You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@activemq.apache.org by "Gary Tully (JIRA)" <ji...@apache.org> on 2011/07/19 11:53:57 UTC

[jira] [Commented] (AMQ-3364) Broker can lose messages during pure master/slave failover when master undergoes a controlled shutdown

    [ https://issues.apache.org/jira/browse/AMQ-3364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13067597#comment-13067597 ] 

Gary Tully commented on AMQ-3364:
---------------------------------

one thought, there is a shutdownOnSlaveFailure attribute on a broker such that a controlled shutdown of the master can be triggered by a slave failure or shutdown. I wonder if shutting down the slave can provide a workaround. 
But the shutdown order does seem to be problematic in this case. The connectors and active connections should be terminated first so that the clients can see the failure early and failover kicks in.

> Broker can lose messages during pure master/slave failover when master undergoes a controlled shutdown
> ------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-3364
>                 URL: https://issues.apache.org/jira/browse/AMQ-3364
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.4.2, 5.5.0
>            Reporter: Martin Serrano
>            Priority: Critical
>
> I see this problem consistently when a producer is continuously sending messages and the master is shutdown in a controlled fashion.  When the master broker is undergoing a controlled shutdown, the BrokerService.stop() method stops things in this order: 
> * services 
> * connectors 
> * registered vm transports 
> * broker 
> So there is a period where the broker will still process sends after other (apparently necessary) facilities have been shutdown.  I have not followed the code paths to understand exactly what goes wrong, but I traced enough to tell that messages sent in this interval can disappear.  That is, the client send call will return without error but after failover the slave will not replay the message.  
> This appears to only be an issue during a controlled shutdown.  Process death should not cause this problem. 
> I'm currently working around this by having the BrokerService set a stopping flag and having the MasterBroker check this flag and reject sends (with a new exception class) if true.  My client code then detects this case and just retries until the failover is complete.  It seems like there should be a better and more integrated solution that does not require the client code to handle this but is handled inside of the FailoverTransport code on the client's behalf.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira