |
|
I think the main issue is Association.quarantine where the harmless flag is not passed on here: Since GracefulShutdownQuarantinedEvent only appears to be used for harmless=true quarantine events, we might be able to find the event subscribers and have them handle GracefulShutdownQuarantinedEvent in a different way to standard QuarantinedEvent instances. For example, I found 3 places where harmless=true quarantine events can be kicked off - but there could be more. https://github.com/search?q=repo%3Aapache%2Fpekko%20%22harmless%20%3D%20true%22&type=code |
|
I tried yesterday to write a unit test that does artificially causes a harmless quarantine and that examines the results but so far, I haven't reproduced the issue with the cluster shut down. I think having a reproducible case is the real blocker on this issue. |
|
Here's my understanding:
About reproducing, I'm not sure because it's not clear to me how a node, when shutting down, can quarantine associations to others with
|
I'm reopening here an issue that I reported at the time under the akka repo.
We had a case where an issue on a single node lead to the whole akka-cluster being taken down.
Here's a summary of what happened:
Discussions, potential issues:
Considering the behaviour of CoordinatedShutdown (phases can time out and shutdown continues), shouldn't the leader ignore unreachabilities added by a Leaving node and be allowed to perform its duties?
At step 6 above, the Leader was blocked from removing A, but A still continued its shutdown process. The catastrophic ending could have been stopped here.
DownSelfQuarantinedByRemote: @patriknw 's comment seems spot on.
At step 9, nodes B, C, D, E should probably not take into account the
Quarantinedfrom a node that is Leaving.DownSelfQuarantinedByRemote: another case where Patrik's comment also seems to apply,
Quarantinedfrom nodes downing themselves because of DownSelfQuarantinedByRemote should probably not be taken into account.At steps 10 and 12. Any cluster singletons running on affected nodes wouldn't be gracefully shutdown using the configured termination message. This is probably the right thing to do but I'm adding this note here nonetheless.
The text was updated successfully, but these errors were encountered: