stability: investigate recovery from permanent unavailability

[hxiaodon]

Hi,
I proposed this issue in gitter at last weekend. It should be helpful if the disaster recovery tool is provided:)

Hi,All. I started a local cockroachdb cluster with 3 instances(node1,node2,node3), node2 and node3 join node1, all works fine even one node is crashed. When I crash node1 and node2(clean data folder and restart), node3 could not provide service(It's expected), but I could not dump data from node3.Suppose we have this scenario, if 2 nodes are just permanently dead and the daily backup operation was triggered long time ago while the rest healthy node keep the latest data(until service unavailable) compared with the backup one, at this time, I could not use the healthy node's data(dump/backup) with adding other 2 new nodes to provide the service. Does it make sense? Thanks!
What I mean is that cluster do not provide service when minority nodes left make sense, but it does not make sense to block dumping data(raft committed one) when minority nodes keep the complete copy(replication number equal to cluster nodes number)

Andrei Matei's reply
@hxiaodon indeed, we want to provide some type of data recovery tools for this situation, but we haven’t gotten to it yet

Jira issue: CRDB-6362

[dianasaur323]

@hxiaodon Thanks for bringing this up. There is nothing coming up in our 1.1 yet, but we are currently scoping out what a solution for this scenario might look like. The scenario you are hitting is that if you lose 2 out of 3 replicas, you'll have to restore from a backup.

Quick question for you, in this use case, would you rather force the single remaining replica to up-replicate, or would you prefer some form of incremental recovery that brings you closer to the most updated version of your database?

[hxiaodon]

@dianasaur323
I'd like to choose the former one, although its implementation would be complex; The latter way need me to restore the backup and apply the incremental change manually to new created cluster, but it should be easier for you to provide quickly:)

updates:
The former way need to first check the database integrity for single replica, then refresh/update the clusterId and cluster member before up-replicate for existed lived minority nodes(user should confirm this operation) ,and then I could scale this new cluster with adding new cockroach instance freely. Is my assumption reasonable?

[petermattis]

One challenge with recovering data from a below-quorum range is that we can't know that we have the most recent data. This is inescapable. But it is feasible to build a tool which does a best-effort reconstruction of data. What I'm imagining would be offline and might utilize some of the mapreduce-like infrastructure being used for bulk ingest and we'd want to pair that with some SQL fsck tool which would recover a consistent state given schema constraints. Seems large in scope, but doable.

[hxiaodon]

@petermattis
Hi, how about the draft plan for this feature? In next minor release or other time.
Thanks!

[dianasaur323]

@hxiaodon this won't make it into the upcoming minor release, although we will be working on something that may enable the second solution I discussed. If we have extra time in the next minor release, we may get to an RFC to explore this further.

[tbg]

Copying over from #19645:

Suppose you run a cluster and one of more permanent node outages occur, leaving at least some ranges permanently in minority. Currently, there is no way to recover from this situation and we must come up with one. Generally, since data may have been lost, it may not be possible to completely recover. However, in many situations it would at least be possible to recover most of the state, save a few lost writes (due to having to take data from a follower that isn't up to date).

There are a few model cases:

1. three node cluster, two nodes catch fire and melt. Should be able to lose only some writes, but this could still mean partial transactions and violation of SQL integrity constraints.
2. five node cluster, three nodes disappear. Might lose a few whole ranges, but in principle most of the data may be recoverable. Big chunks of data might be missing.

@LEGO, would be interested in which types of corruption #19327 would be able to catch. Running these integrity checks would definitely be one of the steps carried out in this setting, and it would be nice to have that leave as little remaining room for error as possible.

One aspect that was pointed out is that it would be nice if AS OF SYSTEM TIME could be used in the recovery to roll back to a consistent view of the data. Perhaps there is a connection with follower reads: if the lease holder dies in the unavailability event, the follower would still be able to serve "old enough" queries.

We've also previously talked about using AS OF SYSTEM TIME to create backups, which ties into this issue as long as AS OF SYSTEM TIME can be routed appropriately in the unavailable cluster.

@petermattis wrote:

Agreed that any recovery would likely need to work in concert with SQL SCRUB in order to ensure consistent table state.

Using AS OF SYSTEM TIME to generate a backup and then restoring from the backup would be a nice general approach.

[lgo]

@LEGO, would be interested in which types of corruption #19327 would be able to catch. Running these integrity checks would definitely be one of the steps carried out in this setting, and it would be nice to have that leave as little remaining room for error as possible.

Yea definitely. #19327 is only checking the index integrity, but it will also be able to check other SQL integrity problems soon.

Maybe we can use SCRUB to find violations and their corresponding write timestamps, then take use a timestamp just before those for AS OF SYSTEM TIME. Alternatively, this is where some kind of repair mechanism is helpful. It would be easy tack on some logic to read the SCRUB errors and handle those in the disaster recovery to produce a consistent table.

Aside: we already have the mechanisms for making sure ranges are found, yea? Are there other things that might go awry, like the integrity of table descriptors in relation to other descriptors?

[dianasaur323]

i think @bdarnell had some strong opinions on this topic, so mentioning him here

[bdarnell]

My feeling is that until we have a very comprehensive SCRUB (covering secondary indexes, foreign keys, etc), it's best to try and determine a known-good timestamp (ideally making use of the max-safe-timestamp mechanism once we have that), make a backup at that time, then restore that backup. (once we have CDC, using that to maintain a streaming backup would be even better)

This leaves dead ranges around in the keyspace that are unreferenced. A nice way to resolve this would be to implement merging of empty ranges, and then treat the dead ranges as "empty" and stitch the keyspace closed over them.

If the data loss affects meta or system ranges, is there any way to recover, or are we still going to have catastrophic data loss scenarios even if we implement this?

[a-robinson]

Maybe we can use SCRUB to find violations and their corresponding write timestamps, then take use a timestamp just before those for AS OF SYSTEM TIME.

This also provides motivation for wanting to be able to run SCRUB as of a system time, since you'd also want to verify that the time you're restoring to didn't have issues of its own.

[dianasaur323]

Do we have a sense on if the timeline for this has been moved up? I currently have it saved in our backlog with no prioritization, but sounds like more and more people have been asking for something here.