PXC-5113 [DOCS] - add troubleshooting steps for a stalled SST 8.4

patrickbirch · patrickbirch · commit 2b7689cd23dc · 2026-03-16T05:41:58.000-05:00
modified:   docs/restarting-nodes.md
diff --git a/docs/crash-recovery.md b/docs/crash-recovery.md
@@ -109,37 +109,50 @@ cat /var/lib/mysql/grastate.dat
     safe_to_bootstrap: 0
     ```
 
-In this case, you cannot be sure that all nodes are consistent with each other. We cannot use `safe_to_bootstrap` variable to determine the node that has the last transaction committed as this variable is set to **0** for each node. 
+In this case, you cannot be sure that all nodes are consistent with each other. The `safe_to_bootstrap` variable is set to **0** on every node and cannot be used to identify which node has the last transaction committed.
 
-An attempt to bootstrap from such a node will fail unless you start `mysqld` with the `--wsrep-recover` option:
+!!! warning "Risk of split-brain"
+
+    Setting `safe_to_bootstrap: 1` on a node without first confirming that node has the highest recovered position can cause split-brain and data loss. Always run the validation step below on every node and bootstrap only from the node with the highest seqno.
+
+### Validation step: recover and record position on every node
+
+On each node that was part of the cluster, run `mysqld` with the `--wsrep-recover` option so that the server prints the recovered position and exits (the server does not stay running):
 
 ```shell
 mysqld --wsrep-recover
 ```
 
-Search the output for the line that reports the recovered position after the node UUID (**1122** in this case):
+In the output, find the line that reports the recovered position in the form `UUID:seqno`:
 
-??? example "Expected output"
+??? example "Example output"
 
     ```{.text .no-copy}
     ...
     ... [Note] WSREP: Recovered position: 220dcdcb-1629-11e4-add3-aec059ad3734:1122
     ...
     ```
 
-The node where the recovered position is marked by the greatest number is the best bootstrap candidate. In its `grastate.dat` file, set the safe_to_bootstrap variable to **1**. Then, bootstrap from this node:
+Run the command on every node and record the UUID and seqno from each. Use a table like the following so that you can compare and choose the correct bootstrap candidate:
+
+| Node (hostname or label) | UUID | seqno |
+|--------------------------|------|-------|
+| node1                    |      |       |
+| node2                    |      |       |
+| node3                    |      |       |
+
+The node with the greatest seqno is the only safe bootstrap candidate. If two nodes show the same UUID and seqno, either can be used.
+
+### Bootstrap step: set safe_to_bootstrap and start the first node
+
+Only on the node that has the highest seqno from the validation step, set `safe_to_bootstrap` to **1** in that node’s `grastate.dat` file, then bootstrap from that node:
 
 ```shell
+# On the chosen node only: edit grastate.dat and set safe_to_bootstrap: 1, then:
 systemctl start mysql@bootstrap.service
 ```
 
-After a shutdown, you can bootstrap from the node which is marked as safe in the `grastate.dat` file.
-
-```{.text .no-copy}
-...
-safe_to_bootstrap: 1
-...
-```
+After a clean shutdown in the future, you can bootstrap from the node which is marked as safe in the `grastate.dat` file (where `safe_to_bootstrap: 1`).
 
 In recent Galera versions, the option [`pc.recovery`](wsrep-provider-index.md#pcrecovery) (enabled by default) saves the cluster state into a file named `gvwstate.dat` on each member node. As the name of this option suggests (pc – primary component), it saves only a cluster being in the PRIMARY state. An example content of the file may look like this:
 
diff --git a/docs/restarting-nodes.md b/docs/restarting-nodes.md
@@ -2,18 +2,112 @@
 
 To restart a cluster node, shut down MySQL and restart the service. The node leaves the cluster, reducing the total vote count for quorum. 
 
-The quorum refers to the minimum number of votes required for the cluster to operate effectively and make decisions. Each node in the cluster typically represents one vote. When a node leaves the cluster, the total number of votes decreases, affecting the cluster's ability to achieve quorum. If the cluster does not maintain quorum, it may become unable to process transactions or make changes, potentially leading to a split-brain scenario where different parts of the cluster operate independently.
+The quorum refers to the minimum number of votes required for the cluster to operate effectively and make decisions. Each node in the cluster typically represents one vote. When a node leaves the cluster, the total number of votes decreases, affecting the cluster's ability to achieve quorum. If the cluster does not maintain quorum, the cluster may become unable to process transactions or make changes, potentially leading to a split-brain scenario where different parts of the cluster operate independently.
 
-Upon rejoining, the node synchronizes using IST (Incremental State Transfer). IST allows the node to catch up with the current state of the cluster by transferring only the changes that occurred while the node was offline. If the necessary changes for IST do not exist in the `gcache` file on any other node within the cluster, the process will perform SST (State Snapshot Transfer) instead. SST involves transferring a complete database snapshot to the node, which can be more time-consuming but ensures that the node receives all data. This approach makes restarting cluster nodes for rolling configuration changes, or software upgrades straightforward from the cluster’s perspective. 
+Upon rejoining, the node synchronizes using IST (Incremental State Transfer). IST allows the node to catch up with the current state of the cluster by transferring only the changes that occurred while the node was offline. If the necessary changes for IST do not exist in the `gcache` file on any other node within the cluster, the process will perform SST (State Snapshot Transfer) instead. SST involves transferring a complete database snapshot to the node, which can be more time-consuming but ensures that the node receives all data. The approach makes restarting cluster nodes for rolling configuration changes, or software upgrades straightforward from the cluster’s perspective. 
 
 If a node restarts with an invalid configuration change that prevents MySQL from loading, Galera drops the node’s state and forces an SST for that node.
 
-In the event of a MySQL failure, the system does not remove the PID file because the system deletes this file only during a clean shutdown. As a result, the server does not restart if an existing PID file is present. When MySQL encounters a failure, check the log records for details. You must remove the PID file manually. 
+In the event of a MySQL failure, the system does not remove the PID file because the system deletes the PID file only during a clean shutdown. As a result, the server does not restart if an existing PID file is present. When MySQL encounters a failure, check the log records for details. You must remove the PID file manually. 
 
-Use the `rm` command in a Unix/Linux shell to do this:
+Use the `rm` command in a Unix/Linux shell to remove the PID file:
 
 ```shell
 bash rm /path/to/mysql.pid
 ```
 
-Replace `/path/to/mysql.pid` with the actual path to your MySQL PID file. The default location for the PID file is often `/var/run/mysqld/mysqld.pid` or `/var/lib/mysql/mysql.pid`, but this can vary based on your configuration. Before executing this command, ensure that MySQL is not running, as removing the PID file while the server is active can lead to issues.
+Replace `/path/to/mysql.pid` with the actual path to your MySQL PID file. The default location for the PID file is often `/var/run/mysqld/mysqld.pid` or `/var/lib/mysql/mysql.pid`, but the default location can vary based on your configuration. Before executing the command, ensure that MySQL is not running, as removing the PID file while the server is active can lead to issues.
+
+## Troubleshooting: node refuses to join after restart
+
+When a node restarts and refuses to join, the refusal is usually because the [State Snapshot Transfer](state-snapshot-transfer.md) (SST)—the process where the donor node sends data to the joiner—is failing silently or getting blocked by environmental security features. Check firewall rules, [SELinux](selinux.md), and [AppArmor](apparmor.md) so that the SST port (default 4444) and related processes are allowed between nodes.
+
+### Troubleshooting cheat sheet: grep the error log
+
+Use these patterns on the server error log to quickly find the cause instead of scrolling. Replace `/var/log/mysql/error.log` with your log path if it differs (for example, `/var/log/mysqld.log` on RHEL, or `log_error` in your config).
+
+| Pattern | What it points to |
+|---------|-------------------|
+| `grep "conflict" /var/log/mysql/error.log` | Certification or replication conflicts; possible split-brain or divergent data. |
+| `grep "SST script failed" /var/log/mysql/error.log` | State Snapshot Transfer failed (script, permissions, or donor/joiner communication). |
+| `grep -i "evicted" /var/log/mysql/error.log` | Node was evicted from the cluster (e.g. timeout or cluster decision). |
+
+### Security context (AppArmor, SELinux)
+
+Percona XtraDB Cluster runs inside an OS-level security context: AppArmor on Debian and Ubuntu, SELinux on RHEL and derivatives. If that context blocks the [SST](state-snapshot-transfer.md) method or the paths the SST script uses, the node cannot join and the failure is often silent. On Ubuntu 22.04, a node that refuses to join after restart is very often (in practice, the majority of cases) caused by AppArmor blocking the [`wsrep_sst_method`](wsrep-system-index.md#wsrep_sst_method) script or the binaries and paths the script needs—for example the xtrabackup binary or the data directory.
+
+AppArmor (Ubuntu / Debian): The profiles that matter are the one for the server binary and the one for the SST script. To confirm that AppArmor is blocking SST, put both profiles in complain mode and restart MySQL on the joiner. If the node joins, the cause is AppArmor; then fix the profiles and put them back in enforce mode instead of leaving them in complain mode.
+
+Run as root or with `sudo`:
+
+```shell
+aa-complain /usr/sbin/mysqld
+aa-complain /usr/bin/wsrep_sst_xtrabackup-v2
+systemctl restart mysql
+```
+
+If the node joins after the above, reload the profiles with the correct permissions (see [Enable AppArmor](apparmor.md) and [modifying the mysqld profile :octicons-link-external-16:](https://www.percona.com/doc/percona-server/8.0/apparmor.html#modify-mysqld)), then put the profiles back in enforce mode:
+
+```shell
+aa-enforce /usr/sbin/mysqld
+aa-enforce /usr/bin/wsrep_sst_xtrabackup-v2
+```
+
+SELinux (RHEL / Rocky / Alma): Ensure the SST script and ports are allowed; see [SELinux](selinux.md).
+
+### Diagnose whether the joiner will use IST or SST
+
+When the sequence-number gap between the cluster and the joiner is larger than what the donor’s [gcache](wsrep-provider-index.md#gcachesize) holds, the joiner always attempts a full [SST](state-snapshot-transfer.md). Full SST can severely impact cluster performance because the donor must stream a full copy of the data. Use the following steps to determine whether the joiner will get [IST](glossary.md#ist) or SST before you start the node.
+
+1. On a donor node (any node that is already in `Synced` state), run:
+
+   ```sql
+   SHOW STATUS LIKE 'wsrep_last_committed';
+   SHOW STATUS LIKE 'wsrep_local_cached_downto';
+   ```
+   Note the values: `wsrep_last_committed` is the cluster’s latest sequence number; [`wsrep_local_cached_downto`](wsrep-status-index.md#wsrep_local_cached_downto) is the lowest sequence number still in that donor’s gcache.
+
+2. On the joiner (with the node stopped), read the joiner’s last position:
+
+   ```shell
+   cat /var/lib/mysql/grastate.dat
+   ```
+   Find the `seqno` line. If `seqno` is `-1` or `0`, or the file is missing, the joiner will need a full SST when started.
+
+3. Compare values. Compute the gap: *donor `wsrep_last_committed`* minus *joiner `seqno`*. If the joiner’s `seqno` is less than the donor’s `wsrep_local_cached_downto`, no donor has the required range in gcache and the joiner will perform a full SST when started. A large gap (donor far ahead of joiner) usually means the same.
+
+4. If SST is inevitable, reduce impact before starting the joiner:
+
+   * Prefer [Clone SST](clone-sst.md): set `wsrep_sst_method=clone` on the joiner (and meet the [Clone SST prerequisites](clone-sst.md#prerequisites)) so that when the node starts, the cluster uses Clone instead of the default `xtrabackup-v2`. Clone SST is often faster and less taxing on the donor.
+   
+   * Or schedule starting the joiner during a maintenance window when donor load is acceptable.
+
+If the node still does not join after you start the node, check the server `error.log` for SST-related errors and work through [Security context (AppArmor, SELinux)](#security-context-apparmor-selinux) above; on Ubuntu 22.04, security profiles blocking the SST method are the most common cause.
+
+### Alternative: Clone plugin for SST
+
+Percona XtraDB Cluster 8.4 supports [SST using the Clone plugin](clone-sst.md), which can be more stable than the xtrabackup-based flow. With Clone SST, the joiner wipes its own data directory and receives a full copy from the donor. To use the Clone plugin, set `wsrep_sst_method=clone` (and meet the [Clone SST prerequisites](clone-sst.md#prerequisites)) on all nodes.
+
+### Other common causes when a node cannot join
+
+* `grastate.dat` and bootstrap order: After a crash or unclean shutdown, `safe_to_bootstrap` in `grastate.dat` is set to `0`. If you start nodes in the wrong order, the cluster may not form quorum. Compare `seqno` and bootstrap from the most advanced node; see [Crash recovery](crash-recovery.md) and [Bootstrap the first node](bootstrap.md).
+
+* Network and bind address: Set [`wsrep_node_address`](wsrep-system-index.md#wsrep_node_address) explicitly to the node’s IP address that other nodes can reach. If the node binds to `127.0.0.1` or an interface that others cannot use, the Galera handshake fails and the node will not join.
+
+### Emergency override: last node up but refusing traffic (non-primary)
+
+When two of three nodes are down (or more in a larger cluster), the remaining node loses quorum and switches to non-primary state. The node stays up and accepts connections, but MySQL refuses to run data-changing statements and may refuse reads; applications often see errors such as `WSREP has not yet prepared node for application use`. This is the situation that the emergency override fixes: the single remaining node can be forced to form a primary component and serve traffic again so that the cluster can recover.
+
+Run the following on the node that is still up (connected as a user with sufficient privileges):
+
+```sql
+SET GLOBAL wsrep_provider_options='pc.bootstrap=YES';
+```
+
+The [`pc.bootstrap`](wsrep-provider-index.md#pcbootstrap) option tells that node to form a new primary component. After the command runs, the node accepts writes and the cluster is effectively that one node until the other nodes are started and rejoin. Then start the other nodes so they join this primary (via IST or SST as usual).
+
+!!! warning "Only when the other nodes are down"
+
+    Run this override only when you have confirmed that the other nodes are actually down or unreachable. If another node is still primary elsewhere (for example, in another datacenter after a split), setting `pc.bootstrap=YES` on a second node creates two separate clusters with diverging data (split-brain). See [Scenario 5: Two nodes disappear from the cluster](crash-recovery.md#scenario-5-two-nodes-disappear-from-the-cluster) and [Scenario 7: Split brain](crash-recovery.md#scenario-7-the-cluster-loses-its-primary-state-due-to-split-brain) in Crash recovery.
+
+For more support options, see [Get help from Percona](get-help.md).
