Change the behavior of the option 'force_recovery'

EvgenyMekhanik · Korablev77 · commit 0be1243ecc8a · 2020-12-22T19:32:50.000+03:00
There was an option 'force_recovery' that makes tarantool to ignore some problems during xlog recovery. This patch change this option behavior and makes tarantool to ignore some errors during snapshot recovery just like during xlog recovery. Error types which can be ignored: - snapshot is someway truncated, but after necessary system spaces - snapshot has some garbage after it declared length - single tuple within snapshot has broken checksum and may be skipped without consequences (in this case we ignore all row with this tuple) @TarantoolBot document Title: Change 'force_recovery' option behavior Change 'force_recovery' option behavior to allow tarantool loading from broken snapshot Closes #5422
diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c
@@ -150,7 +150,7 @@ memtx_engine_shutdown(struct engine *engine)
 
 static int
 memtx_engine_recover_snapshot_row(struct memtx_engine *memtx,
-				  struct xrow_header *row);
+				  struct xrow_header *row, int *is_space_system);
 
 int
 memtx_engine_recover_snapshot(struct memtx_engine *memtx,
@@ -170,12 +170,19 @@ memtx_engine_recover_snapshot(struct memtx_engine *memtx,
 	int rc;
 	struct xrow_header row;
 	uint64_t row_count = 0;
-	while ((rc = xlog_cursor_next(&cursor, &row,
-				      memtx->force_recovery)) == 0) {
+	int is_space_system = -1;
+	bool force_recovery = false;
+	/*
+	 * In case when we read system space, we can't ignore errors.
+	 */
+	while ((rc = xlog_cursor_next(&cursor, &row, force_recovery)) == 0) {
 		row.lsn = signature;
-		rc = memtx_engine_recover_snapshot_row(memtx, &row);
+		rc = memtx_engine_recover_snapshot_row(memtx, &row,
+						       &is_space_system);
+		force_recovery = is_space_system == 0 ?
+				 memtx->force_recovery : false;
 		if (rc < 0) {
-			if (!memtx->force_recovery)
+			if (!force_recovery)
 				break;
 			say_error("can't apply row: ");
 			diag_log();
@@ -188,16 +195,20 @@ memtx_engine_recover_snapshot(struct memtx_engine *memtx,
 		}
 	}
 	xlog_cursor_close(&cursor, false);
-	if (rc < 0)
+	if (rc < 0 || is_space_system < 0)
 		return -1;
 
 	/**
 	 * We should never try to read snapshots with no EOF
 	 * marker - such snapshots are very likely corrupted and
 	 * should not be trusted.
 	 */
-	if (!xlog_cursor_is_eof(&cursor))
-		panic("snapshot `%s' has no EOF marker", filename);
+	if (!xlog_cursor_is_eof(&cursor)) {
+		if (!memtx->force_recovery)
+			panic("snapshot `%s' has no EOF marker", filename);
+		else
+			say_error("snapshot `%s' has no EOF marker", filename);
+	}
 
 	return 0;
 }
@@ -216,7 +227,7 @@ memtx_engine_recover_raft(const struct xrow_header *row)
 
 static int
 memtx_engine_recover_snapshot_row(struct memtx_engine *memtx,
-				  struct xrow_header *row)
+				  struct xrow_header *row, int *is_space_system)
 {
 	assert(row->bodycnt == 1); /* always 1 for read */
 	if (row->type != IPROTO_INSERT) {
@@ -230,6 +241,7 @@ memtx_engine_recover_snapshot_row(struct memtx_engine *memtx,
 	struct request request;
 	if (xrow_decode_dml(row, &request, dml_request_key_map(row->type)) != 0)
 		return -1;
+	*is_space_system = (request.space_id < BOX_SYSTEM_ID_MAX);
 	struct space *space = space_cache_find(request.space_id);
 	if (space == NULL)
 		return -1;
@@ -448,10 +460,10 @@ memtx_engine_bootstrap(struct engine *engine)
 				sizeof(bootstrap_bin), "bootstrap") < 0)
 		return -1;
 
-	int rc;
+	int rc, is_space_system;
 	struct xrow_header row;
 	while ((rc = xlog_cursor_next(&cursor, &row, true)) == 0) {
-		rc = memtx_engine_recover_snapshot_row(memtx, &row);
+		rc = memtx_engine_recover_snapshot_row(memtx, &row, &is_space_system);
 		if (rc < 0)
 			break;
 	}
diff --git a/test/box/gh-5422-broken_snapshot.lua b/test/box/gh-5422-broken_snapshot.lua
@@ -0,0 +1,9 @@
+#!/usr/bin/env tarantool
+
+require('console').listen(os.getenv('ADMIN'))
+
+box.cfg({
+    listen = os.getenv("LISTEN"),
+    force_recovery = true,
+    read_only = false,
+})
diff --git a/test/box/gh-5422-broken_snapshot.result b/test/box/gh-5422-broken_snapshot.result
@@ -0,0 +1,299 @@
+-- write data recover from latest snapshot
+env = require('test_run')
+---
+...
+test_run = env.new()
+---
+...
+test_run:cmd("restart server default")
+fio = require 'fio'
+---
+...
+test_run:cmd("setopt delimiter ';'")
+---
+- true
+...
+function get_snap_file ()
+    local snapfile = nil
+    local directory = fio.pathjoin(fio.cwd(), 'gh-5422-broken_snapshot')
+    for files in io.popen(string.format("ls %s", directory)):lines() do
+        local snaps = string.find(files, "snap")
+        if (snaps ~= nil) then
+            local snap = string.find(files, "%n")
+            if (snap ~= nil) then
+                snapfile = string.format("%s/%s", directory, files)
+            end
+        end
+    end
+    return snapfile
+end;
+---
+...
+test_run:cmd("setopt delimiter ''");
+---
+- true
+...
+test_run:cmd("create server test with script='box/gh-5422-broken_snapshot.lua'")
+---
+- true
+...
+test_run:cmd("start server test")
+---
+- true
+...
+test_run:cmd("switch test")
+---
+- true
+...
+space = box.schema.space.create('test', { engine = "memtx" })
+---
+...
+space:format({ {name = 'id', type = 'unsigned'}, {name = 'year', type = 'unsigned'} })
+---
+...
+index = space:create_index('primary', { parts = {'id'} })
+---
+...
+for key = 1, 10000 do space:insert({key, key + 1000}) end
+---
+...
+box.snapshot()
+---
+- ok
+...
+test_run:cmd("switch default")
+---
+- true
+...
+snapfile = get_snap_file()
+---
+...
+file = io.open(snapfile, "r")
+---
+...
+size = file:seek("end")
+---
+...
+if size > 30000 then size = 30000 end
+---
+...
+io.close(file)
+---
+- true
+...
+-- save last snapshot
+os.execute(string.format('cp %s %s.save', snapfile, snapfile))
+---
+- 0
+...
+-- write garbage at the end of file
+file = io.open(snapfile, "ab")
+---
+...
+for i = 1, 1000, 1 do file:write(math.random(1,254)) end
+---
+...
+io.close(file)
+---
+- true
+...
+test_run:cmd("switch test")
+---
+- true
+...
+test_run:cmd("restart server test with script='box/gh-5422-broken_snapshot.lua'")
+test_run:cmd("setopt delimiter ';'")
+---
+- true
+...
+-- check that all data valid
+val = box.space.test:select()
+for i = 1, 10000, 1 do
+    assert(val[i] ~= nil)
+end;
+---
+...
+test_run:cmd("setopt delimiter ''");
+---
+- true
+...
+test_run:cmd("switch default")
+---
+- true
+...
+-- restore snapshot
+os.execute(string.format('cp %s.save %s', snapfile, snapfile))
+---
+- 0
+...
+-- truncate
+os.execute(string.format('dd if=%s.save of=%s bs=%d count=1', snapfile, snapfile, size))
+---
+- 0
+...
+test_run:cmd("switch test")
+---
+- true
+...
+test_run:cmd("restart server test with script='box/gh-5422-broken_snapshot.lua'")
+-- check than some data valid
+test_run:cmd("setopt delimiter ';'")
+---
+- true
+...
+val = box.space.test:select();
+---
+...
+for i = 1, 1000, 1 do
+    assert(val[i] ~= nil)
+end;
+---
+...
+test_run:cmd("setopt delimiter ''");
+---
+- true
+...
+test_run:cmd("switch default")
+---
+- true
+...
+-- restore snapshot
+os.execute(string.format('cp %s.save %s', snapfile, snapfile))
+---
+- 0
+...
+-- write garbage at the middle of file
+file = io.open(snapfile, "r+b")
+---
+...
+file:seek("set", size)
+---
+- 30000
+...
+for i = 1, 100, 1 do file:write(math.random(1,254)) end
+---
+...
+io.close(file)
+---
+- true
+...
+test_run:cmd("switch test")
+---
+- true
+...
+test_run:cmd("restart server test with script='box/gh-5422-broken_snapshot.lua'")
+test_run:cmd("setopt delimiter ';'")
+---
+- true
+...
+-- check that some data valid
+val = box.space.test:select();
+---
+...
+for i = 1, 1000, 1 do
+    assert(val[i] ~= nil)
+end;
+---
+...
+test_run:cmd("setopt delimiter ''");
+---
+- true
+...
+test_run:cmd("switch default")
+---
+- true
+...
+-- restore snapshot
+os.execute(string.format('cp %s.save %s', snapfile, snapfile))
+---
+- 0
+...
+-- write big garbage at the middle of file, check that start data valid
+file = io.open(snapfile, "r+b")
+---
+...
+file:seek("set", size / 2 + 8000)
+---
+- 23000
+...
+for i = 1, 10000, 1 do file:write(math.random(1,254)) end
+---
+...
+io.close(file)
+---
+- true
+...
+test_run:cmd("switch test")
+---
+- true
+...
+test_run:cmd("restart server test with script='box/gh-5422-broken_snapshot.lua'")
+test_run:cmd("setopt delimiter ';'")
+---
+- true
+...
+-- check that some data valid
+val = box.space.test:select();
+---
+...
+for i = 1, 1000, 1 do
+    assert(val[i] ~= nil)
+end;
+---
+...
+test_run:cmd("setopt delimiter ''");
+---
+- true
+...
+test_run:cmd("switch default")
+---
+- true
+...
+test_run:cmd('stop server test')
+---
+- true
+...
+-- restore snapshot
+os.execute(string.format('cp %s.save %s', snapfile, snapfile))
+---
+- 0
+...
+os.execute(string.format('rm %s.save', snapfile))
+---
+- 0
+...
+-- write big garbage at the start of file
+file = io.open(snapfile, "r+b")
+---
+...
+file:seek("set", size / 2)
+---
+- 15000
+...
+for i = 1, 1000, 1 do file:write(math.random(1,254)) end
+---
+...
+io.close(file)
+---
+- true
+...
+test_run:cmd("start server test with crash_expected=True")
+---
+- false
+...
+log = string.format("%s/%s.%s", fio.cwd(), "gh-5422-broken_snapshot", "log")
+---
+...
+-- We must not find ER_UNKNOWN_REPLICA in log file, so grep return not 0
+assert(os.execute(string.format("cat %s | grep ER_UNKNOWN_REPLICA:", log)) ~= 0)
+---
+- true
+...
+test_run:cmd("cleanup server test")
+---
+- true
+...
+test_run:cmd("delete server test")
+---
+- true
+...
diff --git a/test/box/gh-5422-broken_snapshot.test.lua b/test/box/gh-5422-broken_snapshot.test.lua
