Power Outage Takes Wikimedia Down

Baricom writes "Just a few weeks after a major power outage took out well-known blogging service LiveJournal for several hours, almost all of Wikimedia Foundation's services are offline due to a tripped circuit breaker at a different colo. Among other services, Wikimedia runs the well-known Wikipedia open encyclopedia. Coincidentally, the foundation is in the middle of a fundraising drive to pay for new servers. They have established an off-site backup of the fundraising page here until power returns."

What Happened.

What happened?
At about 14:15 PST some circuit breakers were tripped in the colocation facility where our servers are housed. Although the facility has a well-stocked generator, this took out power to places inside the facility, including the switch that connects us to the network and all our servers.

What's wrong?
After some minutes, the switch and most of our machines had rebooted. Some of our servers required additional work to get up, and a few may still be sitting there dead but can be worked around.

The sticky point is the database servers, where all the important stuff is. Although we use MySQL's transactional InnoDB tables, they can still sometimes be left in an unrecoverable state. Attempting to bring up the master database and one of the slaves immediately after the downtime showed corruption in parts of the database. We're currently running full backups of the raw data on two other database slave servers prior to attempting recovery on them (recovery alters the data).

If these machines also can't be recovered, we may have to restore from backup and replay log files which could take a while.

Re:What Happened.

[mr_zorg]

You laugh at this, but it's 100% true.

They should ask for more...

[PornMaster]

If they bought actual servers with dual power supplies and got power from multiple PDUs at their data center, they would be much better off. If this is really because of a tripped breaker, then it's pretty inexcusable, since dual power supplies fed from separate circuits would have prevented it... unlike the LJ outage which was from the power being cut to all circuits.

But if they're going to cobble together some whitebox crap servers, and not change the architecture, they'll be right back to an outage next time it happens.

Re:They should ask for more...

[Jamesday]

The database servers have dual redundant supplies and the colo tells us that TWO circuit breakers tripped. Fun. Not. Do try to avoid having the same happen to you - losing both circuits isn't fun.

Re:They should ask for more...

[Cramer]

A word on breakers... first, they aren't fuses. They are magnetically thrown -- pull too much current through it and an electromechanical break is closed releasing the breaker contacts which are pushed/pulled apart by springs. As it's magnetically thrown, tripping one breaker can (and does) trip surrounding breakers. I've seen it happen a number of times -- with brand new breakers, even.

Re:Coincidence... ;)

[Raul654]

I was just in freenode joking with Jimbo about this. He said he thought was wondering how long it would be before slashdot ran a story about it (2 hours) and asked people to please stop with the consideracy theories. Meanwhile, the devs are working fairly furiously to get it back up (Kate hasn't slept in 27 hours. Jimbo just declared Feb 22 to be Kate-day) (--A wikipedia admin.)

ETA for read only service is now 2-4 hours.

[Jamesday]

So far one of our database servers has completed a successful recovery (we're working through them all). On a gigabit link it takes something between 90 minutes and 4 hours to rsync from one to another. As soon as we have two database servers working, we'll be restoring service in read only mode. Likely to be that 90 minutes to 4 hours from now as worst case.

I'll post followups to this post later, as we're closer to being fully recovered.

Re:ETA for read only service is now 2-4 hours.

[Jamesday]

May be longer so I withdraw that time estimate.

Re:Another indictment of MySql

[sploo22]

No database can guarantee data integrity in the case of a power failure.

Think again. Techniques to do this have been around for years -- it's called stable storage. You just keep redundant copies of data that's changing, and use a neat and simple procedure to ensure that either they both get updated by a transaction, or the original data can be recovered. Certainly the most recent data might be lost, but there's no reason for the database to be corrupted or even in an inconsistent state.

Re:Another indictment of MySql

[imroy]

I just love stupid trolls that can't even use Google.

Tsearch2 - full text extension for PostgreSQL
DevX: Implementing Full Text Indexing with PostgreSQL - about Tsearch2.

Tsearch2 is included in the postgresql-contrib package of at least Debian and Novell/SuSE. Is that "out of the box" enough for a clueless MySQL user?

Re:Where are you guys hosting from?

[Rakishi]

Because the power didn't actually go out?

Re:URI to the Rescue

[Doc+Ruby]

Because domain names equate to a single IP# (even if that number changes) - a single instance of the object. A URI is just a unique ID across the whole Net, for an object class, which can have single instances. A good URI scheme will take different states of that class into account, like different versions of the object. Domain names, as implemented in DNS, can't give us the one (URI) to many (instances) we obviously need to support scalability and distributed objects.

Re:Another indictment of MySql

[Jamesday]

Since at least one of our MySQL database servers has so far restarted successfully with all InnoDB data intact, perhaps you'd care to reconsider your assessment that MySQL is incapable of doing what it just did?

For the rest, we'll see as we get to them and, for any that fail, then look to see whether it was the disk controller or the disk drive lying about having the data written to battery backed up RAM or the disk surface.

Wikipedia hasn't suffered a day of downtime yet for this reason and looks to be down for no more than a few hours this time. A previous incident lasting more than a day was a human or three screwing up and having two copies of the server software writing to the same database files without any locking to prevent conflicting updates. The result of that shouldn't surprise anyone.

Answers.com

[stevemm81]

You can look things up on answers.com.. They mirror wikimedia, as well as other dictionaries/encyclopedias.

Xenu Strikes Again!

It was Xenu! Great God of the Scientoligists who caused the power outage. He/she/it was angry you didn't pay all your hard earned cash to learn the inner secrets to find out about he/she/it. Read all about it on Wikipedia. Oh, wait you can't!

I find it an interesting coincidence the power outage happened so soon after that the Xenu article was featured. I may be paranoid, but the Scientologists have taken paranoia to a new dimension. They are not above dirty tricks. Karl "Turd Blossom" Rove could learn a thing or two.

Re:Xenu Strikes Again!

[MillionthMonkey]

I find it an interesting coincidence the power outage happened so soon after that the Xenu article was featured.

Gee, you just had to mention the X-word! Now this thread won't load for most Scientologists because the keyword filters they were forced to install by their Church will see "Xenu" and block the site. After all the mere sight of the word could cause "pneumonia and death" if you haven't paid the Church of Scientology for the proper preparation.

Wikipedia's Xenu article has an interesting history if you look, as I did the other night when it was featured. Scientologists vandalize it regularly. You're supposed to pay them a half million (or some absurd sum of money) to find out about Xenu. After you find out, you're too embarrassed to admit to anybody that you paid a half million to learn that your problems are caused by bad science fiction, when you could have bought a house in Silicon Valley instead. So they obviously don't want a Wikipedia article giving away their half-million-dollar "trade secret" for free.

One trick I saw was to use HTML entities to spell out insults at the top of the article- like "only an idiot would believe this" or something. In the editor window, the entities weren't rendered and each letter appeared as a hex code.

A more effective attack took a different approach. The vandal in this case changed "Scientologists" to "Muslims", "Scientology" to "Islam", and inserted a boring-sounding sentence at the end of the first paragraph claiming that "Xenu" is another name that Muslims use for "Allah". It completely discouraged you from reading further. If you didn't know better you wouldn't find out how "Allah" distributed the thetans around volcanoes on various planets and blew them up with hydrogen bombs, and how their blown-up spirits cause problems in your personal life today.

This is OT, but what the hell, why not whack a beehive? Additional information on Xenu:
Operation Clambake (Hubbard maintained that humans are descended from clams)
The Xenu leaflet (all about Xenu- this information can save you lots of $$$$$)
The road to Xenu (authored by a woman who got suckered)
The Google cache of Wikipedia's Xenu article is also a must read.

I'm wondering if I'll get a lot of freaks, downmoderations, and hostile AC replies after I post this. After all, that's the kind of thing that Hubbard called "fair game". If it sinks below default visibility I'll repost it again with my karma bonus, so you theta-clear-wannabes out there can save your points for someone else.

Re:Ironic

[Jamesday]

Yes. I wrote that cached page and it's now a bit out of date. IF, and it's not certain, local fire regulations permit the use of UPS systems in the racks we're going to be installing them. Decided on that after LiveJournal's unfortunate experience. But don't yet have them.

Re:This is why you don't turn Google down

[Captain+Nitpick]

Nobody's turned Google down. There's been no actual proposals to turn down yet.

Re:Stupid question...

[Carnildo]

Fire code. When someone hits the Big Red Button, all electrical power in the server room must be out. Therefore, UPSs can't be located in server racks (or if they are, you need to go to the effort of wiring them into the BRB).

Re:Distributed Wikipedia?

do a search for P2P Web Cache

Re:Backup power supply?

[brion]

The colocation facility has diesel generators to protect against the outside power going out. Thanks to the miracle of circuit breakers, power circuits inside the facility shut off (including both circuits feeding our dual-power supply machines).

Re:mysql bad at disaster recovery?

[Tough+Love]

The main issue is that we are dealing with north of 1GB of data here

Nice post. I'd just like to add that Wikipedia deals with north of 170 GB, not counting images.

Re:mysql bad at disaster recovery?

[sarahemm]

A lot of datacentres don't allow UPSes within customer enclosures, as even if the EPO is triggered they keep supplying power which can be dangerous for fire/rescue crews. I'm aware this wasn't an EPO situation AFAIK, but the rules still apply.

Re:mysql bad at disaster recovery?

[sterwill]

I know that PostgreSQL uses write-ahead-logging so it can avoid exactly these kinds of problems. It doesn't matter how much I/O PostgreSQL is doing; all writes go to the log. If the machine crashes, it replays the log file up to its most recent write. Worst case: data that was in the process of being appended to the log when the machine crashed didn't get flushed to disk, and that last transaction is lost. No tables are corrupt. No 6+ hour delay getting back online.

You would know this to if you had read the PostgreSQL documentation.

Re:What's the Name of Wikimedia's Colo?

[timstarling]

http://www.neutelligent.com/

Re:Coincidence... ;)

[Random+Chaos]

Well...Slashdot has fully hit:

Temporary fundraising site: "This account has exceeded it's bandwidth quota and has been temporarily disabled."

Re:mysql bad at disaster recovery?

[TheNarrator]

PostgreSQL is far superior to MySql in it's disaster recovery ability, namely WAL (Write Ahead Logging). I've been using PostgreSQL since version 7.0 came out and I've never had it fail to come back up on me after any power outage or reset.

http://www.postgresql.org/docs/8.0/interactive/wal .html

Fortunately, Wikicities is still online . . .

[greenreaper]

And going strong!

Proper fundraising link

[Jugalator]

The link in the article is broken, here's the proper one:
http://wikimedia.org/fundraising/

It's not SATA

[Jamesday]

The best copy we have is on a lowly pair of 250GB SATA drives using Linux RAID 0 and since thats the best it's the one we used.

Every main database server had corrupt database pages. That is, 3 systems with battery backed up write caching controlles and SCSI drives and 2 SATA systems with write caching SATA controllers, one battery backed up the other not, two different SATA disk drive makers.

Involved:

• Two completely different caching controller brands
  
• Two different SATA drive makers
  
• Seagate only on the SCSI drive maker side
  

Obvious speculation involves the controllers not telling the drives not to write buffer or the drives not listening. No point in getting into SCSI or SATA or this disc controller or that controller fights when there's this much variation involved.

Latest news

[saforrest]

Posted on the mailing list wikipedia-l 32 minutes ago:

From: Brion Vibber
Reply-To: wikipedia-l@wikimedia.org
To: Wikipedia-l, Wikimedia Foundation Mailing List, Wikimedia developers
Date: Tue, 22 Feb 2005 04:47:56 -0800
Subject: Re: [Wikipedia-l] Wiki Problems?

Brion Vibber wrote:
> There was some sort of power failure at the colocation facility. We're
> in the process of rebooting and recovering machines.

The power failure was due to circuit breakers being tripped within the colocation facility; some of our servers have redundant power supplies but *both* circuits failed, causing all our machines and the network switch to unceremoniously shut down.

Whether a problem in MySQL, with our server configurations, or with the hardware (or some combination thereof), most of our database servers managed to glitch the data on disk when they went down. (Yes, we use InnoDB tables. This ain't good enough, apparently.)

The good news: one server maintained a good copy, which we've been copying to the others to get things back on track. We're now serving all wikis read-only.

The bad news: that copy was a bit over a day behind synchronization (it was stopped to run maintenance jobs), so in addition to slogging around 170gb of data to each DB server we have to apply the last day's update logs before we can restore read/write service.

I don't know when exactly we'll have everything editable again, but it should be within 12 hours.

Re:mysql bad at disaster recovery?

[Jamesday]

>>Can anyone quess why its the case?

Easily. See what those saying that MySQL can't do what MySQL does are promoting.:)

LiveJournal found that it had some disk systems which lied about having committed writes. The have a preliminary tool which copies what it's writing to disk to a networked system and then compares the after power off and recovery state to what the disk system said it could do. Are going to make it available to the community as time allows.

I expect we're going to find the same at Wikipedia. Here's a pretty typical error log, this one from the server which was master database server:

050222 5:11:12 InnoDB: Database was not shut down normally.
InnoDB: Starting recovery from log files...
InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 303 1283776146
InnoDB: Doing recovery: scanned up to log sequence number 303 1289018880
InnoDB: Doing recovery: scanned up to log sequence number 303 1294261760
InnoDB: Doing recovery: scanned up to log sequence number 303 1299504640
InnoDB: Doing recovery: scanned up to log sequence number 303 1304747520
InnoDB: Doing recovery: scanned up to log sequence number 303 1309990400
InnoDB: Doing recovery: scanned up to log sequence number 303 1315233280
InnoDB: Doing recovery: scanned up to log sequence number 303 1320476160
InnoDB: Doing recovery: scanned up to log sequence number 303 1325719040
InnoDB: Doing recovery: scanned up to log sequence number 303 1330961920
InnoDB: Doing recovery: scanned up to log sequence number 303 1336204800
InnoDB: Doing recovery: scanned up to log sequence number 303 1341447680
InnoDB: Doing recovery: scanned up to log sequence number 303 1346690560
InnoDB: Doing recovery: scanned up to log sequence number 303 1347688389
InnoDB: 1 transaction(s) which must be rolled back or cleaned up
InnoDB: in total 14 row operations to undo
InnoDB: Trx id counter is 1 935480064
050222 5:11:13 InnoDB: Starting an apply batch of log records to the database...
InnoDB: Progress in percents: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 InnoDB: Database page corruption on disk or a failed
InnoDB: file read of page 8617985.
InnoDB: You may have to recover from a backup.
050222 5:12:20 InnoDB: Page dump in ascii and hex (16384 bytes):

Observe that the database engine went back to its last checkpoint, noticed the partial transaction and undid it and was rolling ahead in the write-ahead log when it encountered a database page which failed its checksum test. That failed checksum test is why I think it's a problem with the disk system lying about what was written. You can get that when a database page spans two drives in a stripe set and one has committed the update while the other hasn't.

In more typical situations MySQL simply applies the updates and all is well. I've had a server set up to exceed RAM with swap turned off and get killed every ten minutes for hours and recover every time.

Just to be complete:

• The database servers have dual redundant power supplies. TWO breakers at the colo tripped, taking out both.
• The systems are a mix of SCSI and SATA, so no point in arguing about one being lousy. SATA and Linux win if you want a winner: it was a SATA box using Linux RAID 0 whoch completed full recovery. It wasn't one of the normal servers - it was used for backup and offline report generation.
• Two different disk controller makers, one each for SCSI and SATA.
• Battery backed up write cache on most of the main server disk controllers but the one without the battery backup for the write cache had the same problem (which shouldn't surprise anyone - that one should be expected not to recover well).
• After LJ's experience we were after UPS systems in the racks but hadn't yet checked whether the local fire code allows them. Some don't, for el

Re:mysql bad at disaster recovery?

[Cramer]

You mis-read the comment. (and again, know little about wiki's setup) The point is, there aren't any Microsoft Windows boxes in the cluster. And I don't expect the Wikimedia Foundation to approve the cash outlay for buying windows and mssql licenses for the number of system currently serving as database engines. Plus there's the complexity of those boxes not just being db servers, and the fact that none of the admins are anywhere near the actual hardware -- remote management of windows boxes is not something I would recommend (and not something easily done via ssh.)

MySQL is not inferior in all possible characteristics... MSSQL is a windows only product. I cannot run it on Solaris, OS X, AIX, Tru64, linux, etc. It, thus, loses on that characteristic. Wiki is not a windows shop, so stop wasting your time suggesting a windows product. The cluster is running linux. Bring linux software to the table and we'll talk. Wiki uses mysql because it's free and it's fast. My suggestion would be Oracle, but it's most certainly not cheap or free.

Re:mysql bad at disaster recovery?

[jdavidb]

Unfortunately for webhosting the demand for MySQL is higher than for the other available DBMS's, since most available open source software and gratis software that requires a database is going to have been developed originally with MySQL. I would much prefer to be using PostgreSQL for the applications I run with a hosting provider, but the apps I use don't function with it, and the hosting provider (NearlyFreeSpeech.net) doesn't offer anything else, anyway.

I figure once the advantages of the other DBMS systems become more apparent (and enough disaster stories happen to highlight the advantages) the apps will begin to offer and improve support for PostgreSQL and others, and then there will be a demand for them and some hosting providers will begin to offer them. I do understand that PostgreSQL consumes a lot more resources than MySQL, though, so it will not be cheap.

You get what you pay for. How much is reliability worth?

ACID

[Jamesday]

Except it's now been a few years since MySQL incorporated InnoDB, so maybe it's time to move on and rejoice that it's now one of the free database servers with ACID support? This one happens to come with standard replication and fulltext search. Also with a range of other engines to choose. PostgreSQL, last I knew, doesn't have built in replication, fulltext search and alternative storage engines but has it's own particular strengths. In the end, every end user gets to benefit from the competition between excellent tools. Good for us all to be happy about that.

InnoDB does use WAL

[Heikki_Tuuri]

Hi!

InnoDB has used WAL since I wrote it in mid-1990s. To PostgreSQL, WAL came later, around 2000.

Regards,
Heikki
Innobase Oy

Re:Another indictment of MySql

> > Any real database server, which MySQL is most assuredly not, can guarentee data integrity since the last COMMIT.

> Since at least one of our MySQL database servers has so far restarted successfully with all InnoDB data intact, perhaps you'd care to reconsider your assessment that MySQL is incapable of doing what it just did?

There is a huge difference between being capable of doing something and guaranteeing it. There is a difference between "sometimes, maybe, if you're lucky" and "always". I'm surprised that you can't see it. (Who the hell is moderating this thread, anyway?)