Cassandra

There are three distinct production Cassandra clusters in use at WMF.

RESTBase

Originally dedicated to RESTBase for caching of service responses (and still colloquially referred to as the RESTBase cluster). With the deprecation of RESTBase, this cluster is earmarked as multi-tenant, general purpose storage. In addition to the traditional RESTBase datasets, this cluster also provides storage for: the Echo extension (last-seen timestamps).

AQS / Generated Dataset Platform

Originally dedicated to storage of the Analytics Query Service (AQS) datasets (and still frequently referred to as the AQS cluster), this cluster has since been repurposed for multi-tenant storage of generated datasets (which includes the legacy AQS datasets). In addition to AQS, it also serves as storage for: Image suggestions.

Sessionstore

Sessionstore uses Kask with Cassandra (a dedicated cluster for security reasons) as a key-value store for session data.

Cassandra's tunable consistency provides much flexibility, allowing to you to pick and choose amongst the trade-offs commonly associated with replicated storage (see: CAP theorem). However, quorum-based consistency for both reads and writes —which provides strong consistency guarantees, and availability— has proven so compelling that it is has come to be used exclusively at the WMF. As a result, every application at the WMF utilizes a replication factor of 3, per data-center (in support of LOCAL_QUORUM).

Within WMF data-centers, the largest unit of failure we plan for is the row.  As a result, we configure replication in Cassandra such that it never places more than a single replica in the same row; We map rows in our data-centers to Cassandra's notion of a "rack".

RESTBase

AQS / Generated Dataset Platform

Sessionstore

Clusters at the WMF utilize a configuration that permits an arbitrary number of Cassandra nodes (instances) to be ran from a single host. This creates some noteworthy differences when compared to a typical Cassandra install:

• Each configured instance is given a unique identifier, typically from the set [a, z] (hereafter referred to as id)
• Configuration files are located in /etc/cassandra-{id}
• Instances are each assigned a dedicated IPv4 interface (with DNS in the form of {hostname}-{id})
• Each instance has its own systemd unit (named in the form of cassandra-{id})
• A /etc/cassandra-{id}/cqlshrc file is created —readable only by root— populated with superuser credentials and TLS configuration
• Logs are written as /var/log/cassandra/{system,debug}-{id}.log
• As JMX is bound to 0.0.0.0, each instance is given a unique JMX port number
• As a convenience, wrappers for nodetool are installed as nodetool-{id}

See the Tools section below for a number of utilities aimed at easing the administrative burden of a multi-instance configuration.

Rolling restart

Cassandra will take a while (minutes) to start up when the dataset per instance is large. During this time, it is not part of the cluster and does not respond to client requests. It is therefore important to wait for each node to come fully up before proceeding with another node.

There is a cookbook for this, sre.cassandra.roll-restart, which should be run from the cumin server. Example:

cookbook -v sre.cassandra.roll-restart --query restbase1.eqiad.wmnet,restbase2.eqiad.wmnet -r "why we are doing this"

This takes a good while to run. Make sure you're in a screen or tmux.

Restart & check status

(Re)start cassandra: systemctl restart cassandra. The command

nodetool status

should return information and show your node (and the other nodes) as being up. Example output:

root@xenon:~# nodetool status
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address       Load       Tokens  Owns   Host ID                               Rack
UN  10.64.16.149  91.4 KB    256     33.4%  c72025f6-8ad8-4ab6-b989-1ce2f4b8f665  rack1
UN  10.64.0.200   30.94 KB   256     32.8%  48821b0f-f378-41a7-90b1-b5cfb358addb  rack1
UN  10.64.16.147  58.75 KB   256     33.8%  a9b2ac1c-c09b-4f46-95f9-4cb639bb9eca  rack1

The nodetool utility provides many more interesting tools, among them

Stats about a keyspace (~db)

nodetool cfstats org_wikipedia_en_T_parsoid_html | less

Histograms about a table

nodetool cfhistograms org_wikipedia_en_T_parsoid_html data

Take an immutable snapshot of a specific table or all tables

nodetool snapshot [keyspace] [table]

Clear snapshot(s) to recover disk space

nodetool clearsnapshot [keyspace] [table]

See more options with nodetool help

Adding a new (empty) node

Background: docs

Stop the node and wipe the default data (if it started up) with rm -r /var/lib/cassandra/*.

Remove itself temporarily from its own seeds list in /etc/cassandra/cassandra.yaml. This makes sure that the node goes through a full bootstrap process before fully joining the cluster and accepting requests (see this ticket for background).

Now, start the node. If everything goes well the cassandra node should automatically join the cluster after going through a bootstrap ('joining') phase. Verify with nodetool status as above.

On Bootstrapping

During the bootstrap, data will stream in such a way as to avoid consistency violations. Simply put, the data will be streamed from the node that is giving up the range (primary, or otherwise), and other replicas are not considered. This can result in a lack of streaming concurrency, and a slower bootstrap. For example, consider the case where replication factor is 3, and there are 5 nodes in the cluster, with 2 nodes each in rack A and B, and one in rack C. If a new node is bootstrapped into rack C, all of the data loaded onto the new node will stream from the lone node in rack C.

This behavior can be overridden (if say for example, the single target node were down), by adding the -Dconsistent.rangemovement=false JVM property during startup of the joining node. Tread carefully though, data loss is possible!

See CASSANDRA-2434.

Getting a CQL shell

The cassandra-tools-wmf package ships a wrapper, c-cqlsh, that makes obtaining a CQL shell less cumbersome. The wrapper makes use of a cqlshrc pre-populated with superuser credentials and TLS configuration (see: Multi-instance Cassandra). The file is only readable by root, so the wrapper must be run as root:

$ sudo c-cqlsh {id} [args...]

See also: the full CQL reference documentation.

Installing and generating certificates

Cassandra traffic between datacenters travels encrypted as per https://phabricator.wikimedia.org/T108953.

There are two ways to add TLS support for a Cassandra cluster:

• Using the PKI infrastructure. This is only supported for Cassandra 4+, and it is the easiest way. It is sufficient to add pki configs to the Cassandra settings in puppet, and to set the Keystore's password in Puppet private. The Cassandra instances will pick up any new certificate that Puppet will rollout automatically without the need of a restart.
• Using cassandra-ca-manager. The per-host keypairs live in private.git on the puppetmaster host (Feb 2021 on puppetmaster1001) under /srv/private/modules/secret/secrets/cassandra. To (re)generate the keypairs a script named cassandra-ca-manager is used, the script is driven by YAML configuration files, one per cassandra cluster. The YAML configuration contains one entry per host plus information for the CA itself, and it is designed to be idempotent. If a certain host in the configuration file is missing its keypair it will be (re)generated when invoking the script (on the puppetmaster, from the puppet.git checkout), for example:

 cd /srv/private/modules/secret/secrets/cassandra/
 /usr/local/bin/cassandra-ca-manager services-test.yaml

where the yaml file should be the one for the service for which you need certs; for example for restbase, the file restbase.yaml. Once generated and committed the new private material will be deployed at the next puppet run. Also, when adding a new host don't forget to update labs/private.git too and (re)generate the fake private material.

Rollover / expiration

Certificates created via cassandra-ca-managerare generated with two year expiration, around that time (see also https://phabricator.wikimedia.org/T120662 for monitoring) it is sufficient to delete the old keypairs and generate new ones. Once puppet has deployed the new keypair it should be sufficient to roll-restart Cassandra.

All keypairs are signed by a CA which is part of a truststore, adding a new CA to the truststore will effectively trust both. Another way to achieve rollover is also by issuing another certificate for the CA with extended expiration without changing the private key, in practice this means deleting rootCa.crt and invoking cassandra-ca-manager again.

If the cluster is configured via PKI there is no action needed, the new certificate will be created by puppet automatically and Cassandra will pick it up and reload it (without the need of a restart).

Add a new host to a multi-instance cluster

Provisioning

Once a server is in the right state to be deployed to, first ensure that the correct DNS setup has been completed. RESTBase hosts for example have three additional addresses added as aliases for the system's main interface. These are usually created along with the host's base DNS record (restbaseNNNN) during setup via Netbox using the checkbox for Restbase hosts, but you should make sure that restbaseNNNN-a, restbaseNNNN-b and restbaseNNNN-c have all been created in DNS. Ideally these addresses are sequential from the base address but this is not required. These addresses should be specified in DNS and Netbox.

Once the host is configured correctly:

• Add host definitions in hiera - look at the existing hosts in the chosen datacenter to determine which rack the hosts should go into. Generally distribution between racks should be as even in number as possible. The jbod_devices parameter is dependent on the disk layout of the hosts in question. If you're not changing the layout elsewhere, it's generally okay to reuse the layout of previous hosts - verify this on the new host before reprovisioning it.
• Add the host definitions to the relevant hierdata
• Add the hosts to the datacenter hierdata - these are used only for configuring the rate limiting service and its firewall in puppet and in Scap3.
• Add certificates for the host on the main puppetmaster's /srv/private repo. Search the commit history for previous restbase host additions for examples. Generate the new certificates from the cassandra certs directory by running cassandra-ca-manager $cluster.yaml.
• Change the hosts' roles - by default hosts will be using insetup.

Example links for historical changes shown for context.

Generally it's a good idea to do the above one host at a time. Adding new hosts to the large Cassandra clusters can take a long time and so it's best to just proceed slowly one by one if you have many hosts to add at once rather than have to worry about juggling downtimes.

Cassandra setup

Once the host is fully provisioned, it can be added instance by instance (restbaseNNNN-a, then restbaseNNNN-b, then restbaseNNNN-c) to the Cassandra cluster. Topology changes are costly events in Cassandra and for this reason only ever add one node to the cluster at a time. To start bootstrapping the "a" instance, simply run sudo touch /etc/cassandra-a/service-enabled and sudo run-puppet-agent. This will start the respective cassandra instance and in time it will start bootstrapping itself. To monitor the progress of node a's updates, run cassandra-streams -nt nodetool-a from the bootstrapping host or c-any-nt status -r| grep restbaseNNNN from another host in the cluster. A host can be considered fully bootstrapped when the instance when c-any-nt status -r | grep restbaseNNNN shows the node in status "UN". Hosts still in the process of joining will show status "UJ".

The process of adding a single node can take a long time - even beginning the bootstrap process can take upwards of an hour, and the process itself can take around 5-6 hours. For this reason, it is imperative that you manage your downtimes appropriately to prevent disruption (in short, use the sre.hosts.downtime cookbook).

When waiting for the bootstrapping process to start, it is perfectly normal to see the message "Migration task failed to complete" in the system logs for the instance in question. This can be ignored.

A corrupt commitlog segment prevents node startup

If Cassandra startup fails with log messages that indicate a corrupt commitlog segment (i.e. checksum failures, etc), it is generally acceptable to delete the offending file, and try again.

• Logs: /var/log/cassandra/system.log has very detailed information on what's going on.
  • Grep for 'GCInspector' to search for slow GCs
• There are a number of Grafana dashboards linked from the main dashboard - ensure you're looking at the right keyspace or cluster.

RESTBase (major Cassandra user)

• Grafana: RESTBase service dashboard (as distinct from the RESTBase Cassandra cluster)
• Logstash: RESTBase dashboard (indirect)

On going cassandra bootstrap/decommission

While performing a node bootstrap or decommission it is possible to "monitor" the transfers using cassandra-streams -nt nodetool-a.

Alternatively its progress can be monitored with something like: (change nodetool-a with the "right" nodetool) watch -d -n300 "nodetool-a netstats -H | grep total"

cassandra-tools-wmf

c-cqlsh

Synopsis

c-cqlsh <id>

Description

Given an instance ID, executes cqlsh on that instance. Uses the the cqlshrc file located in the instance's configuration directory.

Example

$ c-cqlsh a
Connected to services-test at 10.64.0.202:9042.
[cqlsh 5.0.1 | Cassandra 2.2.6 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>

c-any-nt

Synopsis

c-any-nt <arg> [arg ...]

Description

In a WMF multi-instance environment, executes nodetool on a randomly chosen instance (any instance).

Example

$ c-any-nt status -r
...

c-foreach-nt

Synopsis

c-foreach-nt <arg> [arg ...]

Description

In a WMF multi-instance environment, iteratively execute nodetool on all local Cassandra instances.

Example

$ c-foreach-nt version
a: ReleaseVersion: 2.2.6
b: ReleaseVersion: 2.2.6

c-foreach-restart

Synopsis

usage: c-foreach-restart [-h] [-a ATTEMPTS] [-r RETRY]
                          [--execute-post-shutdown CMD] [-d DELAY]
                          [--logmsgbot LOGMSGBOT] [--tcpircbot-host HOST]
                          [--tcpircbot-port PORT] [--phabricator-issue ISSUE]
 
 Cassandra instance restarter
 
 optional arguments:
   -h, --help            show this help message and exit
   -a ATTEMPTS, --attempts ATTEMPTS
                         Maximum number of times to check if service is up
                         after restarting.
   -r RETRY, --retry RETRY
                         Number seconds between connection attempts, in
                         seconds.
   --execute-post-shutdown CMD
                         Command to execute after Cassandra has been shutdown,
                         and before it is started back up.
   -d DELAY, --delay DELAY
                         Delay between instance restarts (defaults to no
                         delay).
   --logmsgbot
                         Log restarts to SAL (via logmsgbot and #wikimedia-
                         operations).
   --tcpircbot-host HOST
                         tcpircbot hostname. Only valid when --logmsgbot is
                         used. Default: einsteinium.wikimedia.org
   --tcpircbot-port PORT
                         tcpircbot port number. Only valid when --logmsgbot is
                         used. Default: 9200
   --phabricator-issue ISSUE
                         Phabricator issue to associate these restarts with.
                         This currently only makes sense in combination with
                         --logmsgbot where it is included in the formatted log
                         message.

Description

In a WMF multi-instance environment, iteratively restart instances.

Each instance is drained prior to being restarted. After each restart, the process blocks until the CQL port is listening.

Commands specified by --execute-post-shutdown can include the {id} template which will be substituted with the ID of the instance being restarted.

Example

$ sudo c-foreach-restart --execute-post-shutdown="echo '{id} is a teapot, short and stout'"
...

c-ls

Synopsis

c-ls

Description

List the IDs of the locally configured instance IDs.

Example

$ c-ls
a
b
c

streams

Synopsis

streams [-h] [-nt CMD]
 
 Cassandra streams monitor
 
 optional arguments:
   -h, --help            show this help message and exit
   -nt CMD, --nodetool CMD
                         Nodetool command to use

Description

Realtime console monitoring of streaming operations.

Example

$ streams -nt nodetool-b

uyaml

Synopsis

uyaml [-h] yaml path
 
 YAML parser
 
 positional arguments:
   yaml        YAML file to parse
   path        Path to parse from file
 
 optional arguments:
   -h, --help  show this help message and exit

Description

Query attributes from a YAML file.

Example

$ uyaml /etc/cassandra-instances.d/restbase1007-a.yaml /jmx_port
7189
$ for i in `c-ls`; do uyaml /etc/cassandra-instances.d/restbase1007-$i.yaml /jmx_port; done
7189
7190
7191

cassandra-ca-manager

cassandra-ca-manager: manage Java keystores with a self-signed certificate authority

cdsh

cdsh: a Cassandra cluster wrapper for dsh

Monitor compactions

nuria@aqs1004:~$ nodetool-a compactionstats -H
pending tasks: 998
                                     id   compaction type                                           keyspace   table   completed       total    unit   progress
   88386550-6f46-11e6-908d-b320c64aa5c2        Compaction   local_group_default_T_pageviews_per_article_flat    data   333.74 GB    339.6 GB   bytes     98.27%
   0ee1fe70-6f99-11e6-908d-b320c64aa5c2        Compaction   local_group_default_T_pageviews_per_article_flat    data   156.05 GB   336.07 GB   bytes     46.43%
   e9461700-6ecb-11e6-908d-b320c64aa5c2        Compaction   local_group_default_T_pageviews_per_article_flat    data    710.8 GB   896.46 GB   bytes     79.29%
Active compaction remaining time :   0h24m46s
 

Bootstrap a brand new cluster

When bootstrapping a new cluster at least one of the seeds will need to have auto_bootstrap: false in /etc/cassandra/cassandra.yaml to prevent it from asking (and failing) to bootstrap from other seeds.

Chances are you are bootstrapping a new cluster from freshly-installed machines, thus cassandra would have run at least once and we need to remove its data files.

NOTE this procedure is meant to be run only on a brand new cluster and NOT ON EXISTING CLUSTERS

 service cassandra stop
 rm -rf /var/lib/cassandra/*
 # this is needed only on one of the seeds
 grep -q 'auto_bootstrap: false' /etc/cassandra/cassandra.yaml || echo 'auto_bootstrap: false' >> /etc/cassandra/cassandra.yaml
 service cassandra start

once the node has started, you can stop/wipe/start the other seeds.

Switch to multiple cassandra instances per hardware node

As per the work in https://phabricator.wikimedia.org/T95253 and related, we have the capability of running multiple (up to four ATM) cassandra instances per hardware node. A single node can be converted in place from single instance to multiple instances by first decommissioning the node in cassandra, reimage and assign new IP/names for the instances in DNS and puppet.

1. Allocate IP addresses in DNS for instance(s) (e.g. https://gerrit.wikimedia.org/r/#/c/249152/)
2. Generate instance(s) TLS certificates (see palladium:/srv/private/modules/secret/secrets/cassandra)
   1. Also generate new material in labs/private.git for puppet compiler's benefit
3. Stop cassandra from being restarted with systemctl mask cassandra
4. Run nodetool decomission on the node to be converted
5. (In parallel too) Add the new instance(s) to the list of known seeds (e.g. https://gerrit.wikimedia.org/r/#/c/250985/) so they are known to cassandra and allowed in ferm
6. Reimage the machine
7. Add one instance at a time to the reimaged machine (e.g. https://gerrit.wikimedia.org/r/#/c/250975/) once puppet runs it will provision the additional instance

Handling JBOD disk failures

Modern versions of Cassandra (those which include CASSANDRA-6696) are capable of using JBOD. A JBOD configuration is accomplished by simply supplying a list of paths as the data_file_directories directive.

The Wikimedia convention is to mount the respective devices as /srv/{device} (e.g. /srv/sda4, /srv/sdb4, etc), with data_file_directories in the form of /srv/{device}/cassandra-{id}/data. Common data should be placed somewhere with single device redundancy (e.g. RAID-10), mounted as /srv/cassandra/instance-data

Authentication

Authentication is enabled in cassandra.yaml by setting the authenticator and authorizer directives to PasswordAuthenticator and CassandraAuthorizer respectively. When so enabled, Cassandra will automatically create a system_auth keyspace at first start, and a default (super-)user named cassandra, with a password of cassandra. Replication should be set accordingly on this new keyspace, and a new super-user with a strong password created.

First, connect to the cluster using the default credentials and alter the keyspace:

$ cqlsh -u cassandra -p cassandra
cassandra@cqlsh> ALTER KEYSPACE system_auth WITH replication = { 'class': 'SimpleStrategy', 'replication_factor': 3 };

Next, create a new super-user:

cassandra@cqlsh> CREATE USER IF NOT EXISTS admin WITH PASSWORD 'sup3rs3kr3t' SUPERUSER;

Users are not permitted to delete themselves, so exit the shell and reconnect as the new super-user:

cassandra@cqlsh> exit
$ cqlsh -u admin -p sup3rs3kr3t

Delete the default super-user:

admin@cqlsh> DROP USER IF EXISTS cassandra;

For authenticated application access, create a normal user:

admin@cqlsh> CREATE USER IF NOT EXISTS restbase WITH PASSWORD 'moars3kr3t' NOSUPERUSER;

Replicating system_auth

Authentication and authorization information is maintained in the system_auth keyspace, which by default uses SimpleStrategy and a replication factor of 1. This is definitely not what you want; A single node failure can prevent you from accessing your database! Best practice is to configure a replication factor of 3-5 per data-center.

Please check Incident documentation/20170223-AQS before proceeding, increasing the replication of system_auth on a live cluster may lead to outages.

Time-window compaction strategy

See Cassandra/TimeWindowCompactionStrategy.

Prometheus JMX Exporter

See Cassandra/PrometheusJmxExporter.

• Hardware and instance sizing
• Tuning
• Old Cassandra testing notes -- mostly about avoiding OOM at high write volumes