Incidents/2023-09-20 Elasticsearch unavailable

document status: draft

On-wiki search for all wikis was delayed or unavailable for a subset of end users.

14:00 UTC Primary datacenter switches from EQIAD to CODFW.

14:00 A portion of queries (up to 25% at peak) begin being rejected by the PoolCounter during the incident window; rejections will continue for the next half hour. The spike in rejections was caused by long request response times that were themselves worsened by the unexpected decline in cache hit rate from 71.6% to 55.5%

14:08 Alert "CirrusSearch codfw 95th percentile latency - more_like" fires

14:14 Hashar pings in #wikimedia-search. Dcausse, inflatador and pfischer begin troubleshooting.

14:26 Grafana shows extremely high load on elastic2044, inflatador bans this node from the cluster and latency begins to drop back to normal.

14:34 claime confirms impact has passed.

14:35 Poolcounter rejections are now at zero.

Was automated monitoring first to detect it? Or a human reporting an error?

Monitoring caught it, but not quickly enough for humans to prevent user-facing impact.

Copy the relevant alerts that fired in this section.

** PROBLEM alert - graphite1005/CirrusSearch codfw 95th percentile latency - more_like is CRITICAL (Grafana alert sent to IRC and Search Platform email list)

Did the appropriate alert(s) fire? Was the alert volume manageable? Did they point to the problem with as much accuracy as possible?

Yes to all questions.

What went well?

• SREs were at a heightened state of awareness due to DC switchover, so impact was recognized immediately.
• Mitigation was quick and easy (banning a single node). Incident resolved within ~30m, whether due to self-healing or due to the aforementioned node ban.

What went poorly?

• We had expected all more_like queries to route to eqiad (corresponding to the non-primary mediawiki datacenter), but instead they routed to codfw. The underlying cause appears to be that the restbase requests were sent as POST rather than GET which forced routing to the primary datacenter (codfw) instead of the non-primary (eqiad).

• Switch Datacenter#ElasticSearch

• Determine what Elasticsearch-related steps are needed prior to a datacenter switchover.
• Update documentation as mentioned in "Links to relevant documentation" section above.
• Review https://phabricator.wikimedia.org/T285347 (suggestions for switchover improvements) and decide whether to implement.
• phab:T347034 Update the RESTBase /related/{article} endpoint to make a GET request and not a POST in order to help having a CirrusSearch query cache warm in both DC when running multi-DC
• Review current shard balance for busy wikis, particularly enwiki_content. In my haste to mitigate, I (inflatador) did not check the shards of the highly-loaded host. Dcausse theorized that two enwiki shards may have been on the same host, which is extremely expensive, particularly when more_like queries are involved. That would suggest that the problem was worsened by the DC switchover, but not directly caused by it.