2022-02-18: Creation timestamp of container images shown as null in the UI/API

Incident DRI

Current Status

The root cause was identified (gitlab-org/gitlab#353244 (closed)) and a fix (gitlab-org/gitlab!81056 (merged)) is on the way.

Summary for CMOC notice / Exec summary:

1. Customer Impact: Users cannot see the creation timestamp of container images in the GitLab UI/API. There is a workaround described here.
2. Service Impact: ServiceContainer Registry
3. Impact Duration: 2022-01-26 - end time UTC ( duration in minutes )
4. Root cause: The "follow redirect" functionality in the Rails container registry client was incompatible with redirections to Google Cloud CDN (gitlab-org/gitlab#353244 (closed)).

Timeline

• Problem should have started on 2022-01-26 when we started the gradual rollout of the Cloud CDN feature for GitLab.com. Nothing was reported until 2022-02-18;
• Incident declared on 2022-02-18, in response to a customer report (gitlab-org/gitlab#352999 (closed));
• Root cause and corrective actions identified on 2022-02-18;
• Fix deployed to GitLab.com on date ;
• Resolved on end time UTC .

Recent Events (available internally only):

• Deployments
• Feature Flag Changes
• Infrastructure Configurations
• GCP Events (e.g. host failure)

All times UTC.

2022-02-18

• 11:25 - @jdrpereira declares incident in Slack.

Takeaways

This subtle issue went unnoticed during the preparation and initial release of the Cloud CDN feature for the Container Registry on GitLab.com (so this affected GitLab.com only). The problem only revealed itself when invoking the Rails API/UI from outside GCP, as otherwise, the registry continues to redirect clients to GCS and not CDN. The only place where Rails performs a blob download is for detecting the creation timestamp of a container image. When it fails to obtain such blob, the creation timestamp is displayed as "just now" in the Rais UI and null in the API. So multiple things went wrong here:

• We did not pay enough attention to the Rails UI/API when testing the CDN feature in staging. The lack of the creation timestamp went unnoticed;
• Rails is silently failing when unable to download a blob from the registry, which has not raised any alarm (e.g. warn/error log message or exception in Sentry). In conjunction with the above, this caused us to not realize we had a problem;
• Our QA tests run within GCP, which means that they don't trigger specific behaviors only observed when requests originate outside GCP. This is a blind spot.

Corrective Actions

• gitlab-org/gitlab#353244 (closed): To fix the actual bug;
• gitlab-org/gitlab#353223: To log all failed requests in the container registry client;
• gitlab-org/gitlab#353230 (closed): To patch the QA blind spot in regards to requests originating outside GCP.

---

Note: In some cases we need to redact information from public view. We only do this in a limited number of documented cases. This might include the summary, timeline or any other bits of information, laid out in out handbook page. Any of this confidential data will be in a linked issue, only visible internally. By default, all information we can share, will be public, in accordance to our transparency value.

Create a confidential issue

Click to expand or collapse the Incident Review section.

Incident Review

• Ensure that the exec summary is completed at the top of the incident issue, the timeline is updated and relevant graphs are included in the summary
• If there are any corrective action items mentioned in the notes on the incident, ensure they are listed in the "Corrective Action" section
• Fill out relevant sections below or link to the meeting review notes that cover these topics

Customer Impact

1. Who was impacted by this incident? (i.e. external customers, internal customers)
   1. ...
2. What was the customer experience during the incident? (i.e. preventing them from doing X, incorrect display of Y, ...)
   1. ...
3. How many customers were affected?
   1. ...
4. If a precise customer impact number is unknown, what is the estimated impact (number and ratio of failed requests, amount of traffic drop, ...)?
   1. ...

What were the root causes?

• ...

Incident Response Analysis

1. How was the incident detected?
   1. ...
2. How could detection time be improved?
   1. ...
3. How was the root cause diagnosed?
   1. ...
4. How could time to diagnosis be improved?
   1. ...
5. How did we reach the point where we knew how to mitigate the impact?
   1. ...
6. How could time to mitigation be improved?
   1. ...
7. What went well?
   1. ...

Post Incident Analysis

1. Did we have other events in the past with the same root cause?
   1. ...
2. Do we have existing backlog items that would've prevented or greatly reduced the impact of this incident?
   1. ...
3. Was this incident triggered by a change (deployment of code or change to infrastructure)? If yes, link the issue.
   1. ...

What went well?

• ...

Guidelines

• Blameless RCA Guideline

Resources

1. If the Situation Zoom room was utilised, recording will be automatically uploaded to Incident room Google Drive folder (private)

added IncidentActive ServiceContainer Registry Source::IMAIncidentDeclare incident severity4 labels

changed the severity to Low - S4

Slack channel here.

Production checks fail!

---

Production has no active severity1 / severity2 incidents

---

Production has no change requests in progress

---

GitLab Deployment Health Status - overview

• All services healthy

---

active deployment

Production environment locked: There's an active production deployment, see the deployer pipeline

---

Rollback of gprd is unavailable:

Current: 14.8.202202180320

Target: 14.8.202202172120

Comparison: https://gitlab.com/gitlab-org/security/gitlab/-/compare/a262d63167a8c38883266e6fa1d25647704133a1...4c1dbbb43766ee7634ec1393d84c44f341481a88

1 post-deploy migrations

• 20220217135229_validate_not_null_constraint_on_security_findings_uuid.rb

This was initially reported in gitlab-org/gitlab#352999 (closed). It seems to be affecting the displaying of all images on GitLab.com.

From gitlab-org/gitlab#352999 (closed):

I can see the timestamp being retrieved as null in the GraphQL API:

Checking the container registry backend, there is nothing wrong with the configuration payload of the images or the registry API response, they all have the created timestamp which serves as the source for the created_at on the Rails API response.

Checking the production console:

[ gprd ] production> cr = ContainerRepository.find_by_path(ContainerRegistry::Path.new('gitlab-org/build/cng/gitlab-kas'))
=> #<ContainerRepository id: 2645879, project_id: 4359271, name: "gitlab-kas", created_at: "2022-01-12 23:17:45.565927000 +0000", updated_at: "2022-01-12 23:17:45.565927000 +00...
[ gprd ] production> t = cr.tags.pop{|t| t.name == '14-8-stable'}
=> #<ContainerRegistry::Tag:0x00007f7539da4778 @repository=#<ContainerRepository id: 2645879, project_id: 4359271, name: "gitlab-kas", created_at: "2022-01-12 23:17:45.56592700...
[ gprd ] production> t.created_at
=> Thu, 17 Feb 2022 22:08:29 +0000

This rules out a problem in the image (already unlikely given that it's happening apparently everywhere), the container registry, or between Rails and the registry. So this seems to be limited to the Rails API.

mentioned in issue gitlab-org/gitlab#352999 (closed)

changed the description

marked this issue as related to gitlab-org/gitlab#352999 (closed)

added NeedsRootCause label

Update

Engineers continue investigating the root cause.

Current findings (narrowing the investigation)

• Images have the timestamp, this narrows the problem to Rails API
• Something between the Tag object and the API output is nullifying the value

Discarded guesses and long shots

• Possible problem with timestamps marshaling
• Possible relation with auth

Next

• Continue investigating ...

mentioned in issue on-call-handovers#2498 (closed)

marked this issue as related to gitlab-org/gitlab#353223

mentioned in issue gitlab-org/gitlab#353230 (closed)

marked this issue as related to gitlab-org/gitlab#353230 (closed)

Update

Engineers continue investigating the root cause.

Current findings (implementing observability improvements and narrowing the investigation)

• corrective action We need to improve the service observability to detect and rule out problems when Rails fetches the configuration blobs (which contain the images creation timestamp) from the registry storage backend (GCS for GitLab.com): gitlab-org/gitlab#353223.

• corrective action We have identified a test gap that should be filled to prevent issues like this in the future: gitlab-org/gitlab#353230 (closed).

Next

• Implement and deploy observability improvements (gitlab-org/gitlab#353223) so that we can confirm or rule out problems when interacting with GCS;

• Continue investigating other possible root causes...

mentioned in issue gitlab-org/gitlab#353244 (closed)

marked this issue as related to gitlab-org/gitlab#353244 (closed)

Update

Engineers have identified the root cause and have started working on a fix.

Current findings (root cause and initial date of the problem have been identified)

• The Faraday http client library is url-encoding characters that do not need to be encoded. The Google Cloud CDN requires use of URLs that are not encoded, so when it receives the request with the encoded URL, it returns a 403 error.

• Faraday has always encoded these characters by default, but it wasn't until we started using the Google Cloud CDN on 2022-01-26 that this became a problem.

Next

• A fix will be implemented on gitlab-org/gitlab#353244 (closed). Updates regarding the status of the fix will be posted in that issue.

A small update here: we have an MR started implementing the fix. The plan is to release it behind a feature flag so we have the ability to disable the change in case there are unforeseen side effects.

mentioned in issue on-call-handovers#2499 (closed)

mentioned in issue on-call-handovers#2500 (closed)

mentioned in issue on-call-handovers#2501 (closed)

mentioned in issue on-call-handovers#2502 (closed)

mentioned in issue on-call-handovers#2503 (closed)

mentioned in issue on-call-handovers#2504 (closed)

mentioned in issue on-call-handovers#2505 (closed)

mentioned in issue on-call-handovers#2506 (closed)

added RootCauseSoftware-Change label

removed NeedsRootCause label

mentioned in issue on-call-handovers-test#8

mentioned in issue on-call-handovers#2507 (closed)

mentioned in issue on-call-handovers#2508 (closed)

mentioned in issue on-call-handovers-test#9 (closed)

mentioned in issue on-call-handovers#2509 (closed)

mentioned in issue on-call-handovers-test#10 (closed)

mentioned in issue on-call-handovers#2510 (closed)

mentioned in issue on-call-handovers-test#11

mentioned in issue on-call-handovers#2511 (closed)

mentioned in issue on-call-handovers-test#12 (closed)

mentioned in issue on-call-handovers#2512 (closed)

mentioned in issue on-call-handovers-test#13 (closed)

I understand we follow a more relaxed incident review process for incidents with lower severities, but, hehe, yes there is a but, our process is there for us to learn and improve and with the high impact container registry has, I would like us to proactively learn so we can avoid incidents.

@10io @jdrpereira, can you please do an RCA and fill in the details of the corrective actions with their corresponding due dates and DRIs?

@michelletorres, I just filled the timeline, takeaways, and corrective actions. As for the incident review, there is a prominent comment in the template:

<!-- THE BELOW IS TO BE CONDUCTED ONCE THE ABOVE INCIDENT IS MITIGATED. -->
<br/>
<details>
<summary><i>Click to expand or collapse the Incident Review section.</i>
<br/>

# Incident Review

So I'm holding off until this is mitigated.

mentioned in issue on-call-handovers#2513 (closed)

mentioned in issue on-call-handovers-test#14

changed the description

mentioned in issue on-call-handovers#2514 (closed)

mentioned in issue on-call-handovers-test#15 (closed)

mentioned in issue on-call-handovers#2515 (closed)

mentioned in issue on-call-handovers-test#16 (closed)

I'm getting a slightly different manifestation of this problem:

this is on gitlab.com

Thanks for reporting @bradwood. It seems like the UI may behave differently in the presence of a created_at with value null. For some, it shows Published just now, for others it shows the UNIX epoch (00:00:00 UTC on 1 January 1970). Regardless, the root cause is the same. We have a fix on the way (gitlab-org/gitlab!81056 (merged)).

@nmezzopera, is this the expected UI behavior? Just to know if we should open an issue for this.

The difference in showing is the user setting use relative time or not:

Both are related to the same issue underlying, just a difference in the calculation based on that setting

I have the "use relative time" setting on and I observe the issue

mentioned in issue on-call-handovers#2516 (closed)

mentioned in issue on-call-handovers-test#17

mentioned in issue on-call-handovers#2517 (closed)

mentioned in issue on-call-handovers#2518 (closed)

mentioned in issue on-call-handovers#2519 (closed)

mentioned in issue on-call-handovers#2520 (closed)

mentioned in issue on-call-handovers#2521 (closed)

mentioned in issue on-call-handovers#2522 (closed)

mentioned in issue on-call-handovers#2523 (closed)

mentioned in issue on-call-handovers#2524 (closed)

mentioned in issue on-call-handovers#2525 (closed)

mentioned in issue on-call-handovers#2526 (closed)

mentioned in issue on-call-handovers#2527 (closed)

mentioned in issue on-call-handovers#2528 (closed)

Also reported on the forum in https://forum.gitlab.com/t/container-registry-shows-published-just-now/66017

mentioned in issue on-call-handovers#2529 (closed)

mentioned in issue on-call-handovers#2530 (closed)

mentioned in issue on-call-handovers#2531 (closed)

mentioned in issue on-call-handovers#2532 (closed)

mentioned in issue on-call-handovers#2533 (closed)

mentioned in issue on-call-handovers#2534 (closed)

mentioned in issue on-call-handovers#2535 (closed)

mentioned in issue on-call-handovers#2536 (closed)

mentioned in issue on-call-handovers#2537 (closed)

mentioned in issue on-call-handovers#2538 (closed)

mentioned in issue on-call-handovers#2539 (closed)

mentioned in issue on-call-handovers#2540 (closed)

mentioned in issue on-call-handovers#2541 (closed)

mentioned in issue on-call-handovers#2542 (closed)

mentioned in issue on-call-handovers#2543 (closed)

mentioned in issue on-call-handovers#2544 (closed)

mentioned in issue on-call-handovers#2545 (closed)

mentioned in issue on-call-handovers#2546 (closed)

mentioned in issue on-call-handovers#2547 (closed)

mentioned in issue on-call-handovers#2548 (closed)

mentioned in issue on-call-handovers#2549 (closed)

Great to see this here and the fix already on its way. I've been struggling to figure this out for a while now. Hopefully it'll be resolved soon as the MR was just merged.

mentioned in issue on-call-handovers#2550 (closed)

mentioned in issue on-call-handovers#2551 (closed)