5636 Commits

Author SHA1 Message Date
antirez
821a986643 Sentinel: fix bug in config rewriting during failover
We have a check to rewrite the config properly when a failover is in
progress, in order to add the current (already failed over) master as
slave, and don't include in the slave list the promoted slave itself.

However there was an issue, the variable with the right address was
computed but never used when the code was modified, and no tests are
available for this feature for two reasons:

1. The Sentinel unit test currently does not test Sentinel ability to
persist its state at all.
2. It is a very hard to trigger state since it lasts for little time in
the context of the testing framework.

However this feature should be covered in the test in some way.

The bug was found by @badboy using the clang static analyzer.

Effects of the bug on safety of Sentinel
===

This bug results in severe issues in the following case:

1. A Sentinel is elected leader.
2. During the failover, it persists a wrong config with a known-slave
entry listing the master address.
3. The Sentinel crashes and restarts, reading invalid configuration from
disk.
4. It sees that the slave now does not obey the logical configuration
(should replicate from the current master), so it sends a SLAVEOF
command to the master (since the slave master is the same) creating a
replication loop (attempt to replicate from itself) which Redis is
currently unable to detect.
5. This means that the master is no longer available because of the bug.

However the lack of availability should be only transient (at least
in my tests, but other states could be possible where the problem
is not recovered automatically) because:

6. Sentinels treat masters reporting to be slaves as failing.
7. A new failover is triggered, and a slave is promoted to master.

Bug lifetime
===

The bug is there forever. Commit 16237d78 actually tried to fix the bug
but in the wrong way (the computed variable was never used! My fault).
So this bug is there basically since the start of Sentinel.

Since the bug is hard to trigger, I remember little reports matching
this condition, but I remember at least a few. Also in automated tests
where instances were stopped and restarted multiple times automatically
I remember hitting this issue, however I was not able to reproduce nor
to determine with the information I had at the time what was causing the
issue.
2015-06-12 18:36:17 +02:00
Salvatore Sanfilippo
4b5a0f0376 Merge pull request #2614 from linfangrong/patch-1
Update t_zset.c
2015-06-11 15:15:22 +02:00
antirez
8366907bed Use best effort address binding to connect to the master
We usually want to reach the master using the address of the interface
Redis is bound to (via the "bind" config option). That's useful since
the master will get (and publish) the slave address getting the peer
name of the incoming socket connection from the slave.

However, when this is not possible, for example because the slave is
bound to the loopback interface but repliaces from a master accessed via
an external interface, we want to still connect with the master even
from a different interface: in this case it is not really important that
the master will provide any other address, while it is vital to be able
to replicate correctly.

Related to issues #2609 and #2612.
2015-06-11 14:34:38 +02:00
antirez
a017b7ec0e anet.c: new API anetTcpNonBlockBestEffortBindConnect()
This performs a best effort source address binding attempt. If it is
possible to bind the local address and still have a successful
connect(), then this socket is returned. Otherwise the call is retried
without source address binding attempt.

Related to issues #2609 and #2612.
2015-06-11 14:34:38 +02:00
antirez
8fa8b251a9 anetTcpGenericConnect(), jump to error not end on error
Two code paths jumped to the "ok, return the socket to the user" code
path to handle error conditions.

Related to issues #2609 and #2612.
2015-06-11 14:34:38 +02:00
antirez
a401a84eb2 Don't try to bind the source address for MIGRATE
Related to issues #2609 and #2612.
2015-06-11 14:34:38 +02:00
Ben Murphy
ffd6637e90 hide access to debug table 2015-06-03 13:33:28 +02:00
Ben Murphy
fdf9d45509 disable loading lua bytecode 2015-06-03 13:33:28 +02:00
antirez
357a40c4fc Scripting: Lua cmsgpack lib updated to include str8 support 2015-06-03 08:44:43 +02:00
linfangrong
0dc6a5d497 Update t_zset.c 2015-06-02 18:12:57 +08:00
antirez
28a250d9e4 Merge branch 'zaddnx' into unstable 2015-05-29 12:26:27 +02:00
antirez
39b49bcaaf Test: ZADD CH tests 2015-05-29 11:34:43 +02:00
antirez
d8a8dca7fd ZADD RETCH option renamed CH
From Twitter:

    "@antirez that’s an awfully-named command :(
     http://en.wikipedia.org/wiki/Retching"
2015-05-29 11:32:22 +02:00
antirez
23ba5c1092 Test: ZADD INCR test 2015-05-29 11:28:52 +02:00
antirez
910e72d1c1 Test: ZADD NX and XX options tests 2015-05-29 11:23:49 +02:00
antirez
c043a4e6f4 ZADD RETCH option: Return number of elements added or updated
Normally ZADD only returns the number of elements added to a sorted
set, using the RETCH option it returns the sum of elements added or
for which the score was updated.
2015-05-29 11:22:03 +02:00
antirez
5d32abbb9e ZADD NX and XX options 2015-05-29 09:59:42 +02:00
antirez
382a943414 ZADD implemenation able to take options. 2015-05-28 18:10:51 +02:00
Salvatore Sanfilippo
a391c36324 Merge pull request #2586 from huachaohuang/patch-1
Update anet.c
2015-05-28 15:10:25 +02:00
Salvatore Sanfilippo
c3297a7292 Merge pull request #2587 from itamarhaber/patch-5
Removed incorrect suggestion
2015-05-28 15:09:51 +02:00
Salvatore Sanfilippo
4082c38a60 Merge pull request #2571 from therealbill/sentinel-flushconfig-command
adding a sentinel command: "flushconfig" per RCP4
2015-05-25 12:06:25 +02:00
antirez
20700fe566 Sentinel: clarify effect of resetting failover_start_time. 2015-05-25 10:32:28 +02:00
antirez
5080f2d699 Sentinel: help subcommand in simulate-failure command 2015-05-25 10:24:27 +02:00
antirez
fb3af75f74 Sentinel: initial failure simulator implemented
This commit adds the SENTINEL simulate-failure, that sets specific
hooks inside the state machine that will crash Sentinel, for testing
purposes.
2015-05-22 11:49:11 +02:00
Itamar Haber
575eeb1a1c Removed incorrect suggestion
DEL/INCR/DECR and others could be NTH but apparently never made it to the implementation of SORT
2015-05-21 13:24:51 +03:00
Huachao Huang
8c423c0bd6 Update anet.c 2015-05-21 17:40:17 +08:00
antirez
c54de703f2 Sentinel: fix sentinelTryConnectionSharing() by checking for no match
Trivial omission of the obvious no-match case.
2015-05-20 09:59:55 +02:00
antirez
164b6bbab5 Merge branch 'sentinel-32' into unstable 2015-05-19 12:26:57 +02:00
antirez
d614f1c37e Sentinel: CKQUORUM tests 2015-05-19 12:26:09 +02:00
antirez
abc65e8987 Sentinel: SENTINEL CKQUORUM command
A way for monitoring systems to check that Sentinel is technically able
to reach the quorum and failover, using the currently visible Sentinels.
2015-05-18 12:57:47 +02:00
antirez
eb138f1511 Rewrite smoveCommand test with ternary operator 2015-05-15 17:38:48 +02:00
Salvatore Sanfilippo
cb9a5a7821 Merge pull request #2529 from gnethercutt/issue_2517
Issue #2517, smove contract violation
2015-05-15 17:36:18 +02:00
Salvatore Sanfilippo
7f7ddbba3c Merge pull request #2573 from HeartSaVioR/fix-protocol-error-log-level
protocol error log should be seen by debug/verbose level
2015-05-15 17:06:18 +02:00
antirez
b43431ac25 Sentinel: port address update code to shared links logic 2015-05-15 09:47:05 +02:00
antirez
4dee18cb66 Sentinel: config-rewrite unique ID just one time 2015-05-14 17:45:09 +02:00
antirez
f9e942d4ae Sentinel: remove debugging message from releaseInstanceLink() 2015-05-14 14:12:45 +02:00
antirez
b44c37482c Sentinel: fix access to NULL link->cc in releaseInstanceLink() 2015-05-14 14:08:23 +02:00
antirez
87b6013adb Sentinel: remove SHARED! debugging printf 2015-05-14 13:40:23 +02:00
antirez
5a0516b5b9 Sentinel: rewrite callback chain removing instances with shared links
Otherwise pending commands callbacks will fire with a reference that no
longer exists.
2015-05-14 13:39:26 +02:00
antirez
05dbc82005 Sentinel: debugging code removed from sentinelSendPing() 2015-05-14 10:52:32 +02:00
antirez
58d2bb951a Sentinel: use active/last time for ping logic
The PING trigger was improved again by using two fields instead of a
single one to remember when the last ping was sent:

1. The "active" ping is the time at which we sent the last ping that
still received no reply. However we continue to ping non replying
instances even if they have an old active ping: the link may be
disconnected and reconencted in the meantime so the older pings may get
lost even if it's a TCP socket.

2. The "last" ping is the time at which we really sent the last ping
on the wire, and this is used in order to throttle the amount of pings
we send during failures (when no pong is received).

All in all the failure detector effectiveness should be identical but we
avoid to flood instances with pings during failures or when they are
slow.
2015-05-14 09:56:23 +02:00
antirez
3ab49895b4 Sentinel: limit reconnection frequency to the ping period 2015-05-13 14:23:57 +02:00
antirez
0eb0b55ff0 Sentinel: PING trigger improved
It's ok to ping as soon as the ping period has elapsed since we received
the last PONG, but it's not good that we ping again if there is a
pending ping... With this change we'll send a new ping if there is one
pending only if two times the ping period elapsed since the ping which
is still pending was sent.
2015-05-12 17:03:53 +02:00
antirez
9d5e2ed392 Sentinel: same-Sentinel link sharing across masters 2015-05-12 17:03:00 +02:00
antirez
e0a5246f06 Sentinel: add sentinelGetInstanceTypeString() fuction
This is useful for debugging and logging activities: given a
sentinelRedisInstance object returns a C string representing the
instance type: master, slave, sentinel.
2015-05-12 12:12:25 +02:00
Jungtaek Lim
6b953a2681 protocol error log should be seen debug/verbose level 2015-05-12 10:04:52 +09:00
antirez
d6e1347869 Sentinel: add link refcount to instance description 2015-05-11 23:49:19 +02:00
therealbill
4e8ccbe7ea adding a sentinel command: "flushconfig"
This new command triggers a config flush to save the in-memory config to
disk. This is useful for cases of a configuration management system or a
package manager wiping out your sentinel config while the process is
still running - and has not yet been restarted. It can also be useful
for scripting a backup and migrate or clone of a running sentinel.
2015-05-11 14:08:57 -05:00
antirez
1029276c0d Sentinel: connection sharing WIP #1 2015-05-11 13:15:26 +02:00
antirez
611283f743 Sentinel: suppress warnings for not used args. 2015-05-08 17:17:59 +02:00