zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kishore g <g.kish...@gmail.com>
Subject Re: Efficient backup and a reasonable restore of an ensemble
Date Tue, 09 Jul 2013 01:34:00 GMT
I think what we are looking at is a  point in time restore functionality.
How about adding a feature that says go back to a specific zxid/timestamp.
This way before doing any change to zookeeper simply note down the
timestamp/zxid on leader. If things go wrong after making changes, bring
down zookeepers and provide additional parameter of a zxid/timestamp while
restarting. The server can go the exact point and make it current. The
followers can be started blank.



On Mon, Jul 8, 2013 at 5:53 PM, Thawan Kooburat <thawan@fb.com> wrote:

> Just saw that  this is the corresponding use case to the question posted
> in dev list.
>
> In order to restore the data to a given point in time correctly, you need
> both snapshot and txnlog. This is because zookeeper snapshot is fuzzy and
> snapshot alone may not represent a valid state of the server if there are
> in-flight requests.
>
> The 4wl command should cause the server to roll the log and take a
> snapshot similar to periodic snapshotting operation. Your backup script
> need grap the snapshot and corresponding txnlog file from the data dir.
>
> To restore, just shutdown all hosts, clear the data dir, copy over the
> snapshot and txnlog, and restart them.
>
>
> --
> Thawan Kooburat
>
>
>
>
>
> On 7/8/13 3:28 PM, "Sergey Maslyakov" <evolvah@gmail.com> wrote:
>
> >Thank you for your response, Flavio. I apologize, I did not provide a
> >clear
> >explanation of the use case.
> >
> >This backup/restore is not intended to be tied to any write event,
> >instead,
> >it is expected to run as a periodic (daily?) cron job on one of the
> >servers, which is not guaranteed to be the leader of the ensemble. There
> >is
> >no expectation that all recent changes are committed and persisted to
> >disk.
> >The system can sustain the loss of several hours worth of recent changes
> >in
> >the event of restore.
> >
> >As for finding the leader dynamically and performing backup on it, this
> >approach could be more difficult as the leader can change time to time and
> >I still need to fetch the file to store it in my designated backup
> >location. Taking backup on one server and picking it up from a local file
> >system looks less error-prone. Even if I went the fancy route and had
> >Zookeeper send me the serialized DataTree in response to the 4wl, this
> >approach would involve a lot of moving parts.
> >
> >I have already made a PoC for a new 4wl that invokes takeSnapshot() and
> >returns an absolute path to the snapshot it drops on disk. I have already
> >protected takeSnapshot() from concurrent invocation, which is likely to
> >corrupt the snapshot file on disk. This approach works but I'm thinking to
> >take it one step further by providing the desired path name as an argument
> >to my new 4lw and to have Zookeeper server drop the snapshot into the
> >specified file and report success/failure back. This way I can avoid
> >cluttering the data directory and interfering with what Zookeeper finds
> >when it scans the data directory.
> >
> >Approach with having an additional server that would take the leadership
> >and populate the ensemble is just a theory. I don't see a clean way of
> >making a quorum member the leader of the quorum. Am I overlooking
> >something
> >simple?
> >
> >In backup and restore of an ensemble the biggest unknown for me remains
> >populating the ensemble with desired data. I can think of two ways:
> >
> >1. Clear out all servers by stopping them, purge version-2 directories,
> >restore a snapshot file on one server that will be brought first, and then
> >bring up the rest of the ensemble. This way I somewhat force the first
> >server to be the leader because it has data and it will be the only member
> >of a quorum with data, provided to the way I start the ensemble. This
> >looks
> >like a hack, though.
> >
> >2. Clear out the ensemble and reload it with a dedicated client using the
> >provided Zookeeper API.
> >
> >With the approach of backing up an actual snapshot file, option #1 appears
> >to be more practical.
> >
> >I wish I could start the ensemble with a designate leader that would
> >bootstrap the ensemble with data and then the ensemble would go into its
> >normal business...
> >
> >
> >
> >On Mon, Jul 8, 2013 at 4:30 PM, Flavio Junqueira
> ><fpjunqueira@yahoo.com>wrote:
> >
> >> One bit that is still a bit confusing to me in your use case is if you
> >> need to take a snapshot right after some event in your application.
> >>Even if
> >> you're able to tell ZooKeeper to take a snapshot, there is no guarantee
> >> that it will happen at the exact point you want it if update operations
> >> keep coming.
> >>
> >> If you use your four-letter word approach, then would you search for the
> >> leader or would you simply take a snapshot at any server? If it has to
> >>go
> >> through the leader so that you make sure to have the most recent
> >>committed
> >> state, then it might not be a bad idea to have an api call that tells
> >>the
> >> leader to take a snapshot at some directory of your choice. Informing
> >>you
> >> the name of the snapshot file so that you can copy sounds like an
> >>option,
> >> but perhaps it is not as convenient.
> >>
> >> The approach of adding another server is not very clear. How do you
> >>force
> >> it to be the leader? Keep in mind that if it crashes, then it will lose
> >> leadership.
> >>
> >> -Flavio
> >>
> >> On Jul 8, 2013, at 8:34 AM, Sergey Maslyakov <evolvah@gmail.com> wrote:
> >>
> >> > It looks like the "dev" mailing list is rather inactive. Over the past
> >> few
> >> > days I only saw several automated emails from JIRA and this is pretty
> >> much
> >> > it. Contrary to this, the "user" mailing list seems to be more alive
> >>and
> >> > more populated.
> >> >
> >> > With this in mind, please allow me to cross-post here the message I
> >>sent
> >> > into the "dev" list a few days ago.
> >> >
> >> >
> >> > Regards,
> >> > /Sergey
> >> >
> >> > === forwarded message begins here ===
> >> >
> >> > Hi!
> >> >
> >> > I'm facing the problem that has been raised by multiple people but
> >>none
> >> of
> >> > the discussion threads seem to provide a good answer. I dug in
> >>Zookeeper
> >> > source code trying to come up with some possible approaches and I
> >>would
> >> > like to get your inputs on those.
> >> >
> >> > Initial conditions:
> >> >
> >> > * I have an ensemble of five Zookeeper servers running v3.4.5 code.
> >> > * The size of a committed snapshot file is in vicinity of 1GB.
> >> > * There are about 80 clients connected to the ensemble.
> >> > * Clients a heavily read biased, i.e., they mostly read and rarely
> >> write. I
> >> > would say less than 0.1% of queries modify the data.
> >> >
> >> > Problem statement:
> >> >
> >> > * Under certain conditions, I may need to revert the data stored in
> >>the
> >> > ensemble to an earlier state. For example, one of the clients may ruin
> >> the
> >> > application-level data integrity and I need to perform a disaster
> >> recovery.
> >> >
> >> > Things look nice and easy if I'm dealing with a single Zookeeper
> >>server.
> >> A
> >> > file-level copy of the data and dataLog directories should allow me to
> >> > recover later by stopping Zookeeper, swapping the corrupted data and
> >> > dataLog directories with a backup, and firing Zookeeper back up.
> >> >
> >> > Now, the ensemble deployment and the leader election algorithm in the
> >> > quorum make things much more difficult. In order to restore from a
> >>single
> >> > file-level backup, I need to take the whole ensemble down, wipe out
> >>data
> >> > and dataLog directories on all servers, replace these directories with
> >> > backed up content on one of the servers, bring this server up first,
> >>and
> >> > then bring up the rest of the ensemble. This [somewhat] guarantees
> >>that
> >> the
> >> > populated Zookeeper server becomes a member of a majority and
> >>populates
> >> the
> >> > ensemble. This approach works but it is very involving and, thus,
> >> > error-prone due to a human error.
> >> >
> >> > Based on a study of Zookeeper source code, I am considering the
> >>following
> >> > alternatives. And I seek advice from Zookeeper development community
> >>as
> >> to
> >> > which approach looks more promising or if there is a better way.
> >> >
> >> > Approach #1:
> >> >
> >> > Develop a complementary pair of utilities for export and import of the
> >> > data. Both utilities will act as Zookeeper clients and use the
> >>existing
> >> > API. The "export" utility will recursively retrieve data and store it
> >>in
> >> a
> >> > file. The "import" utility will first purge all data from the ensemble
> >> and
> >> > then reload it from the file.
> >> >
> >> > This approach seems to be the simplest and there are similar tools
> >> > developed already. For example, the Guano Project:
> >> > https://github.com/d2fn/guano
> >> >
> >> > I don't like two things about it:
> >> > * Poor performance even on a backup for the data store of my size.
> >> > * Possible data consistency issues due to concurrent access by the
> >>export
> >> > utility as well as other "normal" clients.
> >> >
> >> > Approach #2:
> >> >
> >> > Add another four-letter command that would force rolling up the
> >> > transactions and creating a snapshot. The result of this command would
> >> be a
> >> > new snapshot.XXXX file on disk and the name of the file could be
> >>reported
> >> > back to the client as a response to the four-letter command. This
> >>way, I
> >> > would know which snapshot file to grab for future possible restore.
> >>But
> >> > restoring from a snapshot file is almost as involving as the
> >>error-prone
> >> > sequence described in the "Initial conditions" above.
> >> >
> >> > Approach #3:
> >> >
> >> > Come up with a way to temporarily add a new Zookeeper server into a
> >>live
> >> > ensemble, that would overtake (how?) the leader role and push out the
> >> > snapshot that it has into all ensemble members upon restore. This
> >> approach
> >> > could be difficult and error-prone to implement because it will
> >>require
> >> > hacking the existing election algorithm to designate a leader.
> >> >
> >> > So, which of the approaches do you think works best for an ensemble
> >>and
> >> for
> >> > the database size of about 1GB?
> >> >
> >> >
> >> > Any advice will be highly appreciated!
> >> > /Sergey
> >>
> >>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message