Add cleanup logic for corrupted index filesets

[notbdu]

What this PR does / why we need it:

Adds cleanup logic for corrupted index filesets.

Special notes for your reviewer:

Does this PR introduce a user-facing and/or backwards incompatible change?:

NONE

Does this PR require updating code package or user-facing documentation?:

NONE

[linasm]

IMHO to preserve these ordering guarantees (that info file is the first to be persisted), we may need to fsync (File.Sync() call) info file immediately after the first write.

[notbdu]

Do we? The info file is the first file we attempt to write. Shouldn't the OS flush buffered info file (from first write) pages to disk first before flushing other buffered pages for other files to disk that we've written later? Or does this happen out of order?

[linasm]

I have seen in practice a corrupt fileset where checkpoint file was fully persisted, but some other files were incomplete, even though checkpoint file is the last to be written and closed.
So I think that without fsyncing info file we can end up in a situation where the first part of info file has been written, we continue with further writing of other files, cleanup process picks up this fileset, but it does not see the info file yet and so it deletes other files.

[vpranckaitis]

I have some concerns about reading info files which haven't yet been fully written (see comments). Though I'm not sure if it's something to worry about.

[vpranckaitis]

I wonder if it is possible that the info file will be read after it was created, but before the contents were written? Not sure about filesystem atomicity guarantees, but at least WriteFile() implementation [1, 2] hints that there might be a gap.

A comment above says that we intentionally skip latest block start. Could we accidentally violate this by reading info file which haven't been written yet and assuming it's corrupted? If that file belonged to the latest block start, we wouldn't even know.

[notbdu]

Hmm yea, I'm not sure - maybe @robskillington can comment on this.

We could err on the side of caution and not attempt to delete filesets w/ a potentially corrupt index info file.

[codecov]

Codecov Report

Merging #3430 (98c8f25) into master (93aef73) will decrease coverage by 0.0%.
The diff coverage is 65.3%.

@@            Coverage Diff            @@
##           master    #3430     +/-   ##
=========================================
- Coverage    72.4%    72.4%   -0.1%     
=========================================
  Files        1100     1100             
  Lines      102736   102830     +94     
=========================================
+ Hits        74479    74529     +50     
- Misses      23158    23196     +38     
- Partials     5099     5105      +6     

Flag	Coverage Δ
aggregator	76.9% <ø> (-0.1%)	⬇️
cluster	84.9% <ø> (-0.1%)	⬇️
collector	84.3% <ø> (ø)
dbnode	79.0% <65.3%> (-0.1%)	⬇️
m3em	74.4% <ø> (ø)
m3ninx	73.6% <ø> (-0.1%)	⬇️
metrics	19.7% <ø> (ø)
msg	74.5% <ø> (-0.2%)	⬇️
query	67.1% <ø> (ø)
x	80.5% <ø> (+0.1%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 93aef73...98c8f25. Read the comment docs.

[linasm]

I have seen in practice a corrupt fileset where checkpoint file was fully persisted, but some other files were incomplete, even though checkpoint file is the last to be written and closed.
So I think that without fsyncing info file we can end up in a situation where the first part of info file has been written, we continue with further writing of other files, cleanup process picks up this fileset, but it does not see the info file yet and so it deletes other files.

[linasm]

This makes me think why does is the cleanup process called from WarmFlushCleanup. It would clean up cold flush index filesets as well, right? Also, from what I can see it covers all namespaces, including computed namespaces which perform no warm/cold flushing. Which makes the code somewhat confusing. Perhaps some refactoring/naming improvement could be useful here.

[notbdu]

It's not just this fn, all of the index file cleanup fns are the same. We only cleanup data files in the cold flush loop and index files in the warm flush loop. IIRC we only have cold flush cleanup because it was not safe to cleanup data files in the warm flush loop (can't remember the exact reason). Otherwise, we would've done all cleanup in the warm flush loop.

[linasm]

Nit: maybe worth adding an invariant check in the loop to guarantee this?

[vpranckaitis]

a3f7f73#diff-6fedd1c6b4deb503fca7c3a8a8d2fbedf6abeeccfcbc90d2d239a6c72cb12199R2128-R2140

[linasm]

But for cold flush (or computed namespace), active block may not necessarily be the latest one?

[notbdu]

Hmm maybe I should remove this comment - it's a little confusing, it's fine even if we iterate over the active block or any block for that matter that we're actively writing to (we check against latest vol idx).

I had the comment for why we're not running the cleanup logic for all blocks. Would need to wrap it in a fn and run it outside of the loop to cover all blocks. But running against the active block is essentially a no-op so I put the comment in.

[codecov]

Codecov Report

Merging #3430 (d395a4e) into master (d395a4e) will not change coverage.
The diff coverage is n/a.

❗ Current head d395a4e differs from pull request most recent head beb5139. Consider uploading reports for the commit beb5139 to get more accurate results

@@          Coverage Diff           @@
##           master   #3430   +/-   ##
======================================
  Coverage    56.3%   56.3%           
======================================
  Files         548     548           
  Lines       61902   61902           
======================================
  Hits        34898   34898           
  Misses      23886   23886           
  Partials     3118    3118           

Flag	Coverage Δ
aggregator	57.3% <0.0%> (ø)
cluster	∅ <0.0%> (∅)
collector	54.3% <0.0%> (ø)
dbnode	60.9% <0.0%> (ø)
m3em	46.4% <0.0%> (ø)
metrics	19.8% <0.0%> (ø)
msg	74.7% <0.0%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d395a4e...beb5139. Read the comment docs.

I'm taking over the work on this PR

[linasm]

Nit: this comment appears twice (and in general doesn't look like it is adding value).

[vpranckaitis]

d1bb8db#diff-c024dc7e9c9d21a78ce06c867813ca611ce5b80218c36536347a27638a6ccf67L63-L64

[linasm]

Nit: maybe try formatting these Sets differently for easier readability.

[vpranckaitis]

d1bb8db#diff-c024dc7e9c9d21a78ce06c867813ca611ce5b80218c36536347a27638a6ccf67R52-R61

[linasm]

Could we check the len(filesets) here instead?

[vpranckaitis]

d1bb8db#diff-c024dc7e9c9d21a78ce06c867813ca611ce5b80218c36536347a27638a6ccf67R100

[linasm]

There is no error returned by the code above.

[vpranckaitis]

d1bb8db#diff-c024dc7e9c9d21a78ce06c867813ca611ce5b80218c36536347a27638a6ccf67L101

[linasm]

Nit: could you move this declaration closer to where it is being used (for readability)?

[vpranckaitis]

d1bb8db#diff-c024dc7e9c9d21a78ce06c867813ca611ce5b80218c36536347a27638a6ccf67L95

[linasm]

Nit: this part of code is exactly the same as in readAndValidate. Might be worth extracting something like func bufferForEntireFile(filePath string) ([]byte, error)

[vpranckaitis]

bca22e4#diff-78d9cf687193bca4cdc4ae73e54059f6a3b3ab4360a627c4bf26c070b8a0f909R1430-R1440

[linasm]

Nit: I think this loop would be more readable in this form:

Suggested change

	for j := 0; j+1 < len(filesets); j++ {
	for j := 1; j < len(filesets); j++ {

And then adjusting the indexes in the loop body accordingly.

[vpranckaitis]

bca22e4#diff-6fedd1c6b4deb503fca7c3a8a8d2fbedf6abeeccfcbc90d2d239a6c72cb12199L2127-R2134

[linasm]

Can you be more specific about what you call "conflicting information" here?

[vpranckaitis]

Reworded it to "inconsistent". E.g. block start is written in filename and inside info file, and if those don't match, we might not be able to trust the other information, too.

bca22e4#diff-6fedd1c6b4deb503fca7c3a8a8d2fbedf6abeeccfcbc90d2d239a6c72cb12199R2149-R2150
92966b6#diff-6fedd1c6b4deb503fca7c3a8a8d2fbedf6abeeccfcbc90d2d239a6c72cb12199R2149-R2155

[vpranckaitis]

Though maybe it would be better return more info from ReadIndexInfoFiles() itself? Instead of simply returning corrupted bool, we could make it an enum and describe the type of corruption. There seems to be a handful corruption modes that we care about:

• not corrupted – volume type known;
• info file is missing / can't be parsed – volume type unknown;
• info file is fine, though some other file is corrupted – volume type known.

[linasm]

What is the meaning behind f.ID.BlockStart.Equal(xtime.FromNanoseconds(f.Info.BlockStart)) check?

[vpranckaitis]

Checks for consistency of info file. IIUC, f.ID.BlockStart is extracted from filename while f.Info.BlockStart is read from info file.

[linasm]

Suggested change

	// Delete corrupted filesets if there are more recent volumes with with the same volume type.
	// Delete corrupted filesets if there are more recent volumes with the same volume type.

[vpranckaitis]

bca22e4#diff-6fedd1c6b4deb503fca7c3a8a8d2fbedf6abeeccfcbc90d2d239a6c72cb12199L2167-R2168

[linasm]

LGTM

[soundvibe]

Could it be possible to somehow get rid of this bool arg? To me, it doesn't look very clean. Maybe this corrupted flag could be embedded in FileSetFile?

[vpranckaitis]

I agree that corrupted could be placed in FileSetFile struct. Though I'm not sure if now it's a good time to do that. FileSetFile struct is used in many functions across this file, most of which do not deal with corrupted filesets. We currently only care about corrupted filesets when calling ReadIndexInfoFiles().

So I guess it would make sense to move corrupted into FileSetFile if it was more widely used, but for now having it separate makes the notion of corrupted filesets more contained.