fix(cluster_family): Cancel slot migration from incoming node on OOM #5000

mkaruza · 2025-04-25T11:16:13Z

If applying command on incoming node will result in OOM (we overflow
max_memory_limit) we are closing migration and switch state to FATAL.

src/server/cluster/cluster_family.cc

BorysTheDev · 2025-05-06T13:30:58Z

src/server/cluster/cluster_family.cc

+  if (migration->GetState() == MigrationState::C_FATAL) {
+    migration->Stop();
+  }


looks like incorrect place for this logic

If FLOW fails with C_FATAL we'll call it, where would you put migration->Stop to handle stopping of migration?

Maybe we can move it to reportError or SetState, where we set the fatal status

src/server/cluster/incoming_slot_migration.cc

BorysTheDev · 2025-05-06T13:48:52Z

src/server/cluster/incoming_slot_migration.cc

@@ -70,6 +76,20 @@ class ClusterShardMigration {
        break;
      }

+      auto oom_check = [&]() -> bool {
+        auto used_mem = used_mem_current.load(memory_order_relaxed);
+        if ((used_mem + tx_data->command.cmd_len) > max_memory_limit) {


is used_mem RSS? maybe we need max_memory_limit - 100MB for example, or how we can guarantee 100% success of this condition?

Yes, it is checks whatever is set with maxmemory. I'll modify so it uses 90% of max memory as upper bound. That should be safe i think.

Let's discuss it with @adiholden or @romange

src/server/cluster/incoming_slot_migration.cc

src/server/cluster/incoming_slot_migration.h

BorysTheDev · 2025-05-06T14:02:28Z

src/server/cluster/incoming_slot_migration.h

+  void ReportFatalError(dfly::GenericError err) ABSL_LOCKS_EXCLUDED(state_mu_, error_mu_) {
+    errors_count_.fetch_add(1, std::memory_order_relaxed);
+    util::fb2::LockGuard lk_state(state_mu_);
+    util::fb2::LockGuard lk_error(error_mu_);
+    state_ = MigrationState::C_FATAL;
+    last_error_ = std::move(err);
+  }


I don't like this code. Let's think how to make it better. Maybe we can use state_mu_ for error too or merge this method with reportError

Agree, but i changed ReportError to check GetState() != C_FATAL and i wanted to update state & set error message while having both locks.

src/server/cluster/incoming_slot_migration.h

src/server/cluster/outgoing_slot_migration.cc

If applying command on incoming node will result in OOM (we overflow max_memory_limit) we are closing migration and switch state to FATAL. Signed-off-by: mkaruza <[email protected]>

BorysTheDev · 2025-05-09T07:44:21Z

src/server/cluster/cluster_family.cc

@@ -925,7 +926,7 @@ void ClusterFamily::InitMigration(CmdArgList args, SinkReplyBuilder* builder) {

  if (!migration) {
    VLOG(1) << "Unrecognized incoming migration from " << source_id;
-    return builder->SendSimpleString(OutgoingMigration::kUnknownMigration);
+    return builder->SendSimpleString(kUnknownMigration);


I think it should be error not string, like below

Part of code that was handling kUnknownMigration is using both SendError and SendSimpleString. This PR didn't change that but it moved this constant into different location. kUnknownMigration will be matched only if SendSimpleString is used.

BorysTheDev · 2025-05-09T07:45:35Z

src/server/cluster/cluster_family.cc

  }

  auto migration = GetIncomingMigration(source_id);
  if (!migration)
    return builder->SendError(kIdNotFound);

  if (!migration->Join(attempt)) {
-    return builder->SendError("Join timeout happened");
+    if (migration->GetState() == MigrationState::C_FATAL) {
+      return builder->SendError(absl::StrCat("-", kIncomingMigrationOOM));


why do we need "-", maybe we can make it as part of the kIncomingMigrationOOM

If - is not provided in error string response would be -ERR INCOMING_MIGRATION_OOM which will not be matched. If we use - as part of constant we would need to remove - prefix when matching error response.

BorysTheDev · 2025-05-09T07:49:14Z

src/server/cluster/outgoing_slot_migration.cc

+    // Break outgoing migration if INIT from incoming node responded with OOM. Usually this will
+    // happen on second iteration after first failed with OOM. Sending second INIT is required to
+    // cleanup slots on incoming slot migration node.
+    if (CheckRespSimpleError(kIncomingMigrationOOM)) {
+      ChangeState(MigrationState::C_FATAL);
+      break;
+    }
+


I think you can move it in next if if (!CheckRespIsSimpleReply("OK")) {

CheckRespIsSimpleReply expects that response is STRING (+) while we are returning now ERROR (-)

mkaruza requested a review from BorysTheDev April 25, 2025 11:16

mkaruza marked this pull request as draft April 25, 2025 11:16

BorysTheDev reviewed Apr 26, 2025

View reviewed changes

src/server/cluster/cluster_family.cc Outdated Show resolved Hide resolved

BorysTheDev reviewed Apr 26, 2025

View reviewed changes

src/server/cluster/cluster_family.cc Outdated Show resolved Hide resolved

mkaruza force-pushed the mkaruza/github#4977 branch from 9c88c11 to 6a5d621 Compare May 6, 2025 12:34

mkaruza requested a review from BorysTheDev May 6, 2025 12:35

mkaruza marked this pull request as ready for review May 6, 2025 12:35

mkaruza changed the title ~~fix(cluster_family): Cancel slot migration in case of OOM errors on t…~~ fix(cluster_family): Cancel slot migration from incoming node on OOM May 6, 2025