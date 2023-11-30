This post talks about a stability problem we have with Tecken, some work we're doing to make it better, and the steps to reproduce the problem in a local dev environment.

The backstory

Tecken has an upload API which takes large payloads of symbols files, processes them, and then uploads them to S3. The payload can be as big as 2 GB and can contain many symbols files. The upload handler code uses the disk to extract the files to and then process them. Processing the payload sometimes exceeds the 5 minute timeout that we have for Gunicorn workers processing HTTP requests. We theorized that when processing exceeds the 5 minute timeout, the Gunicorn manager kills the Gunicorn worker orphaning the files on disk. If this happens enough times, then the disk fills up and the instance throws out-of-disk errors and then the Symbols service starts going sideways.

There are a handful of problems here.

Gunicorn workers sometimes take too long to process an upload request.

When a Gunicorn worker takes more than 5 minutes to process an upload request, the Gunicorn manager kills it off.

We don't know in what scenarios this happens--we have no metrics or logging or anything to tell us how often it happens or in what circumstances.

How often are Gunicorn workers killed because they exceeded the timeout?

What does the payload look like when a Gunicorn worker is killed? Are they big? Do they have a lot of files? Do they have specific kinds of files?

More recently, I wonder whether it happens frequently on Tecken instances that have exceeded the disk iops allotment and are being throttled--instances are c5.large and thus are using EBS disk. Changing that is covered in OBS-68 .

We should look into providing more visibility here. Generally, we need more visibility into the health of the upload API. This is covered in bug 1847235.

Instances that are hitting "disk is full" errors never indicate they're unhealthy in either the ``/__heartbeat__`` or ``/__lbheartbeat__`` endpoints so they never get taken out of service.

This is tricky.

First, there are multiple Gunicorn workers that come and go and there's no centralized place to keep track of how many times a "disk is full" error is kicked up for an instance.

Second, a "disk is full" error could be ephemeral and the Tecken instance could recover. We don't want to mark the instance unhealthy the first time it happens--we probably want to mark it unhealthy if it happens multiple times in a short period of time.

This is an unsolved problem.

Instances run out of disk.

If multiple Gunicorn workers are terminated, an instance accumulates orphaned files on disk and eventually we hit a point where the instance can't handle uploads. There was nothing to reclaim that disk space.

We have mitigated this by adding a disk manager which runs remove_orphaned_files periodically.

This has been working, but it kicks in too slowly. Here's an event in early November where we see instances running out of disk and we see the remove_orphaned_files reclaim disk an hour later.

Grafana panel showing disk usage over two hours for multiple Tecken instances.

Grafana dashboard

When the lines go up, disk is being used for processing files. When an upload request is done being processed, the files are removed, so the line should go back down again.

The problem scenario is when the line goes up and then stays there and doesn't come back down again.

remove_orphaned_files will kick in and delete files that have been on disk for an hour--clearly they've been orphaned at this point. Then the lines will drop precipitously back to normal levels.

In bug 1863007, I dropped the cutoff time from 60 minutes to 15 minutes. That will reduce the time it takes to recoup disk and make it more likely instances won't run out of disk without accidentally incorrectly removing files that are being processed.

The disk manager isn't resilient to ephemeral service issues and silently fails.

We had an incident on September 9th, 2023 where I pushed a crummy change to production that caused the db to be tied up.

The remove_orphaned_files command is a Django command. When it runs, it would first do Django checks one of which was to check if it could connect to the database.

In the case of September 9th, the bug caused the db to be tied up. Then this happened:

remove_orphaned_files would go to do the Django checks and try to connect to the database it would fail to connect to the database, so remove_orphaned_files would exit with a non-zero exit code the script that runs remove_orphaned_files had set -e , so it would exit because remove_orphaned_files exited with a non-zero exit code Honcho would see the disk manager process exit, so it would shut down the web process then Honcho would exit and the Docker container would stop the Tecken instance would then restart the Docker container and we repeat all these steps again

We don't see anything in Sentry because no Sentry events are emitted, but we do see the Docker container flapping in the logs.

So that's bad. We can make this less bad.

remove_orphaned_files doesn't need the database, so we needed to call it with --skip-checks so the Django checks aren't run. That allows it to run even if the db (which it doesn't use) isn't available.

The script shouldn't exit in the case of an error running remove_orphaned_files which eventually leads to the Docker container shutting down. I removed the set -e .

Further, when remove_orphaned_files fails, we need some signal in Sentry about it. I wrap the remove_orphaned_files invocation with a sentry-wrap script we have so if remove_orphaned_files terminates and doesn't manage to send a Sentry event, we still get a Sentry event.

Improving the disk manager's resilience is covered in bug 1853962.

That's the backstory.