[ https://issues.apache.org/jira/browse/CASSANDRA-3620?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dominic Williams updated CASSANDRA-3620: ---------------------------------------- Description: Proposal for an improved system for handling distributed deletes, which removes the requirement to regularly run repair processes to maintain performance and data integrity. h2. The Problem There are various issues with repair: * Repair is expensive to run * Repair jobs are often made more expensive than they should be by other issues (nodes dropping requests, hinted handoff not working, downtime etc) * Repair processes can often fail and need restarting, for example in cloud environments where network issues make a node disappear from the ring for a brief moment * When you fail to run repair within GCSeconds, either by error or because of issues with Cassandra, data written to a node that did not see a later delete can reappear (and a node might miss a delete for several reasons including being down or simply dropping requests during load shedding) * If you cannot run repair and have to increase GCSeconds to prevent deleted data reappearing, in some cases the growing tombstone overhead can significantly degrade performance Because of the foregoing, in high throughput environments it can be very difficult to make repair a cron job. It can be preferable to keep a terminal open and run repair jobs one by one, making sure they succeed and keeping and eye on overall load to reduce system impact. This isn't desirable, and problems are exacerbated when there are lots of column families in a database or it is necessary to run a column family with a low GCSeconds to reduce tombstone load (because there are many write/deletes to that column family). The database owner must run repair within the GCSeconds window, or increase GCSeconds, to avoid potentially losing delete operations. It would be much better if there was no ongoing requirement to run repair to ensure deletes aren't lost, and no GCSeconds window. Ideally repair would be an optional maintenance utility used in special cases, or to ensure ONE reads get consistent data. h2. "Reaper Model" Proposal # Tombstones do not expire, and there is no GCSeconds # Tombstones have associated ACK lists, which record the replicas that have acknowledged them # Tombstones are deleted (or marked for compaction) when they have been acknowledged by all replicas # When a tombstone is deleted, it is added to a "relic" index. The relic index makes it possible for a reaper to acknowledge a tombstone after it is deleted # The ACK lists and relic index are held in memory for speed # Background "reaper" threads constantly stream ACK requests to other nodes, and stream back ACK responses back to requests they have received (throttling their usage of CPU and bandwidth so as not to affect performance) # If a reaper receives a request to ACK a tombstone that does not exist, it creates the tombstone and adds an ACK for the requestor, and replies with an ACK. This is the worst that can happen, and does not cause data corruption. ADDENDUM The proposal to hold the ACK and relic lists in memory was added after the first posting. Please see comments for full reasons. Furthermore, a proposal for enhancements to repair was posted to comments, which would cause tombstones to be scavenged when repair completes (the author had assumed this was the case anyway, but it seems at time of writing they are only scavenged during compaction on GCSeconds timeout). The proposals are not exclusive and this proposal is extended to include the possible enhancements to repair described. NOTES * If a node goes down for a prolonged period, the worst that can happen is that some tombstones are recreated across the cluster when it restarts, which does not corrupt data (and this will only occur with a very small number of tombstones) * The system is simple to implement and predictable * With the reaper model, repair would become an optional process for optimizing the database to increase the consistency seen by ConsistencyLevel.ONE reads, and for fixing up nodes, for example after an sstable was lost h3. Planned Benefits * Reaper threads can utilize "spare" cycles to constantly scavenge tombstones in the background thereby greatly reducing tombstone load, improving query performance, reducing the system resources needed by processes such as compaction, and making performance generally more predictable * The reaper model means that GCSeconds is no longer necessary, which removes the threat of data corruption if repair can't be run successfully within that period (for example if repair can't be run because of a new adopter's lack of Cassandra expertise, a cron script failing, or Cassandra bugs or other technical issues) * Reaper threads are fully automatic, work in the background and perform finely grained operations where interruption has little effect. This is much better for database administrators than having to manually run and manage repair, whether for the purposes of preventing data corruption or for optimizing performance, which in addition to wasting operator time also often creates load spikes and has to be restarted after failure. was: Proposal for an improved system for handling distributed deletes, which removes the requirement to run repair regular processes to maintain performance and data integrity. h2. The Problem There are various issues with repair: * Repair is expensive anyway * Repair jobs are often made more expensive than they should be by other issues (nodes dropping requests, hinted handoff not working, downtime etc) * Repair processes can often fail and need restarting, for example in cloud environments where network issues make a node disappear from the ring for a brief moment * When you fail to run repair within GCSeconds, either by error or because of issues with Cassandra, data written to a node that did not see a later delete can reappear (and a node might miss a delete for several reasons including being down or simply dropping requests during load shedding) * If you cannot run repair and have to increase GCSeconds to prevent deleted data reappearing, in some cases the growing tombstone overhead can significantly degrade performance Because of the foregoing, in high throughput environments it can be very difficult to make repair a cron job. It can be preferable to keep a terminal open and run repair jobs one by one, making sure they succeed and keeping and eye on overall load to reduce system impact. This isn't desirable, and problems are exacerbated when there are lots of column families in a database or it is necessary to run a column family with a low GCSeconds to reduce tombstone load (because there are many write/deletes to that column family). The database owner must run repair within the GCSeconds window, or increase GCSeconds, to avoid potentially losing delete operations. It would be much better if there was no ongoing requirement to run repair to ensure deletes aren't lost, and no GCSeconds window. Ideally repair would be an optional maintenance utility used in special cases, or to ensure ONE reads get consistent data. h2. "Reaper Model" Proposal # Tombstones do not expire, and there is no GCSeconds # Tombstones have associated ACK lists, which record the replicas that have acknowledged them # Tombstones are only deleted (or marked for compaction) when they have been acknowledged by all replicas # When a tombstone is deleted, it is added to a fast "relic" index of MD5 hashes of cf-key-name[-subName]-ackList. The relic index makes it possible for a reaper to acknowledge a tombstone after it is deleted # Background "reaper" threads constantly stream ACK requests to other nodes, and stream back ACK responses back to requests they have received (throttling their usage of CPU and bandwidth so as not to affect performance) # If a reaper receives a request to ACK a tombstone that does not exist, it creates the tombstone and adds an ACK for the requestor, and replies with an ACK NOTES * The existence of entries in the relic index do not affect normal query performance * If a node goes down, and comes up after a configurable relic entry timeout, the worst that can happen is that a tombstone that hasn't received all its acknowledgements is re-created across the replicas when the reaper requests their acknowledgements (which is no big deal since this does not corrupt data) * Since early removal of entries in the relic index does not cause corruption, it can be kept small, or even kept in memory * Simple to implement and predictable h3. Planned Benefits * Operations are finely grained (reaper interruption is not an issue) * The labour & administration overhead associated with running repair can be removed * Reapers can utilize "spare" cycles and run constantly in background to prevent the load spikes and performance issues associated with repair * There will no longer be the threat of corruption if repair can't be run for some reason (for example because of a new adopter's lack of Cassandra expertise, a cron script failing, or Cassandra bugs preventing repair being run etc) * Deleting tombstones earlier, thereby reducing the number involved in query processing, will often dramatically improve performance > Proposal for distributed deletes - fully automatic "Reaper Model" rather than > GCSeconds and manual repairs > ---------------------------------------------------------------------------------------------------------- > > Key: CASSANDRA-3620 > URL: https://issues.apache.org/jira/browse/CASSANDRA-3620 > Project: Cassandra > Issue Type: Improvement > Components: Core > Reporter: Dominic Williams > Labels: GCSeconds,, deletes,, distributed_deletes,, > merkle_trees, repair, > Original Estimate: 504h > Remaining Estimate: 504h > > Proposal for an improved system for handling distributed deletes, which > removes the requirement to regularly run repair processes to maintain > performance and data integrity. > h2. The Problem > There are various issues with repair: > * Repair is expensive to run > * Repair jobs are often made more expensive than they should be by other > issues (nodes dropping requests, hinted handoff not working, downtime etc) > * Repair processes can often fail and need restarting, for example in cloud > environments where network issues make a node disappear from the ring for a > brief moment > * When you fail to run repair within GCSeconds, either by error or because of > issues with Cassandra, data written to a node that did not see a later delete > can reappear (and a node might miss a delete for several reasons including > being down or simply dropping requests during load shedding) > * If you cannot run repair and have to increase GCSeconds to prevent deleted > data reappearing, in some cases the growing tombstone overhead can > significantly degrade performance > Because of the foregoing, in high throughput environments it can be very > difficult to make repair a cron job. It can be preferable to keep a terminal > open and run repair jobs one by one, making sure they succeed and keeping and > eye on overall load to reduce system impact. This isn't desirable, and > problems are exacerbated when there are lots of column families in a database > or it is necessary to run a column family with a low GCSeconds to reduce > tombstone load (because there are many write/deletes to that column family). > The database owner must run repair within the GCSeconds window, or increase > GCSeconds, to avoid potentially losing delete operations. > It would be much better if there was no ongoing requirement to run repair to > ensure deletes aren't lost, and no GCSeconds window. Ideally repair would be > an optional maintenance utility used in special cases, or to ensure ONE reads > get consistent data. > h2. "Reaper Model" Proposal > # Tombstones do not expire, and there is no GCSeconds > # Tombstones have associated ACK lists, which record the replicas that have > acknowledged them > # Tombstones are deleted (or marked for compaction) when they have been > acknowledged by all replicas > # When a tombstone is deleted, it is added to a "relic" index. The relic > index makes it possible for a reaper to acknowledge a tombstone after it is > deleted > # The ACK lists and relic index are held in memory for speed > # Background "reaper" threads constantly stream ACK requests to other nodes, > and stream back ACK responses back to requests they have received (throttling > their usage of CPU and bandwidth so as not to affect performance) > # If a reaper receives a request to ACK a tombstone that does not exist, it > creates the tombstone and adds an ACK for the requestor, and replies with an > ACK. This is the worst that can happen, and does not cause data corruption. > ADDENDUM > The proposal to hold the ACK and relic lists in memory was added after the > first posting. Please see comments for full reasons. Furthermore, a proposal > for enhancements to repair was posted to comments, which would cause > tombstones to be scavenged when repair completes (the author had assumed this > was the case anyway, but it seems at time of writing they are only scavenged > during compaction on GCSeconds timeout). The proposals are not exclusive and > this proposal is extended to include the possible enhancements to repair > described. > NOTES > * If a node goes down for a prolonged period, the worst that can happen is > that some tombstones are recreated across the cluster when it restarts, which > does not corrupt data (and this will only occur with a very small number of > tombstones) > * The system is simple to implement and predictable > * With the reaper model, repair would become an optional process for > optimizing the database to increase the consistency seen by > ConsistencyLevel.ONE reads, and for fixing up nodes, for example after an > sstable was lost > h3. Planned Benefits > * Reaper threads can utilize "spare" cycles to constantly scavenge tombstones > in the background thereby greatly reducing tombstone load, improving query > performance, reducing the system resources needed by processes such as > compaction, and making performance generally more predictable > * The reaper model means that GCSeconds is no longer necessary, which removes > the threat of data corruption if repair can't be run successfully within that > period (for example if repair can't be run because of a new adopter's lack of > Cassandra expertise, a cron script failing, or Cassandra bugs or other > technical issues) > * Reaper threads are fully automatic, work in the background and perform > finely grained operations where interruption has little effect. This is much > better for database administrators than having to manually run and manage > repair, whether for the purposes of preventing data corruption or for > optimizing performance, which in addition to wasting operator time also often > creates load spikes and has to be restarted after failure. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira