diff options
| author | antirez <antirez@gmail.com> | 2015-06-12 18:33:03 +0200 |
|---|---|---|
| committer | antirez <antirez@gmail.com> | 2015-06-12 18:36:17 +0200 |
| commit | 821a986643717018cad8af9f35cba49818e60294 (patch) | |
| tree | 98e2f1dbd3f4e1893c30fc4370ff9fd734bebe9b | |
| parent | 4b5a0f0376e122316f3f04709fd7c502b159428d (diff) | |
| download | redis-821a986643717018cad8af9f35cba49818e60294.tar.gz | |
Sentinel: fix bug in config rewriting during failover
We have a check to rewrite the config properly when a failover is in
progress, in order to add the current (already failed over) master as
slave, and don't include in the slave list the promoted slave itself.
However there was an issue, the variable with the right address was
computed but never used when the code was modified, and no tests are
available for this feature for two reasons:
1. The Sentinel unit test currently does not test Sentinel ability to
persist its state at all.
2. It is a very hard to trigger state since it lasts for little time in
the context of the testing framework.
However this feature should be covered in the test in some way.
The bug was found by @badboy using the clang static analyzer.
Effects of the bug on safety of Sentinel
===
This bug results in severe issues in the following case:
1. A Sentinel is elected leader.
2. During the failover, it persists a wrong config with a known-slave
entry listing the master address.
3. The Sentinel crashes and restarts, reading invalid configuration from
disk.
4. It sees that the slave now does not obey the logical configuration
(should replicate from the current master), so it sends a SLAVEOF
command to the master (since the slave master is the same) creating a
replication loop (attempt to replicate from itself) which Redis is
currently unable to detect.
5. This means that the master is no longer available because of the bug.
However the lack of availability should be only transient (at least
in my tests, but other states could be possible where the problem
is not recovered automatically) because:
6. Sentinels treat masters reporting to be slaves as failing.
7. A new failover is triggered, and a slave is promoted to master.
Bug lifetime
===
The bug is there forever. Commit 16237d78 actually tried to fix the bug
but in the wrong way (the computed variable was never used! My fault).
So this bug is there basically since the start of Sentinel.
Since the bug is hard to trigger, I remember little reports matching
this condition, but I remember at least a few. Also in automated tests
where instances were stopped and restarted multiple times automatically
I remember hitting this issue, however I was not able to reproduce nor
to determine with the information I had at the time what was causing the
issue.
| -rw-r--r-- | src/sentinel.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/sentinel.c b/src/sentinel.c index c7e7f672d..3ff8899d7 100644 --- a/src/sentinel.c +++ b/src/sentinel.c @@ -1787,7 +1787,7 @@ void rewriteConfigSentinelOption(struct rewriteConfigState *state) { slave_addr = master->addr; line = sdscatprintf(sdsempty(), "sentinel known-slave %s %s %d", - master->name, ri->addr->ip, ri->addr->port); + master->name, slave_addr->ip, slave_addr->port); rewriteConfigRewriteLine(state,"sentinel",line,1); } dictReleaseIterator(di2); |