3:53 p.m.
Guys,
So this is what I have in mind for this, looking for opinions.
1. We write a SplitBrainListener which is registered when the channel connects. The aim
of this listener is to identify when we have a partition. This can be identified when a
view change is detected, and the new view is significantly smaller than the old view.
Easier to detect for large clusters, but smaller clusters will be harder - trying to
decide between a node leaving vs a partition. (Any better ideas here?)
2. The SBL flips a switch in an interceptor (SplitBrainHandlerInterceptor?) which
switches the node to be read-only (reject invocations that change the state of the local
node) if it is in the smaller partition (newView.size < oldView.size / 2). Only works
reliably for odd-numbered cluster sizes, and the issues with small clusters seen in (1)
will affect here as well.
3. The SBL can flip the switch in the interceptor back to normal operation once a
MergeView is detected.
It's no way near perfect but at least it means that we can recommend enabling this and
setting up an odd number of nodes, with a cluster size of at least N if you want to reduce
inconsistency in your grid during partitions.
Is this even useful?
Bela, is there a more reliable mechanism to detect a split in (1)?
Cheers
Manik
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
11:02 p.m.
Some other alternatives for detecting a split:
- a hard-coded number of nodes required for a quorum configured by the
customer.
This is what we recommend for HASIngletons when the customer wants to
guarantee that something is running at most once in the cluster.
- an alternative communication channel
JBoss Messaging added this a year or two ago, where it uses a
database in addition to JGroups to keep track of cluster membership and
detect discrepencies between the two
(I don't know all the details of the implementation)
- something in JGroups to notify Infinispan of the difference between a
normal node leave and being kicked
(easily detectable inside JGroups, but I don't think this is really
exposed to apps?)
#1 should probably be pluggable, as a particular strategy may make sense
for specific use cases.
-Dennis
On 04/05/2013 08:53 AM, Manik Surtani wrote:
Guys,
So this is what I have in mind for this, looking for opinions.
1. We write a SplitBrainListener which is registered when the channel connects. The aim
of this listener is to identify when we have a partition. This can be identified when a
view change is detected, and the new view is significantly smaller than the old view.
Easier to detect for large clusters, but smaller clusters will be harder - trying to
decide between a node leaving vs a partition. (Any better ideas here?)
2. The SBL flips a switch in an interceptor (SplitBrainHandlerInterceptor?) which
switches the node to be read-only (reject invocations that change the state of the local
node) if it is in the smaller partition (newView.size < oldView.size / 2). Only works
reliably for odd-numbered cluster sizes, and the issues with small clusters seen in (1)
will affect here as well.
3. The SBL can flip the switch in the interceptor back to normal operation once a
MergeView is detected.
It's no way near perfect but at least it means that we can recommend enabling this
and setting up an odd number of nodes, with a cluster size of at least N if you want to
reduce inconsistency in your grid during partitions.
Is this even useful?
Bela, is there a more reliable mechanism to detect a split in (1)?
Cheers
Manik
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
9:35 a.m.
On 4/5/13 11:02 PM, Dennis Reed wrote:
Some other alternatives for detecting a split:
- a hard-coded number of nodes required for a quorum configured by
the customer. This is what we recommend for HASIngletons when the
customer wants to guarantee that something is running at most once in
the cluster.
Yes - this is what I described in my previous email (section 5.6.3 of
the JGroups manual). I think this is our best solution so far, and it
can be implemented quickly.
- an alternative communication channel JBoss Messaging added this a
year or two ago, where it uses a database in addition to JGroups to
keep track of cluster membership and detect discrepencies between the
two (I don't know all the details of the implementation)
Yes, a so called arbiter helps to increase chances of detecting a
partition, but it isn't fool-proof, e.g. if the partition has none of
the nodes being able to contact an arbiter database, or if multiple
partitions (with same number of nodes) are able to talk to the DB.
- something in JGroups to notify Infinispan of the difference
between
a normal node leave and being kicked (easily detectable inside
JGroups, but I don't think this is really exposed to apps?)
This could be done at the level of Infinispan (see my prev email). It
would detect graceful leaves, but not crashes or network splits
#1 should probably be pluggable, as a particular strategy may make
sense for specific use cases.
-Dennis
On 04/05/2013 08:53 AM, Manik Surtani wrote:
> Guys,
>
> So this is what I have in mind for this, looking for opinions.
>
> 1. We write a SplitBrainListener which is registered when the
> channel connects. The aim of this listener is to identify when we
> have a partition. This can be identified when a view change is
> detected, and the new view is significantly smaller than the old
> view. Easier to detect for large clusters, but smaller clusters
> will be harder - trying to decide between a node leaving vs a
> partition. (Any better ideas here?)
>
> 2. The SBL flips a switch in an interceptor
> (SplitBrainHandlerInterceptor?) which switches the node to be
> read-only (reject invocations that change the state of the local
> node) if it is in the smaller partition (newView.size <
> oldView.size / 2). Only works reliably for odd-numbered cluster
> sizes, and the issues with small clusters seen in (1) will affect
> here as well.
>
> 3. The SBL can flip the switch in the interceptor back to normal
> operation once a MergeView is detected.
>
> It's no way near perfect but at least it means that we can
> recommend enabling this and setting up an odd number of nodes, with
> a cluster size of at least N if you want to reduce inconsistency in
> your grid during partitions.
>
> Is this even useful?
>
> Bela, is there a more reliable mechanism to detect a split in (1)?
>
> Cheers Manik
>
> -- Manik Surtani manik(a)jboss.org twitter.com/maniksurtani
>
> Platform Architect, JBoss Data Grid http://red.ht/data-grid
>
>
> _______________________________________________ infinispan-dev
> mailing list infinispan-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
_______________________________________________ infinispan-dev
mailing list infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Bela Ban, JGroups lead (http://www.jgroups.org)
9:26 a.m.
On 4/5/13 3:53 PM, Manik Surtani wrote:
Guys,
So this is what I have in mind for this, looking for opinions.
1. We write a SplitBrainListener which is registered when the
channel connects. The aim of this listener is to identify when we
have a partition. This can be identified when a view change is
detected, and the new view is significantly smaller than the old
view. Easier to detect for large clusters, but smaller clusters will
be harder - trying to decide between a node leaving vs a partition.
(Any better ideas here?)
2. The SBL flips a switch in an interceptor
(SplitBrainHandlerInterceptor?) which switches the node to be
read-only (reject invocations that change the state of the local
node) if it is in the smaller partition (newView.size < oldView.size
/ 2). Only works reliably for odd-numbered cluster sizes, and the
issues with small clusters seen in (1) will affect here as well.
3. The SBL can flip the switch in the interceptor back to normal
operation once a MergeView is detected.
It's no way near perfect but at least it means that we can recommend
enabling this and setting up an odd number of nodes, with a cluster
size of at least N if you want to reduce inconsistency in your grid
during partitions.
Is this even useful?
So I assume this is to shut down (or make read-only) non primary
partitions. I'd go with an approach similar to [1] section 5.6.2, which
makes a partition read-only once it drops below a certain number of nodes N.
Bela, is there a more reliable mechanism to detect a split in (1)?
I'm afraid no. We never know whether a large number of members being
removed from the view means that they left, or that we have a partition,
e.g. because a switch crashed.
One thing you could do though is for members who are about to leave
regularly to broadcast a LEAVE messages, so that when the view is
received, the SBL knows those members, and might be able to determine
better whether we have a partition, or not.
[1] http://www.jgroups.org/manual-3.x/html/user-advanced.html, section 5.6.2
--
Bela Ban, JGroups lead (http://www.jgroups.org)
9:05 p.m.
Guys - I've started documenting this here [1] and will put together a prototype this
week.
One question though, perhaps one for Dan/Adrian - is there any special handling for state
transfer if a MergeView is detected?
- M
[1] https://community.jboss.org/wiki/DesignDealingWithNetworkPartitions
On 6 Apr 2013, at 04:26, Bela Ban <bban(a)redhat.com> wrote:
On 4/5/13 3:53 PM, Manik Surtani wrote:
> Guys,
>
> So this is what I have in mind for this, looking for opinions.
>
> 1. We write a SplitBrainListener which is registered when the
> channel connects. The aim of this listener is to identify when we
> have a partition. This can be identified when a view change is
> detected, and the new view is significantly smaller than the old
> view. Easier to detect for large clusters, but smaller clusters will
> be harder - trying to decide between a node leaving vs a partition.
> (Any better ideas here?)
>
> 2. The SBL flips a switch in an interceptor
> (SplitBrainHandlerInterceptor?) which switches the node to be
> read-only (reject invocations that change the state of the local
> node) if it is in the smaller partition (newView.size < oldView.size
> / 2). Only works reliably for odd-numbered cluster sizes, and the
> issues with small clusters seen in (1) will affect here as well.
>
> 3. The SBL can flip the switch in the interceptor back to normal
> operation once a MergeView is detected.
>
> It's no way near perfect but at least it means that we can recommend
> enabling this and setting up an odd number of nodes, with a cluster
> size of at least N if you want to reduce inconsistency in your grid
> during partitions.
>
> Is this even useful?
So I assume this is to shut down (or make read-only) non primary
partitions. I'd go with an approach similar to [1] section 5.6.2, which
makes a partition read-only once it drops below a certain number of nodes N.
> Bela, is there a more reliable mechanism to detect a split in (1)?
I'm afraid no. We never know whether a large number of members being
removed from the view means that they left, or that we have a partition,
e.g. because a switch crashed.
One thing you could do though is for members who are about to leave
regularly to broadcast a LEAVE messages, so that when the view is
received, the SBL knows those members, and might be able to determine
better whether we have a partition, or not.
[1] http://www.jgroups.org/manual-3.x/html/user-advanced.html, section 5.6.2
--
Bela Ban, JGroups lead (http://www.jgroups.org)
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
10:31 a.m.
In case of MergeView the cluster topology manager running on (the new)
coordinator will request the current cache topology from all members and
will compute a new topology as the union of all. The new topology id is
computed as the max + 2 of the existing topology ids. Any currently
pending rebalance in any subpartition is ended now and a new rebalance
is triggered for the new cluster. No data version conflict resolution is
performed => chaos :)
On 04/16/2013 10:05 PM, Manik Surtani wrote:
Guys - I've started documenting this here [1] and will put
together a prototype this week.
One question though, perhaps one for Dan/Adrian - is there any special handling for state
transfer if a MergeView is detected?
- M
[1] https://community.jboss.org/wiki/DesignDealingWithNetworkPartitions
On 6 Apr 2013, at 04:26, Bela Ban <bban(a)redhat.com> wrote:
>
> On 4/5/13 3:53 PM, Manik Surtani wrote:
>> Guys,
>>
>> So this is what I have in mind for this, looking for opinions.
>>
>> 1. We write a SplitBrainListener which is registered when the
>> channel connects. The aim of this listener is to identify when we
>> have a partition. This can be identified when a view change is
>> detected, and the new view is significantly smaller than the old
>> view. Easier to detect for large clusters, but smaller clusters will
>> be harder - trying to decide between a node leaving vs a partition.
>> (Any better ideas here?)
>>
>> 2. The SBL flips a switch in an interceptor
>> (SplitBrainHandlerInterceptor?) which switches the node to be
>> read-only (reject invocations that change the state of the local
>> node) if it is in the smaller partition (newView.size < oldView.size
>> / 2). Only works reliably for odd-numbered cluster sizes, and the
>> issues with small clusters seen in (1) will affect here as well.
>>
>> 3. The SBL can flip the switch in the interceptor back to normal
>> operation once a MergeView is detected.
>>
>> It's no way near perfect but at least it means that we can recommend
>> enabling this and setting up an odd number of nodes, with a cluster
>> size of at least N if you want to reduce inconsistency in your grid
>> during partitions.
>>
>> Is this even useful?
>
> So I assume this is to shut down (or make read-only) non primary
> partitions. I'd go with an approach similar to [1] section 5.6.2, which
> makes a partition read-only once it drops below a certain number of nodes N.
>
>
>> Bela, is there a more reliable mechanism to detect a split in (1)?
> I'm afraid no. We never know whether a large number of members being
> removed from the view means that they left, or that we have a partition,
> e.g. because a switch crashed.
>
> One thing you could do though is for members who are about to leave
> regularly to broadcast a LEAVE messages, so that when the view is
> received, the SBL knows those members, and might be able to determine
> better whether we have a partition, or not.
>
> [1] http://www.jgroups.org/manual-3.x/html/user-advanced.html, section 5.6.2
>
> --
> Bela Ban, JGroups lead (http://www.jgroups.org)
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
10:58 a.m.
And the nice behaviour is that if we have partitions P1 and P2 with latest common topology
20 , when P2 increased it's topology to, say 40, while P1 only to 30, when a new
coordinator from P1 will be elected it will try to compare these topology ids directly
(assuming which one is newer or older) which won't end up well.
Radim
----- Original Message -----
| From: "Adrian Nistor" <anistor(a)redhat.com>
| To: "infinispan -Dev List" <infinispan-dev(a)lists.jboss.org>
| Cc: "Manik Surtani" <msurtani(a)redhat.com>
| Sent: Wednesday, April 17, 2013 10:31:39 AM
| Subject: Re: [infinispan-dev] ISPN-263 and handling partitions
|
| In case of MergeView the cluster topology manager running on (the new)
| coordinator will request the current cache topology from all members and
| will compute a new topology as the union of all. The new topology id is
| computed as the max + 2 of the existing topology ids. Any currently
| pending rebalance in any subpartition is ended now and a new rebalance
| is triggered for the new cluster. No data version conflict resolution is
| performed => chaos :)
|
| On 04/16/2013 10:05 PM, Manik Surtani wrote:
| > Guys - I've started documenting this here [1] and will put together a
| > prototype this week.
| >
| > One question though, perhaps one for Dan/Adrian - is there any special
| > handling for state transfer if a MergeView is detected?
| >
| > - M
| >
| > [1] https://community.jboss.org/wiki/DesignDealingWithNetworkPartitions
| >
| > On 6 Apr 2013, at 04:26, Bela Ban <bban(a)redhat.com> wrote:
| >
| >>
| >> On 4/5/13 3:53 PM, Manik Surtani wrote:
| >>> Guys,
| >>>
| >>> So this is what I have in mind for this, looking for opinions.
| >>>
| >>> 1. We write a SplitBrainListener which is registered when the
| >>> channel connects. The aim of this listener is to identify when we
| >>> have a partition. This can be identified when a view change is
| >>> detected, and the new view is significantly smaller than the old
| >>> view. Easier to detect for large clusters, but smaller clusters will
| >>> be harder - trying to decide between a node leaving vs a partition.
| >>> (Any better ideas here?)
| >>>
| >>> 2. The SBL flips a switch in an interceptor
| >>> (SplitBrainHandlerInterceptor?) which switches the node to be
| >>> read-only (reject invocations that change the state of the local
| >>> node) if it is in the smaller partition (newView.size < oldView.size
| >>> / 2). Only works reliably for odd-numbered cluster sizes, and the
| >>> issues with small clusters seen in (1) will affect here as well.
| >>>
| >>> 3. The SBL can flip the switch in the interceptor back to normal
| >>> operation once a MergeView is detected.
| >>>
| >>> It's no way near perfect but at least it means that we can recommend
| >>> enabling this and setting up an odd number of nodes, with a cluster
| >>> size of at least N if you want to reduce inconsistency in your grid
| >>> during partitions.
| >>>
| >>> Is this even useful?
| >>
| >> So I assume this is to shut down (or make read-only) non primary
| >> partitions. I'd go with an approach similar to [1] section 5.6.2, which
| >> makes a partition read-only once it drops below a certain number of nodes
| >> N.
| >>
| >>
| >>> Bela, is there a more reliable mechanism to detect a split in (1)?
| >> I'm afraid no. We never know whether a large number of members being
| >> removed from the view means that they left, or that we have a partition,
| >> e.g. because a switch crashed.
| >>
| >> One thing you could do though is for members who are about to leave
| >> regularly to broadcast a LEAVE messages, so that when the view is
| >> received, the SBL knows those members, and might be able to determine
| >> better whether we have a partition, or not.
| >>
| >> [1] http://www.jgroups.org/manual-3.x/html/user-advanced.html, section
| >> 5.6.2
| >>
| >> --
| >> Bela Ban, JGroups lead (http://www.jgroups.org)
| >> _______________________________________________
| >> infinispan-dev mailing list
| >> infinispan-dev(a)lists.jboss.org
| >> https://lists.jboss.org/mailman/listinfo/infinispan-dev
| > --
| > Manik Surtani
| > manik(a)jboss.org
| > twitter.com/maniksurtani
| >
| > Platform Architect, JBoss Data Grid
| > http://red.ht/data-grid
| >
| >
| > _______________________________________________
| > infinispan-dev mailing list
| > infinispan-dev(a)lists.jboss.org
| > https://lists.jboss.org/mailman/listinfo/infinispan-dev
|
| _______________________________________________
| infinispan-dev mailing list
| infinispan-dev(a)lists.jboss.org
| https://lists.jboss.org/mailman/listinfo/infinispan-dev
|
12:28 p.m.
Well, first of all, we won't *have* any conflicting topology IDs, as the
minority partitions don't change them after becoming minority.
Secondly, we can end up with the coordinator of a minority partition
becoming the coordinator of the new merged partition, so we shouldn't
rely on that (but I don't think we do so anyway?).
On a merge, everyone knows whether it came from a minority or majority
partition, and the algorithm for state transfer should always clear the
state in members in the minority partition and overwrite it from members
of the primary partition.
On 4/17/13 10:58 AM, Radim Vansa wrote:
And the nice behaviour is that if we have partitions P1 and P2 with
latest common topology 20 , when P2 increased it's topology to, say 40, while P1 only
to 30, when a new coordinator from P1 will be elected it will try to compare these
topology ids directly (assuming which one is newer or older) which won't end up well.
Radim
----- Original Message -----
| From: "Adrian Nistor" <anistor(a)redhat.com>
| To: "infinispan -Dev List" <infinispan-dev(a)lists.jboss.org>
| Cc: "Manik Surtani" <msurtani(a)redhat.com>
| Sent: Wednesday, April 17, 2013 10:31:39 AM
| Subject: Re: [infinispan-dev] ISPN-263 and handling partitions
|
| In case of MergeView the cluster topology manager running on (the new)
| coordinator will request the current cache topology from all members and
| will compute a new topology as the union of all. The new topology id is
| computed as the max + 2 of the existing topology ids. Any currently
| pending rebalance in any subpartition is ended now and a new rebalance
| is triggered for the new cluster. No data version conflict resolution is
| performed => chaos :)
|
| On 04/16/2013 10:05 PM, Manik Surtani wrote:
| > Guys - I've started documenting this here [1] and will put together a
| > prototype this week.
| >
| > One question though, perhaps one for Dan/Adrian - is there any special
| > handling for state transfer if a MergeView is detected?
| >
| > - M
| >
| > [1] https://community.jboss.org/wiki/DesignDealingWithNetworkPartitions
| >
| > On 6 Apr 2013, at 04:26, Bela Ban <bban(a)redhat.com> wrote:
| >
| >>
| >> On 4/5/13 3:53 PM, Manik Surtani wrote:
| >>> Guys,
| >>>
| >>> So this is what I have in mind for this, looking for opinions.
| >>>
| >>> 1. We write a SplitBrainListener which is registered when the
| >>> channel connects. The aim of this listener is to identify when we
| >>> have a partition. This can be identified when a view change is
| >>> detected, and the new view is significantly smaller than the old
| >>> view. Easier to detect for large clusters, but smaller clusters will
| >>> be harder - trying to decide between a node leaving vs a partition.
| >>> (Any better ideas here?)
| >>>
| >>> 2. The SBL flips a switch in an interceptor
| >>> (SplitBrainHandlerInterceptor?) which switches the node to be
| >>> read-only (reject invocations that change the state of the local
| >>> node) if it is in the smaller partition (newView.size < oldView.size
| >>> / 2). Only works reliably for odd-numbered cluster sizes, and the
| >>> issues with small clusters seen in (1) will affect here as well.
| >>>
| >>> 3. The SBL can flip the switch in the interceptor back to normal
| >>> operation once a MergeView is detected.
| >>>
| >>> It's no way near perfect but at least it means that we can recommend
| >>> enabling this and setting up an odd number of nodes, with a cluster
| >>> size of at least N if you want to reduce inconsistency in your grid
| >>> during partitions.
| >>>
| >>> Is this even useful?
| >>
| >> So I assume this is to shut down (or make read-only) non primary
| >> partitions. I'd go with an approach similar to [1] section 5.6.2, which
| >> makes a partition read-only once it drops below a certain number of nodes
| >> N.
| >>
| >>
| >>> Bela, is there a more reliable mechanism to detect a split in (1)?
| >> I'm afraid no. We never know whether a large number of members being
| >> removed from the view means that they left, or that we have a partition,
| >> e.g. because a switch crashed.
| >>
| >> One thing you could do though is for members who are about to leave
| >> regularly to broadcast a LEAVE messages, so that when the view is
| >> received, the SBL knows those members, and might be able to determine
| >> better whether we have a partition, or not.
| >>
| >> [1] http://www.jgroups.org/manual-3.x/html/user-advanced.html, section
| >> 5.6.2
| >>
| >> --
| >> Bela Ban, JGroups lead (http://www.jgroups.org)
| >> _______________________________________________
| >> infinispan-dev mailing list
| >> infinispan-dev(a)lists.jboss.org
| >> https://lists.jboss.org/mailman/listinfo/infinispan-dev
| > --
| > Manik Surtani
| > manik(a)jboss.org
| > twitter.com/maniksurtani
| >
| > Platform Architect, JBoss Data Grid
| > http://red.ht/data-grid
| >
| >
| > _______________________________________________
| > infinispan-dev mailing list
| > infinispan-dev(a)lists.jboss.org
| > https://lists.jboss.org/mailman/listinfo/infinispan-dev
|
| _______________________________________________
| infinispan-dev mailing list
| infinispan-dev(a)lists.jboss.org
| https://lists.jboss.org/mailman/listinfo/infinispan-dev
|
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Bela Ban, JGroups lead (http://www.jgroups.org)
1:23 p.m.
On Wed, Apr 17, 2013 at 1:28 PM, Bela Ban <bban(a)redhat.com> wrote:
Well, first of all, we won't *have* any conflicting topology IDs,
as the
minority partitions don't change them after becoming minority.
We don't have the notion of "conflicting topology IDs" with the
current
algorithm, either. After a merge, it doesn't matter which partition had the
highest topology id before, we just pick a topology id that we know wasn't
used in any of the partitions.
Then we assume that each node has latest data in the segments that it owned
in its pre-merge consistent hash. Obviously, if any value changed while the
partitions were separated, we would have lost consistency - hence the chaos
that Adrian mentioned.
Secondly, we can end up with the coordinator of a minority partition
becoming the coordinator of the new merged partition, so we shouldn't
rely on that (but I don't think we do so anyway?).
No, we don't care what partition the merge coordinator was in, we tread all
partitions the same (with some extra work for overlapping partitions).
On a merge, everyone knows whether it came from a minority or
majority
partition, and the algorithm for state transfer should always clear the
state in members in the minority partition and overwrite it from members
of the primary partition.
Actually, the merge coordinator is the only one that has to know which node
is from a minority or a majority partition.
I like the idea of always clearing the state in members of the minority
partition(s), but one problem with that is that there may be some keys that
only had owners in the minority partition(s). If we wiped the state of the
minority partition members, those keys would be lost.
Of course, you could argue that the cluster already lost those keys when we
allowed the majority partition to continue working without having those
keys... We could also rely on the topology information, and say that we
only support partitioning when numOwners >= numSites (or numRacks, if there
is only one site, or numMachines, if there is a single rack).
One other option is to perform a more complicated post-merge state
transfer, in which each partition sends all the data it has to all the
other partitions, and on the receiving end each node has a "conflict
resolution" component that can merge two values. That is definitely more
complicated than just going with a primary partition, though.
One final point... when a node comes back online and it has a local cache
store, it is very much as if we had a merge view. The current approach is
to join as if the node didn't have any data, then delete everything from
the cache store that is not mapped to the node in the consistent hash.
Obviously that can lead to consistency problems, just like our current
merge algorithm. It would be nice if we could handle both these cases the
same way.
On 4/17/13 10:58 AM, Radim Vansa wrote:
> And the nice behaviour is that if we have partitions P1 and P2 with
latest common topology 20 , when P2 increased it's topology to, say 40,
while P1 only to 30, when a new coordinator from P1 will be elected it will
try to compare these topology ids directly (assuming which one is newer or
older) which won't end up well.
>
> Radim
>
> ----- Original Message -----
> | From: "Adrian Nistor" <anistor(a)redhat.com>
> | To: "infinispan -Dev List" <infinispan-dev(a)lists.jboss.org>
> | Cc: "Manik Surtani" <msurtani(a)redhat.com>
> | Sent: Wednesday, April 17, 2013 10:31:39 AM
> | Subject: Re: [infinispan-dev] ISPN-263 and handling partitions
> |
> | In case of MergeView the cluster topology manager running on (the new)
> | coordinator will request the current cache topology from all members
and
> | will compute a new topology as the union of all. The new topology id is
> | computed as the max + 2 of the existing topology ids. Any currently
> | pending rebalance in any subpartition is ended now and a new rebalance
> | is triggered for the new cluster. No data version conflict resolution
is
> | performed => chaos :)
> |
> | On 04/16/2013 10:05 PM, Manik Surtani wrote:
> | > Guys - I've started documenting this here [1] and will put together a
> | > prototype this week.
> | >
> | > One question though, perhaps one for Dan/Adrian - is there any
special
> | > handling for state transfer if a MergeView is detected?
> | >
> | > - M
> | >
> | > [1]
https://community.jboss.org/wiki/DesignDealingWithNetworkPartitions
> | >
> | > On 6 Apr 2013, at 04:26, Bela Ban <bban(a)redhat.com> wrote:
> | >
> | >>
> | >> On 4/5/13 3:53 PM, Manik Surtani wrote:
> | >>> Guys,
> | >>>
> | >>> So this is what I have in mind for this, looking for opinions.
> | >>>
> | >>> 1. We write a SplitBrainListener which is registered when the
> | >>> channel connects. The aim of this listener is to identify when we
> | >>> have a partition. This can be identified when a view change is
> | >>> detected, and the new view is significantly smaller than the old
> | >>> view. Easier to detect for large clusters, but smaller clusters
will
> | >>> be harder - trying to decide between a node leaving vs a partition.
> | >>> (Any better ideas here?)
> | >>>
> | >>> 2. The SBL flips a switch in an interceptor
> | >>> (SplitBrainHandlerInterceptor?) which switches the node to be
> | >>> read-only (reject invocations that change the state of the local
> | >>> node) if it is in the smaller partition (newView.size <
oldView.size
> | >>> / 2). Only works reliably for odd-numbered cluster sizes, and the
> | >>> issues with small clusters seen in (1) will affect here as well.
> | >>>
> | >>> 3. The SBL can flip the switch in the interceptor back to normal
> | >>> operation once a MergeView is detected.
> | >>>
> | >>> It's no way near perfect but at least it means that we can
recommend
> | >>> enabling this and setting up an odd number of nodes, with a cluster
> | >>> size of at least N if you want to reduce inconsistency in your grid
> | >>> during partitions.
> | >>>
> | >>> Is this even useful?
> | >>
> | >> So I assume this is to shut down (or make read-only) non primary
> | >> partitions. I'd go with an approach similar to [1] section 5.6.2,
which
> | >> makes a partition read-only once it drops below a certain number of
nodes
> | >> N.
> | >>
> | >>
> | >>> Bela, is there a more reliable mechanism to detect a split in (1)?
> | >> I'm afraid no. We never know whether a large number of members being
> | >> removed from the view means that they left, or that we have a
partition,
> | >> e.g. because a switch crashed.
> | >>
> | >> One thing you could do though is for members who are about to leave
> | >> regularly to broadcast a LEAVE messages, so that when the view is
> | >> received, the SBL knows those members, and might be able to
determine
> | >> better whether we have a partition, or not.
> | >>
> | >> [1] http://www.jgroups.org/manual-3.x/html/user-advanced.html,
section
> | >> 5.6.2
> | >>
> | >> --
> | >> Bela Ban, JGroups lead (http://www.jgroups.org)
> | >> _______________________________________________
> | >> infinispan-dev mailing list
> | >> infinispan-dev(a)lists.jboss.org
> | >> https://lists.jboss.org/mailman/listinfo/infinispan-dev
> | > --
> | > Manik Surtani
> | > manik(a)jboss.org
> | > twitter.com/maniksurtani
> | >
> | > Platform Architect, JBoss Data Grid
> | > http://red.ht/data-grid
> | >
> | >
> | > _______________________________________________
> | > infinispan-dev mailing list
> | > infinispan-dev(a)lists.jboss.org
> | > https://lists.jboss.org/mailman/listinfo/infinispan-dev
> |
> | _______________________________________________
> | infinispan-dev mailing list
> | infinispan-dev(a)lists.jboss.org
> | https://lists.jboss.org/mailman/listinfo/infinispan-dev
> |
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
--
Bela Ban, JGroups lead (http://www.jgroups.org)
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
4:53 p.m.
On 17 Apr 2013, at 08:23, Dan Berindei <dan.berindei(a)gmail.com> wrote:
I like the idea of always clearing the state in members of the
minority partition(s), but one problem with that is that there may be some keys that only
had owners in the minority partition(s). If we wiped the state of the minority partition
members, those keys would be lost.
Right, this is my concern with such a wipe as well.
Of course, you could argue that the cluster already lost those keys
when we allowed the majority partition to continue working without having those keys... We
could also rely on the topology information, and say that we only support partitioning
when numOwners >= numSites (or numRacks, if there is only one site, or numMachines, if
there is a single rack).
This is only true for an embedded app. For an app communicating with the cluster over Hot
Rod, this isn't the case as it could directly read from the minority partition.
One other option is to perform a more complicated post-merge state
transfer, in which each partition sends all the data it has to all the other partitions,
and on the receiving end each node has a "conflict resolution" component that
can merge two values. That is definitely more complicated than just going with a primary
partition, though.
That sounds massively expensive. I think the right solution at this point is entry
versioning using vector clocks and the vector clocks are exchanged and compared during a
merge. Not the entire dataset.
One final point... when a node comes back online and it has a local
cache store, it is very much as if we had a merge view. The current approach is to join as
if the node didn't have any data, then delete everything from the cache store that is
not mapped to the node in the consistent hash. Obviously that can lead to consistency
problems, just like our current merge algorithm. It would be nice if we could handle both
these cases the same way.
+1
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
11:44 a.m.
On Wed, Apr 17, 2013 at 5:53 PM, Manik Surtani <msurtani(a)redhat.com> wrote:
On 17 Apr 2013, at 08:23, Dan Berindei <dan.berindei(a)gmail.com> wrote:
I like the idea of always clearing the state in members of the minority
partition(s), but one problem with that is that there may be some keys that
only had owners in the minority partition(s). If we wiped the state of the
minority partition members, those keys would be lost.
Right, this is my concern with such a wipe as well.
Of course, you could argue that the cluster already lost those keys when
we allowed the majority partition to continue working without having those
keys... We could also rely on the topology information, and say that we
only support partitioning when numOwners >= numSites (or numRacks, if there
is only one site, or numMachines, if there is a single rack).
This is only true for an embedded app. For an app communicating with the
cluster over Hot Rod, this isn't the case as it could directly read from
the minority partition.
For that to happen, the client would have to be able to keep two (or more)
active consistent hashes at the same time. I think, at least in the first
phase, the servers in a minority partition should send a "look somewhere
else" response to any request from the client, so that it installs the
topology update of the majority partition and not the topology of one of
the minority partitions.
One other option is to perform a more complicated post-merge state
transfer, in which each partition sends all the data it has to all
the
other partitions, and on the receiving end each node has a "conflict
resolution" component that can merge two values. That is definitely more
complicated than just going with a primary partition, though.
That sounds massively expensive. I think the right solution at this point
is entry versioning using vector clocks and the vector clocks are exchanged
and compared during a merge. Not the entire dataset.
True, it would be very expensive. I think for many applications just
selecting a winner should be fine, though, so it might be worth
implementing this algorithm with the versioning support we already have as
a POC.
One final point... when a node comes back online and it has a local cache
store, it is very much as if we had a merge view. The current
approach is
to join as if the node didn't have any data, then delete everything from
the cache store that is not mapped to the node in the consistent hash.
Obviously that can lead to consistency problems, just like our current
merge algorithm. It would be nice if we could handle both these cases the
same way.
+1
I've been thinking about this some more... the problem with the local cache
store is that nodes don't necessary start in the same order in which they
were shut down. So you might have enough nodes for a cluster to consider
itself "available", but only a slight overlap with the cluster as it looked
the last time it was "available" - so you would have stale data.
We might be able to save the topology on shutdown and block startup until
the same nodes that were in the last "available" partition are all up, but
it all sounds a bit fragile.
Cheers
Dan
3:26 p.m.
On 18 Apr 2013, at 06:44, Dan Berindei <dan.berindei(a)gmail.com> wrote:
On Wed, Apr 17, 2013 at 5:53 PM, Manik Surtani <msurtani(a)redhat.com> wrote:
On 17 Apr 2013, at 08:23, Dan Berindei <dan.berindei(a)gmail.com> wrote:
> I like the idea of always clearing the state in members of the minority partition(s),
but one problem with that is that there may be some keys that only had owners in the
minority partition(s). If we wiped the state of the minority partition members, those keys
would be lost.
Right, this is my concern with such a wipe as well.
> Of course, you could argue that the cluster already lost those keys when we allowed
the majority partition to continue working without having those keys... We could also rely
on the topology information, and say that we only support partitioning when numOwners
>= numSites (or numRacks, if there is only one site, or numMachines, if there is a
single rack).
This is only true for an embedded app. For an app communicating with the cluster over
Hot Rod, this isn't the case as it could directly read from the minority partition.
For that to happen, the client would have to be able to keep two (or more) active
consistent hashes at the same time. I think, at least in the first phase, the servers in a
minority partition should send a "look somewhere else" response to any request
from the client, so that it installs the topology update of the majority partition and not
the topology of one of the minority partitions.
Tat might work with Hot Rod, but not REST or memcached endpoints.
> One other option is to perform a more complicated post-merge state transfer, in which
each partition sends all the data it has to all the other partitions, and on the receiving
end each node has a "conflict resolution" component that can merge two values.
That is definitely more complicated than just going with a primary partition, though.
That sounds massively expensive. I think the right solution at this point is entry
versioning using vector clocks and the vector clocks are exchanged and compared during a
merge. Not the entire dataset.
True, it would be very expensive. I think for many applications just selecting a winner
should be fine, though, so it might be worth implementing this algorithm with the
versioning support we already have as a POC.
I presume versioning (based on Vector Clocks) is now in master, as a part of Pedro's
work on total order?
> One final point... when a node comes back online and it has a local cache store, it
is very much as if we had a merge view. The current approach is to join as if the node
didn't have any data, then delete everything from the cache store that is not mapped
to the node in the consistent hash. Obviously that can lead to consistency problems, just
like our current merge algorithm. It would be nice if we could handle both these cases the
same way.
+1
I've been thinking about this some more... the problem with the local cache store is
that nodes don't necessary start in the same order in which they were shut down. So
you might have enough nodes for a cluster to consider itself "available", but
only a slight overlap with the cluster as it looked the last time it was
"available" - so you would have stale data.
We might be able to save the topology on shutdown and block startup until the same nodes
that were in the last "available" partition are all up, but it all sounds a bit
fragile.
Yeah, those nodes may never come up again.
- M
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
12:56 p.m.
On 17 Apr 2013, at 16:53, Manik Surtani wrote:
> Of course, you could argue that the cluster already lost those
keys when we allowed the majority partition to continue working without having those
keys... We could also rely on the topology information, and say that we only support
partitioning when numOwners >= numSites (or numRacks, if there is only one site, or
numMachines, if there is a single rack).
This is only true for an embedded app. For an app communicating with the cluster over
Hot Rod, this isn't the case as it could directly read from the minority partition.
I don't think it's that simple:
- k1 is in the minority partition *only*
- it is removed/updated in the majority partition
- then read in the minority partition
> One other option is to perform a more complicated post-merge state transfer, in which
each partition sends all the data it has to all the other partitions, and on the receiving
end each node has a "conflict resolution" component that can merge two values.
That is definitely more complicated than just going with a primary partition, though.
That sounds massively expensive.
if you move only the keys + version around (not
the values) shouldn't be that bad from a load perspective.
I think the right solution at this point is entry versioning using
vector clocks and the vector clocks are exchanged and compared during a merge. Not the
entire dataset.
+1
> One final point... when a node comes back online and it has a local cache store, it
is very much as if we had a merge view. The current approach is to join as if the node
didn't have any data, then delete everything from the cache store that is not mapped
to the node in the consistent hash. Obviously that can lead to consistency problems, just
like our current merge algorithm. It would be nice if we could handle both these cases the
same way.
Cheers,
--
Mircea Markus
Infinispan lead (www.infinispan.org)
2:42 p.m.
On 17 Apr 2013, at 13:23, Dan Berindei wrote:
I like the idea of always clearing the state in members of the
minority partition(s), but one problem with that is that there may be some keys that only
had owners in the minority partition(s). If we wiped the state of the minority partition
members, those keys would be lost.
Indeed, data consistency is lost the moment we
have a partition with numOwners members. So with the read-only cluster approach, we can
only target *eventual* consistency - that's when the partitions are merged.
Of course, you could argue that the cluster already lost those keys when we allowed the
majority partition to continue working without having those keys... We could also rely on
the topology information, and say that we only support partitioning when numOwners >=
numSites (or numRacks, if there is only one site, or numMachines, if there is a single
rack).
Good point re: topology.
That assumes that there won't be any split brains in the same site (or rack), which
I'm not sure stands true in general. Bela care to comment?
One other option is to perform a more complicated post-merge state transfer, in which
each partition sends all the data it has to all the other partitions, and on the receiving
end each node has a "conflict resolution" component that can merge two values.
That is definitely more complicated than just going with a primary partition, though.
+1
One final point... when a node comes back online and it has a local cache store, it is
very much as if we had a merge view. The current approach is to join as if the node
didn't have any data, then delete everything from the cache store that is not mapped
to the node in the consistent hash.
With this approach a value that has been deleted
within the cluster might resurrect. Wouldn't it be better to delete everything from
the cache store?
Obviously that can lead to consistency problems, just like our
current merge algorithm. It would be nice if we could handle both these cases the same
way.
+1. The cache store is the equivalent of the read only partition.
Cheers,
--
Mircea Markus
Infinispan lead (www.infinispan.org)
12:24 p.m.
If we go with a primary partition approach, then only the primary
partition will be allowed to make progress (a.k.a. accept changes), we
therefore won't have any conflicts.
The partition approach must be chosen so there can only be 1 primary
partition max, and the minority partitions shut down or turn read-only.
When merging, minority partitions need to get the state from the primary
partition, so state transfer on a merge always needs to flow from the
primary partition to the minority partition(s).
I don't know how this could be done, but perhaps an approach would be to
treat members of minority partitions on a merge as if they were fresh
joiners ?
On 4/17/13 10:31 AM, Adrian Nistor wrote:
In case of MergeView the cluster topology manager running on (the
new)
coordinator will request the current cache topology from all members and
will compute a new topology as the union of all. The new topology id is
computed as the max + 2 of the existing topology ids. Any currently
pending rebalance in any subpartition is ended now and a new rebalance
is triggered for the new cluster. No data version conflict resolution is
performed => chaos :)
On 04/16/2013 10:05 PM, Manik Surtani wrote:
> Guys - I've started documenting this here [1] and will put together a prototype
this week.
>
> One question though, perhaps one for Dan/Adrian - is there any special handling for
state transfer if a MergeView is detected?
>
> - M
>
> [1] https://community.jboss.org/wiki/DesignDealingWithNetworkPartitions
>
> On 6 Apr 2013, at 04:26, Bela Ban <bban(a)redhat.com> wrote:
>
>>
>> On 4/5/13 3:53 PM, Manik Surtani wrote:
>>> Guys,
>>>
>>> So this is what I have in mind for this, looking for opinions.
>>>
>>> 1. We write a SplitBrainListener which is registered when the
>>> channel connects. The aim of this listener is to identify when we
>>> have a partition. This can be identified when a view change is
>>> detected, and the new view is significantly smaller than the old
>>> view. Easier to detect for large clusters, but smaller clusters will
>>> be harder - trying to decide between a node leaving vs a partition.
>>> (Any better ideas here?)
>>>
>>> 2. The SBL flips a switch in an interceptor
>>> (SplitBrainHandlerInterceptor?) which switches the node to be
>>> read-only (reject invocations that change the state of the local
>>> node) if it is in the smaller partition (newView.size < oldView.size
>>> / 2). Only works reliably for odd-numbered cluster sizes, and the
>>> issues with small clusters seen in (1) will affect here as well.
>>>
>>> 3. The SBL can flip the switch in the interceptor back to normal
>>> operation once a MergeView is detected.
>>>
>>> It's no way near perfect but at least it means that we can recommend
>>> enabling this and setting up an odd number of nodes, with a cluster
>>> size of at least N if you want to reduce inconsistency in your grid
>>> during partitions.
>>>
>>> Is this even useful?
>>
>> So I assume this is to shut down (or make read-only) non primary
>> partitions. I'd go with an approach similar to [1] section 5.6.2, which
>> makes a partition read-only once it drops below a certain number of nodes N.
>>
>>
>>> Bela, is there a more reliable mechanism to detect a split in (1)?
>> I'm afraid no. We never know whether a large number of members being
>> removed from the view means that they left, or that we have a partition,
>> e.g. because a switch crashed.
>>
>> One thing you could do though is for members who are about to leave
>> regularly to broadcast a LEAVE messages, so that when the view is
>> received, the SBL knows those members, and might be able to determine
>> better whether we have a partition, or not.
>>
>> [1] http://www.jgroups.org/manual-3.x/html/user-advanced.html, section 5.6.2
>>
>> --
>> Bela Ban, JGroups lead (http://www.jgroups.org)
>> _______________________________________________
>> infinispan-dev mailing list
>> infinispan-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
> --
> Manik Surtani
> manik(a)jboss.org
> twitter.com/maniksurtani
>
> Platform Architect, JBoss Data Grid
> http://red.ht/data-grid
>
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Bela Ban, JGroups lead (http://www.jgroups.org)
4:47 p.m.
On 17 Apr 2013, at 07:24, Bela Ban <bban(a)redhat.com> wrote:
If we go with a primary partition approach, then only the primary
partition will be allowed to make progress (a.k.a. accept changes), we
therefore won't have any conflicts.
The partition approach must be chosen so there can only be 1 primary
partition max, and the minority partitions shut down or turn read-only.
When merging, minority partitions need to get the state from the primary
partition, so state transfer on a merge always needs to flow from the
primary partition to the minority partition(s).
Correct. This was the 'special behaviour' that I was asking for, to check whether
this state transfer from primary partition to secondary partitions happen during a merge,
or whether the minority partition nodes are just wiped and treated as fresh joiners.
I don't know how this could be done, but perhaps an approach would be to
treat members of minority partitions on a merge as if they were fresh
joiners ?
On 4/17/13 10:31 AM, Adrian Nistor wrote:
> In case of MergeView the cluster topology manager running on (the new)
> coordinator will request the current cache topology from all members and
> will compute a new topology as the union of all. The new topology id is
> computed as the max + 2 of the existing topology ids. Any currently
> pending rebalance in any subpartition is ended now and a new rebalance
> is triggered for the new cluster. No data version conflict resolution is
> performed => chaos :)
>
> On 04/16/2013 10:05 PM, Manik Surtani wrote:
>> Guys - I've started documenting this here [1] and will put together a
prototype this week.
>>
>> One question though, perhaps one for Dan/Adrian - is there any special handling
for state transfer if a MergeView is detected?
>>
>> - M
>>
>> [1] https://community.jboss.org/wiki/DesignDealingWithNetworkPartitions
>>
>> On 6 Apr 2013, at 04:26, Bela Ban <bban(a)redhat.com> wrote:
>>
>>>
>>> On 4/5/13 3:53 PM, Manik Surtani wrote:
>>>> Guys,
>>>>
>>>> So this is what I have in mind for this, looking for opinions.
>>>>
>>>> 1. We write a SplitBrainListener which is registered when the
>>>> channel connects. The aim of this listener is to identify when we
>>>> have a partition. This can be identified when a view change is
>>>> detected, and the new view is significantly smaller than the old
>>>> view. Easier to detect for large clusters, but smaller clusters will
>>>> be harder - trying to decide between a node leaving vs a partition.
>>>> (Any better ideas here?)
>>>>
>>>> 2. The SBL flips a switch in an interceptor
>>>> (SplitBrainHandlerInterceptor?) which switches the node to be
>>>> read-only (reject invocations that change the state of the local
>>>> node) if it is in the smaller partition (newView.size < oldView.size
>>>> / 2). Only works reliably for odd-numbered cluster sizes, and the
>>>> issues with small clusters seen in (1) will affect here as well.
>>>>
>>>> 3. The SBL can flip the switch in the interceptor back to normal
>>>> operation once a MergeView is detected.
>>>>
>>>> It's no way near perfect but at least it means that we can recommend
>>>> enabling this and setting up an odd number of nodes, with a cluster
>>>> size of at least N if you want to reduce inconsistency in your grid
>>>> during partitions.
>>>>
>>>> Is this even useful?
>>>
>>> So I assume this is to shut down (or make read-only) non primary
>>> partitions. I'd go with an approach similar to [1] section 5.6.2, which
>>> makes a partition read-only once it drops below a certain number of nodes N.
>>>
>>>
>>>> Bela, is there a more reliable mechanism to detect a split in (1)?
>>> I'm afraid no. We never know whether a large number of members being
>>> removed from the view means that they left, or that we have a partition,
>>> e.g. because a switch crashed.
>>>
>>> One thing you could do though is for members who are about to leave
>>> regularly to broadcast a LEAVE messages, so that when the view is
>>> received, the SBL knows those members, and might be able to determine
>>> better whether we have a partition, or not.
>>>
>>> [1] http://www.jgroups.org/manual-3.x/html/user-advanced.html, section 5.6.2
>>>
>>> --
>>> Bela Ban, JGroups lead (http://www.jgroups.org)
>>> _______________________________________________
>>> infinispan-dev mailing list
>>> infinispan-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>> --
>> Manik Surtani
>> manik(a)jboss.org
>> twitter.com/maniksurtani
>>
>> Platform Architect, JBoss Data Grid
>> http://red.ht/data-grid
>>
>>
>> _______________________________________________
>> infinispan-dev mailing list
>> infinispan-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
--
Bela Ban, JGroups lead (http://www.jgroups.org)
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
11:04 a.m.
On 04/05/2013 02:53 PM, Manik Surtani wrote:
2. The SBL flips a switch in an interceptor
(SplitBrainHandlerInterceptor?) which switches the node to be read-only (reject
invocations that change the state of the local node) if it is in the smaller partition
(newView.size < oldView.size / 2). Only works reliably for odd-numbered cluster sizes,
and the issues with small clusters seen in (1) will affect here as well.
I have another suggestion that can allow all the partitions to process
write commands.
I think we can rely on the primary owners to decide which partition has
the write permission on a key. For example, if the primary owner of key1
is on partition_1, then the partition_1 has the only partition that can
update key1. All the remaining partitions only have read access over key1.
The problem with this approach is that we have to keep the consistent
hash before the partition occurs.
Another problem is the state transfer. It has to be aware of this
primary partitions in order to avoid overwrite a key with an old value.
wdyt?
Pedro
11:51 a.m.
TBH I'm not understanding which problem this thread is about :)
Surely network partitions are a problem, but there are many forms of
"partition", and many different opinions of what an "acceptable"
behaviour is that the grid should implement, which largely depend on
assumptions the client application is making.
Since we seem to be discussing a case in which the minority group is
expected to flip into read-only mode, could we step back and describe:
- why this is an accepatble solution for some class of applications?
- what kind of potential network failure we want to take compensating
actions for?
I'm not an expert on how people physically wire up single nodes, racks
and rooms to allow for our virtual connections, but let's assume that
all nodes are connected with a single "cable" between each other, or
if concrete multiple cables are actually used, could we rely on system
configuration to guarantee packets can find alternative routes if one
wire is eaten by mice?
It seems important to me to define what level of network failure we
want to address, for example are we assuming we don't deal with cases
in which nodes can talk to one group but not vice-versa?
If the effect of a nework failure is a completely isolated group, can
we assume Hot Rod clients can't reach them either?
If the group is totally isolated, would it still need read-only (with
the risk of outdated reads) or could the whole group just shutdown
since it's not reachable by anyone anyway? That is making more
assumptions, like that all produced state change goes via the network
as well, not suited for example to driving an assembly chain in a
manufacturing plant, but then again it might be safer to stop the
production belt rather than going ahead without being able to perform
fresh read operations.
I'm just trying to make an example of entirely different class of
requirements, not proposing any solution but it seems to me that,
given the complexity of the problem, we'll always need to make some
trade off and which trade off is acceptable depends on the problem. If
we described a very specific problem, we can work to make sure
Infinispan and JGroups have enough extension points and smart
protocols to deal with it, but I don't think we can resolve this issue
at a one-size-fits-all level.
Sanne
12:42 p.m.
After think a bit about it, we can conclude that the behaviour when we
have partition totally depends on the application.
So, why not create an generic interface (like, execute(Operation, Key,
isPrimaryPartition)) that is invoked when a partition occurs?
Maybe I'm losing the focus of the first email, but this way the
application can choose what it is better for it. For example, if the
application does not care about consistency, it can allow all partitions
to read and write. On other hand, if the application is more restrict,
it can allow only one partition to read and write and the others
partitions reject all the operations.
Pedro
On 04/19/2013 10:51 AM, Sanne Grinovero wrote:
TBH I'm not understanding which problem this thread is about :)
Surely network partitions are a problem, but there are many forms of
"partition", and many different opinions of what an "acceptable"
behaviour is that the grid should implement, which largely depend on
assumptions the client application is making.
Since we seem to be discussing a case in which the minority group is
expected to flip into read-only mode, could we step back and describe:
- why this is an accepatble solution for some class of applications?
- what kind of potential network failure we want to take compensating
actions for?
I'm not an expert on how people physically wire up single nodes, racks
and rooms to allow for our virtual connections, but let's assume that
all nodes are connected with a single "cable" between each other, or
if concrete multiple cables are actually used, could we rely on system
configuration to guarantee packets can find alternative routes if one
wire is eaten by mice?
It seems important to me to define what level of network failure we
want to address, for example are we assuming we don't deal with cases
in which nodes can talk to one group but not vice-versa?
If the effect of a nework failure is a completely isolated group, can
we assume Hot Rod clients can't reach them either?
If the group is totally isolated, would it still need read-only (with
the risk of outdated reads) or could the whole group just shutdown
since it's not reachable by anyone anyway? That is making more
assumptions, like that all produced state change goes via the network
as well, not suited for example to driving an assembly chain in a
manufacturing plant, but then again it might be safer to stop the
production belt rather than going ahead without being able to perform
fresh read operations.
I'm just trying to make an example of entirely different class of
requirements, not proposing any solution but it seems to me that,
given the complexity of the problem, we'll always need to make some
trade off and which trade off is acceptable depends on the problem. If
we described a very specific problem, we can work to make sure
Infinispan and JGroups have enough extension points and smart
protocols to deal with it, but I don't think we can resolve this issue
at a one-size-fits-all level.
Sanne
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
3:24 p.m.
Yes, that's what we decided to do a long time ago... see policy based
merge approach in the mailing lists.
But the point of *this* discussion is not data reconciliation after a
merge, but how to *avoid* that reconciliation by making conflicting
minority partitions read only, such that a merge always transfers data
from the primary partition to the minority partitions.
This is not as easy as it sounds though; Dan mentioned the case where
the primary partition is not the owner of a given key K. In this case,
we cannot simply swipe the minority partition. Even worse, if K is
created and modified in the primary partition, we have to reconcile K's
value between the primary and minority partitions...
Again, this could be dealt with by simply creating a new value for K in
the primary partition, when K is accessed, and overwriting K's value
from the minority partition on a merge.
Not nice, but the effect is the same as if all current owners of K
crashed at the same time, and a partition could be seen as a *mass
crash* of some sorts... :-)
On 4/19/13 12:42 PM, Pedro Ruivo wrote:
After think a bit about it, we can conclude that the behaviour when
we
have partition totally depends on the application.
So, why not create an generic interface (like, execute(Operation, Key,
isPrimaryPartition)) that is invoked when a partition occurs?
Maybe I'm losing the focus of the first email, but this way the
application can choose what it is better for it. For example, if the
application does not care about consistency, it can allow all partitions
to read and write. On other hand, if the application is more restrict,
it can allow only one partition to read and write and the others
partitions reject all the operations.
--
Bela Ban, JGroups lead (http://www.jgroups.org)
6:42 p.m.
On 22 Apr 2013, at 14:24, Bela Ban <bban(a)redhat.com> wrote:
Yes, that's what we decided to do a long time ago... see policy
based
merge approach in the mailing lists.
But the point of *this* discussion is not data reconciliation after a
merge, but how to *avoid* that reconciliation by making conflicting
minority partitions read only, such that a merge always transfers data
from the primary partition to the minority partitions.
This is not as easy as it sounds though; Dan mentioned the case where
the primary partition is not the owner of a given key K. In this case,
we cannot simply swipe the minority partition. Even worse, if K is
created and modified in the primary partition, we have to reconcile K's
value between the primary and minority partitions...
And hence my asking whether we have a vector clock implementation in place yet.
Anyway, I have created a (fairly naive and simplistic) VectorClock implementation on this
experimental branch:
https://github.com/maniksurtani/infinispan/commit/5d083a079ff3a16181081e2...
The next step, what needs to happen in the state transfer code to make use of this when
handling a MergeView?
- M
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
3:47 p.m.
On 4/19/13 11:51 AM, Sanne Grinovero wrote:
TBH I'm not understanding which problem this thread is about :)
Surely network partitions are a problem, but there are many forms of
"partition", and many different opinions of what an "acceptable"
behaviour is that the grid should implement, which largely depend on
assumptions the client application is making.
This thread is not about providing different application data merge
policies, which is also something that needs to be done, but more likely
in the context of eventual consistency in Infinispan. This thread is
about a *primary partition* approach which says that only members in a
primary partition are allowed to make progress, and others aren't.
'No progress' needs to be defined, but so far I think we've agreed on a
notion of read-only members, which do provide access to data, but don't
allow modifications. One could also think about not even allowing reads
as the data might be stale. Perhaps this is configurable.
The idea is that if only a primary partition can make progress, and only
*one* primary partitions exists in the system at any time, then we can
simply overwrite the data of minority partitions with data from the
primary partition on a merge.
So a primary partition approach is not about how to merge (possibly
conflicting) data after a cluster split heals, but about how to
*prevent* conflicting data in the first place.
If you think about this in CAP terminology, we sacrifice availability in
favor of consistency.
Since we seem to be discussing a case in which the minority group is
expected to flip into read-only mode, could we step back and describe:
- why this is an acceptable solution for some class of applications?
- what kind of potential network failure we want to take compensating
actions for?
There *are* no compensating actions, as we avoid the different branches
of the same key, contrary to eventual consistency which is all about
merging conflicting branches of a key.
I'm not an expert on how people physically wire up single nodes,
racks
and rooms to allow for our virtual connections, but let's assume that
all nodes are connected with a single "cable" between each other, or
if concrete multiple cables are actually used, could we rely on system
configuration to guarantee packets can find alternative routes if one
wire is eaten by mice?
In my experience, dropped packets due to this almost never happen. Most
partitions (in Infinispan/JGroups) occur because of the following things:
- Maxed out thread pool at one or more members, which leads to missed
heartbeat acks and false suspicions
- Misconfigured switch / firewall, especially if members are in
different subnets
- Buggy firmware in the switch, e.g. dropping multicasts every now and
then (IGMP snooping)
- Small packet queues, so packets are discarded
- GC inhibiting heartbeats for some time
It seems important to me to define what level of network failure we
want to address, for example are we assuming we don't deal with cases
in which nodes can talk to one group but not vice-versa?
We cannot guarantee this won't happen. As a matter of fact, I've seen
this in practice, and MERGE{2,3} contain code that deals with asymmetric
partitions.
If the effect of a nework failure is a completely isolated group,
can
we assume Hot Rod clients can't reach them either?
Partitions may include some clients and some cluster nodes, we cannot
assume they cleanly separate clients from server nodes. Unfortunately... :-)
--
Bela Ban, JGroups lead (http://www.jgroups.org)
6:43 p.m.
On 22 Apr 2013, at 14:47, Bela Ban <bban(a)redhat.com> wrote:
On 4/19/13 11:51 AM, Sanne Grinovero wrote:
> TBH I'm not understanding which problem this thread is about :)
>
> Surely network partitions are a problem, but there are many forms of
> "partition", and many different opinions of what an "acceptable"
> behaviour is that the grid should implement, which largely depend on
> assumptions the client application is making.
This thread is not about providing different application data merge
policies, which is also something that needs to be done, but more likely
in the context of eventual consistency in Infinispan. This thread is
about a *primary partition* approach which says that only members in a
primary partition are allowed to make progress, and others aren't.
'No progress' needs to be defined, but so far I think we've agreed on a
notion of read-only members, which do provide access to data, but don't
allow modifications. One could also think about not even allowing reads
as the data might be stale. Perhaps this is configurable.
+1
The idea is that if only a primary partition can make progress, and
only
*one* primary partitions exists in the system at any time, then we can
simply overwrite the data of minority partitions with data from the
primary partition on a merge.
So a primary partition approach is not about how to merge (possibly
conflicting) data after a cluster split heals, but about how to
*prevent* conflicting data in the first place.
If you think about this in CAP terminology, we sacrifice availability in
favor of consistency.
Precisely. This would still follow the strongly consistent model.
> Since we seem to be discussing a case in which the minority group is
> expected to flip into read-only mode, could we step back and describe:
> - why this is an acceptable solution for some class of applications?
> - what kind of potential network failure we want to take compensating
> actions for?
There *are* no compensating actions, as we avoid the different branches
of the same key, contrary to eventual consistency which is all about
merging conflicting branches of a key.
> I'm not an expert on how people physically wire up single nodes, racks
> and rooms to allow for our virtual connections, but let's assume that
> all nodes are connected with a single "cable" between each other, or
> if concrete multiple cables are actually used, could we rely on system
> configuration to guarantee packets can find alternative routes if one
> wire is eaten by mice?
In my experience, dropped packets due to this almost never happen. Most
partitions (in Infinispan/JGroups) occur because of the following things:
- Maxed out thread pool at one or more members, which leads to missed
heartbeat acks and false suspicions
- Misconfigured switch / firewall, especially if members are in
different subnets
- Buggy firmware in the switch, e.g. dropping multicasts every now and
then (IGMP snooping)
- Small packet queues, so packets are discarded
- GC inhibiting heartbeats for some time
> It seems important to me to define what level of network failure we
> want to address, for example are we assuming we don't deal with cases
> in which nodes can talk to one group but not vice-versa?
We cannot guarantee this won't happen. As a matter of fact, I've seen
this in practice, and MERGE{2,3} contain code that deals with asymmetric
partitions.
> If the effect of a nework failure is a completely isolated group, can
> we assume Hot Rod clients can't reach them either?
Partitions may include some clients and some cluster nodes, we cannot
assume they cleanly separate clients from server nodes. Unfortunately... :-)
--
Bela Ban, JGroups lead (http://www.jgroups.org)
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
5:08 p.m.
On 22 Apr 2013, at 17:43, Manik Surtani wrote:
On 22 Apr 2013, at 14:47, Bela Ban <bban(a)redhat.com> wrote:
>
>
> On 4/19/13 11:51 AM, Sanne Grinovero wrote:
>> TBH I'm not understanding which problem this thread is about :)
>>
>> Surely network partitions are a problem, but there are many forms of
>> "partition", and many different opinions of what an
"acceptable"
>> behaviour is that the grid should implement, which largely depend on
>> assumptions the client application is making.
>
>
> This thread is not about providing different application data merge
> policies, which is also something that needs to be done, but more likely
> in the context of eventual consistency in Infinispan. This thread is
> about a *primary partition* approach which says that only members in a
> primary partition are allowed to make progress, and others aren't.
>
> 'No progress' needs to be defined, but so far I think we've agreed on a
> notion of read-only members, which do provide access to data, but don't
> allow modifications. One could also think about not even allowing reads
> as the data might be stale. Perhaps this is configurable.
+1
> The idea is that if only a primary partition can make progress, and only
> *one* primary partitions exists in the system at any time, then we can
> simply overwrite the data of minority partitions with data from the
> primary partition on a merge.
>
> So a primary partition approach is not about how to merge (possibly
> conflicting) data after a cluster split heals, but about how to
> *prevent* conflicting data in the first place.
>
> If you think about this in CAP terminology, we sacrifice availability in
> favor of consistency.
Precisely. This would still follow the strongly consistent model.
I don't
think consistency is preserved in at least the following situations:
- the read-only partition has more than numOwner members. Reads in the active partition
would miss data. Also the conditional operation, that rely on existing data, perform
incorrectly.
- data is deleted in the active partition but copies are kept in the read-only partition.
The 2nd problem can be solved with tombstones. The first problem cannot be solved and we
can only target an eventual consistent cluster. That should be made very clear to the
users.
Cheers,
--
Mircea Markus
Infinispan lead (www.infinispan.org)
5:38 p.m.
On 24 Apr 2013, at 16:08, Mircea Markus <mmarkus(a)redhat.com> wrote:
On 22 Apr 2013, at 17:43, Manik Surtani wrote:
> On 22 Apr 2013, at 14:47, Bela Ban <bban(a)redhat.com> wrote:
>
>>
>>
>> On 4/19/13 11:51 AM, Sanne Grinovero wrote:
>>> TBH I'm not understanding which problem this thread is about :)
>>>
>>> Surely network partitions are a problem, but there are many forms of
>>> "partition", and many different opinions of what an
"acceptable"
>>> behaviour is that the grid should implement, which largely depend on
>>> assumptions the client application is making.
>>
>>
>> This thread is not about providing different application data merge
>> policies, which is also something that needs to be done, but more likely
>> in the context of eventual consistency in Infinispan. This thread is
>> about a *primary partition* approach which says that only members in a
>> primary partition are allowed to make progress, and others aren't.
>>
>> 'No progress' needs to be defined, but so far I think we've agreed on
a
>> notion of read-only members, which do provide access to data, but don't
>> allow modifications. One could also think about not even allowing reads
>> as the data might be stale. Perhaps this is configurable.
>
> +1
>
>> The idea is that if only a primary partition can make progress, and only
>> *one* primary partitions exists in the system at any time, then we can
>> simply overwrite the data of minority partitions with data from the
>> primary partition on a merge.
>>
>> So a primary partition approach is not about how to merge (possibly
>> conflicting) data after a cluster split heals, but about how to
>> *prevent* conflicting data in the first place.
>>
>> If you think about this in CAP terminology, we sacrifice availability in
>> favor of consistency.
>
> Precisely. This would still follow the strongly consistent model.
I don't think consistency is preserved in at least the following situations:
- the read-only partition has more than numOwner members. Reads in the active partition
would miss data. Also the conditional operation, that rely on existing data, perform
incorrectly.
Good point.
- data is deleted in the active partition but copies are kept in the
read-only partition.
The 2nd problem can be solved with tombstones. The first problem cannot be solved and we
can only target an eventual consistent cluster. That should be made very clear to the
users.
Cheers,
--
Mircea Markus
Infinispan lead (www.infinispan.org)
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
4:30 p.m.
Simple solution:
each node works on power-via-ethernet: when the cable is unplugged, it's down.
Then we think of a redundant design at the physical network level to
make it unlikely.
Sanne
On 24 April 2013 16:38, Manik Surtani <msurtani(a)redhat.com> wrote:
On 24 Apr 2013, at 16:08, Mircea Markus <mmarkus(a)redhat.com> wrote:
>
> On 22 Apr 2013, at 17:43, Manik Surtani wrote:
>
>> On 22 Apr 2013, at 14:47, Bela Ban <bban(a)redhat.com> wrote:
>>
>>>
>>>
>>> On 4/19/13 11:51 AM, Sanne Grinovero wrote:
>>>> TBH I'm not understanding which problem this thread is about :)
>>>>
>>>> Surely network partitions are a problem, but there are many forms of
>>>> "partition", and many different opinions of what an
"acceptable"
>>>> behaviour is that the grid should implement, which largely depend on
>>>> assumptions the client application is making.
>>>
>>>
>>> This thread is not about providing different application data merge
>>> policies, which is also something that needs to be done, but more likely
>>> in the context of eventual consistency in Infinispan. This thread is
>>> about a *primary partition* approach which says that only members in a
>>> primary partition are allowed to make progress, and others aren't.
>>>
>>> 'No progress' needs to be defined, but so far I think we've
agreed on a
>>> notion of read-only members, which do provide access to data, but don't
>>> allow modifications. One could also think about not even allowing reads
>>> as the data might be stale. Perhaps this is configurable.
>>
>> +1
>>
>>> The idea is that if only a primary partition can make progress, and only
>>> *one* primary partitions exists in the system at any time, then we can
>>> simply overwrite the data of minority partitions with data from the
>>> primary partition on a merge.
>>>
>>> So a primary partition approach is not about how to merge (possibly
>>> conflicting) data after a cluster split heals, but about how to
>>> *prevent* conflicting data in the first place.
>>>
>>> If you think about this in CAP terminology, we sacrifice availability in
>>> favor of consistency.
>>
>> Precisely. This would still follow the strongly consistent model.
> I don't think consistency is preserved in at least the following situations:
> - the read-only partition has more than numOwner members. Reads in the active
partition would miss data. Also the conditional operation, that rely on existing data,
perform incorrectly.
Good point.
> - data is deleted in the active partition but copies are kept in the read-only
partition.
> The 2nd problem can be solved with tombstones. The first problem cannot be solved and
we can only target an eventual consistent cluster. That should be made very clear to the
users.
>
>
> Cheers,
> --
> Mircea Markus
> Infinispan lead (www.infinispan.org)
>
>
>
>
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
3:17 p.m.
On 4/19/13 11:04 AM, Pedro Ruivo wrote:
I have another suggestion that can allow all the partitions to
process write commands.
I think we can rely on the primary owners to decide which partition
has the write permission on a key. For example, if the primary owner
of key1 is on partition_1, then the partition_1 has the only
partition that can update key1. All the remaining partitions only
have read access over key1.
This is problematic, as it doesn't take primary / minority partitions
into account. E.g if we have {A,B,C,D,E,F,G} and key1 is present on A
(primary owner) and G (backup owner), and the cluster splits into
{A,B,C,D} and {E,F,G}, then key1 might be on A (primary) and D (new
backup), but also on E (new primary) and G (old backup). Both partitions
would allow modifications to key1.
Also, if key1 was not present in the {E,F,G} partition, and some client
created it, nothing would prevent that, as we don't know the the other
partition's existence.
The problem with this approach is that we have to keep the
consistent hash before the partition occurs.
Yes, the issue is that you can *never* determine if a partition
occurred, or if some member(s) crashed, so in the above case a hard and
fast rule of the primary partition have at 4 or more members make sense
for a primary partition approach.
--
Bela Ban, JGroups lead (http://www.jgroups.org)
5:46 p.m.
On 5 Apr 2013, at 15:53, Manik Surtani wrote:
1. We write a SplitBrainListener which is registered when the
channel connects. The aim of this listener is to identify when we have a partition. This
can be identified when a view change is detected, and the new view is significantly
smaller than the old view. Easier to detect for large clusters, but smaller clusters will
be harder - trying to decide between a node leaving vs a partition. (Any better ideas
here?)
2. The SBL flips a switch in an interceptor (SplitBrainHandlerInterceptor?) which
switches the node to be read-only (reject invocations that change the state of the local
node) if it is in the smaller partition (newView.size < oldView.size / 2). Only works
reliably for odd-numbered cluster sizes, and the issues with small clusters seen in (1)
will affect here as well.
3. The SBL can flip the switch in the interceptor back to normal operation once a
MergeView is detected.
It's no way near perfect but at least it means that we can recommend enabling this
and setting up an odd number of nodes, with a cluster size of at least N if you want to
reduce inconsistency in your grid during partitions.
would the read only partition
be wiped out and repopulated during merge? Otherwise not sure how useful this is as
there'll still going to be inconsistencies in the cluster, the same way there
currently are with a merge, but fewer.
Cheers,
--
Mircea Markus
Infinispan lead (www.infinispan.org)
6:46 p.m.
On 22 Apr 2013, at 16:46, Mircea Markus <mmarkus(a)redhat.com> wrote:
would the read only partition be wiped out and repopulated during
merge?
Naively, yes. But as Dan pointed out, if a key K only exists in the minor partition
(primary and backups), then just wiping the minor partition nodes will result in data
loss.
A more sophisticated algorithm would just wipe keys in the minor partition that also exist
in the major partition.
An *even* more sophisticated algorithm would only wipe keys in the minor partition that
also exist in the major partition, that have changed since the partition occurred. Hence
the vector clocks.
- M
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
5:37 p.m.
On 4/22/13 6:46 PM, Manik Surtani wrote:
On 22 Apr 2013, at 16:46, Mircea Markus <mmarkus(a)redhat.com> wrote:
> would the read only partition be wiped out and repopulated during
> merge?
Naively, yes. But as Dan pointed out, if a key K only exists in the
minor partition (primary and backups), then just wiping the minor
partition nodes will result in data loss.
A more sophisticated algorithm would just wipe keys in the minor
partition that also exist in the major partition.
I think this would be good enough for a lot of scenarios.
An *even* more sophisticated algorithm would only wipe keys in the
minor partition that also exist in the major partition, that have
changed since the partition occurred. Hence the vector clocks.
Even better. What would you do in a conflict case ? Throw the conflict
at the user who has to resolve it ? Always prefer the data from the
primary partition ?
--
Bela Ban, JGroups lead (http://www.jgroups.org)
7:26 p.m.
On 23 Apr 2013, at 16:37, Bela Ban <bban(a)redhat.com> wrote:
On 4/22/13 6:46 PM, Manik Surtani wrote:
>
> On 22 Apr 2013, at 16:46, Mircea Markus <mmarkus(a)redhat.com> wrote:
>
>> would the read only partition be wiped out and repopulated during
>> merge?
>
> Naively, yes. But as Dan pointed out, if a key K only exists in the
> minor partition (primary and backups), then just wiping the minor
> partition nodes will result in data loss.
>
> A more sophisticated algorithm would just wipe keys in the minor
> partition that also exist in the major partition.
I think this would be good enough for a lot of scenarios.
> An *even* more sophisticated algorithm would only wipe keys in the
> minor partition that also exist in the major partition, that have
> changed since the partition occurred. Hence the vector clocks.
Even better. What would you do in a conflict case ? Throw the conflict
at the user who has to resolve it ? Always prefer the data from the
primary partition ?
Why would a conflict happen? Only the primary partition is allowed to update data after a
split.
- M
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
7:52 a.m.
right
On 4/23/13 7:26 PM, Manik Surtani wrote:
On 23 Apr 2013, at 16:37, Bela Ban <bban(a)redhat.com> wrote:
>
>
> On 4/22/13 6:46 PM, Manik Surtani wrote:
>>
>> On 22 Apr 2013, at 16:46, Mircea Markus <mmarkus(a)redhat.com> wrote:
>>
>>> would the read only partition be wiped out and repopulated during
>>> merge?
>>
>> Naively, yes. But as Dan pointed out, if a key K only exists in the
>> minor partition (primary and backups), then just wiping the minor
>> partition nodes will result in data loss.
>>
>> A more sophisticated algorithm would just wipe keys in the minor
>> partition that also exist in the major partition.
>
>
> I think this would be good enough for a lot of scenarios.
>
>
>> An *even* more sophisticated algorithm would only wipe keys in the
>> minor partition that also exist in the major partition, that have
>> changed since the partition occurred. Hence the vector clocks.
>
> Even better. What would you do in a conflict case ? Throw the conflict
> at the user who has to resolve it ? Always prefer the data from the
> primary partition ?
Why would a conflict happen? Only the primary partition is allowed to update data after
a split.
- M
--
Manik Surtani
manik(a)jboss.org
twitter.com/maniksurtani
Platform Architect, JBoss Data Grid
http://red.ht/data-grid
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Bela Ban, JGroups lead (http://www.jgroups.org)
4075
days inactive
4095
days old
infinispan-dev@lists.jboss.org
32 comments
9 participants
participants (9)
-
Adrian Nistor -
Bela Ban -
Dan Berindei -
Dennis Reed -
Manik Surtani -
Mircea Markus -
Pedro Ruivo -
Radim Vansa -
Sanne Grinovero