Protected restarts for memory-only setups with replication.

[antirez]

Recently there was an incident that involved mixing Replication, Sentinel, with masters having snapshots/AOF disabled. This setup was not supported by Redis, since slaves try to connect with the master in order to be their exact copy, and Redis Sentinel operated clusters require to have persistence turned on in order to be able to recover their state after restarts.

While publicly discussing the incident, Michel Martens and Jason Watkins argued that to have an explicit support for diskless Redis setups using replication could be useful.

In the past I received requests to better support pure in-memory setups with replication, however I was always extremely skeptical about this setup for a simple reason: replication used to require the ability to persist on disk for the first synchronization of slaves. If you are forced to persist, it is not really an in-memory setup, it only got the disadvantages of requiring disk I/O, and, at the same time the disadvantage of the dataset being volatile after restarts. So my argument was: let's enable persistence in replicated setups, or if you want really want just a cache, use masters with consistent hashing.

However this scenario changed because of the new feature we are introducing: diskless replication. At this point it will be possible to have a master-slaves setup where disk is not touched for synchronization with slaves. The feature was originally conceived more in order to cope with latency issues in slow disk environments like EC2, however it has more interesting consequences for Redis, since it allows to have truly diskless master-slaves setups if also persistence is disabled at all.

However for this diskless setups to be useful, the Redis server must support a new mode that allows the data set to survive to the reboot of the master. Especially in absence of network partitions, if we have N instances with one master and N-1 slaves, the dataset should survive the restart of N-1 instances.

This issue introduces the simplest feature that can provide this ability, and at the same time plays well with Sentinel. All this by providing backward compatibility, since most setups rely on the ability of slaves to automatically reconnect and resynchronize with the master each time the replication link gets disconnected.

Why replication and persistence turned off don’t play well today

While Redis is an in-memory database, replication totally rely on the fact that Redis is disk backed: first resynchronizations relied on RDB snapshots in the master side, slaves stored an RDB file on disk before loading it in order to survive restarts with the ability to load the data set, and so forth.

Basically a fundamental requirement was the ability to restore the previous state (or a state that represented a point in time state in the near past, when AOF is not used) after restarts. Masters with persistence turned off violates this requirements, however they accept slaves in order to support scaling reads with multiple nodes.

Once a master has replication turned off, a restart is semantically equivalent to a FLUSHALL operation. The server returns online with the previous configuration, but with a wiped data set.
Slaves trying to resynchronize will try to copy the master’s exact state, effectively wiping their own data set as well.

In order to support purely in-memory setups, the user should be able to rely on the fact that redundancy is obtained via multiple replicated nodes that can fail in an independent way, so that as long as N-1 nodes are restarted, the data set is able to survive.

Different point of views, different solutions

The obvious way to support this use case is to stop the automatism that allow slaves to reconnect to the master after a reboot. For example a possible approach would be for slaves to stop the replication process as soon as they discover the master was rebooted, that is, the master “runid” changed.
Let’s call this solution “conservative slaves”.

Another approach is the reverse one, to have “conservative masters”. Conservative masters don’t trust their status after a reboot, if configured to do so. After a reboot, the master remains offline, replying to requests with errors, until it is unblocked in order to return either an (empty) master, or a slave of some other master.

The two approaches have advantages and disadvantages, however conservative masters have the big advantage of playing well with Redis Sentinel.

In a master reboot event, if the Sentinel timeout is set so large that the reboot does not trigger the failure detector, the error reported by the conservative master will trigger a failure anyway. Moreover, as soon as a new master will be elected, the old master will be configured to replicate with the new one, which in turn unblock it into a normal state.

Basically a conservative master, if used together with Sentinel, guarantees that each master reboot triggers a Sentinel failover.

Feature description

The feature will be called protected restart, and can be enabled in the configuration file with the following configuration directive:

protected-restart yes

It only affects instances that are restarted configured as masters, regardless of the fact the instance is configured to persist on disk or not.

After a protected restart, the server will reply with a -PROTECTED error, waiting a SLAVEOF command in order to be properly configured as a master (using slaveof no one), or as a slave.

Slaves will not be able to replicate from a protected master, since it will reply with an error to synchronization attempts.

Masters in protected state will sill be able to reply to INFO commands in the proper way, however they will reply to PING with an error, triggering the Sentinel failure detector and most other monitoring systems checking for PONG replies to validate the instance state.

The first time a master-slave setup is created, the system administrator requires to manually unblock the master with the SLAVEOF NO ONE command.

Mixed mode

It sounds reasonalbe to also support an intermediate model where:

1. Masters have persistence disabled.
2. Slaves have persistence enabled.

Of course, when an instance is reconfigured, it switches persistence on/off automatically. In this way we can have more data safety in slaves, which would allow to use a diskless master in single datacenter setups without big concerns.

This could be obtained by extending the diskless-operations configuration option in order to support three different models:

1. diskless-operations no # Like today.
2. diskless-operations full # Masters and slaves with persistence turned off. Master safe restarts.
3. diskless-operations master # Only masters will not persist regardless of saving/AOF config. Master safe restarts.

[FransBouma]

So you're going to implement the algorithm in this paper? http://pmg.csail.mit.edu/papers/vr-revisited.pdf

[soveran]

@FransBouma I think the paper you mention is not related to the problem or the proposed solution described here.

[FransBouma]

The paper discusses a disk-less replication system, solving the problem of how to do that reliably. Although it isn't mentioning master-slave in particular (just replicas), IMHO it discusses precisely the algorithm needed. I just thought I'd mention it, in case you hadn't seen the paper.

[soveran]

@FransBouma The paper mentions a completely different scenario. The fact that it was mentioned by Aphyr has more to do with his agenda to discredit Redis than with the actual problem.

[FransBouma]

Fair enough (and I agree re: agendas)

[antirez]

Dudes, I'm not familiar with this paper, not sure if I never read it or I read it enough time ago to don't remember much. So I'm going to read it today and check if the ideas contained can help our use case or if there is some inspiration. However at a first look while we can get interesting ideas in order to improve the Sentinel orchestration of a set of replicas, the solution proposed above is a feature that makes sense per se (it was requested in the past, for example by Craigslist folks) and is actually able to fix this problem without requiring other big changes in the system. So sounds like something Redis users are able to get in production in a matter of weeks: the implementation is trivial.

However we may want to check the invariants here, so that we can compare the same invariants with other algorithms. In the context of Sentinel the invariants are:

1. If all nodes are configured with protected restarts on, it is guaranteed that a reboot either triggers a failover, or an unavailability condition (if there is no slave to promote the old master will remain active, but will return errors).
2. If N-1 slaves restarted as well, Sentinel is guaranteed to pick the slave that didn't restarted as successor of the rebooted master. This happens since Sentinels consider slaves that were not able to synchronize after a reboot not candidates for promotion.

However as described earlier in my latest blog post, Sentinel currently does not guarantee to pick the best available slave among the possible M slaves that did not rebooted. Most of the times, it will do the right thing, but if we take into account more complex netsplits and restarts events, the fact that the replication offset counter resets lowers the guarantees.

I'll check the guarantees offered by our current system with what is achieved by the revisited version of TSed replication. Thanks.

About the agendas stuff: I think that all in all there was an useful discussion and Redis is going to benefit from this in the long run. The fact that we don't protect the Redis image at every cost, makes us able to enter moments of deep self-criticism, and to evolve into new solutions, or instead to get more confidence in our current solutions. In the long time this makes Redis more fit for the user base compared to products that avoid this self-criticism crisis ;-)

[antirez]

Ok, I was familiar with the paper, I read it after the Raft paper, the two papers are closely related (this is acknowledged in the Raft paper, btw). TSed replication is a synchronous replication protocol, so it is basically not applicable in the case of a set of Redis replicas. One can just try to capture the higher level goals, and adapt them to an asynchronously replicated system. Proposing this paper as way to improve Redis, without all the additional background needed to change scenario from synchronous to asynchronous, is basically not a very informed and informative suggestion.

[yossigo]

@antirez +1 for this feature, we have a similar practice and it works well. Basically in this approach Redis is a pure in-memory replicated system, and persistence can be viewed as a second-level data protection mechanism (e.g. in the event of N instances down).

Also, instances should avoid reading AOF or RDB files on startup as it's just a waste of time - they must replicate immediately anyway. This is true not only to protected masters, but also to slaves of course.

My last point is I think the name is not very descriptive, and something like "ephemeral-master" may be more clear, and this should be ON by default if no disk persistence is configured.

[mattsta]

Also, instances should avoid reading AOF or RDB files on startup as it's just a waste of time - they must replicate immediately anyway. This is true not only to protected masters, but also to slaves of course.

That was suggested earlier, but it got denied because:

bb8ce05 is totally broken: It breaks Cluster / Sentinel failovers after a slave restart and the config directive to serve stale data if we can't connect with the master. In general a slave should do everything is its power to serve stuff after a restart. If it will later be able to connect with the master to refresh its view of the data, fine, otherwise what is authoritative is the latest data it was able to obtain.

[antirez]

@yossigo thanks for the ack about this feature, it's great to have a positive feedback from folks that already did a similar thing internally. I also agree on the point of view that this is data safety achieved with redundancy instead of persistence: this is an old DS concept and inspired many database systems, for example VoltDB was initially based only on this concept without any disk persistence built-in (I believe it was later introduced for single data center setups).

About not loading AOF/RDB: it makes sense for this feature to be used when the master has persistence disabled, however forcing this gives less choice and moreover is backward not compatible. I would stop just documenting in the future that it makes sense to use this for diskless setups. If users enable both protected master and turn off persistence, the result is indeed fast startups.

Actually we may have a "diskless-operations" option that when set to yes forces Redis to be totally in memory, and is just a macro-operation for:

1. Disable AOF.
2. Disable snapshots.
3. Enable diskless replication.

So in many setups one should just use:

protected-restart yes
diskless-operations yes

Slaves not reading the on-disk file in setups with persistence turned on is risky for the reason quoted by @matttsta: we can't give away the dataset unless we are able to make sure the replication process succeeded. However in diskless setups this is automatic, no dataset is loaded.

About the name, I would like to capture as much as possible what the feature actually does. Ephemeral-master is not very clear in my opinion since you can have protected restarts but persistence on.

Maybe a candidate could be auto-rejoin-on-restart yes/no, where yes is the current behavior, and no would be the new one.