activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Tully (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-3364) Broker can lose messages during pure master/slave failover when master undergoes a controlled shutdown
Date Tue, 19 Jul 2011 09:53:57 GMT

    [ https://issues.apache.org/jira/browse/AMQ-3364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13067597#comment-13067597
] 

Gary Tully commented on AMQ-3364:
---------------------------------

one thought, there is a shutdownOnSlaveFailure attribute on a broker such that a controlled
shutdown of the master can be triggered by a slave failure or shutdown. I wonder if shutting
down the slave can provide a workaround. 
But the shutdown order does seem to be problematic in this case. The connectors and active
connections should be terminated first so that the clients can see the failure early and failover
kicks in.

> Broker can lose messages during pure master/slave failover when master undergoes a controlled
shutdown
> ------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-3364
>                 URL: https://issues.apache.org/jira/browse/AMQ-3364
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.4.2, 5.5.0
>            Reporter: Martin Serrano
>            Priority: Critical
>
> I see this problem consistently when a producer is continuously sending messages and
the master is shutdown in a controlled fashion.  When the master broker is undergoing a controlled
shutdown, the BrokerService.stop() method stops things in this order: 
> * services 
> * connectors 
> * registered vm transports 
> * broker 
> So there is a period where the broker will still process sends after other (apparently
necessary) facilities have been shutdown.  I have not followed the code paths to understand
exactly what goes wrong, but I traced enough to tell that messages sent in this interval can
disappear.  That is, the client send call will return without error but after failover the
slave will not replay the message.  
> This appears to only be an issue during a controlled shutdown.  Process death should
not cause this problem. 
> I'm currently working around this by having the BrokerService set a stopping flag and
having the MasterBroker check this flag and reject sends (with a new exception class) if true.
 My client code then detects this case and just retries until the failover is complete.  It
seems like there should be a better and more integrated solution that does not require the
client code to handle this but is handled inside of the FailoverTransport code on the client's
behalf.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message