Skip peer discovery cleanup when backend returns error #14606
Merged
+222
−37
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Including this info in the error report can help with sanity checks in debugging `?awaitMatch/4` failures.
the-mikedavis
force-pushed
the
md/peer-disc-cleanup-error
branch
from
5540c69 to
cfc50d5
Compare
Previously if the peer discovery backend returned an error from failing to discover nodes, the `service_discovery_nodes/0` helper returned an empty list. During cleanup this would mean that any nodes unreachable during a partition would have destructive action taken against them: `rabbit_db_cluster:forget_member/2` and `rabbit_quorum_queue:shrink_all/1`. The `list_nodes/0` callback can fail transiently, though, and a failure shouldn't mean that the cluster is empty. It's safer to avoid cleaning up any nodes when the peer discovery backend fails to return the intended set of nodes.
the-mikedavis
force-pushed
the
md/peer-disc-cleanup-error
branch
from
cfc50d5 to
2d4f19c
Compare
michaelklishin
added a commit
that referenced
this pull request
Oct 8, 2025
Skip peer discovery cleanup when backend returns error (backport #14606)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously if the peer discovery backend returned an error from failing to discover nodes, the
service_discovery_nodes/0helper returned an empty list. During cleanup this would mean that any nodes unreachable during a partition would have destructive action taken against them:rabbit_db_cluster:forget_member/2andrabbit_quorum_queue:shrink_all/1. Thelist_nodes/0callback can fail transiently, though, and a failure shouldn't mean that the cluster is empty. It's safer to avoid cleaning up any nodes when the peer discovery backend fails to return the intended set of nodes.I also raised the log level of the error from debug to info. Maybe we could go to warning without too much log spam as this cleanup action happens on a timer measured in seconds.
Opening this as a draft for now - I'd like to write a test case for this.I've seen this in the wild when rabbitmq_aws fails to refresh its session token (because of a transient timeout) -> unauthorized request to get EC2 metadata ->list_nodes/0returns the error tuple -> any node with the bad luck of being unreachable at that moment is forgotten and has its QQ data deleted. Especially if a broker is underprovisioned and overloaded, the session token refresh can fail around the same time that nodes mistakenly think they are partitioned from one another due to busy_dist_port / clogged internode communication.