Fix how we cancel the context in the builtin backup engine

[frouioui]

Description

This PR makes sure we cancel the context only at the correct time. It was getting canceled too early which could lead to incomplete/failing backups with storage implementations that write concurrently (Ceph and S3).

This regression was introduced by: #16856, backporting this to release-21.0 as the issue was introduced there. It would lead to the following error:

commerce/0 (zone1-0000000102): time:{seconds:1732657021 nanoseconds:695573000} file:"builtinbackupengine.go" line:509 value:"resetting mysqld super_read_only to true"
commerce/0 (zone1-0000000102): time:{seconds:1732657021 nanoseconds:696651000} file:"builtinbackupengine.go" line:526 value:"restarting mysql replication"
E1126 15:37:02.757871   98619 main.go:56] rpc error: code = Unknown desc = TabletManager.Backup on zone1-0000000102: operation error S3: PutObject, https response error StatusCode: 0, RequestID: , HostID: , canceled, context canceled;operation error S3: PutObject, https response error StatusCode: 0, RequestID: , HostID: , canceled, context canceled;operation error S3: PutObject

[vitess-bot]

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

• Ensure that the Pull Request has a descriptive title.
• Ensure there is a link to an issue (except for internal cleanup and flaky test fixes), new features should have an RFC that documents use cases and test cases.

Tests

• Bug fixes should have at least one unit or end-to-end test, enhancement and new features should have a sufficient number of tests.

Documentation

• Apply the release notes (needs details) label if users need to know about this change.
• New features should be documented.
• There should be some code comments as to why things are implemented the way they are.
• There should be a comment at the top of each new or modified test to explain what the test does.

New flags

• Is this flag really necessary?
• Flag names must be clear and intuitive, use dashes (-), and have a clear help text.

If a workflow is added or modified:

• Each item in Jobs should be named in order to mark it as required.
• If the workflow needs to be marked as required, the maintainer team must be notified.

Backward compatibility

• Protobuf changes should be wire-compatible.
• Changes to _vt tables and RPCs need to be backward compatible.
• RPC changes should be compatible with vitess-operator
• If a flag is removed, then it should also be removed from vitess-operator and arewefastyet, if used there.
• vtctl command output order should be stable and awk-able.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.39%. Comparing base (8648264) to head (4cc10e5).
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17285      +/-   ##
==========================================
- Coverage   67.40%   67.39%   -0.02%     
==========================================
  Files        1574     1574              
  Lines      253205   253217      +12     
==========================================
- Hits       170676   170643      -33     
- Misses      82529    82574      +45     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[shlomi-noach]

Please see inline question - I unfortunately do not follow the logic.

[shlomi-noach]

I'm not sure I follow:

• It looks as if the function can exit and still leave the context active, in which case, what is cancelling it?
• If we still have operations in flight, why would we exit the function? Should we not wait until everything is complete?

Something feels off here, as an anti-pattern.

[frouioui]

The S3 and Ceph uploads may be incomplete by the time we return from this function. Writing to the buffers used by these storage implementation will be complete (which is how we're able to return from be.backupFile and be.backupFiles), but the actual reading from the buffer and uploading to the remote storage will/may not be complete. If we cancel the context too early, unfinished uploads will be canceled and marked as failed.

It is only at a later stage where we wait for all the uploads to be finished with the EndBackup method on the backup handle:

vitess/go/vt/mysqlctl/backup.go

Lines 190 to 191 in 16fa7a3

	case BackupUsable:
	finishErr = bh.EndBackup(ctx)

At this stage we will observe the failures created by the S3 or Ceph storage implementation and will decide to fail - even though we have already uploaded the backup (including the MANIFEST) and restarted MySQL.

There is definitely something off with this code. We must wait for the full backup (writing to the backend storage included) to complete before going forward with writing the MANIFEST and assuming the backup is useable. This is something that I am implementing along with a retry mechanism on: #17271.

[frouioui]

what is cancelling it?

The caller of ExecuteBackup will eventually cancel it, whether it is through a gRPC call or through vtbackup, the context always gets canceled.

[shlomi-noach]

Thank you for the clarity! ❤️

[dbussink]

@frouioui How can it ever cancel it? ctx might be cancelled, but ctxCancel is not? That leads to a memory leak.

So even if the outer context is cancelled, we still need to cancel this inner one to avoid the memory leak.