A big part of this appears to be that dumping the huge Leylines table locks it, so requests can't record their own Leylines data:

| 27164749 | web-xxx | localhost | admin_leylines   | Query   |    98 | Waiting for table level lock | INSERT INTO `leylines_event`
          (agentKey, sessionKey, type,
            xDimensionID, yDimensionID, zDimensionID,
            epoch) VALUES ('xxx', 'xxx', 'aura', 0, 0, 0, 1493234603), ('xxx', 'xxx', 'halo', 7, 0, 0, 1493234603)      |

One "fix" for this would be to disable Leylines for Conduit (or, as a heavier hammer, disable it for all intracluster requests).

I used bin/files migrate to move some old files which were stored in MySQL before S3 was configured to S3. The file blob table is now down to 160MB from 477MB.

Deploying Leylines + GC changes to admin now.

I think the Leylines change didn't actually work because we make the call via the LB so the request appears to coming from outside the cluster.

GC has caught up to Conduit and the conduit_methodcalllog table is down to 160MB from ~1GB.

Leylines is down to 26MB but needs a better fix for the internal traffic since it's accumulating at the same rate as before.

The new backup stuff should run in a couple of hours.

I'm not going to try to time-shift this yet since everyone is going on vacation forever, but I'll probably write a bin/trigger adjust command or something. I could imagine instances wanting to be able to move instance backups to off-peak for their users in the future, and if we set up a mechanism for that it'll be easier to add a UI button later.

The next actions I plan to take here are:

• Fix bin/host download (T12651). This isn't exactly related but it came up during other ops work yesterday.
• Fix the rCORGI dependency (T12652). This came up yesterday when I was deploying admin to update the GC settings.
• Fix the adjustment to Leylines so that we really stop logging metrics for internal Conduit traffic, likely by letting the event handler have a little more information about the request.
• Attempt to improve the performance of the almanac.service.search call (per T12297).

Two other thoughts:

• It might be nice to add an X-Phabricator-Origin: web003.phacility.net HTTP header to intracluster and pseudo-intracluster requests. When a web or repo host makes a request for instance details, identifying the requesting host is currently somewhat involved (X-Forwarded-For). This data isn't available in the access logs right now, although it should be once the application HTTP log deploys. It will also be legitimately unavailable for requests which hit the external load balancer once we put a NAT gateway in place (T11336) since the traffic would go out through the NAT gateway, over the internet, and hit the external interface on the LB.
• Alternatively (or additionally) it would probably be nice to send this traffic through an internal load balancer, instead of through the external interfaces on alb001. That would preserve the origin node in X-Forwarded-For, could give us somewhat better options for monitoring and responding to issues, and generally keep cluster traffic in the cluster. I don't see a particularly strong reason why we definitely want to do this (and it does make overall configuration a bit more complicated) but it feels a little cleaner.

Attempt to improve the performance of the almanac.service.search call

From XHProf, these actually appear reasonable already. I'm seeing ~20ish milliseconds from XHProf, but ~100ish milliseconds from instances. It's possible that the 80ms discrepancy is from Leylines, which fires writes after XHProf finishes. I'm going to deploy D17804 first and see how things look after that.

One broad issue is that admin.phacility.com sees a generally high, sustained request rate of almanac.service.search calls (up to dozens per second). I think the uneven performance I've sometimes observed is just load-related, and that this load is sometimes high enough to max out the Apache workers and cause queue stalls.

These are presumably coming from the web and repo tiers to fetch instance status information ("does this instance exist?"), although I can't conclusively rule out a bug somewhere (either X-Phabricator-Origin or a preserved X-Forwarded-For would help a bit, per above).

I think this request rate is just expected, though. The cache has a 5 minute TTL, but dividing the number of active instances by the TTL lands us in the ballpark of the request rate.

In almost all cases, these cache fetches are fruitless, because it is very rare for instances to change status (normally, once every several months). As with other infrastructure, the current cache design makes fairly good sense when the tier is revenue-generating (it's very simple, we can just add more admin hosts to scale it, and instances get updated promptly) but does not scale gracefully to a mostly-free tier.

Some approaches we could take:

• Add more admin hardware (pro: something we should do eventually anyway; con: complex, doesn't really solve the problem, just sweeps it under the rug).
• Push out cache dirties, then raise the TTL (pro: reduces load in a steady state by an arbitrary factor; con: complex, could still hit thundering herd problems, opens more windows for cache inconsistencies).
• Change instances to bulk-fetch caches (pro: probably much better for repo hosts, limits thundering herd; con: probably much worse for web hosts, especially at scale, dirties get messier).
• Put an intermediate lightweight cache layer in place [memcache, direct database cache] (pro: kind of improves things, might be better in some sense than the disk garbage we're doing now; con: doesn't solve the problem, adds a lot of complexity, no other current use cases for this cache, disk garbage is pretty simple/reliable).
• Make the cache change-based instead of state-based. The rate of changes to this cache is very low, so hosts could reasonably fetch and write an initial cache state on deploy, then just subscribe to changes to the cache. This makes the cache itself more complicated, but might position us better in the long run, at least for repo hosts. I think web hosts probably need to stay on the state-based readthrough cache plan, though? So maybe this isn't really such a hot idea.

I'm inclined to:

• At least plan (and possibly execute) expanding the admin tier since this is something we should do anyway for redundancy, and there shouldn't be any major issues now that secure has been stable in a similar configuration for long time.
• Probably put an internal LB into production and send the internal admin traffic through that, to preserve X-Forwarded-For and keep the traffic entirely in the cluster.

I'm inclined to look at a bulk or change-based cache for repo hosts, since it's a good fit for them, although I'm not excited about having multiple different cache designs.