Compaction Strategy Cassandra Ops & Automation

Production-Ready Cassandra Repair Orchestration: Read Repair vs Anti-Entropy

In distributed Cassandra deployments, consistency reconciliation operates across two distinct synchronization planes: query-path resolution and background cluster-wide divergence management. The architectural split between Read Repair vs Anti-Entropy Repair dictates how you configure table properties, schedule maintenance windows, and design automation pipelines. Misalignment between these mechanisms directly impacts compaction throughput, streaming bandwidth, and p99 query latency. For DBAs and platform engineers, treating repair as an isolated maintenance task rather than a compaction-aware process guarantees operational debt and unpredictable latency degradation.

Read Repair Mechanics & Query-Path Deprecation

Historically, read repair executed during SELECT operations when replica digests diverged. Modern Cassandra (v4.0+) controls this behavior via the read_repair table property, which replaced the removed read_repair_chance and dclocal_read_repair_chance options. The only valid states are 'BLOCKING' (the default) and 'NONE'. With 'BLOCKING', a digest mismatch at consistency levels above ONE triggers synchronous reconciliation before the result is returned; this can introduce latency spikes, consume coordinator CPU cycles that should serve application traffic, and trigger background compaction cycles. Workloads sensitive to that overhead set 'NONE'.

When read_repair is disabled, consistency guarantees shift entirely to background anti-entropy processes and tunable consistency levels (QUORUM, LOCAL_QUORUM). Disabling it requires explicit operational discipline: you must guarantee that anti-entropy runs frequently enough to prevent unbounded data drift.

Configuration Command & Safety Protocol

-- Apply read_repair = 'NONE' to a production table (run in cqlsh)
ALTER TABLE my_keyspace.my_table WITH read_repair = 'NONE';
  • Safety Check: Verify table schema before applying. Run cqlsh DESCRIBE TABLE my_keyspace.my_table; and confirm the current read_repair value on active OLTP tables.
  • Expected Output: ALTER TABLE returns no output on success; re-run DESCRIBE TABLE my_keyspace.my_table; to confirm read_repair = 'NONE'.
  • Rollback Path: Revert immediately if query latency spikes post-alteration: ALTER TABLE my_keyspace.my_table WITH read_repair = 'BLOCKING';. Monitor coordinator thread pool saturation for 15 minutes.

Anti-Entropy Repair & Compaction Coupling

Anti-entropy repair operates asynchronously. It constructs Merkle trees over assigned token ranges, identifies divergent ranges, and streams the differing data between replicas. Crucially, every repaired range generates fresh SSTables that immediately enter the compaction queue. If anti-entropy runs concurrently with heavy write loads or aggressive compaction strategies, you will observe compaction backlog, tombstone accumulation, and StreamingTimeoutException errors. Understanding the precise trade-offs documented in Cassandra Architecture & Compaction Fundamentals is mandatory before scheduling automated repair workflows. The process is inherently I/O bound and must be throttled to match disk throughput and CPU capacity.

The following sequence shows how nodetool repair uses Merkle trees to reconcile replicas with minimal streaming.

sequenceDiagram participant Co as Coordinator participant R1 as Replica 1 participant R2 as Replica 2 Co->>R1: Build Merkle tree over token ranges Co->>R2: Build Merkle tree over token ranges R1-->>Co: Tree hashes R2-->>Co: Tree hashes Note over Co: Compare hashes for divergence Co->>R2: Stream only differing ranges Co->>R1: Stream only differing ranges
Anti-entropy repair streams only the differing token ranges

Configuration Matrix for v4.x/v5.x

Parameter Recommended Value Rationale
read_repair (table) 'NONE' Eliminates synchronous read-path reconciliation overhead
nodetool repair scope -pr (primary range) Prevents overlapping repairs across nodes
Repair mode Incremental (default in 4.0+) Streams only divergent ranges, reducing I/O
Compaction strategy alignment TWCS for time-series, LCS for OLTP TWCS isolates repair SSTables by time window; LCS merges them efficiently

Automation Pipeline & Command Safety Protocols

Production repair orchestration requires deterministic execution, mid-flight compaction monitoring, and explicit failure boundaries. The following Python orchestrator integrates nodetool execution with real-time compaction queue validation. It relies on Python’s subprocess module for safe process management and signal handling.

#!/usr/bin/env python3
import subprocess
import sys
import time
import logging
import signal

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")

MAX_PENDING_COMPACTIONS = 8
REPAIR_TIMEOUT_SEC = 3600
KEYSPACE = "production_data"

def run_nodetool(cmd, timeout=30):
    """Execute nodetool with strict error handling."""
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=True)
        return result.stdout.strip()
    except subprocess.CalledProcessError as e:
        logging.error(f"nodetool failed: {cmd}. Stderr: {e.stderr}")
        raise
    except subprocess.TimeoutExpired:
        logging.error(f"nodetool timed out: {cmd}")
        raise

def get_pending_compactions():
    """Parse compactionstats for pending tasks."""
    output = run_nodetool(["nodetool", "compactionstats", "-H"])
    for line in output.splitlines():
        # compactionstats prints e.g. "pending tasks: 2"
        if line.strip().lower().startswith("pending tasks:"):
            try:
                return int(line.split(":", 1)[1].strip())
            except ValueError:
                continue
    return 0

def execute_repair():
    """Orchestrate repair with safety checks, expected outputs, and rollback paths."""
    logging.info("Pre-flight: Checking compaction backlog...")
    pending = get_pending_compactions()
    logging.info(f"Current pending compactions: {pending}")
    
    if pending > MAX_PENDING_COMPACTIONS:
        logging.warning("Compaction backlog exceeds safety threshold. Deferring repair.")
        sys.exit(1)

    cmd = ["nodetool", "repair", "-pr", KEYSPACE]
    logging.info(f"Executing: {' '.join(cmd)}")
    
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    start = time.time()
    
    while proc.poll() is None:
        if time.time() - start > REPAIR_TIMEOUT_SEC:
            logging.error("Repair timeout reached. Initiating abort sequence.")
            proc.kill()
            logging.info("Rollback: Process terminated. Verify `nodetool netstats` for hung streams.")
            sys.exit(2)
            
        time.sleep(15)
        mid_pending = get_pending_compactions()
        if mid_pending > MAX_PENDING_COMPACTIONS * 2:
            logging.error("Critical compaction backlog during repair. Aborting.")
            proc.kill()
            logging.info("Rollback: Repair killed. Run `nodetool compactionstats` to verify queue drain.")
            sys.exit(3)

    stdout, stderr = proc.communicate()
    if proc.returncode != 0:
        logging.error(f"Repair failed with code {proc.returncode}. Stderr: {stderr}")
        logging.info("Rollback: Check `system.log` for streaming errors. Schedule manual range repair.")
        sys.exit(4)

    logging.info(f"Repair completed successfully. Output: {stdout[:150]}...")
    final_pending = get_pending_compactions()
    logging.info(f"Post-repair pending compactions: {final_pending}")

if __name__ == "__main__":
    signal.signal(signal.SIGTERM, lambda s, f: sys.exit(0))
    execute_repair()

Operational Safety & Rollback Specifications

Phase Safety Check Expected Output Rollback Path
Pre-Flight nodetool status returns UN for all nodes. nodetool compactionstats shows pending tasks < 8. UN for every node, pending tasks: 2 Abort scheduling. Defer to next maintenance window.
Execution nodetool repair -pr runs. Merkle tree generation completes without OOM or StreamingTimeout. repair completes with exit code 0 Kill the orchestrator process; stop validation compactions with nodetool stop VALIDATION. Verify nodetool netstats shows zero active streams.
Post-Flight nodetool compactionstats shows pending tasks decreasing. nodetool tablestats shows SSTable count stable. pending tasks: 0, SSTable count: 12 Trigger manual nodetool compact if backlog persists. Monitor disk I/O wait (iowait < 30%).

Compaction-Aware Scheduling Discipline

Automated repair must never run during peak write windows or concurrent compaction bursts. Implement cron or systemd timers aligned with your compaction strategy:

  • TWCS: Schedule repair during the lowest-traffic window of the day. TWCS naturally isolates time windows, but repair-generated SSTables can force premature compaction if ranges overlap across windows.
  • LCS: Repair must run with concurrent_compactors throttled. LCS aggressively merges small SSTables; repair deltas will trigger cascading compaction if not rate-limited.

Throttling Command & Safety Protocol

# Limit repair streaming bandwidth to prevent disk saturation (value in megabits/s)
nodetool setstreamthroughput 100
  • Safety Check: Verify current throughput: nodetool getstreamthroughput. Ensure disk I/O utilization (iostat -x 1) shows util% < 60% before applying.
  • Expected Output: setstreamthroughput prints nothing on success; confirm with nodetool getstreamthroughput (the value is in megabits/s).
  • Rollback Path: Restore default if streaming stalls: nodetool setstreamthroughput 0 (unlimited). Monitor system.log for StreamSession timeouts.

Failure Recovery & State Validation

When repair fails mid-stream, Cassandra leaves partial SSTables and potentially inconsistent token ranges. Recovery requires deterministic validation:

  1. Identify Failed Ranges: query system_distributed.repair_history or parse system.log for Repair session failed.
  2. Clear Partial State: stop in-flight validation compactions with nodetool stop VALIDATION; to terminate active repair sessions use the JMX operation StorageService.forceTerminateAllRepairSessions. If the session is orphaned, restart the node to clear in-memory repair state.
  3. Validate Consistency: Run nodetool verify <ks> <tbl> on affected tables. This performs a full SSTable checksum scan without streaming.

Verification Command & Safety Protocol

# Verify SSTable integrity post-repair (positional: keyspace then table)
nodetool verify production_data user_events
  • Safety Check: Ensure cluster is not under heavy write load. nodetool verify is disk-intensive. Add -e/--extended-verify for a deeper per-cell check.
  • Expected Output: exit code 0 and no error lines; corruption is reported on stderr and in system.log.
  • Rollback Path: If errors are reported, isolate the node, run nodetool scrub on the affected table, and trigger a full range repair (nodetool repair -full) during a maintenance window.

Conclusion

Read repair and anti-entropy repair are complementary but architecturally distinct. Modern Cassandra deployments must disable synchronous read repair, align anti-entropy execution with compaction strategy constraints, and enforce strict automation boundaries. By embedding safety checks, monitoring compaction backlogs, and defining explicit rollback paths, DBAs and DevOps teams can guarantee deterministic consistency reconciliation without sacrificing p99 latency or disk throughput.

Back to Read Repair vs Anti Entropy Repair