I recently worked on a case where one node of a Galera cluster had its schema desynchronized with the other nodes. And that was although Total Order Isolation method was in effect to perform the schema changes. Let’s see what happened.
Background
For those of you who are not familiar with how Galera can perform schema changes, here is a short recap:
- Two methods are available depending on the value of the
wsrep_OSU_methodsetting. Both have benefits and drawbacks, it is not the main topic of this post. - With TOI (Total Order Isolation), a DDL statement is performed at the same point in the replication flow on all nodes, giving strong guarantees that the schema is always identical on all nodes.
- With RSU (Rolling Schema Upgrade), a DDL statement is not replicated to the other nodes. Until the DDL statement has been executed on all nodes, the schema is not consistent everywhere (so you should be careful not to break replication).
You can look at the official document here.
If you read carefully the section on TOI, you will see that “[…] TOI transactions will never fail certification and are guaranteed to be executed.” But also that “The system replicates the TOI query before execution and there is no way to know whether it succeeds or fails. Thus, error checking on TOI queries is switched off.”
Confusing? Not really. It simply means that with TOI, a DDL statement will always pass certification. But if for some reason, the DDL statement fails on one of the nodes, it will not be rolled back on the other nodes. This opens the door for schema inconsistencies between nodes.
A test case
Let’s create a table on a 3-node Percona XtraDB Cluster 5.6 cluster and insert a few rows:
|
1 2 |
pxc1> create table t (id int not null auto_increment primary key, c varchar(10)); pxc1> insert into t (c) values ('aaaa'),('bbbb'); |
Then on node 3, let’s introduce a schema change on t that can make other schema changes fail:
|
1 2 3 4 5 |
pxc3> set global wsrep_OSU_method=RSU; pxc3> alter table t add d int; pxc3> set global wsrep_OSU_method=TOI; |
As the schema change was done on node 3 with RSU, it is not replicated to the other nodes.
Now let’s try another schema change on node 1:
|
1 2 3 |
pxc1> alter table t add d varchar(10); Query OK, 0 rows affected (0,14 sec) Records: 0 Duplicates: 0 Warnings: 0 |
Apparently everything went well and indeed on node 1 and 2, we have the correct schema:
|
1 2 3 4 5 6 7 8 9 |
pxc2>show create table tG *************************** 1. row *************************** Table: t Create Table: CREATE TABLE t ( id int(11) NOT NULL AUTO_INCREMENT, c varchar(10) DEFAULT NULL, d varchar(10) DEFAULT NULL, PRIMARY KEY (id) ) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1 |
But on node 3, the statement failed so the schema has not been changed:
|
1 2 3 4 5 6 7 8 9 |
pxc3> show create table tG *************************** 1. row *************************** Table: t Create Table: CREATE TABLE t ( id int(11) NOT NULL AUTO_INCREMENT, c varchar(10) DEFAULT NULL, d int(11) DEFAULT NULL, PRIMARY KEY (id) ) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1 |
The error is visible in the error log of node 3:
|
1 2 3 |
2014-07-18 10:37:14 9649 [ERROR] Slave SQL: Error 'Duplicate column name 'd'' on query. Default database: 'repl_test'. Query: 'alter table t add d varchar(10)', Error_code: 1060 2014-07-18 10:37:14 9649 [Warning] WSREP: RBR event 1 Query apply warning: 1, 200 2014-07-18 10:37:14 9649 [Warning] WSREP: Ignoring error for TO isolated action: source: 577ffd51-0e52-11e4-a30e-4bde3a7ad3f2 version: 3 local: 0 state: APPLYING flags: 65 conn_id: 3 trx_id: -1 seqnos (l: 17, g: 200, s: 199, d: 199, ts: 7722177758966) |
But of course it is easy to miss. And then a simple INSERT can trigger a shutdown on node3:
|
1 2 |
pxc2> insert into t (c,d) values ('cccc','dddd'); Query OK, 1 row affected (0,00 sec) |
will trigger this on node 3:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
2014-07-18 10:42:27 9649 [ERROR] Slave SQL: Column 2 of table 'repl_test.t' cannot be converted from type 'varchar(10)' to type 'int(11)', Error_code: 1677 2014-07-18 10:42:27 9649 [Warning] WSREP: RBR event 3 Write_rows apply warning: 3, 201 2014-07-18 10:42:27 9649 [Warning] WSREP: Failed to apply app buffer: seqno: 201, status: 1 at galera/src/trx_handle.cpp:apply():340 [...] 2014-07-18 10:42:27 9649 [Note] WSREP: Received NON-PRIMARY. 2014-07-18 10:42:27 9649 [Note] WSREP: Shifting SYNCED -> OPEN (TO: 201) 2014-07-18 10:42:27 9649 [Note] WSREP: Received self-leave message. 2014-07-18 10:42:27 9649 [Note] WSREP: Flow-control interval: [0, 0] 2014-07-18 10:42:27 9649 [Note] WSREP: Received SELF-LEAVE. Closing connection. 2014-07-18 10:42:27 9649 [Note] WSREP: Shifting OPEN -> CLOSED (TO: 201) 2014-07-18 10:42:27 9649 [Note] WSREP: RECV thread exiting 0: Success 2014-07-18 10:42:27 9649 [Note] WSREP: recv_thread() joined. 2014-07-18 10:42:27 9649 [Note] WSREP: Closing replication queue. 2014-07-18 10:42:27 9649 [Note] WSREP: Closing slave action queue. 2014-07-18 10:42:27 9649 [Note] WSREP: bin/mysqld: Terminated. |
Conclusion
As on regular MySQL, schema changes are challenging with Galera. Some subtleties can create a lot of troubles if you are not aware of them. So before running DDL statement, make sure you fully understand how TOI and RSU methods work.
About the Author
Stephane CombaudonStéphane joined Percona in July 2012, after working as a MySQL DBA for leading French companies such as Dailymotion and France Telecom. In real life, he lives in Paris with his wife and their twin daughters. When not in front of a computer or not spending time with his family, he likes playing chess and hiking.
Thanks for share, but i confused about how certification works
could you introduce some articles?
Shawn,
A good place to start is the official documentation of Galera:
http://galeracluster.com/documentation-webpages/certificationbasedreplication.html
I don’t understand. You said “Galera cluster had its schema desynchronized with the other nodes. And that was although Total Order Isolation method was in effect”. But in your example, you disable TOI. So which one is it? Does TOI guarantee consistency or not?
@burn: right, this is confusing… TOI guarantees that a DDL is executed on all nodes at the same point in time. However Galera cannot check whether the DDL ran successfully on all nodes.
So if for instance, you first desynchronize the schema under RSU (which is allowed and expected), forget about the change and then change the schema of the same table under TOI, the 2nd DDL may not be executed correctly on all nodes.
Then you might think that TOI was not able to change the schema properly, while the real issue is somewhere else (schema change under RSU was not performed on all nodes).
@Stephane: When this happened, was the failed node able to come back up and get the old schema via an SST? I replicated this on a Galera cluster and noticed that the failing node deleted the DB and the table, but the other node kept the DB (even after an SST happened).
@adityaanchuri: in the case demoed in the post, you want to resync the failed node with an SST against a node that has the correct schema.
If it does not succeed on a few nodes:
– Does the replication quit or continue?
– Can you monitor this by the galera status (wsrep…)?
Is there any way to prevent this?
I am having an issue where, in my 3 node system, some bad drupal SQL is causing the nodes to hang and eventually fail bringing down the cluster
TOI is running on all the nodes, but since the failed SQL statement can go to any mysql server because of round robin all of them can fail.