> While investigating issues like KAFKA-17754, we also encountered unseen writes in Kafka. Owing to time constraints we have not investigated this behavior, but unseen writes could be a sign of hanging transactions, stuck consumers, or even data loss. We are curious whether a delayed Produce message could slide into a future transaction, violating transactional guarantees. We also suspect that the Kafka Java Client may reuse a sequence number when a request times out, causing writes to be acknowledged but silently discarded. More Kafka testing is warranted.<p>Seems like Jepsen should do another Kafka deep-dive. Last time was in 2013 (<a href="https://aphyr.com/posts/293-call-me-maybe-kafka" rel="nofollow">https://aphyr.com/posts/293-call-me-maybe-kafka</a>, Kafka version 0.8 beta) and seems like they're on the verge of discovering a lot of issues in Kafka itself. Things like "causing writes to be acknowledged but silently discarded" sounds very scary.
I'm very surprised by this:<p>> [with the default enable.auto.commit=true] Kafka consumers may automatically mark offsets as committed, regardless of whether they have actually been processed by the application. This means that a consumer can poll a series of records, mark them as committed, then crash—effectively causing those records to be lost<p>That's never been my understanding of auto-commit, that would be a crazy default wouldn't it?<p>The docs say this:<p>> when auto-commit is enabled, every time the poll method is called and data is fetched, the consumer is ready to automatically commit the offsets of messages that have been returned by the poll. If the processing of these messages is not completed before the next auto-commit interval, there’s a risk of losing the message’s progress if the consumer crashes or is otherwise restarted. In this case, when the consumer restarts, it will begin consuming from the last committed offset. When this happens, the last committed position can be as old as the auto-commit interval. Any messages that have arrived since the last commit are read again. If you want to reduce the window for duplicates, you can reduce the auto-commit interval<p>I don't find it amazingly clear, but overall my understanding from this is that offsets are committed _only_ if the processing finishes. Tuning the auto-commit interval helps with duplicate processing, not with lost messages, as you'd expect for at-least-once processing.
I’m looking at the product page [0] and wondering how those two statements are compatible:<p>> Bufstream runs fully within your AWS or GCP VPC, giving you complete control over your data, metadata, and uptime. Unlike the alternatives, Bufstream never phones home.<p>> Bufstream pricing is simple: just $0.002 per uncompressed GiB written (about $2 per TiB). We don't charge any per-core, per-agent, or per-call fees.<p>Surely they wouldn’t run their entire business on the honor system?<p>[0] <a href="https://buf.build/product/bufstream" rel="nofollow">https://buf.build/product/bufstream</a>
Great work as always.<p>After reading thru the relevant blog posts and docs, my understanding is that Kafka defines "exactly-once delivery" as a property of what they call a "read-process-write operation", where workers read-from topic 1, and write-to topic 2, where both topics are in the same logical Kafka system. Is that correct? If so, isn't that better described as a transaction?
> We would like to combine Jepsen’s workload generation and history checking with Antithesis’ deterministic and replayable environment to make our tests more reproducible.<p>For those unaware, Antithesis was founded by some of the folks who worked on FoundationDB - see <a href="https://youtu.be/4fFDFbi3toc?si=wY_mrD63fH2osiU-" rel="nofollow">https://youtu.be/4fFDFbi3toc?si=wY_mrD63fH2osiU-</a> for some of their handiwork.<p>A Jepsen + Antithesis team up is something the world needs right now, specifically on the back of the Horizon Post Office scandal.<p>Thanks for all your work highlighting the importance of db safety Aphyr