Incidents/2025-03-12 ExternalStorage Database Cluster Overload

Template:Irdoc

Template:Incident scorecard

…

During the scheduled PHP 8.1 Scap rollout for mw-{api-int,parsoid, jobrunner}, on March 12th & 13th 2025, we found ourselves having said deployments running without access to the Memcached cluster and without a valid prometheus StatsD address.

Without Memcached access, MediaWiki had to query the databases for objects that would typically be cached, leading to increased database load. At the time, MediaWiki was pushing stats to both Graphite and prometheus-statsd-exporter, thus the lack of a valid prometheus statsd address had no impact.  

During the incidents, we observed high load and a sharp increase in connections to the External Storage cluster, while the majority of MediaWiki errors (channel: error) visible at the time, were database related. The External Storage hosts are used to store the compressed text content of wiki page revisions

However, there was an overwhelming volume of memcached errors events (channel: memcached, ~2mil/min) which logstash was unable to process quickly enough, resulting in an observability gap where:

• Logstash itself probably was not able to render the channel:memcached logstash dashboard, until after the incident, allowing it to consume all its backlog
• Delays in the s${\displaystyle \mathtt{\text{mw}}\to \mathtt{\text{logstash}}\to \mathtt{\text{prometheus-es-exporter}}\to \mathtt{\text{prometheus}}}$ pipeline pipeline caused the MediaWikiMemcachedHighErrorRate alert to be missing, while the corresponding Grafana graph displayed no data during the incidents.

Both days, after reverting said patches and running helmfile or re-running scap, everything went back to normalTemplate:TOC

All times in UTC.

12th March 2025

• 10:44 Template:Ircnick runs scap to deploy 1126607^[puppet] and 1126650 ^{[deployment-charts]}, for the mw-{api-int,parsoid, jobrunner} PHP 8.1 rollout

• 10:58 UTC: alerts for high backend response times started coming in
• 13:19 Template:Ircnick and Template:Ircnick deployed a patch in cirrus-streaming-updater to reduce SUP parallelism 1126988^{[deployment-charts]}
• 13:33 Template:Ircnick reduces the concurrency of categoryMembershipChange job in changeprop-jobqueue 1127000^{[deployment-charts]}
• 13:44 Template:Ircnick re-run Scap after revering  1126607^[puppet] and 1126650 ^{[deployment-charts]}

13th March 2025

• 11:15 Template:Ircnick begins a scap deployment (yes, again), to deploy 1127476^[puppet] and 1127478^{[deployment-charts]} for the mw-{api-int,parsoid, jobrunner} PHP 8.1 rollout
• 11:34 Template:Ircnick performs a rolling restart on changeprop-jobqueue
• 11:43 Template:Ircnick: rolling restarting mw-api-int
• 11.44 Template:Ircnickdisables the categorymembership job in changeprop-jobqueue 1127500^{[deployment-charts]}
• 11:46 Template:Ircnick reverts 1127476^[puppet] and 1127478^{[deployment-charts]}
• 11:58 Template:Ircnick redeploys mw-api-int to pick up the revert
• 12:07 Template:Ircnick bumps the number of replicas for mw-api-int
• 12:28 Template:Ircnick redeploys mw-jobrunner to pick up the revert
• 14:06 Template:Ircnick redeploys mw-parsoid to pick up the revert

TBA

Key factors that contributed in causing this incident, as well as delaying its root cause, were: scap, php-fpm envvars.inc include file, and the logstash-prometheus pipeline.

Scap is our deployment tool for MediaWiki. Scap takes care of 3 very important steps:

• build and push MediaWiki images
• Update helmfile-defaults with the latest image version tag per deployment, and per release.
  • The image flavour (if it is a 7.4 or a 8.1 image) of each deployment-release combination is defined in puppet in kubernetes.yaml
• Runs helmfile on all deployments running MediaWiki

To provide a visual example, the latest scap run updated the  helmfile-defaults for the main release of mw-parsoid (aka mw-parsoid-main) as follows:

docker:
  registry: docker-registry.discovery.wmnet
main_app:
  image: restricted/mediawiki-multiversion:2025-03-18-101751-publish-81
mw:
  httpd:
    image_tag: restricted/mediawiki-webserver:2025-03-18-101751-webserver

We are exporting two very important environmental variables to php-fpm

• MCROUTER_SERVER: static IP address defined in deployment-charts, essentially the memcached/mcrouter address, defaults to 127.0.0.1:11213
• STATSD_EXPORTER_PROMETHEUS_SERVICE_HOST: populated and injected into pods by the k8s api, unset by default

In kubernetes, we put both variables in a ConfigMap called mediawiki-main-php-envvars, which in turn mount in the container as  /etc/php/<X.Y>/fpm/env/envvars.inc

PHP-FPM reads the enviromental variables from a hardcoded include directory, whose exact location depends on the PHP version.

In the publish-74 container image, that would be:

[www]
listen = ${FCGI_URL}
<snip>
; MediaWiki helm chart via the php.envvars value.
include = /etc/php/7.4/fpm/env/*.inc

In the publish-81 container image, that would be:

[www]
listen = ${FCGI_URL}
<snip>
; MediaWiki helm chart via the php.envvars value.
include = /etc/php/8.1/fpm/env/*.inc

Our PHP 8.1 mw-{api-int,parsoid, jobrunner} rollout consisted of two sister patches:

• 1126607^[puppet] switching  mw-{api-int,parsoid, jobrunner} the MediaWiki image flavour from publish-74 to  publish-81
• 1126650 ^{[deployment-charts]} which in practice would change the mount location of envvars.inc from /etc/php/7.4/fpm/env/envvars.inc to /etc/php/8.1/fpm/env/envvars.inc

We performed a scap deployment to deploy the above. Our expectation was that after the deployment, was that we would have:

• mw-{api-int,parsoid, jobrunner} running the mediawiki-multiversion publish-81 image and
• The mediawiki-main-php-envvars configMap mounted as  /etc/php/8.1/fpm/env/envvars.inc

Due to an unexpected Scap behavior, explained below, what was actually rolled out in production was :

• mw-{api-int,parsoid,jobrunner} running the mediawiki-multiversion publish-74
• The mediawiki-main-php-envvars configMap , mounted at /etc/php/8.1/fpm/env/envvars.inc

As the PHP 7.4 image (publish-74) was in use, the includes under /etc/php/7.4/fpm/env/*.inc, contained default values, so they were not useful.

During the scheduled deployment, the Scap command was executed with the flag -Dbuild_mw_container_image:False. This flag is commonly utilised by Site Reliability Engineers (SREs) as, in most cases, our changes do not necessitate rebuilding container images. Specifically, transitioning the main release of mw-{api-int,parsoid, jobrunner} to the publish-81 image would not require an image rebuild as we have already publish-81 built and cached.

However, this transition would necessitate updates to the helmfile-defaults of the main releases for mw-{api-int,parsoid,jobrunner} so to replace  the latest -publish-74 image tag with the latest -publish-81 . Unfortunately, it was  not immediately apparent that using the flag -Dbuild_mw_container_image:False would additionally cause scap to skip the helmfile-defaults update.

OPTIONAL: General conclusions (bullet points or narrative)

• …

OPTIONAL: (Use bullet points) for example: automated monitoring detected the incident, outage was root-caused quickly, etc

• …

OPTIONAL: (Use bullet points) for example: documentation on the affected service was unhelpful, communication difficulties, etc

• …

OPTIONAL: (Use bullet points) for example: user's error report was exceptionally detailed, incident occurred when the most people were online to assist, etc

• …

Add links to information that someone responding to this alert should have (runbook, plus supporting docs). If that documentation does not exist, add an action item to create it.

• …

Create a list of action items that will help prevent this from happening again as much as possible. Link to or create a Phabricator task for every step.

Add the #Sustainability (Incident Followup) and the #SRE-OnFire Phabricator tag to these tasks.