← Back to context

Comment by simonw

7 hours ago

Thanks for this, the anecdote with the lost data was very concerning to me.

I think you're exactly right about the WAL shared memory not crossing the container boundary. EDIT: It looks like WAL works fine across Docker boundaries, see https://kamal-deploy.org/docs/upgrading/proxy-changes/ it looks like Kamal 2's new proxy doesn't have this yet, they list "Pausing requests" as "coming soon".

9 comments

simonw

Reply
hedora  6 hours ago

Pausing requests then running two sqlites momentarily probably won’t prevent corruption. It might make it less likely and harder to catch in testing.

The easiest approach is to kill sqlite, then start the new one. I’d use a unix lockfile as a last-resort mechanism (assuming the container environment doesn’t somehow break those).

  • simonw  6 hours ago

    I'm saying you pause requests, shut down one of the SQLite containers, start up the other one and un-pause.

Retr0id  6 hours ago

> I think you're exactly right about the WAL shared memory not crossing the container boundary.

I don't, fwiw (so long as all containers are bind mounting the same underlying fs).

  • simonw  6 hours ago

    I just tried an experiment and you're right, WAL mode worked fine across two Docker containers running on the same (macOS) host: https://github.com/simonw/research/tree/main/sqlite-wal-dock...

    Could the two containers in the OP have been running on separate filesystems, perhaps?

    • jmull  6 hours ago

      I dug into this limitation a bit around a year ago on AWS, using a sqlite db stored on an EFS volume (I think it was EFS -- relying on memory here) and lambda clients.

      Although my tests were slamming the db with reads and write I didn't induce a bad read or write using WAL.

      But I wouldn't use experimental results to override what the sqlite people are saying. I (and you) probably just didn't happen to hit the right access pattern.

    • Retr0id  6 hours ago

      Perhaps they're using NFS or something - which would give them issues regardless of container boundaries.

  • hedora  6 hours ago

    It would explain the corruption:

    https://sqlite.org/wal.html

    The containers would need to use a path on a shared FS to setup the SHM handle, and, even then, this sounds like the sort of thing you could probably break via arcane misconfiguration.

    I agree shm should work in principle though.

    • PunchyHamster  4 hours ago

      Not how SQLite works (any more)

      > The wal-index is implemented using an ordinary file that is mmapped for robustness. Early (pre-release) implementations of WAL mode stored the wal-index in volatile shared-memory, such as files created in /dev/shm on Linux or /tmp on other unix systems. The problem with that approach is that processes with a different root directory (changed via chroot) will see different files and hence use different shared memory areas, leading to database corruption. Other methods for creating nameless shared memory blocks are not portable across the various flavors of unix. And we could not find any method to create nameless shared memory blocks on windows. The only way we have found to guarantee that all processes accessing the same database file use the same shared memory is to create the shared memory by mmapping a file in the same directory as the database itself.

chasil  6 hours ago

You might consider taking the database(s) out of WAL mode during a migration.

That would eliminate the need for shared memory.