Eric Sowell

I Had an AWS Elasticsearch Service Outage Today

Posted: 07/31/19 7:51 PM
Tags: Elasticsearch

We had an outage today with the AWS Elasticsearch Service. I figured I would blog about it here just in case anyone might find it instructive, and because I like Elasticsearch so much.

We use Elasticsearch at work purely for logging, so if it goes down temporarily and we lose some logs, it is not a huge deal. All the super important stuff goes into Sql Server or MySql. If you use it for more than logging, you’ll certainly want to set it up differently than I have it setup below (one master node, two others). That being said, I use it all the time, and it has been my chief instrument for understanding this system that I jumped into six months ago. Anyway, let’s jump in.

Problems

The symptom that we first noticed was slowness in some parts of the system. I did not know it at the time, but all calls to Elasticsearch were taking a while (and then failing). A little later we decided to take a look at Kibana (where we keep our logs) to see what was going on and it was completely hosed. At that point it didn’t take log to figure out we had an Elasticsearch-related issue.

The obvious next step was to check the console for Elasticsearch Service in AWS. I did not capture a screenshot in the middle of the kerfuffle (I was a bit busy) but here is one after things had started to recover.

AWS Elasticsearch console

In general with Elasticsearch, green means everything is okay. Yellow/orange means things are working but there are issues, like there aren’t enough nodes for you to have enough copies of all your shards. Red means things are really really bad and you are hosed. Other things you might notice is a general loss of searchable documents (bottom right) and the loss of a node (in the middle).

One of the nice things about Elasticsearch is that it is multi-node, and if you have your sharding and replication correctly setup, you can easily survive the death of a data node. My problem, as it turns out, was not that I lost a data node. Nope, I lost my one and only master node. And that is exactly what Elasticsearch was telling us any time we made a call.


cluster_block_exception
blocked by: [SERVICE_UNAVAILABLE/2/no master]

Or if we made a call to GET /_cluster/health


{
  "error": {
    "root_cause": [
      {
        "type": "master_not_discovered_exception",
        "reason": null
      }
    ],
    "type": "master_not_discovered_exception",
    "reason": null
  },
  "status": 503
}

Dealing With It

On snap! Since this was log data only, the first thing was to just stop sending logging calls to Elasticsearch to get the app back to normal, which meant a couple quick ssh sessions into prod and changes to two lines of code to shut all that off. With that, the site was back to normal speed.

One of the big advantages of a managed service like the AWS Elasticsearch Service is that I didn’t have to do anything to fix this. A few minutes later AWS spun up a new master node, and because Elasticsearch already knows how to rebalance its shards when it loses a node, at that point I just had to wait for things to get back to normal. Here is a picture of the GET /_cat/allocation?v call during this rebalancing process.

Elasticsearch Shuffling Shards

If you have never seen this before, you have one node per line, and the shards will be spread out across all the nodes. Depending on how you have it set up, you might have it generally balanced among the nodes, as is the case for me. And here it is after the fact.

Elasticsearch Nice and Tidy

The great thing about all this is that this is basically a self-recovering system, which is pretty handy. But it did make me curious how many nodes I have lost over the last two weeks.

My Nodes

Hrrrrrrrrmmmm. Honestly, it is a little troubling to me that I have nodes come in and out this often. Looking at the other visualizations in the dashboard, I see that the "Cluster writes status" is a complete lie because it didn’t notice my outage today, or any change over the last two weeks. The cluster status graph tells me when all was green but not when it was yellow or red.

Cluster Status

The Kibana status, however, seems useful.

Kibana Status

Even though it shouldn’t be the case, the Kibana graph is probably the most beneficial graph for Elasticsearch usability.

Final Thoughts

Fortunately, this had no impact on the customers except a little slowness. We don’t throw exceptions for these errors, so things were able to run pretty well regardless of problems.

I suspect that I could have avoided this outage entirely by just having more master nodes (as my buddy Brett pointed out). It is actually quite easy to configure multiple master nodes in Elasticsearch, and the AWS Elasticsearch Service allows you to do that as well. But that raises server costs, so I am not sure I am going to do that. If this wasn’t just log data, I would have done this already.

I was suprised at the number of failures but pleased with the self-healing ability. As a man with no ops person and a tiny dev team (two of us), fiddling around with operational things is not something we have a lot of time for, so I haven’t decided what I am going to do at this point, if anything. I already have plenty of super important things to deal with.

One obvious improvement would be to move these to asynchronous calls to Elasticsearch. This would at least keep the site from slowing down. But I am on an old version of PHP and Laravel, so this might be easier said than done. There are several things in this combo that I have come to distrust.

A common pattern people follow to write logs to Elasticsearch is to put Filebeat and Logstash between the app and Elasticsearch. So the app would write to STDOUT, then filebeat would pick that up and give it to Logstash, then Logstash would look at it, possibly transform it, then send it to Elasticsearch. This gets rid of the direct connection between app and Elasticsearch, which would have helped me here. We did this a lot at the last job. But this is certainly not something I am going to do anytime soon. It adds more work for me now and adds more moving pieces to the system, complicating it. At the moment I am trying to simplify things, not complicate them. I have a small team. Simplicity of the system is paramount, and that setup sends me in the opposite direction of where I want to go.

That is it for now. May your nodes be abundant and your clusters fruitful.

comments powered by Disqus

Tags

  1. .NET
  2. Ajax
  3. Apostolic Fathers
  4. Aramaic
  5. ASP.NET
  6. ASP.NET MVC
  7. ASP.NET Web API
  8. Azure
  9. Azure Devops
  10. Baptists
  11. Books
  12. C#
  13. Cambodia
  14. Canvas
  15. Career
  16. Christology
  17. Church Fathers
  18. Classics
  19. CSS
  20. Development
  21. Digitization
  22. Drawing
  23. Dynamics
  24. Early Christianity
  25. Eastern Orthodox
  26. Ecclesiology
  27. Education
  28. Elasticsearch
  29. Entertainment
  30. Flash
  31. Fun
  32. General
  33. Gnosticism
  34. Gospels Studies
  35. Greece
  36. Greek
  37. Greek Handwriting
  38. Hebrew
  39. History
  40. Html
  41. HTML5
  42. IIS
  43. Improving
  44. Intertestamental History
  45. iOS
  46. Javascript
  47. JavaScript
  48. LaTeX
  49. Latin
  50. Mark
  51. Mobile
  52. Mobile Web
  53. New Testament
  54. Node.js
  55. NT Apocrypha
  56. Old Testament
  57. Pauline Studies
  58. Performance
  59. Philosophy
  60. Politics
  61. Power Platform
  62. Productivity
  63. Pylus
  64. Python
  65. React
  66. Renaissance
  67. Silverlight
  68. Software
  69. Speaking
  70. StructureMap
  71. Teaching
  72. Tech Community
  73. Tech Review
  74. Technology
  75. Textual Criticism
  76. The Reformation
  77. Theology
  78. Touch Programming
  79. Visual Studio
  80. Visual Studio 2010
  81. WCF
  82. Windows7
  83. Winforms
  84. WPF

Posts by Month

2004

  1. Aug
  2. Sept
  3. Oct
  4. Nov
  5. Dec

2005

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. June
  7. July
  8. Aug
  9. Sept
  10. Oct
  11. Nov
  12. Dec

2006

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. Aug
  7. Sept
  8. Oct
  9. Nov
  10. Dec

2007

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. June
  7. July
  8. Aug
  9. Sept
  10. Oct
  11. Nov
  12. Dec

2008

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. June
  7. July
  8. Aug
  9. Sept
  10. Oct
  11. Nov
  12. Dec

2009

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. June
  7. July
  8. Aug
  9. Sept
  10. Oct
  11. Nov
  12. Dec

2010

  1. Jan
  2. Aug
  3. Nov
  4. Dec

2011

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. June
  7. Aug
  8. Sept
  9. Oct
  10. Nov
  11. Dec

2012

  1. Jan
  2. Feb
  3. June
  4. July
  5. Sept

2013

  1. May
  2. June
  3. July
  4. Oct
  5. Nov

2014

  1. Jan
  2. June

2015

  1. Mar
  2. June
  3. Aug
  4. Sept
  5. Oct

2016

  1. Jan
  2. Mar
  3. July
  4. Oct
  5. Nov
  6. Dec

2017

  1. Jan
  2. Feb
  3. May
  4. June
  5. Aug
  6. Dec

2018

  1. Mar
  2. Apr
  3. June
  4. Aug
  5. Sept
  6. Oct
  7. Nov

2019

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. June
  7. July
  8. Aug
  9. Dec

2020

  1. Jan
  2. Feb
  3. Mar
  4. May
  5. June
  6. July
  7. Aug
  8. Oct
  9. Dec

2021

  1. Jan
  2. Apr
  3. Aug

2022

  1. Apr

2024

  1. Feb