GitHub Outage - How databases are managed in production






Managing databases in production is not easy, and it requires a lot of tooling to keep them up and running. GitHub had an outage that gives us a glimpse of the tooling they use in production. So, here's what happened.

Incident Summary

The GitHub team upgraded ProxySQL, and a week later a master node in a critical database cluster crashed. A replica was promoted as the new master, and it also crashed. The team tried to recover manually, but the manually promoted replica crashed as well.

Finally, the GitHub team did a full revert: they reverted all the code changes and also downgraded the ProxySQL version. After this, things went back to normal and the master did not crash again.

ProxySQL

ProxySQL is a database proxy that sits between the application servers and the database cluster. The application server connects to ProxySQL exactly as it would to a database and fires the usual SQL queries; the proxy forwards them to the appropriate data node as per its configuration.

Why do we need ProxySQL?

  • better connection management
  • as a cache for SQL query responses
  • a gatekeeper to handle security and routing

Orchestrator

Orchestrator is a MySQL topology management tool that helps us achieve High Availability on a MySQL cluster. It keeps an eye on all the nodes and takes corrective actions whenever something goes wrong.

We configure Orchestrator to keep an eye on the master node, and as soon as the node crashes, it promotes a replica to become the new master. Given that all of this happens automatically, it takes just a few seconds for the cluster to recover from a master crash.

Anti-flapping policy

A very common cascading failure happens when the master fails and a replica is promoted to be the new master. Because of the high load, the new master crashes as well, yet another replica is promoted, and the cycle continues until all nodes have crashed, leading to a complete outage.

The anti-flapping policy of Orchestrator prevents this complete outage: once a replica has been promoted to be the new master, Orchestrator does not promote another replica until a cool-off period has passed, even if the newly promoted master crashes too.

Although the master is down, this anti-flapping policy ensures that we are at least partially functional and can continue serving some reads from the surviving replicas. Along with this, only a small subset of nodes is thrown into the fire, and hence we have fewer data nodes to recover.
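To make the promotion behaviour and the anti-flapping policy concrete, here is a small simulation added for this write-up (it is not GitHub's or Orchestrator's code). It models the outage as "whatever becomes master crashes a few seconds later" and compares a cluster with no cool-off against one with a long cool-off; replica names, timings and the 4-replica topology are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cluster:
    replicas: List[str]        # healthy replicas, in promotion order (constructed)
    master: Optional[str]
    cooloff: int               # anti-flapping window in seconds (0 = disabled);
                               # Orchestrator's knob for this is RecoveryPeriodBlockSeconds
    last_promotion: int = -10**9
    promoted: List[str] = field(default_factory=list)
    blocked: int = 0           # recovery attempts refused by the anti-flapping policy

    def try_recover(self, now: int) -> bool:
        """Orchestrator-style recovery: promote the next replica, unless a
        promotion already happened inside the cool-off window."""
        if now - self.last_promotion < self.cooloff:
            self.blocked += 1
            return False
        if not self.replicas:          # nothing left to promote: complete outage
            return False
        self.master = self.replicas.pop(0)
        self.last_promotion = now
        self.promoted.append(self.master)
        return True

    def can_serve_reads(self) -> bool:
        return self.master is not None or bool(self.replicas)


def simulate(cooloff: int, n_replicas: int = 4, crash_after: int = 5,
             horizon: int = 60) -> Cluster:
    """Tick-by-tick model of the incident: while the faulty change is deployed,
    every master crashes `crash_after` seconds after it comes up."""
    c = Cluster([f"replica{i}" for i in range(n_replicas)], "master0", cooloff)
    up_since = 0
    for now in range(horizon):
        if c.master is not None and now - up_since >= crash_after:
            c.master = None            # the current master crashes
        if c.master is None and c.try_recover(now):
            up_since = now             # a replica was promoted this tick
    return c


if __name__ == "__main__":
    for cooloff in (0, 3600):
        c = simulate(cooloff)
        print(f"cooloff={cooloff}: promoted={c.promoted} surviving={c.replicas} "
              f"blocked={c.blocked} reads={c.can_serve_reads()}")
```

With no cool-off every replica is promoted and burned in turn and the cluster ends with nothing left to read from; with the cool-off only the first replica is sacrificed and the remaining three keep serving reads while humans investigate.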

Mitigation

To mitigate the issue, the GitHub team

  • reverted the ProxySQL version
  • reverted the code that required an upgraded version of ProxySQL

With this full revert, the master node stopped crashing and things went back to normal.


Arpit Bhayani

Published 2022-06-29
