Compaction Strategy Cassandra Ops & Automation

Diagnosing Gossip Protocol Failures in Multi-DC Clusters: Production-Ready Diagnostics & Automation

Gossip operates as the decentralized membership and failure detection backbone in Apache Cassandra. In multi-datacenter (DC) deployments, asymmetric routing, MTU fragmentation, and I/O saturation from background maintenance frequently trigger false-positive failure detections. When the failure detector incorrectly marks a peer as unreachable, cross-DC repair streams stall, compaction backlogs compound, and consistency guarantees degrade. Understanding how Node Gossip & Failure Detection Protocols interact with underlying storage mechanics is essential before attempting remediation. This guide delivers deterministic, idempotent workflows for isolating gossip degradation, correlating it with Cassandra Architecture & Compaction Fundamentals, and executing controlled state reconciliation across v4.x and v5.x clusters.

The decision tree below outlines the triage path from an observed symptom through telemetry inspection to a likely root cause and its corrective action.

flowchart TD A["Symptom node flapping or marked DOWN"] --> B["Check nodetool gossipinfo and failuredetector phi"] B --> C{"What drives high phi"} C -->|"network latency"| D["Tune cross-DC keepalive and routing"] C -->|"GC pause"| E["Tune JVM heap and pauses or raise phi_convict_threshold"] C -->|"clock skew"| F["Enforce chronyd or ntpd drift under 50ms"] C -->|"I/O starvation"| G["Throttle compaction and repair load"] D --> H["Revalidate phi and gossip stability"] E --> H F --> H G --> H
Gossip failure diagnostic decision tree

Prerequisites & Safety Constraints

Before executing diagnostics, enforce these production safety constraints:

  • Clock Synchronization: All nodes must run chronyd or ntpd with drift ≤50ms. Clock skew corrupts gossip generation/version vectors and invalidates failure detector timestamps.
  • Configuration Parity: Verify cassandra.yaml consistency across all nodes. endpoint_snitch, seed_provider, phi_convict_threshold (default 8.0), and cross_dc_tcp_keep_alive must match exactly.
  • Read-Only Default: All diagnostic scripts execute in read-only mode. State mutation requires explicit --confirm flags and pre-flight validation gates.
  • Prohibited Commands: Never execute nodetool assassinate, nodetool decommission, or nodetool stopdaemon during active gossip instability. These bypass consensus and risk partitioned data loss.

Step 1: Baseline Gossip & Failure Detector Telemetry

Cassandra v4.x and v5.x expose thread pool saturation through the system_views.thread_pools virtual table, queryable via CQL. There is no system_views.gossip_info table, however: gossip generation/version and per-endpoint phi values are not available through CQL. Source them from the JMX FailureDetector MBean or by parsing nodetool gossipinfo and nodetool failuredetector.

#!/usr/bin/env python3
"""
Idempotent gossip baseline validator for Cassandra v4.x/v5.x.
Reads thread-pool saturation from system_views.thread_pools and per-endpoint
phi values from `nodetool failuredetector`, without mutating state.
"""
import re
import subprocess
import sys
import json
from cassandra.cluster import Cluster
from cassandra.auth import PlainTextAuthProvider

SAFETY_CHECKS = {
    "min_version": 4,
    "max_phi_threshold": 12.0,
    "read_only": True
}

def validate_cluster_version(session):
    row = session.execute("SELECT release_version FROM system.local LIMIT 1").one()
    major = int(row.release_version.split('.')[0])
    if major < SAFETY_CHECKS["min_version"]:
        raise RuntimeError(f"Unsupported version {row.release_version}. system_views requires Cassandra 4.0+")
    return major

def collect_gossip_baseline(contact_points, username=None, password=None):
    auth = PlainTextAuthProvider(username, password) if username else None
    cluster = Cluster(contact_points, auth_provider=auth, connect_timeout=10)
    session = cluster.connect()
    validate_cluster_version(session)

    baseline = {"peers": [], "thread_pools": []}

    # Per-endpoint phi values are not exposed via CQL; parse `nodetool failuredetector`.
    # Endpoint header lines look like "/10.0.0.1"; strip the leading "/".
    for ep, phi in parse_failuredetector().items():
        baseline["peers"].append({"peer": ep, "phi": phi})

    # Thread pool saturation check via the real system_views.thread_pools table.
    monitored = ("GossipStage", "CompactionExecutor", "RepairSession")
    tp_rows = session.execute("""
        SELECT name, active_tasks, pending_tasks, completed_tasks, blocked_tasks
        FROM system_views.thread_pools
    """)
    for row in tp_rows:
        if row.name not in monitored:
            continue
        baseline["thread_pools"].append({
            "pool": row.name,
            "active": row.active_tasks,
            "pending": row.pending_tasks,
            "completed": row.completed_tasks,
            "blocked": row.blocked_tasks,
        })

    cluster.shutdown()
    return baseline


def parse_failuredetector():
    """Return {endpoint: phi} parsed from `nodetool failuredetector` output."""
    result = subprocess.run(
        ["nodetool", "failuredetector"],
        capture_output=True, text=True, timeout=15
    )
    if result.returncode != 0:
        raise RuntimeError(f"nodetool failuredetector failed: {result.stderr.strip()}")

    phi_map = {}
    # Rows look like: "/10.0.0.1            8.0          true"
    row_re = re.compile(r"^/?(\S+?):?\d*\s+([0-9.]+|Infinity)\s+\S+")
    for line in result.stdout.splitlines():
        line = line.strip()
        m = row_re.match(line)
        if not m:
            continue
        endpoint = m.group(1)
        raw_phi = m.group(2)
        phi_map[endpoint] = float("inf") if raw_phi == "Infinity" else float(raw_phi)
    return phi_map

if __name__ == "__main__":
    try:
        result = collect_gossip_baseline(["127.0.0.1"])
        print(json.dumps(result, indent=2))
    except Exception as e:
        print(f"[FATAL] Baseline collection failed: {e}", file=sys.stderr)
        sys.exit(1)

Safety Check: Script validates Cassandra major version before querying system_views. Connection timeouts are capped at 10s to prevent thread exhaustion. No mutation occurs. Expected Output: JSON mapping each peer to its phi value (parsed from nodetool failuredetector), alongside active_tasks/pending_tasks/completed_tasks/blocked_tasks for GossipStage, CompactionExecutor, and RepairSession from system_views.thread_pools. Rollback Path: If the script fails or returns malformed data, the cluster state remains untouched. Re-run with --verbose to capture CQL trace logs. No service restart is required.

Step 2: Correlating Gossip Degradation with Compaction & Repair Load

False-positive gossip failures frequently originate from I/O starvation. When compaction or repair consumes available disk bandwidth, the GossipStage thread pool queues packets, causing phi values to exceed phi_convict_threshold.

#!/usr/bin/env bash
# compaction_gossip_correlation.sh
# Correlates high phi values with compaction/repair backlog

set -euo pipefail

SAFETY_GATE() {
    local disk_util
    # Match sd*, nvme*, vd*, xvd*, and dm-* device names; %util is the last column.
    disk_util=$(iostat -x 1 1 | awk '/^(sd|nvme|vd|xvd|dm-)/{print $NF}' | sort -rn | head -1)
    if [ -z "$disk_util" ]; then
        echo "[WARN] Could not read disk utilization from iostat. Skipping I/O gate."
        return 0
    fi
    if (( $(echo "$disk_util > 90" | bc -l) )); then
        echo "[WARN] Disk I/O utilization >90%. Deferring diagnostics to prevent further contention."
        exit 0
    fi
}

EXPECTED_OUTPUT="Tabular output mapping nodes with phi > 7.0 to pending compaction tasks."
ROLLBACK_PATH="If compaction was manually paused via 'nodetool disableautocompaction', re-enable with: nodetool enableautocompaction"

SAFETY_GATE

echo "[INFO] Extracting high-phi nodes..."
# nodetool gossipinfo has no phi field; per-endpoint phi comes from
# nodetool failuredetector. Rows look like: "/10.0.0.1   8.0   true".
# Strip the leading "/" from the endpoint and compare the phi column.
HIGH_PHI_NODES=$(nodetool failuredetector | awk '$2+0 > 7.0 && $2 != "" {sub(/^\//,"",$1); print $1}')

if [ -z "$HIGH_PHI_NODES" ]; then
    echo "[OK] No nodes exceed phi threshold. Gossip healthy."
    exit 0
fi

echo "[INFO] Checking compaction/repair backlog for affected nodes..."
for node in $HIGH_PHI_NODES; do
    echo "--- Node: $node ---"
    nodetool compactionstats | grep -E "pending|active" || echo "No compaction backlog"
    nodetool tpstats | grep -E "RepairSession|GossipStage" | awk '{print $1, $2, $3}'
done

echo "[INFO] Correlation complete."

Safety Check: SAFETY_GATE halts execution if disk utilization exceeds 90%, preventing diagnostic overhead from compounding I/O starvation. Script only reads nodetool output. Expected Output: Filtered list of IPs with phi > 7.0, followed by pending/active compaction counts and thread pool metrics for RepairSession and GossipStage. Rollback Path: If the script detects paused compaction (nodetool disableautocompaction), it logs the exact nodetool enableautocompaction command. No automatic resumption occurs without operator confirmation.

Step 3: Safe State Reconciliation & Threshold Tuning

When network asymmetry causes persistent false positives, you can temporarily raise phi_convict_threshold. There is no nodetool getter/setter for this value: change it persistently in cassandra.yaml (requires a restart) or, for a runtime adjustment, invoke the setPhiConvictThreshold operation on the JMX FailureDetector MBean (org.apache.cassandra.net:type=FailureDetector). The example below drives JMX via jmxterm; the adjustment is reversible and bounded.

#!/usr/bin/env python3
"""
Safe phi_convict_threshold adjustment with automatic rollback.
There is no nodetool command for this value; we use the JMX FailureDetector
MBean (org.apache.cassandra.net:type=FailureDetector) via jmxterm.
"""
import subprocess
import sys
import time

TARGET_THRESHOLD = 10.0
DEFAULT_THRESHOLD = 8.0
RESTORE_DELAY = 300  # seconds
JMX_HOST = "127.0.0.1:7199"
FD_MBEAN = "org.apache.cassandra.net:type=FailureDetector"

def jmxterm(script, timeout=30):
    """Run a jmxterm command script against the local Cassandra JMX port."""
    result = subprocess.run(
        ["jmxterm", "-l", JMX_HOST, "-n", "-v", "silent"],
        input=script, capture_output=True, text=True, timeout=timeout
    )
    if result.returncode != 0:
        raise RuntimeError(f"jmxterm failed: {result.stderr.strip()}")
    return result.stdout.strip()

def read_phi_threshold():
    """Read the current PhiConvictThreshold attribute from the FailureDetector MBean."""
    return jmxterm(f"get -b {FD_MBEAN} PhiConvictThreshold\n")

def set_phi_threshold(value):
    """Invoke setPhiConvictThreshold(double) on the FailureDetector MBean."""
    jmxterm(f"run -b {FD_MBEAN} setPhiConvictThreshold {value}\n")

def adjust_phi_threshold():
    print("[SAFETY] Reading current phi_convict_threshold via JMX...")
    current = read_phi_threshold()
    print(f"[INFO] Current PhiConvictThreshold: {current}")

    print(f"[INFO] Applying temporary threshold: {TARGET_THRESHOLD}")
    set_phi_threshold(TARGET_THRESHOLD)

    print(f"[INFO] Monitoring gossip stabilization for {RESTORE_DELAY}s...")
    time.sleep(RESTORE_DELAY)

    print("[ROLLBACK] Restoring original threshold...")
    set_phi_threshold(DEFAULT_THRESHOLD)
    print("[OK] Threshold restored. Verify with nodetool failuredetector.")

if __name__ == "__main__":
    try:
        adjust_phi_threshold()
    except Exception as e:
        print(f"[FATAL] Adjustment failed. Manual rollback required: {e}", file=sys.stderr)
        sys.exit(1)

Safety Check: Script reads the current threshold before modification. Apply only if phi consistently exceeds 8.0 across multiple intervals. Timeout guards prevent hanging JMX calls. Note that a JMX setPhiConvictThreshold change is in-memory only and is lost on restart; persist the value in cassandra.yaml if you intend to keep it. Expected Output: Confirmation of threshold change, 300-second stabilization window, and automatic restoration to 8.0. Rollback Path: Automatic restoration triggers after RESTORE_DELAY. If the script crashes mid-execution, re-invoke setPhiConvictThreshold 8.0 on the org.apache.cassandra.net:type=FailureDetector MBean (via jmxterm or another JMX client), or simply restart the node to fall back to the cassandra.yaml value. No data mutation occurs.

Step 4: Continuous Validation & Telemetry Integration

Gossip instability rarely resolves permanently without infrastructure-level corrections. Export failure detector metrics to Prometheus using the JMX Exporter and configure alerts on phi_convict_threshold breaches and GossipStage queue depth. For automated node management, integrate the Python baseline validator into your CI/CD pipeline or cron scheduler. Reference the official Apache Cassandra Gossip Documentation for version-specific MBean mappings, and consult the DataStax Python Driver for connection pooling best practices during high-latency diagnostics.

Implement a validation gate that blocks nodetool repair execution when phi values exceed 7.5 across >20% of peers. This prevents repair streams from amplifying gossip flapping and triggering cascading node evictions.

Back to Node Gossip Failure Detection Protocols