Fail VReplication workflows on errors that persist and unrecoverable errors

[rohit-nayak-ps]

Description

As part of an initial design decision, VReplication workflows always retry in case it encounters an error after sleeping for 5 seconds. The reasoning was that, for large reshards/migrations and perpetual materialize workflows, we could often encounter recoverable errors like PRS, restarting of vttablets/mysql servers, network partitions etc. So rather than error out waiting for an operator to manually restart workflows we decided to keep retrying.

Since we only retried every five seconds any resource wastage due to continuously retrying unrecoverable workflows would be small and in most cases we would transparently recover and make forward progress with minimum downtime. This is especially important for Materialize workflows were the user is expecting near realtime performance.

Usually the vreplication workflows would be setup manually and the possibility of errors due to schema issues was minimal and so this approach worked well. However with the introduction of vreplication-based online DDL workflows we see a lot of automated use where user-specified DDLs are directly used to configure vreplication workflows. Incorrect DDLs can thus result in errors that result in prolonged retries that are not recoverable.

Error reporting in VReplication is also not great: we update the message column in the _vt.vreplication table, but that can get overwritten when we retry. We do also log errors in the _vt.vreplication_log table

A change was introduced recently in Online DDL workflows to mitigate this: we look up the error against a set of MySQL errors that we knew were not recoverable and in that case we put the workflow in an error state. Then there are no more automated retries and a manual restart after fixing the error is expected.

However there are still unrecoverable schema-related errors that are not yet mapped or do not map cleanly to MySQL errors. There could also be misconfigured workflows (example: no replicas in a keyspace when the tablet type is set to only replicas, incorrect cell settings etc). Continuously retrying workflows in such cases can delay detecting them.

This PR:

• extends the check for unrecoverable errors to all workflow types, not just Online DDLs
• for all workflows, detects errors that persist for more than the 🚩 new vttablet flag
  --vreplication_max_time_to_retry_errors (default: 15 minutes).

For above cases it directly moves the workflow to Error state, which is then reported in Workflow Show.

Checklist

• "Backport me!" label has been added if this change should be backported
  • We should backport this to 14.0.0-rc, but no further
• Tests were added or are not required
• Documentation was added or is not required

[github-actions]

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

• Ensure that the Pull Request has the correct release notes label. release notes none should only be used for PRs that are so trivial that they need not be included.
• If a new flag is being introduced, review whether it is really needed. The flag names should be clear and intuitive (as far as possible), and the flag's help should be descriptive.

Bug fixes

• There should be at least one unit or end-to-end test.
• The Pull Request description should either include a link to an issue that describes the bug OR an actual description of the bug and how to reproduce, along with a description of the fix.

Non-trivial changes

• There should be some code comments as to why things are implemented the way they are.

New/Existing features

• Should be documented, either by modifying the existing documentation or creating new documentation.
• New features should have a link to a feature request issue or an RFC that documents the use cases, corner cases and test cases.

Backward compatibility

• Protobuf changes should be wire-compatible.
• Changes to _vt tables and RPCs need to be backward compatible.
• vtctl command output order should be stable and awk-able.

[deepthi]

@ajm188 what is the guidance on new command-line flags added to binaries?
dash or underscore?

[deepthi]

Suggested change

	maxTimeToRetryErrors = flag.Duration("vreplication_max_time_to_retry_errors", 15*time.Minute, "stop trying to retry after this time")
	maxTimeToRetryErrors = flag.Duration("vreplication_max_time_to_retry_errors", 15*time.Minute, "stop retrying after this time")

[mattlord]

Should be dashes but I also think that consistency is important and that we should migrate all Vitess flag names from underscores to dashes, either early in 15.0 or 16.0 SNAPSHOT.

[deepthi]

that makes sense. we can do them all at once (and allow both versions for at least one release).

[mattlord]

I had a few questions/nits, but I LOVE this! We can then store this information e.g. in the _vt.vdiff table too.

The only thing that kept me from approving -- as most of my comments are not blockers and subjective preference -- is that I think using vterrors would be better. What do you think?

Thanks!

ℹ️ Note: I think that we should backport this to 14.0.0, but no further. I added the label and updated the description accordingly, but if you disagree I can undo those changes (already discussed with @deepthi).

[mattlord]

Suggestion:
stop automatically retrying when we've had consecutive failures with the same error for this long after the first occurrence

[mattlord]

Log flushes can potentially be slow and IMO we should avoid them in the hot path when possible. Are you adding these for local debugging during feature development? It also shouldn't be necessary, I don't think (and also may not be an issue to flush), as I believe STDERR is used for the error log and that is unbuffered by default anyway.

[shlomi-noach]

Though I'm not sure why flush is used here in particular, I think this point of code is infrequent enough that it can justify flush`.

[rohit-nayak-ps]

Was leftover from a debug session, removed

[mattlord]

Nit, but I think this method should be called shouldRetry() rather than canRetry().

[mattlord]

Can we make this a vterror instead? That way we can enforce a meaningful error type and code as part of the structure. That should make it much easier to classify different ones based on the error code.

[mattlord]

Is this intended to be a short summary or just a key?

[mattlord]

The type is lastError so using lastError in the field names feels redundant. Can we call them ~:

error         vterror
firstSeen     time.Time
mu            sync.Mutex

[mattlord]

Again, IMO we should call this shouldRetry() as we always can. It's an (annoying) nit though, I know.

[mattlord]

log.Errorf("The same error has been seen continuously since %s, we will assume this is a non-recoverable error and will not retry anymore; the workflow will need to be manually restarted once error '%s' has been addressed",

[shlomi-noach]

This looks great! The code change is small and simple and solves a big problem. My only request for change is dealing with unexpected input value for --vreplication_max_time_to_retry_errors

[mattlord]

@rohit-nayak-ps I tried to address my own nits and comments here: 6e26308

I can revert some or all of it if you disagree, but I thought you'd be fine with them so attempted to save you some time. 🙂

@shlomi-noach for the input validation, were you thinking something like this?

diff --git a/go/vt/vttablet/tabletmanager/vreplication/controller.go b/go/vt/vttablet/tabletmanager/vreplication/controller.go
index cf906cebcf..945fcc695c 100644
--- a/go/vt/vttablet/tabletmanager/vreplication/controller.go
+++ b/go/vt/vttablet/tabletmanager/vreplication/controller.go
@@ -48,7 +48,7 @@ var (
        _          = flag.Duration("vreplication_healthcheck_timeout", 1*time.Minute, "healthcheck retry delay")
        retryDelay = flag.Duration("vreplication_retry_delay", 5*time.Second, "delay before retrying a failed workflow event in the replication phase")

-       maxTimeToRetryError = flag.Duration("vreplication_max_time_to_retry_on_error", 15*time.Minute, "stop automatically retrying when we've had consecutive failures with the same error for this long after the first occurrence")
+       maxTimeToRetryError = flag.Duration("vreplication_max_time_to_retry_on_error", 15*time.Minute, "stop automatically retrying when we've had consecutive failures with the same error for this long after the first occurrence (min: vreplication_retry_delay * 5, max: 24 hours)")
 )

 // controller is created by Engine. Members are initialized upfront.
@@ -81,6 +81,11 @@ func newController(ctx context.Context, params map[string]string, dbClientFactor
        if blpStats == nil {
                blpStats = binlogplayer.NewStats()
        }
+       if *maxTimeToRetryError < *retryDelay*5 {
+               *maxTimeToRetryError = *retryDelay * 5
+       } else if *maxTimeToRetryError > 24*time.Hour {
+               *maxTimeToRetryError = 24 * time.Hour
+       }
        ct := &controller{
                vre:               vre,
                dbClientFactory:   dbClientFactory,

Or did I misunderstand? Thanks!

[shlomi-noach]

@shlomi-noach for the input validation, were you thinking something like this?

Sure! Although, I notice this adds a new dependency on --vreplication_retry_delay, which in itself isn't constrained (what happens if --vreplication_retry_delay is zero or negative?)

[shlomi-noach]

All, let's pursue this PR? As far as I'm concerned, there is just the remaining issue of validating the input; but I'm also OK to merge this as-is to get this fix sooner into main, in the assumption that we will follow up with validation on a different PR. Opinions?

[rohit-nayak-ps]

All, let's pursue this PR? As far as I'm concerned, there is just the remaining issue of validating the input; but I'm also OK to merge this as-is to get this fix sooner into main, in the assumption that we will follow up with validation on a different PR. Opinions?

Agreed that we should merge this soon. I will take a fine look at this later today to review the newer commits and aim to push this today itself.

[shlomi-noach]

flag value validation added in bd1ba9b

[mattlord]

Had a very small nit, but LGTM!

[mattlord]

Nit, but we should capitalize the beginning of log messages.

[shlomi-noach]

I thought it was the other way around? That we had to uncapitalize everything, because those messages are preceded by prefix like Error: ?

[shlomi-noach]

Capitalized per request.

[shlomi-noach]

Cluster (shardedrecovery_stress_verticalsplit_heavy) is super flaky.

[shlomi-noach]

Backport: #10573