2023-12-14: sidekiq_queueing for shard catchall violating SLO
Customer Impact
No observed customer impact
Current Status
- 2023-12-18 17:34 UTC - MR "Refresh security policies only when user is present in approvers" was deployed to production.
- 2023-12-18 19:25 UTC - database_throttled queue was fully processed and we removed the feature flag drop_sidekiq_jobs_Security::RefreshProjectPoliciesWorker
- 2023-12-18 19:45 UTC - Reverted Security::ProcessScanResultPolicyWorker back to catchall shard on gitlab-com/gl-infra/k8s-workloads/gitlab-com!3313 (merged)
- Around 18:30 UTC Scan Results Policy feature was enabled by a large customer.
- This resulted in saturation on our catchall sidekiq shard caused by the worker AuditEvents::AuditEventStreamingWorker
- The responsible caller to this worker is Security::ProcessScanResultPolicyWorker
- This also had some impact on our DB load.
We have moved the AuditEvents::AuditEventStreamingWorker worker to the database_throttled shard for now, and will have to monitor the queue length once done.
While this took pressure off the catchall shard, it is not sustainable for the database_throttled queue.
Because of this we have opted to disable the feature for now:
Feature.disable(:"run_sidekiq_jobs_Security::ProcessScanResultPolicyWorker")
Feature.disable(:"run_sidekiq_jobs_Security::RefreshProjectPoliciesWorker")
Next Steps
- Wait for Refresh security policies only when user is pre... (gitlab-org/gitlab!139980 - merged) to be merged, deployed and enable skip_refresh_project_policies FF for the customer.
- SRE on-call connect to rails console and remove the deferral following https://docs.gitlab.com/ee/development/feature_flags/index.html#deferring-sidekiq-jobs
  /chatops run feature delete drop_sidekiq_jobs_Security::RefreshProjectPoliciesWorker --ignore-feature-flag-consistency-check
- SRE on-call when backlog in database_throttled is done revert gitlab-com/gl-infra/k8s-workloads/gitlab-com!3305 (merged)
Note: In some cases we need to redact information from public view. We only do this in a limited number of documented cases. This might include the summary, timeline or any other bits of information laid out in our handbook page. Any of this confidential data will be in a linked issue, only visible internally. By default, all information we can share will be public, in accordance with our transparency value.
Security Note: If anything abnormal is found during the course of your investigation, please do not hesitate to contact security.