Incidents/2025-03-31 docker-registry corrupt blob
document status: draft
Summary
| Incident ID | 2025-03-31 docker-registry corrupt blob | Start | 2025-03-28 00:30:00 |
|---|---|---|---|
| Task | T390251 | End | 2025-03-31 11:38:00 |
| People paged | 0 | Responder count | Scott French, Luca Toscano, Alexandros Kosiaris |
| Coordinators | We didn't need one. | Affected metrics/SLOs | None. We do have SLO for docker-registry, see https://wikitech.wikimedia.org/wiki/SLO/Docker-registry but it's not about durability |
| Impact | A few deployments got temporarily blocked | ||
In 2 separate occasions, on Friday 2025-03-28, early after midnight UTC and Monday 2025-03-31 EU morning we had a couple of MediaWiki deployments getting aborted due to a failure to pull a valid OCI image from the docker-registry. The registry was returning a corrupt blob for a layer of the image for a period of time. While we still haven't found the smoking gun log line, apparently this had to do with nginx caching of blobs in a full filesystem.
Timeline
Write a step by step outline of what happened to cause the incident, and how it was remedied. Include the lead-up to the incident, and any epilogue.
Consider including a graphs of the error rate or other surrogate.
Link to a specific offset in SAL using the SAL tool at https://sal.toolforge.org/ (example)
All times in UTC
2025-03-28
- 00:30 Ahmon files https://phabricator.wikimedia.org/T390251 INCIDENT BEGINS
- 00:04 (Something something)
- 00:06 (Voila) OUTAGE ENDS
- 00:15 (post-outage cleanup finished)
TODO: Clearly indicate when the user-visible outage began and ended.
Detection
A human detected the issue and filed a task. There are no alerts currently on this level. Remains to be discussed whether it is sensible to create such alerts and how. The preliminary useful data, does exist in Kubernetes events, however it is also showing up only during a deployment.
Conclusions
OPTIONAL: General conclusions (bullet points or narrative)
What went well?
- No impact to anything else than deployments.
- The system worked as designed and did not deploy corrupt artifacts
What went poorly?
OPTIONAL: (Use bullet points) for example: documentation on the affected service was unhelpful, communication difficulties, etc
Where did we get lucky?
- …
OPTIONAL: (Use bullet points) for example: user's error report was exceptionally detailed, incident occurred when the most people were online to assist, etc
Links to relevant documentation
- …
Add links to information that someone responding to this alert should have (runbook, plus supporting docs). If that documentation does not exist, add an action item to create it.
Actionables
- …
Create a list of action items that will help prevent this from happening again as much as possible. Link to or create a Phabricator task for every step.
Add the #Sustainability (Incident Followup) and the #SRE-OnFire Phabricator tag to these tasks.
Scorecard
| Question | Answer
(yes/no) |
Notes | |
|---|---|---|---|
| People | Were the people responding to this incident sufficiently different than the previous five incidents? | ||
| Were the people who responded prepared enough to respond effectively | |||
| Were fewer than five people paged? | |||
| Were pages routed to the correct sub-team(s)? | |||
| Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours. | |||
| Process | Was the "Incident status" section atop the Google Doc kept up-to-date during the incident? | ||
| Was a public wikimediastatus.net entry created? | |||
| Is there a phabricator task for the incident? | |||
| Are the documented action items assigned? | |||
| Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence? | |||
| Tooling | To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are open tasks that would prevent this incident or make mitigation easier if implemented. | ||
| Were the people responding able to communicate effectively during the incident with the existing tooling? | |||
| Did existing monitoring notify the initial responders? | |||
| Were the engineering tools that were to be used during the incident, available and in service? | |||
| Were the steps taken to mitigate guided by an existing runbook? | |||
| Total score (count of all “yes” answers above) | |||