Getting the design ready for production troubleshooting
The following is an excerpt from a design document for a major feature in RavenDB 4.0 that I’m currently reviewing, written by Tal.
One of the major problems when debugging such issues in production is the fact that most of the interesting information resides in memory and goes away when the server restarts, the sad thing is that the first thing an admin will do when having issues with the server is to recycle it, giving us very little to work with. Yes, we have logs, but debug level logs are very expensive and usually are not enabled in production (nor should they), we already have the ability to turn logs on, on a production system which is a great option but not enough. The root cause of a raft problem usually resides in the past so unless we have logs from the beginning of time there is not much use for them. The suggested solution is a persistent log for important events that indicate that things went south.
This is based on our experience (and frustration) from diagnosing production issues. By the time the admin see something is wrong, the problem already occurred, and in the process of handling the problem, the admin will typically focus on fixing it, rather than figuring out what exactly is going on.
Those kind of features, focusing explicitly on giving us enough information to find the root cause of the issue has been an on going effort for us. Yesterday they enabled us to get a debug package from a customer (a zip file that the server can generate with a lot of important information), go through it and figure out exactly what the problem was (the customer was running in 32 bits mode and running into virtual memory exhaustion) in one support roundtrip, rather than having to go back and forth multiple times to try to get a bunch of different data points to figure out the issue.
Also, go and read Release It, it has a huge impact on actual system design.
Do you mean "extract" instead of "expert" in the first sentence?
@Carsten - given the phonetics involved, I'd guess it was meant to be "excerpt".
I see you have design documents that capture the "motivations" and the "reasoning" to build a feature in a certain way, IMHO that's the only way to build design documents with actual value for future readers.
I meant excerpt
Pop Catalin, The idea here is that the impl is often very mutable. We keep finding better ways to do stuff, and it changes what we do. However, even if you read the code, a lot of the things that we do is the stuff that isn't done, and that has a lot of implications. Why we choose to not do something is not visible in the docs, and maintaining the history of our motivations is very important.
The doc specifically mentions looking for problems in Raft. My experience with logging in Raft-style systems is that there's a steady-state "happy path" through the system on which it is expensive to log, but there's all sorts of deviations that indicate something funny going on, and all such deviations can write fairly detailed log messages without worrying about performance too much as they are, by definition, rare and unusual cases.
The resulting logs are indeed incredibly useful as you can see exactly what was going on, without needing to recording thousands of "everything is fine, I chose the happy path" messages in between the deviations.
David, We aren't talking here about making this a general log, and having to wade through thousands of "it's okay" isn't fun.
The issue is that when you do have a problem, then it is common to generate a LOT of error message about it, and the critical stuff is usually at the beginining