Incidents/2025-03-31 sessionstore unavailability

document status: draft

Starting at approximately 02:58 the sessionstore service in both datacenters became unavailable after a enough nodes had crashed due to disk exhaustion, that clients were no longer able to make quorum.

At 03:32 the decision was made to wipe storage (removing all sessions) in order to return sessionstore to a working state. This was completed at around 03:36 and edits began to flow again, returning to steady state rates by ~03:40.

All times in UTC.

• 02:58 sessionstore service in both DCs begin emitting 500 errors — OUTAGE BEGINS
• 03:03 MediaWikiEditFailures (session loss) fires (critical)
• 03:04 SessionStoreErrorRateHigh fires (page)
• 03:09 swfrench responds / investigation begins
• 03:14 swfrench escalates to urandom for investigating the Cassandra aspect
• 03:18 cassandra unavailability identified (many nodes are down, no longer able to achieve quorum)
• 03:22 disk space exhaustion identified as cause, along with concerning upward trend in utilization since ~2025-03-10
• 03:32 decision is made to wipe storage in order to restore service
• 03:36 storage is wiped, Cassandra is restarted, edits begin to flow — OUTAGE ENDS

MediaWiki	Sessionstore

SessionStoreErrorRateHigh (high 5xx rate) fired, resulting in a page (sent to batphone). Paging on error rate seems correct, but the 5xx errors returned by sessionstore were caused by the complete outage of many Cassandra nodes, so having an alert (critical) could have provided additional context (i.e. "Critical number of Cassandra node failures" versus "Many HTTP errors"). Moreover, the node failures in question were the result of a lack of free disk space, and the rate of storage growth preceding this made the timing of the outages predictable. An alert for high storage utilization well in advance of the node failures would have provided an opportunity to head off an impacting incident before it began.

https://portal.victorops.com/ui/wikimedia/incident/5917/details

• task T390512

The obvious (proximal) cause was an increase in session writes that filled the storage devices. The distal cause though seems to be an aberrant workload consisting of session overwrites at high rate. Cassandra's storage is log-structured; An overwrite doesn't happen in-place, and the overwritten values must be garbage collected during compaction. The high rate of overwrites exceeded what could be efficiently collected before running out of space.

Prior to the incident, we viewed the sessionstore cluster as being wildly over-provisioned. This incident however, has demonstrated that an aberrant workload has the potential to create rapid, unsustainable growth.

• Automated alerting surfaced the influx of sessionstore service errors soon after onset.
• Responders were able to identify the (proximal) cause and mitigate within ~ 30m of the first page.

• There was no automated alerting in place for sessionstore Cassandra node disk utilization and / or growth rate that would have given us the opportunity to intervene before the start of user impact.
• It was, and continues to be, challenging to understand how various factors contributed to the elevated sessionstore write rates (workload changes, SUL3 migration, etc.).
• The mitigation for this (or a future) disk exhaustion incident (truncation) is itself disruptive, though less so than a sustained edit outage.
• The incident occurred during Batphone hours (early Monday UTC), which contributed to delayed response.

• Responders, including one with expertise in Cassandra, were available to work on the incident despite the awkward time of day.

• SessionStorage/Runbook#High_Storage_Utilization

• Page when disk utilization trend becomes unreasonable (task T390630) Done
• Increase sessionstore storage capacity (task T391544)
• Sessionstore namespacing (task T392170)
• Sessionstore workload observability (task T392182)
• Identify the cause of high rate of storage growth in sessionstore Cassandra (task T390514)
• Alert (non-paging) on Cassandra error rate(?)
• Page/alert on Cassandra nodes entering a downed state(?)