fix: prevent compactor from deleting blocks on transient upload failures #8554
Conversation
Fixes thanos-io#8548. When block upload fails after chunks/index files are uploaded to object storage but before meta.json completes, a partial block is left behind. The syncer later marks it as 'partial' and BestEffortCleanAbortedPartialUploads deletes it after 48 hours, causing permanent data loss. This fix ensures immediate cleanup of partial blocks by: - Adding uploadStarted flag to track when upload begins - Using defer to cleanup on error before returning - Calling Delete() with a separate 5min timeout context - Logging warnings when cleanup occurs for observability The local block is still retained (allowing retry) while the remote object storage copy is cleaned up immediately. Signed-off-by: Shivansh Sahu <[email protected]>
Signed-off-by: Shivansh Sahu <[email protected]>
|
Hey maintainers, All tests relevant to my changes in pkg/block pass locally, including the newly added TestUploadCleanup, verifying the fix works as intended. However, the CI is currently failing required unit tests related to cloud backend storages (GCS, AWS S3, Azure, etc.) due to missing credentials and configuration in the CI environment. These failures are unrelated to this patch. Additionally, the documentation check is failing due to broken external links in legacy docs that this PR does not modify. Please advise on how to proceed with the required cloud backend tests. If needed, I am happy to help with a follow-up PR to improve test mocking or environment configuration. Looking forward to your feedback! |
GiedriusS
left a comment
GiedriusS
left a comment
There was a problem hiding this comment.
Uploading function should not be removing anything. We do this on purpose because it is much harder to reason about the system when you upload, delete, upload, etc. We have functionality that removes partially uploaded blocks. Have you seen it?
|
Thank you for pointing me to BestEffortCleanAbortedPartialUploads()! I've reviewed the existing cleanup mechanism in pkg/compact/clean.go. I see that partial blocks (those without meta.json) are cleaned up after 48 hours (PartialUploadThresholdAge). The issue described in #8548 occurs when: Block upload fails transiently after uploading chunks and index but before uploading meta.json The partial block remains in object storage for 48 hours After 48 hours, BestEffortCleanAbortedPartialUploads() deletes it permanently This causes data loss since the block can't be recovered I understand now that adding cleanup logic to upload() violates the separation of concerns. However, I'm not sure what the correct fix should be. Could you help clarify: Should partial uploads be retried immediately? Is the expectation that transient failures should trigger an immediate retry within the same compaction cycle? Should the 48-hour threshold be adjusted? Or is there a way to distinguish between "truly aborted" uploads vs. "temporarily failed but will retry" uploads? Is the root cause that uploads aren't being retried properly? Should I focus on improving retry logic instead of cleanup? I want to make sure I address the data loss issue while respecting Thanos's design principles. What approach would you recommend? |
2 participants
Problem
When block upload fails mid-operation with a transient error (e.g., S3 500 Internal Server Error):
BestEffortCleanAbortedPartialUploads()deletes it permanently 💥Root Cause:
upload()function inpkg/block/block.gohad a comment saying "It makes sure cleanup is done on error to avoid partial block uploads" but NO cleanup code actually existed.Solution
Added defer-based cleanup logic that:
uploadStartedflagDelete()to clean partial block from object storageChanges
File:
pkg/block/block.goupload()function signature to use named return(err error)uploadStartedflag trackingDelete()with isolated contextFile:
pkg/block/block_test.goTestUploadCleanupexpectations:Testing
TestUploadCleanup- verifies partial block cleanup on failurepkg/blocktests passingImpact
Related Issues
Fixes #8548