Cassandra
Clusters
There are four distinct production Cassandra clusters in use at WMF.
Restbase
RESTBase uses Cassandra for caching of responses.
AQS
AQS stores all analytics data in Cassandra
Sessionstore
Sessionstore uses Kask with Cassandra (a dedicated cluster for security reasons) as a key-value store for session data.
Maps
Maps uses Cassandra for storage of rendered vector tiles.
Common admin tasks
Multiinstance nodes, be aware
Have in mind that nodetool commands in multiinstance nodes (new cluster) have to be prefixed, for example nodetool-a runs the following command against instance "a"
nodetool-a tablestats -- local_group_default_T_pageviews_per_article_flat.data
Rolling restart
Cassandra will take a while (minutes) to start up when the dataset per instance is large. During this time, it is not part of the cluster and does not respond to client requests. It is therefore important to wait for each node to come fully up before proceeding with another node.
There is a cookbook for this, sre.cassandra.roll-restart, which should be run from the cumin server. Example:
cookbook -v sre.cassandra.roll-restart --query restbase1.eqiad.wmnet,restbase2.eqiad.wmnet -r "why we are doing this"
This takes a good while to run. Make sure you're in a screen or tmux.
Restart & check status
(Re)start cassandra: systemctl restart cassandra. The command
nodetool status
should return information and show your node (and the other nodes) as being up. Example output:
root@xenon:~# nodetool status Datacenter: datacenter1 ======================= Status=Up/Down |/ State=Normal/Leaving/Joining/Moving -- Address Load Tokens Owns Host ID Rack UN 10.64.16.149 91.4 KB 256 33.4% c72025f6-8ad8-4ab6-b989-1ce2f4b8f665 rack1 UN 10.64.0.200 30.94 KB 256 32.8% 48821b0f-f378-41a7-90b1-b5cfb358addb rack1 UN 10.64.16.147 58.75 KB 256 33.8% a9b2ac1c-c09b-4f46-95f9-4cb639bb9eca rack1
The nodetool utility provides many more interesting tools, among them
- Stats about a keyspace (~db)
nodetool cfstats org_wikipedia_en_T_parsoid_html | less- Histograms about a table
nodetool cfhistograms org_wikipedia_en_T_parsoid_html data- Take an immutable snapshot of a specific table or all tables
nodetool snapshot [keyspace] [table]- Clear snapshot(s) to recover disk space
nodetool clearsnapshot [keyspace] [table]
See more options with nodetool help
Adding a new (empty) node
Background: docs
Stop the node and wipe the default data (if it started up) with rm -r /var/lib/cassandra/*.
Remove itself temporarily from its own seeds list in /etc/cassandra/cassandra.yaml. This makes sure that the node goes through a full bootstrap process before fully joining the cluster and accepting requests (see this ticket for background).
Now, start the node. If everything goes well the cassandra node should automatically join the cluster after going through a bootstrap ('joining') phase. Verify with nodetool status as above.
On Bootstrapping
During the bootstrap, data will stream in such a way as to avoid consistency violations. Simply put, the data will be streamed from the node that is giving up the range (primary, or otherwise), and other replicas are not considered. This can result in a lack of streaming concurrency, and a slower bootstrap. For example, consider the case where replication factor is 3, and there are 5 nodes in the cluster, with 2 nodes each in rack A and B, and one in rack C. If a new node is bootstrapped into rack C, all of the data loaded onto the new node will stream from the lone node in rack C.
This behavior can be overridden (if say for example, the single target node were down), by adding the -Dconsistent.rangemovement=false JVM property during startup of the joining node. Tread carefully though, data loss is possible!
See CASSANDRA-2434.
Re-syncing a node
To fully bring a node up to date after crashes or other outages, run nodetool repair -par -inc on the node, ideally in a screen session (can take a while if the delta is large). This will pull this new node's share of data from other nodes in the cluster in the background.
This command is also run from cron every 24 hours as a kind of background scrubbing process.
Getting a CQL shell
Our cassandra nodes only listen on the public IPs, so you need to use:
cqlsh -u <user> -p <password> <public ip or host name>
See the docs for next steps with CQL.
Installing and generating certificates
Cassandra traffic between datacenters travels encrypted as per https://phabricator.wikimedia.org/T108953. The per-host keypairs live in private.git on the puppetmaster host (Feb 2021 on puppetmaster1001) under /srv/private/modules/secret/secrets/cassandra.
To (re)generate the keypairs a script named cassandra-ca-manager is used, the script is driven by YAML configuration files, one per cassandra cluster. The YAML configuration contains one entry per host plus information for the CA itself, and it is designed to be idempotent. If a certain host in the configuration file is missing its keypair it will be (re)generated when invoking the script (on the puppetmaster, from the puppet.git checkout), for example:
cd /srv/private/modules/secret/secrets/cassandra/ /usr/local/bin/cassandra-ca-manager services-test.yaml
where the yaml file should be the one for the service for which you need certs; for example for restbase, the file restbase.yaml.
Once generated and committed the new private material will be deployed at the next puppet run.
Also, when adding a new host don't forget to update labs/private.git too and (re)generate the fake private material.
Rollover / expiration
Certificates are generated with two year expiration, around that time (see also https://phabricator.wikimedia.org/T120662 for monitoring) it is sufficient to delete the old keypairs and generate new ones. Once puppet has deployed the new keypair it should be sufficient to roll-restart cassandra.
All keypairs are signed by a CA which is part of a truststore, adding a new CA to the truststore will effectively trust both. Another way to achieve rollover is also by issuing another certificate for the CA with extended expiration without changing the private key, in practice this means deleting rootCa.crt and invoking cassandra-ca-manager again.
Add a new host to a multi-instance cluster
Provisioning
Once a server is in the right state to be deployed to, first ensure that the correct DNS setup has been completed. RESTBase hosts for example have three additional addresses added as aliases for the system's main interface. These are usually created along with the host's base DNS record (restbaseNNNN) during setup via Netbox using the checkbox for Restbase hosts, but you should make sure that restbaseNNNN-a, restbaseNNNN-b and restbaseNNNN-c have all been created in DNS. Ideally these addresses are sequential from the base address but this is not required. These addresses should be specified in DNS and Netbox.
Once the host is configured correctly:
- Add host definitions in hiera - look at the existing hosts in the chosen datacenter to determine which rack the hosts should go into. Generally distribution between racks should be as even in number as possible. The
jbod_devicesparameter is dependent on the disk layout of the hosts in question. If you're not changing the layout elsewhere, it's generally okay to reuse the layout of previous hosts - verify this on the new host before reprovisioning it. - Add the host definitions to the relevant hierdata
- Add the hosts to the datacenter hierdata - these are used only for configuring the rate limiting service and its firewall in puppet and in Scap3.
- Add certificates for the host on the main puppetmaster's /srv/private repo. Search the commit history for previous restbase host additions for examples. Generate the new certificates from the cassandra certs directory by running
cassandra-ca-manager $cluster.yaml. - Change the hosts' roles - by default hosts will be using
insetup.
Example links for historical changes shown for context.
Generally it's a good idea to do the above one host at a time. Adding new hosts to the large Cassandra clusters can take a long time and so it's best to just proceed slowly one by one if you have many hosts to add at once rather than have to worry about juggling downtimes.
Cassandra setup
Once the host is fully provisioned, it can be added instance by instance (restbaseNNNN-a, then restbaseNNNN-b, then restbaseNNNN-c) to the Cassandra cluster. Topology changes are costly events in Cassandra and for this reason only ever add one node to the cluster at a time. To start bootstrapping the "a" instance, simply run sudo touch /etc/cassandra-a/service-enabled and sudo run-puppet-agent. This will start the respective cassandra instance and in time it will start bootstrapping itself. To monitor the progress of node a's updates, run cassandra-streams -nt nodetool-a from the bootstrapping host or c-any-nt status -r| grep restbaseNNNN from another host in the cluster. A host can be considered fully bootstrapped when the instance when c-any-nt status -r | grep restbaseNNNN shows the node in status "UN". Hosts still in the process of joining will show status "UJ".
The process of adding a single node can take a long time - even beginning the bootstrap process can take upwards of an hour, and the process itself can take around 5-6 hours. For this reason, it is imperative that you manage your downtimes appropriately to prevent disruption (in short, use the sre.hosts.downtime cookbook).
When waiting for the bootstrapping process to start, it is perfectly normal to see the message "Migration task failed to complete" in the system logs for the instance in question. This can be ignored.
Monitoring
- Logs:
/var/log/cassandra/system.loghas very detailed information on what's going on.- Grep for 'GCInspector' to search for slow GCs
- There are a number of Grafana dashboards linked from the main dashboard - ensure you're looking at the right keyspace or cluster.
RESTBase (major Cassandra user)
- Grafana: RESTBase service dashboard (as distinct from the RESTBase Cassandra cluster)
- Logstash: RESTBase dashboard (indirect)
On going cassandra bootstrap/decommission
While performing a node bootstrap or decommission it is possible to "monitor" the transfers using cassandra-streams -nt nodetool-a.
Alternatively its progress can be monitored with something like: (change nodetool-a with the "right" nodetool) watch -d -n300 "nodetool-a netstats -H | grep total"
Tools
cassandra-tools-wmf
c-cqlsh
Synopsis
c-cqlsh <id>
Description
Given an instance ID, executes cqlsh on that instance. Uses the the cqlshrc file located in the instance's configuration directory.
Example
$ c-cqlsh a
Connected to services-test at 10.64.0.202:9042.
[cqlsh 5.0.1 | Cassandra 2.2.6 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>
c-any-nt
Synopsis
c-any-nt <arg> [arg ...]
Description
In a WMF multi-instance environment, executes nodetool on a randomly chosen instance (any instance).
Example
$ c-any-nt status -r
...
c-foreach-nt
Synopsis
c-foreach-nt <arg> [arg ...]
Description
In a WMF multi-instance environment, iteratively execute nodetool on all local Cassandra instances.
Example
$ c-foreach-nt version
a: ReleaseVersion: 2.2.6
b: ReleaseVersion: 2.2.6
c-foreach-restart
Synopsis
usage: c-foreach-restart [-h] [-a ATTEMPTS] [-r RETRY]
[--execute-post-shutdown CMD] [-d DELAY]
[--logmsgbot LOGMSGBOT] [--tcpircbot-host HOST]
[--tcpircbot-port PORT] [--phabricator-issue ISSUE]
Cassandra instance restarter
optional arguments:
-h, --help show this help message and exit
-a ATTEMPTS, --attempts ATTEMPTS
Maximum number of times to check if service is up
after restarting.
-r RETRY, --retry RETRY
Number seconds between connection attempts, in
seconds.
--execute-post-shutdown CMD
Command to execute after Cassandra has been shutdown,
and before it is started back up.
-d DELAY, --delay DELAY
Delay between instance restarts (defaults to no
delay).
--logmsgbot
Log restarts to SAL (via logmsgbot and #wikimedia-
operations).
--tcpircbot-host HOST
tcpircbot hostname. Only valid when --logmsgbot is
used. Default: einsteinium.wikimedia.org
--tcpircbot-port PORT
tcpircbot port number. Only valid when --logmsgbot is
used. Default: 9200
--phabricator-issue ISSUE
Phabricator issue to associate these restarts with.
This currently only makes sense in combination with
--logmsgbot where it is included in the formatted log
message.
Description
In a WMF multi-instance environment, iteratively restart instances.
Each instance is drained prior to being restarted. After each restart, the process blocks until the CQL port is listening.
Commands specified by --execute-post-shutdown can include the {id} template which will be substituted with the ID of the instance being restarted.
Example
$ sudo c-foreach-restart --execute-post-shutdown="echo '{id} is a teapot, short and stout'"
...
c-ls
Synopsis
c-ls
Description
List the IDs of the locally configured instance IDs.
Example
$ c-ls
a
b
c
streams
Synopsis
streams [-h] [-nt CMD]
Cassandra streams monitor
optional arguments:
-h, --help show this help message and exit
-nt CMD, --nodetool CMD
Nodetool command to use
Description
Realtime console monitoring of streaming operations.
Example
$ streams -nt nodetool-b
uyaml
Synopsis
uyaml [-h] yaml path YAML parser positional arguments: yaml YAML file to parse path Path to parse from file optional arguments: -h, --help show this help message and exit
Description
Query attributes from a YAML file.
Example
$ uyaml /etc/cassandra-instances.d/restbase1007-a.yaml /jmx_port
7189
$ for i in `c-ls`; do uyaml /etc/cassandra-instances.d/restbase1007-$i.yaml /jmx_port; done
7189
7190
7191
cassandra-ca-manager
cassandra-ca-manager: manage Java keystores with a self-signed certificate authority
cassandra-metrics-collector
cassandra-metrics-collector: JMX metrics collector
cdsh
cdsh: a Cassandra cluster wrapper for dsh
Uncommon admin tasks
Monitor compactions
nuria@aqs1004:~$ nodetool-a compactionstats -H
pending tasks: 998
id compaction type keyspace table completed total unit progress
88386550-6f46-11e6-908d-b320c64aa5c2 Compaction local_group_default_T_pageviews_per_article_flat data 333.74 GB 339.6 GB bytes 98.27%
0ee1fe70-6f99-11e6-908d-b320c64aa5c2 Compaction local_group_default_T_pageviews_per_article_flat data 156.05 GB 336.07 GB bytes 46.43%
e9461700-6ecb-11e6-908d-b320c64aa5c2 Compaction local_group_default_T_pageviews_per_article_flat data 710.8 GB 896.46 GB bytes 79.29%
Active compaction remaining time : 0h24m46s
Bootstrap a brand new cluster
When bootstrapping a new cluster at least one of the seeds will need to have auto_bootstrap: false in /etc/cassandra/cassandra.yaml to prevent it from asking (and failing) to bootstrap from other seeds.
Chances are you are bootstrapping a new cluster from freshly-installed machines, thus cassandra would have run at least once and we need to remove its data files.
NOTE this procedure is meant to be run only on a brand new cluster and NOT ON EXISTING CLUSTERS
service cassandra stop rm -rf /var/lib/cassandra/* # this is needed only on one of the seeds grep -q 'auto_bootstrap: false' /etc/cassandra/cassandra.yaml || echo 'auto_bootstrap: false' >> /etc/cassandra/cassandra.yaml service cassandra start
once the node has started, you can stop/wipe/start the other seeds.
Switch to multiple cassandra instances per hardware node
As per the work in https://phabricator.wikimedia.org/T95253 and related, we have the capability of running multiple (up to four ATM) cassandra instances per hardware node. A single node can be converted in place from single instance to multiple instances by first decommissioning the node in cassandra, reimage and assign new IP/names for the instances in DNS and puppet.
- Allocate IP addresses in DNS for instance(s) (e.g. https://gerrit.wikimedia.org/r/#/c/249152/)
- Generate instance(s) TLS certificates (see palladium:/srv/private/modules/secret/secrets/cassandra)
- Also generate new material in labs/private.git for puppet compiler's benefit
- Stop cassandra from being restarted with systemctl mask cassandra
- Run nodetool decomission on the node to be converted
- (In parallel too) Add the new instance(s) to the list of known seeds (e.g. https://gerrit.wikimedia.org/r/#/c/250985/) so they are known to cassandra and allowed in ferm
- Reimage the machine
- Add one instance at a time to the reimaged machine (e.g. https://gerrit.wikimedia.org/r/#/c/250975/) once puppet runs it will provision the additional instance
Handling JBOD disk failures
Modern versions of Cassandra (those which include CASSANDRA-6696) are capable of using JBOD. A JBOD configuration is accomplished by simply supplying a list of paths as the data_file_directories directive.
The Wikimedia convention is to mount the respective devices as /srv/{device} (e.g. /srv/sda4, /srv/sdb4, etc), with data_file_directories in the form of /srv/{device}/cassandra-{id}/data. Common data should be placed somewhere with single device redundancy (e.g. RAID-10), mounted as /srv/cassandra/instance-data
Cluster Setup
Authentication
Authentication is enabled in cassandra.yaml by setting the authenticator and authorizer directives to PasswordAuthenticator and CassandraAuthorizer respectively. When so enabled, Cassandra will automatically create a system_auth keyspace at first start, and a default (super-)user named cassandra, with a password of cassandra. Replication should be set accordingly on this new keyspace, and a new super-user with a strong password created.
First, connect to the cluster using the default credentials and alter the keyspace:
$ cqlsh -u cassandra -p cassandra
cassandra@cqlsh> ALTER KEYSPACE system_auth WITH replication = { 'class': 'SimpleStrategy', 'replication_factor': 3 };
Next, create a new super-user:
cassandra@cqlsh> CREATE USER IF NOT EXISTS admin WITH PASSWORD 'sup3rs3kr3t' SUPERUSER;
Users are not permitted to delete themselves, so exit the shell and reconnect as the new super-user:
cassandra@cqlsh> exit $ cqlsh -u admin -p sup3rs3kr3t
Delete the default super-user:
admin@cqlsh> DROP USER IF EXISTS cassandra;
For authenticated application access, create a normal user:
admin@cqlsh> CREATE USER IF NOT EXISTS restbase WITH PASSWORD 'moars3kr3t' NOSUPERUSER;
Replicating system_auth
Authentication and authorization information is maintained in the system_auth keyspace, which by default uses SimpleStrategy and a replication factor of 1. This is definitely not what you want; A single node failure can prevent you from accessing your database! Best practice is to configure a replication factor of 3-5 per data-center.
Please check Incident documentation/20170223-AQS before proceeding, increasing the replication of system_auth on a live cluster may lead to outages.
Time-window compaction strategy
See Cassandra/TimeWindowCompactionStrategy.
Prometheus JMX Exporter
See Cassandra/PrometheusJmxExporter.
See also
- Hardware and instance sizing
- Tuning
- Old Cassandra testing notes -- mostly about avoiding OOM at high write volumes