tablet should stay healthy while running xtrabackup

[deepthi]

Fixes #5062.
As documented in the issue, here's how we address this:

• don't take actionMutex lock while running xtrabackup
• introduce a boolean _isBackupRunning
• only allow a backup to start if _isBackupRunning is false
• protect updates to boolean using the mutex lock
• export this boolean to debug/vars so that there is a way for people to know that a backup is running

Signed-off-by: deepthi deepthi@planetscale.com

[enisoc]

Just had a thought: Should we have a separate lock to allow only one backup at a time? I guess technically it might work to have multiple xtrabackups running, but it's probably not a good idea?

[derekperkins]

Would not locking allow it to be promoted to master? Is that ok?

[morgo]

+1 for cluster backup lock. It is unlikely you would want a new backup if one is already running, and limiting it helps ensure service only degrades so much.

[enisoc]

Hm as far as the tablet is concerned, I think that would be acceptable. It's better than blocking promotion to master because xtrabackup is running; presumably you are promoting this one because the current master is in bad shape anyway. WDYT?

I don't know for sure if XtraBackup will still produce a consistent snapshot in that case, but I would expect it to.

[derekperkins]

I don't know a specific reason for it to not be promoted to master, just bringing it up for discussion. Would the tablet type still read BACKUP? My guess is that would prevent most workloads from choosing it to failover to, even though they probably should like you said.

[deepthi]

we are not changing the tablet type to BACKUP while xtrabackup is running, which means a REPLICA would be eligible for master promotion.

[derekperkins]

That makes sense. Will there be any knowledge that a backup is running? I would imagine that when selecting a tablet for master promotion, you'd want to prefer a replica not currently running a backup. I would hope to get that info in wr.ShardReplicationStatuses or something like it.

[deepthi]

there should be, but I don't think there is now. Another thing we should fix.

[enisoc]

I tried out this patch with a set of 250G shards that take 1.5hrs to back up, and the tablets stayed healthy.

[deepthi]

I think we'll need to rework this. Apparently the actionMutex that agent.lock() acquires a lock on is the right one, because it prevents two actions from running in parallel. This means that we need to find out why healthcheck is blocked when the actionMutex is locked.

[deepthi]

Testing update:

• unit test for stats - turns out there is a reason we can't unit test action_agent stats. It is because stats vars are global and we create >1 TestActionAgent in the tests.
• test that tablet actually stays healthy - verified by @enisoc
• test that a call to Backup fails if a backup is already running - verified on local cluster
• sanity test of debug/vars - verified on local cluster

[deepthi]

@enisoc @sougou this is ready for review. Let me know if you feel that we need an integ test for multiple backups running at one time.
cc @rafael

[sougou]

One nit. I'll let @enisoc do the full review.

[sougou]

This should be done while holding the lock. Same thing while exporting stats. And same comments in Backup

[enisoc]

+1 but be careful to release the lock before returning. I recommend a pair of helpers like agent.beginOnlineBackup() and agent.endOnlineBackup() to handle the locking and stats update. Then you can use defer agent.mutex.Unlock() inside each helper, and I think you can also defer agent.endOnlineBackup() here so it's guaranteed for any return path.

[deepthi]

I have called them beginBackup and endBackup. we set _isBackupRunning to true or false and then export the right value in the stats so that regardless of online/offline, we can see the stats in /debug/vars or prometheus metrics.

[enisoc]

+1 but be careful to release the lock before returning. I recommend a pair of helpers like agent.beginOnlineBackup() and agent.endOnlineBackup() to handle the locking and stats update. Then you can use defer agent.mutex.Unlock() inside each helper, and I think you can also defer agent.endOnlineBackup() here so it's guaranteed for any return path.

[enisoc]

lgtm