Atomic slot migration HLD

[madolson]

High level design

We want to introduce a new Slot Migration process that atomically migrates a set of slots from a source node to a target node.

We will implement a net new slot serialization strategy which emulates the behavior of BGSave but sends a series of RESTORE COMMANDS instead of the RDB snapshot serialization format. The strategy being that we fork when migrating a batch of slots, we establish the new connection, and then iterate over the slot space and sent the restore commands. Once all the data for a slot is migrated, the accumulated buffer for the slot is drained. Once the buffer is drained, we block all write commands for the slot while we do a coordinated handoff, this can be upgraded to 2PC for cluster v2, to complete the transaction and make sure the target node takes ownership of the slot. Once the target has confirmed it owns the slot, the source node will asynchronously purge its slot data. This process will be repeated for all slots being migrated, one at a time. The forked process will be used to migrate a set of slots, once this set of slots has been migrated, the fork process ends.

On the source node there will be a cron job that will drive a state machine which will execute the different phases of the slot migration process. If an individual migration fails, it will be rolled back and the process will be aborted. Slot migrations can therefor partially succeed, with some slots owned by the target and some owned by the source.

Benefits from this new implementation compared to the current one:

• Atomic slot migration - no splitting of slots.
• Multi-key operations are seamless while a slot migration is ongoing
• No extra hop for client requests
• Easy to recover from failures

New commands

CLUSTER MIGRATESLOTS [NODE <Target node ID>] [SHARD <Target shard ID>] SLOTRANGES start end [start end]

Initiate a slot migration between a source and target node. Optionally supports a “shard ID” that can be used instead of a specific node. If a migration failed, it will not be automatically retried. It will be up to the caller to determine the migration has failed and to restart the process.

CLUSTER IMPORTSLOT START <slot> <Source node ID>

Control command sent between a source and target node to indicate that this link will be used to transfer the ownership of a slot.

CLUSTER IMPORTSLOT END <slot> <source-node-id> [<expected-keys-in-slot>]

Control function to indicate that the transfer has completed and the node should now take ownership of the data. Upon receiving this signal, the target will take ownership of the slot and broadcast to all nodes the new epoch.

New Info fields

slot_migration_role: [source|target]
if role == source
slot_migration_migrating_slots:
slot_migration_state:[see below]
slot_migration_start_time:
slot_migration_keys_processed:N
slot_migration_keys_total:N
slot_migration_perc:X%
slot_migration_last_duration_ms:
slot_migration_last_status:
slot_migration_last_failure_reason:

if role == target
slot_migration_importing_slots:
slot_migration_keys_processed:N

Major components

Slot migration state machine/SlotMigrationCron (slotmigration.c)

A new cron job will be introduced that runs every iteration of the clusterCron as long as a slot migration is running. It will be responsible for driving the state machine of an ongoing slot migrations (on the source node) forward.

These are the different states:
WAIT_TARGET_CONNECTION_SETUP: Established connection with the target node. Sends the CLUSTER IMPORTSLOT START ... to the target node. Process is forked.
SM_SRC_START: The request to migrate a slot has started. Start the actual slot migration tsk.
SM_SRC_FULL_SYNC_IN_PROGRESS: The migration is moved into this state when the fork has triggered and is now streaming data to the target. Once this process is complete, the fork will signal its parent process to begin transferring the accumulated output buffer.
SM_SRC_OUTPUT_TRANSFER_IN_PROGRESS: The full sync has completed. At this point, the primary is draining the client output buffer accumulated during the fork for that slot.
SM_SRC_WAIT_ACK: Once this process is complete, the primary will initiate the committing of the slot by sending CLUSTER MIGRATESLOT END . At the beginning of this state, we will start blocking all writes to the slot being migrated. In this state, we are waiting for the acknowledgement from the target that it took ownership of the slot. This is done by the target publishing a cluster bus gossip message stating that is has ownership of the slot with a higher epoch number. The source receiving such message would indicate the target has successfully claimed the slot. Once the acknowledgement is received, we will commit the slot transfer and begin to purge the data in our slots. The source node does not own the slot anymore.
SM_SRC_CLEANUP: Final state where the migration was either successful, cancelled or failed. Clean up the slot migration states and close the connection to the target.

The states SRC_START through SRC_WAIT_ACK will be repeated for every slot that is being migrated. So there will be one connection for all of the slots being migrated. There will be one fork per batch of slots being migrated.

From the point of view of the target node the following happens:

• Receive CLUSTER IMPORTSLOT START from the source node: start of the migration of a slot is replicated to its replicas then acknowledged. We are now expecting to get slot data from this link. The node processes the incoming commands from the source node to load the data into the slot, and relays the incoming slot data to its replicas.
• Receive CLUSTER IMPORTSLOT END from the source node: propagate the end of the slot migration to its replicas then acknowledges the end of the import slot. At this point the target node now owns the slot and can start serving traffic for it. A primary will synchronously replicate the CLUSTER MIGRATESLOT END to its replica, waiting for the acknowledgment, this will prevent the replica from needing to reconcile having data without knowing the state of the mgration.

Fork based slot migration full transfer (slotmigration_sync.c)

At the start of the slot migration, a client will be created on the source node and connect to the target node. This will be re-used from the migrate command code. At this point, a system fork will be executed, which will be used to send the point in time transfer of the data in the slot. The data transfer will occur on the main thread, with a named pipe being used to transfer the data from the child to the parent. This is link is used to enable TLS to be used, since a FD can not be shared between two processes since the internal TLS state will diverge. The process will periodically send information about the progress of the migration.

Once the full sync is completed, the fork will send a status message to the parent process using a pipe to signal that it has finished. If the status code was success, the primary will then begin transferring the queued up replication on the relevant slots. All incoming write traffic will be checked for which slot it is being accessed. If the slot being accessed is one of the slots currently being migrated, during propagation it will be queued on a dedicated buffer for the migration. Although the buffers could be kept independent for each slot, they will be grouped together in this implementation for simplicity.

Once this queue has been completely drained, a special “client pause” will be started on the slots being migrated, which will block all writes against those slots. This pause will remain in effect while a coordinated handoff is sent committing the ownership on the target.

If at any point in time, the connection between the source and target is killed, the migration will be aborted on both ends.

We will be forking once per batch of slots to be migrated, and serially sending the content of each slots in the batch. We believe there is an implicit tradeoff here between CoB usage, CoW usage, and time it takes to pause. We will optimize the number of slots in a batch to be migrated in a single fork based on performance testing. We think there will be some sweet spot for the number of slots to migrate per fork.

Async slot flush (slotflush.c)

A new state will be introduced for the slot state, which is slot flush. A slot that is flushing has data but is unreachable because the node does not own the slot anymore. A node will be unable to “import” data on this slot until the data has been fully flushed. The flush will happen in a new cron job which will be triggered at the end of the SM_SRC_WAIT_ACK state.
Since the flush of a slot will happen asynchronously, we can start migrating the next slot while flushing of a slot is still happening. If flushing a slot takes longer than migrating the next slot, then the next slot to be flushed is queued up and flushed once the previous slots have been completely flushed.

This might also benefit from the investigation done here: #10589. Having a dictionary per slot would make it very easy to “unlink” the entire dictionary, but will require more investigation.

Failure modes

Source or target node dies during transfer: In this failure mode, the migration will be aborted once some pre-defined timeouts are reached. Once a target realizes that the migration target has been disconnected, it will initiate a slot flush of its data. Once a source realizes the target is dead, it will rollback the migration process.

Target primary dies during handoff: If the target primary dies after sending the CLUSTER IMPORT END and committing it to replicas. The newly promoted replica will be able to acknowledge slot ownership, completing the handoff. If no replica is there to acknowledge it, the slot will be lost with the remaining slots on that node.

Target never acknowledges handoff: If we have sent CLUSTER IMPORT END but never received acknowledgment that it was applied. In this event, we will wait for CLUSTER_NODE_TIMEOUT, at which point we will unblock the writes against the source. If the target is still alive, it will still be able to take over ownership of the slot via clusterbus message with a higher epoch of it owning the slot. This is consistent with OSS Redis behavior, which allows inconsistent writes within nodes that aren’t talking to each other.
Note about clusterv2, the 2PC will be directed towards the topology director instead of the target node.

Target rejects a command: Any error received during the migration will result in a failure of the migration. Typical failures would be ‘incorrect acls’ or ‘OOM’.

Notes about cluster v2

The same general strategy will apply. The only difference is that the handoff will be a 2PC facilitated through the FC/TD instead of just between the source and target.

Open questions

• Should we include the Slot Migration client output buffer size as a new metric? Should we treat the target client as a replica client?

Comment updates

• Update to do a single fork per batch of slots.

[oranagra]

Very nice.
I think I'm missing some chapter about replicas of the source and target.

[PingXie]

`CLUSTER MIGRATESLOTS [NODE ] [SHARD ] <slot1...slot2>'

Can we add the slot range syntax sugar similar to ADDSLOTSRANGE for consistency?

How do you plan to support auth? Are you thinking about the MIGRATE model where the client provides clear text auth on the command?

Fork-based migration protocol

The proposed migration protocol makes sense to me.

2PC

On the surface it sounds like target replicas don't participate 2PC and they seem to serve as a "volatile" WAL. Are the slot ownership asynchronously replicated to the (target) replicas? If yes, even with an HA setup, depending on the replica that wins the election, the slot could still be lost just like the non-HA case. Then in the source post-migration failure case, we seem to still fall back on the epoch, which I assume is bumped on the target without consensus as well? In general, I am not sure what additional value 2PC provides without a real WAL. Maybe I am missing details.

[zuiderkwast]

I think the target needs to synchronously propagate CLUSTER IMPORTSLOT END to replicas and write it to AOF/RDB before taking ownership by bumping the epoch. Is it enough though? Will this lead to other problems? @PingXie WDYT?

[judeng]

this is a very mature and exciting proposal. only have one minor suggestion.

We will implement a net new slot serialization strategy which emulates the behavior of BGSave but sends a series of RESTORE COMMANDS instead of the RDB snapshot serialization format.

I think the restore command is designed for the old version scheme to realize the atomic migration of keys. When migrating large keys, especially the zset keys, restore comand often make the target to be hung for a long time, maybe causing the slot migration to fail. According to your proposal, in the source fork process, we can give up the use of the restore command, we could transmit many small commands, just like the output of bgaofrewrite.

[PingXie]

@zuiderkwast I think you are essentially suggesting 2PC in the target shard as well, either hanging off of the 2PC between source and target primaries or part of the same 2PC between source and target primaries. The source replicas if any should also participate in the same 2PC BTW; otherwise the agreement reached by the source primary and the target shard could be nullified if both source and target primaries failed. Then I think this should work in theory but still there are details to work out too. For instance, how do we determine the new 2PC coordinator if the original one died? In the textbook 2PC, we would like to stick to the same coordinator after the failure. Need to think it though what it means if we change the coordinator midway a transaction.

Another concern I have is w.r.t. the dependency on any sort of persistence. What do we do for the deployment without non-volatile storage access?

The fork requirement is not ideal but is acceptable IMO, if there is an incremental path forward, which isn't clear to me at the moment. If we ended up not reusing any fork-based pieces, the tech debt is real.

Among the key benefits called out

1. simplicity - only one command is needed per-slot; no more coding required on the admin side
2. transparency - no more dealing with moved/asking on the client app side; multi-key commands no longer need retries during migration
3. strong consistency - via 2PC

I can totally see 1) happening;
I think 2) is undoubtedly a good trait, if it can be delivered without fork. With fork, we are trading the long-lived but smaller (additional n/w hops) impact on a few keys (in the slot being migrated) with the short-lived but bigger impact (frozen) on all keys;
I am looking forward to more details on 3). So far my understanding is that unless we go 2PC all the way, it is hard to say the consistency bar would be raised significantly, compared to what we have today.

[hwware]

I have several questions for this design:

1. As @PingXie comment, if the command CLUSTER MIGRATESLOTS [NODE ] [SHARD ] <slot1...slot2> could support multiply slot ranges, such as CLUSTER MIGRATESLOTS [NODE ] [SHARD ]

2. It is mentioned that All of these states will be repeated for every slot that is being migrated. So there will be one fork and one connection to the target node for each migrating slot. I am not sure how much cost of every fork and how many performance difference between these 2 ways , if we could only fork once and migration multiply slots?

3. In the old design, if we want to do one slot migration, we need run the command on source node and target node client sisde. Can we add the feature that allow client to run all the migration commands on any node client side, including non-target node and non-source node?

4. In the design, it says that If an individual migration fails, it will be rolled back and the process will be aborted. My question is when we migrate multily slots, if one slot fail, only this slot process abort and continue migtating other slots OR other slot migration process will be termiated as well?

Thanks

[madolson]

@zuiderkwast There is some value in replicating the import slot synchronously on the target. I think the most interesting example is as follows (Assume 2 primaries and two replicas across two shards (A and B), where A is migrating to B)

• Primary A is transferring data to Primary B, all the data is already staged on B.
• Primary A sends the IMPORT SLOT END. There isn't really a reason to replicate anything to replica B at this time.
• Primary B receives the end, and replicates it to its own replica. I think this should be done in either case. There are two sub-cases:
• • If it's done async, there is a case where replica B never learns that primary B completed the transaction that is interesting. In this case, it's possible that primary B did acknowledge to primary A that migration completed. At this point, the slot is lost, since replica B will take over without any data. This is easy to mitigate though, as we can detect that replica B has staged data and nobody owns the data.
• • In the synchronous case, the previous failure mode can be mitigated since we explicitly replicate the IMPORT END command before responding. However, we still run into the special case of the primary B failing, and the replica B needing to take special action.

I don't think it changes the overall correctness, but if it's easier to reason about I don't have much of a strong opinion.

On the surface it sounds like target replicas don't participate 2PC and they seem to serve as a "volatile" WAL.

For what it is worth, it's still a 2PC without a persistent WAL, it just adds failure modes. At AWS we just reconcile the system after it has failed catastrophically (Read everything has died). A single AOF disk is something we should probably think about more, which is not a mode we support internally. Replicas + AOF already don't play well together.

In the old design, if we want to do one slot migration, we need run the command on source node and target node client sisde. Can we add the feature that allow client to run all the migration commands on any node client side, including non-target node and non-source node?

Will ask this be a separate feature probably, since in a way it's kind of like a proxy of commands to the right node. Which I think is useful in many other circumstances.

In the design, it says that If an individual migration fails, it will be rolled back and the process will be aborted. My question is when we migrate multily slots, if one slot fail, only this slot process abort and continue migtating other slots OR other slot migration process will be termiated as well?

Currently it will not rollback the slots that have been successfully migrated.

[zuiderkwast]

@madolson

If it's done async, there is a case where replica B never learns that primary B completed the transaction that is interesting. In this case, it's possible that primary B did acknowledge to primary A that migration completed. At this point, the slot is lost, since replica B will take over without any data. This is easy to mitigate though, as we can detect that replica B has staged data and nobody owns the data.

I'm fine with such mitigation. It reminds me of redis-cli --cluster fix.

In the synchronous case, the previous failure mode can be mitigated since we explicitly replicate the IMPORT END command before responding. However, we still run into the special case of the primary B failing, and the replica B needing to take special action.

You mean primary B failing before the slot is fully migrated? The migration is rollbacked and the only thing replica B needs to do is to flush the slot, right? (or do we want to continue the migration after failover?)

What about primary A and primary B failing at the same time? Will the mitigation (replica B detects that the slot has no owner) work for this case too?

[ushachar]

The strategy being that we fork when migrating a slot, we establish the new connection, and then iterate over the slot space and sent the restore commands. Once all the data for the slot is migrated, the fork ends and the accumulated buffer for the slot is drained.

During the discussions about this, we said we will also offer a forkless option for people running in a very resource constrained
environment (these deployments will lose write availability for the duration of the data migration).

These are the different states: WAIT_TARGET_CONNECTION_SETUP: Established connection with the target node. Sends the CLUSTER IMPORTSLOT START ... to the target node.

I suggest preserving the current behavior of gossiping the intermediate state (marking slot X as being imported/migrated in the relevant shards) as it would make it easier for an admin to understand the current cluster state / see when rollback happens. This could be done automatically by the source and doesn't need to have an actual effect on the source/target.

SM_SRC_WAIT_ACK: Once this process is complete, the primary will initiate the second part of the 2PC by sending a CLUSTER MIGRATESLOT END ... . In this state, we are waiting for the acknowledgement from the target that it took ownership of the slot. This is done by the target publishing a cluster bus gossip message stating that is has ownership of the slot with a higher epoch number. The source receiving such message would indicate the target has successfully claimed the slot. At this point we are blocking all write requests against this slot.

The source should block writes to the slot before sending '''CLUSTER MIGRATESLOT END''', and not after receiving the acknowledgment from the target. Otherwise new writes would be lost.

All of these states will be repeated for every slot that is being migrated. So there will be one fork and one connection to the target node for each migrating slot.

This means that we will have 8K forks (not concurrent, but still...) happening when scaling up from one shard / whenever we multiply the number of shards. I know you suggest a potential improvement later in the game, but can we live with this in the first drop?

At the start of the slot migration, a client will be created on the source node and connect to the target node. This will be re-used from the migrate command code. At this point, a system fork will be executed, which will be used to send the point in time transfer of the data in the slot. The data transfer will occur on the main thread, with a named pipe being used to transfer the data from the child to the parent. This is link is used to enable TLS to be used, since a FD can not be shared between two processes since the internal TLS state will diverge. The process will periodically send information about the progress of the migration.

Why not just open the client conn in the child process? Worst case we'll incur the cost of forking and immediately exiting if unable to connect (and - under the assumption that the majority of the data is in the initial full sync - we benefit from less interruption to the primary in the happy path).

If at any point in time, the connection between the source and target is killed, the migration will be aborted on both ends.

Technically we can reconnect and continue in cases of connection failures that are not the result of process failure (verified by comparing runid). This could be a potential future enhancement since it will require a more complicated state handling.

This might also benefit from the investigation done here: #10589. Having a dictionary per slot would make it very easy to “unlink” the entire dictionary, but will require more investigation.

Going in this route would also open up the option of dedicated memory arena per slot(s) -- which will place a much tighter bound on the CoW overhead generated by slot migration.

Source or target node dies during transfer: In this failure mode, the migration will be aborted once some pre-defined timeouts are reached.

Once one of the sides decides on a timeout it must drop the connection ASAP as a signal to the other.

Target primary dies during 2PC: If the target primary dies after sending the CLUSTER IMPORT END and committing it to replicas. The newly promoted replica will be able to acknowledge slot ownership, completing the 2PC. If no replica is there to acknowledge it, the slot will be lost with the remaining slots on that node.

Doesn't the target primary receive the CLUSTER IMPORT END?
How will the newly promoted replica be able to ack the slot ownership & complete 2PC? Shouldn't this case have the same end result as Target never acknowledges 2PC ?

As a nitpick, I think the using the term 2PC here is a distraction - we don't have a coordinator and there are only two entities which reach agreement.

[zuiderkwast]

The strategy being that we fork when migrating a slot, we establish the new connection, and then iterate over the slot space and sent the restore commands. Once all the data for the slot is migrated, the fork ends and the accumulated buffer for the slot is drained.

During the discussions about this, we said we will also offer a forkless option for people running in a very resource constrained environment (these deployments will lose write availability for the duration of the data migration).

I still don't understand why we don't implement the simpler thread approach instead: Let a thread on the source node handle the transfer of data to the target. For each key, it asks the main thread (over a named pipe) to serialize it. Pros: No CoW, no losing write ability. The only downside is that it blocks the source node for the duration of serializing one key, but that's no worth than what we do on the target node, namely execute the RESTORE command which blocks the target for the duration of restoring the key. The thread can keep the pipeline to the target busy by serializing a few keys in advance, so I can't see that it should be any slower than the fork either.

What am I missing?

[ushachar]

The strategy being that we fork when migrating a slot, we establish the new connection, and then iterate over the slot space and sent the restore commands. Once all the data for the slot is migrated, the fork ends and the accumulated buffer for the slot is drained.

During the discussions about this, we said we will also offer a forkless option for people running in a very resource constrained environment (these deployments will lose write availability for the duration of the data migration).

I still don't understand why we don't implement the simpler thread approach instead

@zuiderkwast As I understand it, the goal here is to provide an atomic transfer of the slot (and avoid the current intermediate state which requires ASK/ASKING). Serializing per key while locking the entire slot will create a very long write outage.

[zuiderkwast]

@ushachar Then you misunderstand me. The idea is that the thread does exactly what the fork would do, apart from asking the main thread for each key. When a key has been serialized, it is marked so that further writes are accumulated and transferred later. Everything else can work as with the fork, except that the work is done in a thread instead. I hope I am more clear this time.

Edit: We'd need a structure to remember which keys have already been serialized, so we accumulate writes for them. (I forgot to mention but it's implied.)