Schema changes on a live database are hard, and they should not be done lightly. That doesn't mean that schema changes should be avoided, not at all, a good database design is essential for security and performance.
If you are a MediaWiki hacker, please note that the following only applies to changes that will be deployed to WMF servers. MediaWiki schema changes and standards are not covered here. But it has been agreed that
update.php is avoided in our servers, as it would cause huge production issues. For that reasons, the following workflow has been created in order to attend schema change requests as fast as possible.
Workflow of a schema change
- Add the
schema-changetag to the relevant Phabricator task the moment you propose a change that involves a change in the table design
- Make sure to involve as many relevant people as possible. For example, a DBA can provide constructive feedback in time if requested.
- Once the solution has been agreed among all developers (usually that means merged to HEAD including the schema change, but disabled on configuration), and you need to apply that to the live databases, create a separate specific task (subtask of the main issue) for the #blocked-on-schema-change, owned by #DBA, providing the following specific information, one per batch (group of alters to be done at the same time):
- The ALTER TABLEs to run (usually, a link to a commit diff is the best way)
- Where to run those changes (the databases, dblist file or a very specific description such as "all wikis with the table X")
- When to run those changes (if it depends on a particular code deployment or can be done at any time)
- If the schema change is backwards compatible (is compatible with the current code deployed and can be performed at any time now)
- If the schema change has been tested already on some of the test/beta wikis. Usually, as a last test, change should be applied to testwiki first.
- If it involves new columns or tables, if the data should be made available on the labs replicas and/or dumps or not because they contain private or sensitive data (consult legal if you are unsure). Similar question if it involves deletion of data previously available on labs.
Example ticket: https://phabricator.wikimedia.org/T119752
The alter will be performed as soon as possible within the available resources. If the schema change has to be done in a particular timeframe (for example, depending on code deployment), a 2-week advance notice is strongly suggested.
These are used to request the attention of an operator and are proactively monitored by DBAs:
- DBA aka #Wikimedia-Database component: Tickets related to database administration of the WMF, and issues found on them. E.g.: "Please recover the table X on day Y.". "db1022 is down" "db1047 has lag"
- blocked-on-schema-change tag: A schema change has been fully agreed (equivalent to +2, even if it is not yet merged), and we are waiting for the DBAs to perform the change on the WMF databases. Please note that a complex schema change could take up several weeks to be performed once it has started to be applied.
These are freely managed by MediaWiki developers and are not proactively monitored by DBAs:
- MediaWiki-Database component: Tickets related to programming/fixing issues of all kinds of database backends. "Postgres port fails on saving a revision." DBAs can and will be happy to help with this, but have to be notified.
- schema-change tag: a change in MediaWiki that is work in progress. Wikimedia DBAs should be (ideally) taken into consideration for possible optimizations, potential problems, etc.
Advice on schema changes
- All tables must have a primary key. That is not a suggestion, it is a MediaWiki policy. Primary keys prevent duplicate rows, allow better performance for ROW-based replication, and are required to perform online schema changes by many tools. Add one to your table before it gets too big.
- Do not break compatibility with existing code. Usually, that forces to perform two code deployments, one where code is compatible with new and old structure, and the final one. While it is a lot of more effort, please take into account that schema changes are not transactional, they could take hours or even days to be deployed on all servers, on all wikis. Adding new columns at the end of the table is another way to do it, as code should be compatible with that. Once data has been migrated or filled in, the old columns could be dropped.
- If a table is deployed to multiple wikis/databases, any schema changes must be applied to all wikis where that table is present for consistency.
- DBAs are here to help, not to be an obstacle. If you have any doubt about a schema change (data types, performance, etc.), just ask.
Dangers of schema changes
- Certain ALTER operations require to stop writes for a while while they are ongoing. For the master, this means that new edits and updates to the wikis are stopped or fail, for the slaves, it means replication lag, which can lead to other kind of bad consequences, such as querying stale data, or, with the protections put in place, not being able to read at all (as master reads are avoided as much as possible).
- ALTER TABLES on large tables can take days to execute (currently, ALTERing the enwiki revision table takes 4-5 days per server. We have 20 enwiki servers.)
- Even if an online alter table is possible (with the built-in online ALTER TABLE functionality or pt-online-schema-change), or the table is very small to not care about online changes, in mysql there exists a failsafe called metadata locking that avoids SELECTs runinng with stale metadata information. This metadata-locking means that, while SELECTS are ongoing, the ALTER TABLE cannot start, and it is queued. While the alter table is queued, all subsequent transactions are also blocked. Please note that tools like pt-online-schema change, while online, requires also metadata locking on the original table due to trigger creation. This happens on tables such as the image table on Commons, and other popular tables.
- Schema changes can impact the performance of the server while ongoing, making it more susceptible to lag problems or overload. In order to perform a schema change successfully it is needed to prepare the deployment by warming up the tables on the slaves to minimize lag issues, and configure the online schema change tool adequately.
- All schema change, like any code deployment, is a source of potential application breakage. Sometimes, in the most strange ways: deleting an apparently unused index can lead to a server failure if it was, in-fact, used and the application starts performing full table scans, maximizing connection count. Please note that testing on beta is a requirement, but not a guarantee that things will work in production due to the high amount of traffic
- Schema changes, unlike code, cannot be rolled back. Only the reverse schema change can be executed again, assuming data has not been lost in the process. What it is worse, changes done with ALTER TABLE, if failed or cancelled, start rollbacking the process, that could take the same or more than applying the changes in the first place.
- Sometimes, adding new columns has a lot of overhead in space consumed, and that could lead to server failure if the schema change fails do the lack of disk space. This is particularly impacting on large tables such as revision or page.
- Schema changes have to be coordinated so two incompatible changes are not running at the same time. Also, by grouping schema changes happening on the same table, usually a huge speed up is achieved and the applications is for less time in a degraded state.
For all those reasons, which can be summarized on assuring our system's reliability, schema changes should be carefully reviewed and applied by a Database administrator, or by someone at Operations/Platform engineering to avoid larger issues.
What is not a schema change
- Creating new tables. This is not a dangerous process, and can be done unattended. However, due to labs filtering limitation (hopefully, to be solved soon) you still should block on a DBA to review the table creation to check data leak is not possible.