MDEV-17856 Port binlog_error_action from MySQL

[ParadoxV5]

This is a work-in-progress draft pushed for feedback.

---

• The Jira issue number for this PR is: MDEV-17856

An amazing description should answer some questions like:

1. What problem is the patch trying to solve?
2. If some output changed that is not visible in a test case, what was it looking like before the change and how it's looking with this patch applied?
3. Do you think this patch might introduce side-effects in other parts of the server?

Description

TODO: fill description here

---

This is a port of MySQL 5.6.22’s binlog_error_action variable – specifically, mysql/mysql-server@477240cee6 and select follow-up changes.

Controls what happens when the server cannot write to the binary log, which can cause the master's log to become inconsistent and replication slaves to lose synchronization. Previous releases used the name binlogging_impossible_mode.

In MySQL 5.6 [and current MariaDB], the default for binlog_error_action is IGNORE_ERROR, meaning the server logs the error, halts logging, and continues performing updates; this is to provide backward compatibility with older versions of the MySQL [and MariaDB] Server. Setting this variable to ABORT_SERVER makes the server halt logging and shut down whenever it cannot write to the binary log; this is the recommended setting, particularly in complex replication environments.

The binlog_error_action=ABORT_SERVER enables the server to fail logging fast (Don’t full disk cause downtime anyway eh?), which prevents the server from accepting (or rejecting) more modifications that it cannot log for recovery and/or replication.

---

• IGNORE_ERROR (current default): https://mariadb.com/kb/en/using-and-maintaining-the-binary-log/#effects-of-full-disk-errors-on-binary-logging
  • MDEV-20796 could distictively split the two cases into, say, RETRY_LATER and DISABLE_LOGGING
• mysql/mysql-server@9a05c9803a changes the default to ABORT_SERVER.

---

Release Notes

TODO: What should the release notes say about this change?
Include any changed system variables, status variables or behaviour. Optionally list any https://mariadb.com/kb/ pages that need changing.

How can this PR be tested?

TODO: modify the automated test suite to verify that the PR causes MariaDB to behave as intended.
Consult the documentation on "Writing good test cases".

If the changes are not amenable to automated testing, please explain why not and carefully describe how to test manually.

Basing the PR against the correct MariaDB version

• This is a new feature or a refactoring, and the PR is based against the main branch.
• This is a bug fix, and the PR is based against the earliest maintained branch in which the bug can be reproduced.

PR quality check

• I checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
• For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

[ParadoxV5]

a draft is a draft

[ParadoxV5]

This hangs at flush logs; on my machine.
It may or may not have something to od with the disabled suppressions.

[ParadoxV5]

If MariaDB encounters a full disk error while trying to write to a binary log file, then it will keep retrying the write every 60 seconds. Log messages will get written to the error log every 600 seconds.
⸺ MariaDB Knowledge Base “Using and Maintaining the Binary Log” § Effects of Full Disk Errors on Binary Logging

Mentioned by MDEV-20796, This note reminded me that I saw this retry message in my logs; they confirm this “hanging” behavior.

---

Actually, this periodically-retry mechanism means that this case doesn’t actually IGNORE_ERROR, since strictly speaking, it picks up the error and reponds with “retry later” (contrast with ABORT_SERVER’s “abort immediately” response).
MDEV-20796(’s description) even wants the IGNORE_ERROR to apply this periodically-retry behavior on all scenarios.

Should we review our terminologies?

[bnestere]

Well, in general, we don't have to, but if we can conform to MySQL options, it is preferred, as it makes migration more straightforward. Another option would be to include MDEV-20796 in the scope of this PR (perhaps a separate commit though) as a third option that allows for consistency between the option names and behaviors.

[ParadoxV5]

Another option would be to include MDEV-20796 in the scope of this PR

Nay, the option MDEV-20796 wants would make other cases respond to errors by continuously retrying as well; it’s a distinct feature.

[bnestere]

Right, but it would allow each option to be consistent to its meaning. That is, we could slightly change IGNORE_ERROR behavior so it wouldn't "retry later" on full disk errors, but it would always turn off binlogging and move on. And we wouldn't lose the functionality because it would be nested in the RETRY configuration.

[ParadoxV5]

mysql/mysql-server@3b6b4bf8c5 mentioned the MySQL ticket and looked like a follow-up bug-fix.
However, it looks like MySQL had a different caching model than MariaDB.

[ParadoxV5]

simulate_file_write_error does simulate disk full.

[ParadoxV5]

This file was copied from MySQL.

I plan to reformat the file a bit – at least I’d --echo the testcase descriptions in the .results.
Let me know what other conventions there are.

[ParadoxV5]

I optimistically reënabled this to see if it’s good now or still needs more support.

[ParadoxV5]

mysql/mysql-server@3b6b4bf8c5 amended the second error call.

I wonder, what’s the difference between my_error and sql_print_error, and why did they (if not us) need to error twice?

I know that my_error receives its format template from errmsg-utf8.txt while sql_print_error uses a given template. (I know this from #3360.) This is why they have different error messages here.

server/sql/share/errmsg-utf8.txt

Lines 8311 to 8317 in ebbbe9d

	ER_BINLOG_LOGGING_IMPOSSIBLE
	chi "二进制记录不可能。消息：%s"
	eng "Binary logging not possible. Message: %s"
	ger "Binärlogging nicht möglich. Meldung: %s"
	geo "ბინარული ჟურნალი შეუძლებელია. შეტყობინება: %s"
	spa "No es posible llevar historial (log) binario. Mensaje: %s"
	sw "Uwekaji katika kumbukumbu ya mfumo wa jozi hauwezekani. Ujumbe: %s"

(Yes, ER_BINLOG_LOGGING_IMPOSSIBLE already exists.)

[bnestere]

Good question, I'm actually not sure why they did that..In Maria, my_error() will set an error context on current_thd (see my_message_sql) as well as print an error message, whereas sql_print_error() just prints the error. I imagine we should only need my_error , though we should extend abort_error with the

Could not use %s ..

details.

[ParadoxV5]

I referred MySQL’s locations for changes in sys_vars.cc and mysqld.cc, but mysqld.h… I don’t understand how the sections were divided.

[ParadoxV5]

I felt that it’s excessive to exile the enum list at a different place but still only use it here.

[ParadoxV5]

Darn. Compount literals is a GCC extension for C++, even though it’s standardized in C99, our regular-C version.

[ParadoxV5]

What’s a Sys_var_on_access_global?

[bnestere]

Its basically an authentication wrapper to secure the variable s.t. its modification is protected by some role (see set_var::check() and for more details on the variable checking process).

[ParadoxV5]

MySQL had an additional log_type == LOG_BIN requirement for this condition:

  if (log_type == LOG_BIN && binlogging_impossible_mode == ABORT_SERVER)
  {
    …
    my_error(ER_BINLOG_LOGGING_IMPOSSIBLE …

Why is it there?

[bnestere]

It ensures we only apply the error logic to the binary log, and not other logs. That is, the binlog (of type MYSQL_BIN_LOG) is derived from MYSQL_LOG, and this is the general MYSQL_LOG::open function.

[ParadoxV5]

A passerby colleague questioned why a variable for a single file requires modifying 4 files to add.

I’ll move this line to log.cc and then, yes, why is a variable split among variables.cc, implementation.cc and a bridging .h 🤷?

[ParadoxV5]

An enum variable only has so many valid options, but they’re unsigned longs in RAM. The old design left so much unused RAM space 🤷.