Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: prevent failovers when disk space is exhausted #4404

Merged
merged 23 commits into from
Jun 4, 2024
Merged

feat: prevent failovers when disk space is exhausted #4404

merged 23 commits into from
Jun 4, 2024

Conversation

leonardoce
Copy link
Contributor

@leonardoce leonardoce commented Apr 29, 2024
edited

PostgreSQL will shut down cleanly when there is not enough disk space to store WAL files.

The operator did not recognize this condition and, since the primary failed, was performing a failover to the most advanced replica. This action will not fix the underlying issue.

Only a manual disk resize, initiated by the user, can ultimately lead to a fully working PostgreSQL cluster.

This patch makes the instance manager recognize this condition and report it to the operator. Upon detecting it, the operator will not trigger a switchover and set a phase describing the situation.

After the PVCs are resized, the cluster will restart working correctly.

Closes: #4521

@github-actions github-actions bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.21 release-1.22 release-1.23 labels Apr 29, 2024
@github-actions GitHub Actions
Copy link
Contributor

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

@leonardoce leonardoce force-pushed the dev/space branch 3 times, most recently from 4012706 to 126566d Compare May 13, 2024 09:54
@leonardoce leonardoce marked this pull request as ready for review May 13, 2024 10:02
@leonardoce leonardoce requested a review from a team as a code owner May 13, 2024 10:02
@leonardoce
Copy link
Contributor Author

I tested this using Longhorn in a Fedora VM, but any storage enforcing the PV capacity will do the trick.

To test the patch, you need to finish your WAL storage. To keep things easy, I used:

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cluster-example
spec:
  instances: 1

  storage:
    size: 256Mi

And then:

CREATE TABLE storage_area (t text);

-- repeat the following query 20-30 times (you need to be fast!)
INSERT INTO storage_area (t) (select repeat('Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do', 5*1024*1024));

With the predefined WAL settings, you'll finish your WAL disk space before you finish the space for PGDATA.

@armru armru force-pushed the dev/space branch 2 times, most recently from 9b2cea6 to e625d8f Compare May 15, 2024 15:25
@armru
Copy link
Member

armru commented May 16, 2024

/test limit=local

@github-actions GitHub Actions
Copy link
Contributor

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/9110497781

@github-actions github-actions bot added the ok to merge 👌 This PR can be merged label May 16, 2024
jsilvela
jsilvela reviewed May 20, 2024
View reviewed changes
Copy link
Collaborator

@jsilvela jsilvela left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

About to start adding documentation and going over the E2E, but left a few comments on the implementation bits.
IMO the "WALDisk" nomenclature could get confusing as it seems to imply there is a separate WAL volume, which may or may not be the case.

internal/cmd/manager/instance/run/lifecycle/run.go Outdated Show resolved Hide resolved
pkg/fileutils/directory.go Outdated Show resolved Hide resolved
pkg/fileutils/directory.go Outdated Show resolved Hide resolved
pkg/fileutils/directory.go Outdated Show resolved Hide resolved
pkg/management/postgres/instance.go Outdated Show resolved Hide resolved
pkg/management/postgres/instance.go Outdated Show resolved Hide resolved
pkg/utils/fencing.go Outdated Show resolved Hide resolved
@leonardoce leonardoce force-pushed the dev/space branch 2 times, most recently from 172cfe7 to 3cdc43a Compare May 21, 2024 09:47
jsilvela
jsilvela approved these changes May 21, 2024
View reviewed changes
Copy link
Collaborator

@jsilvela jsilvela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think it's worth renaming the ensureSufficientDiskSpace method, but otherwise give this an enthusiastic 👍

@leonardoce leonardoce added do not backport This PR must not be backported - it will be in the next minor release and removed release-1.23 labels Jun 4, 2024
Leonardo Cecchi and others added 23 commits June 4, 2024 13:53
@leonardoce
feat: automatically fence the primary when no disk space is left
651faf0 
PostgreSQL will shutdown cleanly when there is no enough disk space to
store WAL files.

The operator was not recognizing this condition and, since the primary
failed, was performing a failover to the most advanced replica. This
action will not fix the underlying issue.

Only a manual disk resize, initiated by the user, can ultimately lead
to a fully working PostgreSQL cluster.

This patch makes the instance manager recognize this condition, and
report it back to the operator. Upon detecting it, the operator will
fence the primary instance and set a phase describing the situation.
Since the primary instance is fenced, no failovers will be done.

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enteprisedb.com>
@fcanovai @leonardoce
test: out of disk space recovery scenario
eb6f98c 
Add an e2e to test the recovery in case a primary runs out of disk
space.

Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enteprisedb.com>
@armru @leonardoce
review: bulk fencing and noWalDiskSpace status
5a8789f 
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@armru @leonardoce
chore: more structured approach to size probing
c943173 
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@armru @leonardoce
chore: rename size_probe -> directory
0b4fa29 
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@jsilvela @leonardoce
docs: add top-level documentation
e0b076e 
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
@jsilvela @leonardoce
docs: commas
cbcdbb7 
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
@leonardoce @jsilvela
chore: fix grammar in pkg/fileutils/directory.go
71562a9 
Co-authored-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@gmail.com>
@leonardoce @jsilvela
chore: fix grammar in pkg/fileutils/directory.go
bc9b8bc 
Co-authored-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@gmail.com>
@leonardoce @jsilvela
chore: fix pkg/utils/fencing.go
5c3ffa0 
Co-authored-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@gmail.com>
@leonardoce
chore: address Gabriele's comments
2664c9e 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@leonardoce
chore: address Jaime's comments
b7b57c0 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@leonardoce
chore: improve naming
c9fd9a9 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@jsilvela @leonardoce
review: clarify documentation
f99b807 
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
@jsilvela @leonardoce
Update docs/src/instance_manager.md
1fcbcaf 
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
@jsilvela @leonardoce
Update docs/src/troubleshooting.md
120456e 
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
@leonardoce
chore: directory vs diskprobe
5e2c31c 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@leonardoce
chore: rename ensureSufficientDiskSpace to ensureNoFailoverOnFullDisk to
304ee69 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@gbartolini @leonardoce
docs: cosmetic changes
f8c1263 
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
@leonardoce
feat: implementation using exit codes and no fencing
3a3ec2a 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@fcanovai @leonardoce
fix: reduce required space to a single wal
1bb5ac2
@fcanovai @leonardoce
docs: improve documentation
bdc766d
@leonardoce
chore: remove WALSpaceAvailable field
f98905a 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enteprisedb.com>
@leonardoce
Copy link
Contributor Author

E2e tests are fine!

@leonardoce leonardoce removed the do not merge 🙅 This PR cannot be merged (yet) label Jun 4, 2024
@leonardoce leonardoce merged commit bf42946 into cloudnative-pg:main Jun 4, 2024
25 checks passed
dougkirkley pushed a commit to dougkirkley/cloudnative-pg that referenced this pull request Jun 11, 2024
@leonardoce @fcanovai
@armru @jsilvela @gbartolini
feat: prevent failovers when disk space is exhausted (cloudnative-pg#…
32ee889 
…4404)

PostgreSQL will shut down cleanly when there is not enough disk space to
store WAL files.

The operator did not recognize this condition and, since the primary
failed, was performing a failover to the most advanced replica. This
action will not fix the underlying issue.

Only a manual disk resize, initiated by the user, can ultimately lead to
a fully working PostgreSQL cluster.

This patch makes the instance manager recognize this condition and
report it to the operator. Upon detecting it, the operator will not
trigger a switchover and set a phase describing the situation.

After the PVCs are resized, the cluster will restart working correctly.

Closes: cloudnative-pg#4521

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enteprisedb.com>
Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enteprisedb.com>
Co-authored-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
Co-authored-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Co-authored-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Douglass Kirkley <dkirkley@eitccorp.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsilvela jsilvela jsilvela approved these changes

@gbartolini gbartolini gbartolini approved these changes

@armru armru armru approved these changes

@NiccoloFei NiccoloFei Awaiting requested review from NiccoloFei NiccoloFei is a code owner

@litaocdl litaocdl Awaiting requested review from litaocdl litaocdl is a code owner

Assignees

@leonardoce leonardoce

Labels
do not backport This PR must not be backported - it will be in the next minor release ok to merge 👌 This PR can be merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Feature]: Graceful handling of WAL disk space exhaustion
5 participants
@leonardoce @armru @gbartolini @jsilvela @fcanovai