docs: add RFC for remote storage generation numbers #4919
Conversation
jcsp
added
c/storage/pageserver
1624 tests run: 1548 passed, 0 failed, 76 skipped (full report)The comment gets automatically updated with the latest test results
cf564f3 at 2023-08-30T08:18:32.984Z :recycle: |
There was a problem hiding this comment.
Thanks for writing this up!
I think with some tweaking this can fly.
IMO for easier reading its a good idea to add more references and mermaid diagrams outlining key operations involved.
Additionally I think this lacks comparison with previously discussed approaches. What are the downsides of this one compared to others.
Also discussion started in slack and @knizhnik made some points, so I'd reference them here: https://neondb.slack.com/archives/C05EPKK8K6G/p1691478137757059?thread_ts=1691423240.177529&cid=C05EPKK8K6G
|
IMHO this proposal requires quite a lot changes in all Neon components: PS, SK, control plane,... At the same time data corruption is not so frequent event (unlike crash, split brain, ... and a lot of other reasons of PS temporary unavailability. During last two years it happens only once. Certainly one we will have more server, there will be more data corruption incidents. But still them be quite rare. Also please take in account that spawning new PS is very expensive operation because we loose all storage contents old PS and have to reload it from S3. So may be try to find some simpler solution of the problem? So if PS seems to be not alive, we send alert but do nothing before leasing timeout expiration. After timeout is expired control panel can either automatically spawn new PS, either wait until it is done explicitly by DBA.In any case at this moment leasing period of old PS is already expired and it should send new leaving request to control panel (and will get negative response). IMHO such approach requires less changes in Neon and is more safe because exlude situation with two or more concurrently running PS. Certainly we should take in account time measuring error and the fact that PS can not be stopped immediately. For example control panel should wait not for leasing timeout but timeout*2. But it is technical detail. |
|
Agree with @knizhnik that required changes are quite invasive. There also needs to be a way to handle existing layers/index parts that lack new suffixes.
I think it can be a bit simpler, IMO we should always have some spare capacity to distribute tenants from single failing pageserver because current process of spawning a pageserver takes a lot of time (tens of minutes at best) Also see this thread in slack where I've tried to see what is the impact of reattach operation on running pgbench |
Added a section "On-disk backward compatibility", along with various other aspects in the "Operational impact" section. |
|
Inlining some of the questions from the slack thread here:
I've updated the "
Yeah, this was something I had left kind of vague. I've change this so that the safekeeper's behaviors are only optimizations, and the pagekeeper itself Then, since the safekeeper stuff is just an optional optimization, we can lazily propagate generation numbers as part of
The old PS will remain available until it encounters some operation it can't do because of its generation (like trying to delete objects, or trying to update its remote_persiste Endpoints won't be talking to the old PS because the control plane will have informed them of the new PS. During the transition, it is still safe for endpoints to talk to the old PS, because its data doesn't diverge from the new PS: they're both consuming the same WAL. The purpose of this RFC is to make such scenarios data-safe: actually killing the node can take seconds, minutes or hours, but it won't do any harm. But usually it would just
The deletion changes don't assume that we can check the old node is dead: they just require the new node to verify that its generation ID is current. |
There was a problem hiding this comment.
Thank you for writing this up!
After relatively careful reading of this RFC I haven't spotted any immediate problems or safety violations. Proposed changes aren't deeply invasive and looks like they could be done in a reasonable time frame. So +1 from my side on proceeding with this approach.
One item that I'm interested in discussing is #4919 (comment). Looks like we can reduce migration latency and simplify things by dropping reliance on "no stolen attachments without increasing node generation" and checking attachment generations only on demand when tenant want to delete some data.
…n unclean attachment to a new node, and double attachments are explicitly supported.
…l plane to track dirty bit on a pageserver
Co-authored-by: Christian Schwarz <christian@neon.tech>
Co-authored-by: Christian Schwarz <christian@neon.tech>
There was a problem hiding this comment.
Re-read top-to-bottom up to but not including "Timeline/Branch creation".
I really like where this is moving, congrats!
This review contains a lot of suggestions to align on use of wording.
Hope you're aware of the "Add suggestion to batch" feature :)
Will read the remainder tomorrow.
Co-authored-by: Christian Schwarz <christian@neon.tech>
|
Damn, accidentally pushed to this branch, force-pushing to remove the commits. |
problame
force-pushed
the
jcsp/rfc-generation-numbers
branch
from
362ed6a
to
baf8ab1
Compare
(v2 since [I accidentally merged the first version](#4919 (comment)) of this PR) In a PR stacked onto [your RFC](#4919) so that there aren't as many conversations :) Please leave the commits separate (merge by merge commit / rebase & merge)
In a PR stacked onto [your RFC](#4919) so that there aren't as many conversations :) deletion queue: radical simplifcation 1. Change the flow to just assume a persistent queue. 2. Skip the detail of DeletionList objects, and re-writing them; instead, orient the whole flow around the entries. 3. Move the trick where we detect generation-1 to a "future optimization" section. 4. Remove the on-disk format spec. I know I asked for it, but I think it's best to have it in the deletion queue PR, not here. 5. Remove all the between-the-lines hints that this deletion queue is going to have low filesystem perf needs. Nobody cares, we could probably append & fsync for each and the NVMes would bear the load just fine. With the version of deletion queue that is written here, I am confident that it's a correct optimization. And I find it substantially easier to follow, since the unimportant details of how we persist it most efficientl are gone.
There was a problem hiding this comment.
I think this has come out great!
- I don't see any correctness issues.
- I don't think we're painting ourselves into a corner.
- I think the recent (last few days) additions make this RFC quite easily digestible:
- simplifications to a single generation number type
- concept of re-attach
- editor changes to how the deletion queue is explained in this rfc 🤓 )
Thanks for enduring my countless review iterations. Truly great and impressive work! :)
## Problem Currently we don't have a way to migrate tenants from one pageserver to another without a risk of gap in availability. ## Summary of changes This follows on from #4919 Migrating tenants between pageservers is essential to operating a service at scale, in several contexts: 1. Responding to a pageserver node failure by migrating tenants to other pageservers 2. Balancing load and capacity across pageservers, for example when a user expands their database and they need to migrate to a pageserver with more capacity. 3. Restarting pageservers for upgrades and maintenance Currently, a tenant may migrated by attaching to a new node, re-configuring endpoints to use the new node, and then later detaching from the old node. This is safe once [generation numbers](025-generation-numbers.md) are implemented, but does meet our seamless/fast/efficient goals: Co-authored-by: Christian Schwarz <christian@neon.tech>
Summary
A scheme of logical "generation numbers" for pageservers and their attachments is proposed, along with
changes to the remote storage format to include these generation numbers in S3 keys.
Using the control plane as the issuer of these generation numbers enables strong anti-split-brain
properties in the pageserver cluster without implementing a consensus mechanism directly
in the pageservers.
Motivation
Currently, the pageserver's remote storage format does not provide a mechanism for addressing
split brain conditions that may happen when replacing a node during failover or when migrating
a tenant from one pageserver to another. From a remote storage perspective, a split brain condition
occurs whenever two nodes both think they have the same tenant attached, and both can write to S3. This
can happen in the case of a network partition, pathologically long delays (e.g. suspended VM), or software
bugs.
This blocks robust implementation of failover from unresponsive pageservers, due to the risk that
the unresponsive pageserver is still writing to S3.