THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Terminologies:
AR: assigned replicas, ISR: in-sync replicas
| Code Block |
|---|
Replica { // a replica of a partition
broker_id : int
partition : Partition
log : Log // local log associated with this replica
hw : long // offset of the last committed message
leo : long // log end offset
isLeader : Boolean // is this replica leader
}
Partition { //a partition in a topic
topic : string
partition_id : int
leader : Replica // the leader replica of this partition
ISR : Set[Replica] // In-sync replica set, maintained at the leader
AR : Set[Replica] // All replicas assigned for this partition
LeaderAndISRVersionInZK : long // version id of the LeaderAndISR path; used for conditionally update the LeaderAndISR path in ZK
}
|
A. Failover during broker failure.
...
| Code Block |
|---|
For LeaderAndISRCommand: it calls on_LeaderAndISRCommand().
on_LeaderAndISRCommand(command):
1. Read the set of partitions set_P from command.
2. For each partition P in set_p
2.0 if P doesn't exist locally, call startReplica()
2.1 If the command asks this broker to be the new leader for P and this broker is not already the leader for P,
2.1.1 call becomeLeader()
2.2 If the command asks this broker to following a leader L and the broker is not already following L
2.2.1 call becomeFollower()
3. If the command has a flag INIT, delete all local partitions not in set_p.
becomeLeader(r: Replica, command) {
stop the ReplicaFetcherThread to the old leader //after this, no more messages from the old leader can be appended to r r.leaderAndISRZKVersion = command.leaderAndISRZKVersion
r.partition.ISR = command.ISR
r.isLeader = true //enables reads/writes to this partition on this broker
r.partition.LeaderAndISRVersionInZK = command.LeaderAndISRVersionInZK
start a commit thread on r
}
Note that the new leader's HW could be behind the HW of the previous leader. Therefore, immediately after the leadership transition,
it is possible for a consumer (client) to ask for an offset larger than the new leader's HW. To handle this case, if the consumer is
asking for an offset between the leader's HW and LEO, the broker could just return an empty set. If the requested offset is larger
than LEO, the broker would still return OffsetOutofRangeException.
becomeFollower(r: Replica) {
stop the ReplicaFetcherThread to the old leader r.isLeader = false //disables reads/writes to this partition on this broker
stop the commit thread, if any
truncate the log to r.hw
start a new ReplicaFetcherThread to the current leader of r, from offset r.leo
}
startReplica(r: Replica) {
create the partition directory locally, if not present
start the HW checkpoint thread for r
}
For StopReplicaCommand: it calls on_StopReplicaCommand().
on_StopReplicaCommand(command):
1. Read the list of partitions from command.
2. For each such partition P
2.1 call stopReplica() on p
stopReplica(r: Replica) {
stop the ReplicaFetcherThread associated with r, if any.
stop the HW checkpoint thread for r
delete the partition directory locally, if present
}
|
...
| Code Block |
|---|
ReplicaFetchReqeust {
topic: String
partition_id: Int
replica_id: Int
offset: Long
}
ReplicaFetchResponse {
hw: Long // the offset of the last message committed at the leader
messages: MessageSet // fetched messages
}
At the leader, on receiving a ReplicaFetchRequest, it calls on_ReplicaFetchRequest
on_ReplicaFetchRequest(f: ReplicaFetchRequest) {
leader = getLeaderReplica(f.topic, f.partition_id)
if(leader == null) throw NotLeaderException
response = new ReplicaFetcherResponse
getReplica(f.topic, f.partition_id, f.replica_id).leo = f.offset
call maybe_change_ISR() // see if we need to shrink or expand ISR
leader.hw = min of leo of every replica in ISR // try to advance HW
// trigger potential acks to produce requests
response.messages = //fetch seemessages ifstarting wefrom needf.offset to shrink or expand ISR
from leader.log
response.hw = leader.hw = min of leo of every replica in ISR // try to advance HW
// trigger potential acks to produce requests
response.messages = fetch messages starting from f.offset from leader.log
response.hw = leader.hw
send response back
}
maybe_change_ISR() {
// If a follower is slow or is not active at all, the leader will want to take it out of ISR so that it can commit messages
// with fewer replicas.
find the smallest leo (leo_min) of every replica in ISR
if ( leader.leo - leo_min > MAX_BYTES_LAG || the replica with leo_min hasn't updated leo for more than MAX_TIME
send response back
}
maybe_change_ISR() {
// If a follower is slow or is not active at all, the leader will want to take it out of ISR so that it can commit messages
// with fewer replicas.
find the smallest leo (leo_min) of every replica in ISR
if ( leader.leo - leo_min > MAX_BYTES_LAG || the replica with leo_min hasn't updated leo for more than MAX_TIME_LAG)
newISR = ISR - replica with leo_min
// If a follower has fully caught up, the leader will want to add it to ISR.
for each replica r not in ISR
if ( r.leo - leo_min < MIN_BYTES_LAG)
newISR = ISR - replica + r
update the LeaderAndISR path in ZK with leo_min
// If a follower has fully caught up, the leader will want to add it to ISR.
for each replica r not in ISR
if ( r.leo - leo_min < MIN_BYTES_LAG)
newISR = ISR + r
update the LeaderAndISR path in ZK with newISR
the update is conditional and only succeeds if the version of the LeaderAndISR path in ZK is the same as leader.LeaderAndISRVersionInZK
if (update in ZK successful) {
leader.LeaderAndISRVersionInZK = new version of the LeaderAndISR path in ZK
leader.ISR = new ISR
}
}
newISR
the update is conditional and only succeeds if the version of the LeaderAndISR path in ZK is the same as leader.partition.LeaderAndISRVersionInZK
if (update in ZK successful) {
leader.partition.LeaderAndISRVersionInZK = new version of the LeaderAndISR path in ZK
leader.partition.ISR = new ISR
}
}
??? We need a way to call maybe_change_ISR() when a follower stopped fetching for more than MAX_TIME_LAG. One way to do that is to register a new
DelayedRequest each time a new ProduceRequest comes in. The DelayedRequest will timeout after MAX_TIME_LAG and is cleared if leader.hw has moved
beyond the offset of the message in the ProduceRequest before the timeout. Will this cause too much overhead?
At the follower: ReplicaFetcherThread for Replica r
run() {
while(true) {
send ReplicaFetchRequest to leader and get response:ReplicaFetcherResponse back
append response.messages to r's log
r.hw = response.hw
advance offset in ReplicaFetchRequest
}
}
|
...
For reference, HBase only updates the metadata (for client routing) after the regionserver responds to close/open region commands. So, one would think that instead of the controller directly updating the LeaderAndISR path, we can let each broker update that path after it completes the execution of the command. There is actually a critical reason that the leaderAndISR path has to be updated by the controller. This is because we rely on the leaderAndISR path in ZK to synchronize between the controller and the leader of a partition. After the controller makes a leadership change decision, it doesn't want the ISR to be changed by the current leader any more. Otherwise, the newly elected leader could be taken out of ISR by the current leader before the new leader takes over the leadership. By publishing the new leader immediately in the leaderAndISR path, the controller prevents the current leader from updating the ISR any more.
One possibility is to use another ZK path ExternalView for client routing. The controller only updates ExternalView after the broker responds positively for the leadership change command. There is a tradeoff between using 1 ExternalView path for all partitions or 1 ExternalView path per partition. The former has less ZK overhead, but potentially forces unnecessary rebalancing on the consumers.Aonther way to think about this is that in the normal case, leadership change commands are executed very quickly. So we probably can just rely on client side retry logic to handle the transition period. In the uncommon case that somehow it takes too long for a broker to become a leader (likely due to a bug), the controller will get a timeout and can trigger an alert so that an admin can take a look at it. So, we probably can start without the ExternalView path and reconsider it if it's really needed.
7. Can follower keep up with the leader?
In general, we need to have as much I/O parallelism in the follower as in the leader. Probably need to think a bit more on this.
Potential optimizations:
...