Enable Gitaly's transaction support on gprd canary

Production Change

Change Summary

Enable Gitaly's transaction support on production canary.

Gitaly has recently gained support for ACID transactions. In summary:

• Each RPC runs in a transaction.
• Transactions are snapshot isolated from each other.
• Optimistic concurrency control is used with conflict detection on transaction commit.
• All writes go are write-ahead logged before applying them.

The goal of transactions is to improve Gitaly's reliability. Writes are atomic and durable. Gitaly can recover interrupted writes from the write-ahead log. Concurrency related issues are largely eliminated as transactions are snapshot isolated. Transactions can execute as if they were the only one executing.

As a storage level change, this affects every read and write operation in Gitaly. Unexpected issues can lead to errors, data corruption/loss, or performance problems.

The main uncertainty with the change is related to performance.

• In gitlab-org/gitaly#6146 (comment 1948429409), we've ran GPT benchmarks against transactions. We see a roughly ~20% latency increase but the tests are considered as passing. We've since further optimized by sharing transaction read snapshots when possible.
• In gitlab-org/gitaly#6146 (comment 2001836859) shows that we add about ~20% CPU overhead with transactions. Pretty much all of the overhead is associated with creating read snapshots for the transactions.

Transactions have been running on staging since 2024-06. We identified few bugs in staging which have since been fixed. We'd now like to gather real world data on production canary to see how transactions do in practice. We're interested in finding out whether the performance is sufficient in practice, and whether production data surfaces some cases we haven't covered.

There's further work we'd like to finish before a wider production rollout in Gitaly transactions on GitLab.com (gitlab-org&14532). These largely aim to make the rollout smoother, provide better observability, optimize performance, and some correctness issues that could theoretically occur but are not expected to occur in practice. If there are issues surfacing in the limited canary rollout, bad state may need to be fixed manually.

Enabling and disabling transactions should be safe. After disabling transactions, Gitaly will ensure all WAL is fully applied before resuming non-transactional access. This ensures we don't leave repositories in bad states if transactions are disabled mid write.

This is a second attempt. The first attempt was done in Enable Gitaly's transaction support on gprd canary (#18455 - closed) but was reverted due to performance issues outlined in #18455 (comment 2086842140). We've since addressed the identified action points here. One of them was left unaddressed as we believe it isn't necessary. The other changes we've performed should be sufficient to address the performance issues.

Change Details

1. Services Impacted - ServiceGitaly
2. Change Technician - @samihiltunen
3. Change Reviewer - @ahmadsherif
4. Time tracking - 10 minutes
5. Downtime Component - None

Detailed steps for the change

Change Steps - steps to take to execute the change

Estimated Time to Complete (mins) - 10 minutes

• Set label changein-progress /label ~change::in-progress
• Announce the change on relevant Slack channels:
  • Post on #gitaly, forward the message to #infrastructure-lounge, #development, #delivery, #test-platform.
    • We are deploying Gitaly's transaction support to production canary. Transactions are a major change in Gitaly and affect all of its reads and writes. If you encounter any issues with Git operations, please let the Gitaly team know in #gitaly. You can find more details about this change on the change management issue.
• Merge https://gitlab.com/gitlab-com/gl-infra/chef-repo/-/merge_requests/5037+
• Set label changecomplete /label ~change::complete

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 10 minutes

• Announce the change on relevant Slack channels:
  • Post on #gitaly, forward the message to #infrastructure-lounge, #development, #delivery, #test-platform.
    • We are reverting the changes that enabled transaction support in Gitaly on production canary. If you keep encountering issues with Git operations, please let the Gitaly team know in #gitaly. You can find more details about this change on the change management issue.
• Revert https://gitlab.com/gitlab-com/gl-infra/chef-repo/-/merge_requests/5037+
• Set label changeaborted /label ~change::aborted

Monitoring

Key metrics to observe

The main metric to monitor is Gitaly's Apdex. Transcations affect all storage access in Gitaly, and this metric best covers the overall health of Gitaly.

• Metric: gitaly Service Apdex
  • Location: https://dashboards.gitlab.net/d/gitaly-main/gitaly3a-overview?orgId=1
  • What changes to this metric should prompt a rollback: If the Apdex decreases and shows an increase in errors.

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary.

Change Technician checklist

• Check if all items below are complete:
  • The change plan is technically accurate.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • The change execution window respects the Production Change Lock periods.
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
  • Release managers have been informed prior to any C1, C2, or blocks deployments change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.