Обсуждение: Multimaster

Hi,

Our company PostgresPRO is now developing multimaster for Postgres, some
analogue of MySQL Galera.
It is based on logical replication and pglogical plugin from
2ndQuandrand and uses distributed transaction manager.
The main differences of multimaster from standard PostgreSQL streaming
replication with hot standby are:

1. There is no time gap between master and slave (which is currently
present even for synchronous streaming replication).
2. It is possible to execute any transaction on any node. In case of hot
standby you can only execute read-only queries on replicas and,
moreover,  you can not create temporary tables to store the results of
complex queries. With hot standby you have to change your application by
separating read-only and read-write transactions or use special proxies
like PgBouncer.
3. Multimaster provides high-availability out of the box: it is able to
detect node failure and provide automatic recovery and node return to
the cluster. Unlike HA stacks based on streaming replication,
multimaster doesn't require any external tools like corosync and pacemaker.

Unlike bidirectional replication, multimaster provides distributed
consistency: all transactions will always see consistent snapshots.
If transactions on different nodes are trying to update the same data,
then conflicts will be detected in the same way as in standalone
Postgres. No custom conflict resolution is required.
Multimaster is using two phase commit, so a transaction is either
applied on all nodes or on none. Thus the data of all online nodes are
identical.

Multimaster doesn't provide:
1. Write scalability: the changes have to be applied to all nodes, so
there can not be any write performance gain over standalone server. If
you need write scalability, use sharding. In this case you have to use
Postgres-XL, GreenPlum, pg_shard, or some application-level solution.
2. Optimization of complex analytic queries using distributed query
execution. Multimaster doesn't build distributed execution plans and can
not speed-up execution of single heavy query.
3. Georeplication. Although it is possible to have multimaster nodes in
different data centers, in practice it will lead to very low write
performance. For such scenarios asynchronous BDR is much better solution.


So multimaster may be efficient for providing high availability and load
balancing when most of your queries are read-only.

It will be interesting for us to get user's feedbacks and collect
possible use cases and workloads for multimaster.
Performance of multimaster greatly depends on relative amount of update
queries and transaction size (most of multimaster overhead is related to
transaction processing). In case of simple pgbench-like queries
performance of three-node multimaster is about two times lower than
performance of standalone Postgres on update queries and about two times
higher on read-only queries.
In case of complex analytic queries (like TPC-H) results are much better
and multimaster provides almost linear scalability.
But multimaster is not intended for read-only OLAP: there are more
efficient solutions.
We expect most performance benefits for OLTP with high ratio of
read-only queries.
This is why we try to find workloads for multimaster as close to real
life as possible. Any references to benchmarks, examples of queries,
scenarios, etc. are welcome.

Also we would like to get feedback for the following questions:

1. Currently logical replication requires primary key for replicated
table (otherwise the updates can not be propagated).
How critical can this limitation be for potential multimaster use cases?

2. Is it necessary to support local (not replicated) tables?

3. Right now multimaster replicates the whole instance. Alternatively we
can try to implement database-level replication, making it possible
to provide more flexible configurations of different databases connected
into different clusters. It is hard to estimate now how difficult it
will be to support such mode, but first of all we want to know if this
feature is really needed?

4. We plan to implement sharding support. But first we also have to
understand what people want from cluster first of all?
HA, load balancing, distributed queries, etc. In particular: what use
cases do you see for multimaster without sharding?

5.What is the preferred way of cluster configuration: through
postgresql.conf or using some special API allowing to dynamically
add/remove nodes from cluster?

Thanks in advance,

--
Konstantin Knizhnik
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company

Hi Simon,

Yes, we will distributed all our code under PostgreSQL license.
Right now we are using copy of pglogical_output plugin + receiver part written based on BDR code (just because when we started work on multimaster pglogical plugin was not released).
We have plans to eliminate copies of pglogical plugin files from our code and instead of it refer pglogical plugin.

Right now the main problem is parallel apply: we need to apply changes concurrently to avoid unintended dependencies causing deadlocks and provide reasonable performance.

We also need 2PC support but this code was sent to you by Stas, so I hope that sometime it will be included in PostgreSQL core and pglogical plugin.

There are also some minor technical issues which lead us to making few changes in pglogical code but we tried to do our best to keep original versions unchanged, so we can switch to public version in future.

On 1 April 2016 at 11:33, Konstantin Knizhnik <k.knizhnik@postgrespro.ru> wrote:

 

Our company PostgresPRO is now developing multimaster for Postgres, some analogue of MySQL Galera.
It is based on logical replication and pglogical plugin from 2ndQuandrant and uses distributed transaction manager.

Hi Konstantin,

Is this open source with The PostgreSQL Licence?

Will you be contributing those changes to the BDR project, or is this a permanent fork of that?

Thanks

--

Simon Riggs                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

-- 
Konstantin Knizhnik
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company 

On 04/01/2016 04:50 AM, Konstantin Knizhnik wrote:

> There are also some minor technical issues which lead us to making few
> changes in pglogical code but we tried to do our best to keep original
> versions unchanged, so we can switch to public version in future.

It seems the better solution for all of this would be for BDR and this
project to come together as a community project to get multimaster for
PostgreSQL. Otherwise we are going to end up with the same situation we
had before Pg had master-slave replication.

JD

--
Command Prompt, Inc.                  http://the.postgres.company/
                         +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Everyone appreciates your honesty, until you are honest with them.

Il 01/04/2016 17:22, Joshua D. Drake ha scritto:
> On 04/01/2016 04:50 AM, Konstantin Knizhnik wrote:
>
>> There are also some minor technical issues which lead us to making few
>> changes in pglogical code but we tried to do our best to keep original
>> versions unchanged, so we can switch to public version in future.
>
> It seems the better solution for all of this would be for BDR and this
> project to come together as a community project to get multimaster for
> PostgreSQL. Otherwise we are going to end up with the same situation
> we had before Pg had master-slave replication.
>
> JD
>
I'd like to post my use case, hoping it could be of any interest.
We are giving a cloud service, based on our professional application,
hosting databases on our server and replicating them to every site the
users register with.
Every user have (for now) a unique database to keep in sync.
Users write on their local database and data is replicated with the
server via a background process running while user is connected.
Actually we have to improve what our replicator is doing: it's only
replicating the single user's database. The improvement should that we
can put it on the "server" (in some cases there are groups of users
sharing a dedicated server) and, given a configuration of what and how
to replicate, it should replicate more than one DB a time.
Actually, it's a stand-alone program, but what we'd like would be
something more integrated in PostgreSQL, so where PostgreSQL can run
(everywhere!), so can it.
We were beginning to "translate" (and then improve) this program in c#,
when I bumped into articles pointing to BDR, and I started taking a
look. But it seems that is good to replicahe whole servers, and still
hasn't the granularity we need.

My 2 cent...

Cheers,
Moreno.

<div class="moz-cite-prefix">Il 14/04/2016 07:45, Craig Ringer ha scritto:<br /></div><blockquote
cite="mid:CAMsr+YHA-ijT0Cq1UTy=YNXyEf7WcfzHAXQXxdOCqwu4M=uD+g@mail.gmail.com"type="cite"><div dir="ltr"><div
class="gmail_extra"><divclass="gmail_quote">On 2 April 2016 at 02:15, Moreno Andreo <span dir="ltr"><<a
href="mailto:moreno.andreo@evolu-s.it"moz-do-not-send="true" target="_blank">moreno.andreo@evolu-s.it</a>></span>
wrote:<br/><div> </div><blockquote class="gmail_quote" style="margin:0 0 0             .8ex;border-left:1px #ccc
solid;padding-left:1ex">Actually we have to improve what our replicator is doing: it's only replicating the single
user'sdatabase. The improvement should that we can put it on the "server" (in some cases there are groups of users
sharinga dedicated server) and, given a configuration of what and how to replicate, it should replicate more than one
DBa time.<br /></blockquote><div><br /></div><div>That's a layer on top as far as pglogical is concerned. It's only
interestedin a single database at a time.</div><div><br /></div><div>The same is true of
BDR.</div></div></div></div></blockquote>I'll try to explain.<br /> We have a "cloud server" which contains all users
DBsand to which all users connect to get replication and.<br /> Some users have more than one work site, i.e. in one
they'realone (and the PostgreSQL server is on their own work PC) and in another they're teamed up and they have a
dedicatedserver (and everyone can write on teammates' databases).<br /> In the first case it's easy: the only database
isreplicated with the corresponding one on the cloud server. Straightforward.<br /> At the current state, in the team
case,replication occurs only when the user connects to application, so if there's a user going to a particular site
say,only once a week, in the remaining days all data input by team mates won't be replicated, and the user won't be
awareon what's been done until he replicates again...<br /> So we are trying to have a process, running on the server,
thatchecks for any database to be replicated and performs the action on all of these.<br /><br /> Case 1<br /> Local   
                    Remote<br /> [User1:DB1]    -->    [DB1]<br /><br /> Case 2<br /> [User1:DB1]    -->   
[DB1]<br/> [User2:DB2]    -->    [DB2]<br /> ...<br /> [UserN:DBn]   -->    [DBn]<br /><br /><blockquote
cite="mid:CAMsr+YHA-ijT0Cq1UTy=YNXyEf7WcfzHAXQXxdOCqwu4M=uD+g@mail.gmail.com"type="cite"><div dir="ltr"><div
class="gmail_extra"><divclass="gmail_quote"><div><br /></div><div>A tool that automatically configures newly found
databasesto be replicated should be pretty trivial to write, though.</div></div></div></div></blockquote> All databases
thathave to be replicated have a flag in the app configuration, and the replication config is set up, for each database
andeach site, when the first synchronization is made, so we could spawn a process per database and replicate.<br /> Not
tomention we should be able, if necessary, to exclude one or more tables from the replication.<br /><blockquote
cite="mid:CAMsr+YHA-ijT0Cq1UTy=YNXyEf7WcfzHAXQXxdOCqwu4M=uD+g@mail.gmail.com"type="cite"><div dir="ltr"><div
class="gmail_extra"><divclass="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px#ccc solid;padding-left:1ex"> We were beginning to "translate" (and then improve) this program in
c#,when I bumped into articles pointing to BDR, and I started taking a look. But it seems that is good to replicahe
wholeservers, and still hasn't the granularity we need.</blockquote><div><br /></div><div>Huh?</div><div><br
/></div><div>BDRis configured database-by-database. The only exception is with bdr_init_copy, for initial setup using
binarybase backups; in that case all databases are copied.</div></div></div></div></blockquote> Hmmm... it seems I
misunderstoodsomething......<br /><blockquote
cite="mid:CAMsr+YHA-ijT0Cq1UTy=YNXyEf7WcfzHAXQXxdOCqwu4M=uD+g@mail.gmail.com"type="cite"><div dir="ltr"><div
class="gmail_extra"><divclass="gmail_quote"><div><br /></div><div>It sounds like you actually *want* to replicate all
databasesat once. Presumably the reason you're not just using physical streaming replication for that  is that
differenthosts have a different set of writeable databases? E.g.</div><div><br /></div><div>[Node A]   [Node
B]</div><div>[DB-1]  ->  [DB-1]</div><div>[DB-2]   ->  [DB-2]</div><div>[DB-3]   <-  [DB-3]</div><div>[DB-4]  
<- [DB-4]</div><div><br /></div><div>so each DB is written from only one node at a time, but both nodes have
writeableDBs. Right?</div></div></div></div></blockquote> Yes, I tried to explain this in the first part of the
message.<br/><br /> Thanks<br /> Moreno<br /><blockquote
cite="mid:CAMsr+YHA-ijT0Cq1UTy=YNXyEf7WcfzHAXQXxdOCqwu4M=uD+g@mail.gmail.com"type="cite"><div dir="ltr"><div
class="gmail_extra"><brclear="all" /><div><br /></div> -- <br /><div class="gmail_signature"><div dir="ltr"><div><div
dir="ltr"> CraigRinger                   <a href="http://www.2ndQuadrant.com/" moz-do-not-send="true"
target="_blank"><aclass="moz-txt-link-freetext"
href="http://www.2ndQuadrant.com/">http://www.2ndQuadrant.com/</a></a><br/>  PostgreSQL Development, 24x7 Support,
Training& Services<br /></div></div></div></div></div></div></blockquote><br /> 

Hi,
Thank you for your response.

I intend to make the same split in pglogical its self - a receiver and apply worker split. Though my intent is to have them communicate via a shared memory segment until/unless the apply worker gets too far behind and spills to disk.

In case of multimaster  "too far behind" scenario can never happen. So here is yet another difference in asynchronous and synchronous replication approaches. For asynchronous replication situation when replica is far behind master is quite normal and has to be addressed without blocking master. For synchronous replication it is not possible all this "spill to disk" adds just extra overhead.

It seems to me that pglogical plugin is now becoming too universal, trying to address a lot of different issues and play different roles.
Here are some use cases for logical replication which I see (I am quite sure that you know more):
1. Asynchronous replication (including georeplication) - this is actually BDR.
2. Logical backup: transfer data to different database (including new version of Postgres)
3. Change notification: there are many different subscribers which can be interested in receiving notifications about database changes.
As far as I know new JDBC driver is going to use logical replication to receive update streams. It can be also used for update/invalidation of caches in ORMs.
4. Synchronous replication: multimaster

Any vacant worker form this pool can dequeue this work and proceed it.

How do you handle correctness of ordering though? A naïve approach will suffer from a variety of anomalies when subject to insert/delete/insert write patterns, among other things. You can also get lost updates, rows deleted upstream that don't get deleted downstream and various other exciting ordering issues.

At absolute minimum you'd have to commit on the downstream in the same commit order as the upstream.. This can deadlock. So when you get a deadlock you'd abort the xacts of the deadlocked worker and all xacts with later commit timestamps, then retry the lot.

We are not enforcing order of commits as Galera does. Consistency is enforces by DTM, which enforce that transactions at all nodes are given consistent snapshots and assigned same CSNs. We have also global deadlock detection algorithm which build global lock graph (but still false positives are possible because  this graphs is build incrementally and so it doesn't correspond to some global snapshot).

BDR has enough trouble with this when applying transactions from multiple peer nodes. To a degree it just throws its hands up and gives up - in particular, it can't tell the difference between an insert/update conflict and an update/delete conflict. But that's between loosely coupled nodes where we explicitly document that some kinds of anomalies are permitted. I can't imagine it being OK to have an even more complex set of possible anomalies occur when simply replaying transactions from a single peer...

We should definitely perform more testing here, but right now we do not have any tests causing some synchronization anomalies.

It is certainly possible with this approach that order of applying transactions can be not the same at different nodes.

Well, it can produce downright wrong results, and the results even in a single-master case will be all over the place.

But it is not a problem if we have DTM.

How does that follow?

Multimaster is just particular (and simplest) case of distributed transactions. Specific of multimaster is that the same transaction has to be applied at all nodes and that selects can be executed at any node. The goal of DTM is to provide consistent execution of distributed transactions. If it is able to do for arbitrary transactions then, definitely,  it can do it for multimaster.
I can not give you here formal prove that our DTM is able to solve all this problems. Certainly there are may be bugs in implementation
and this is why we need to perform more testing.  But actually we are not "reinventing the wheel", our DTM is based on the existed approaches.

 

The only exception is recovery of multimaster node. In this case we have to apply transaction exactly in the same order as them were applied at the original node performing recovery. It is done by applying changes in recovery mode by pglogical_receiver itself.

I'm not sure I understand what you area saying here.

Sorry for unclearness.
I just said that normally transactions are applied concurrently by multiple workers and DTM is used to enforce consistency.
But in case of recovery (when some node is crashed and then reconnect to the cluster), we perform recovery of this node sequentially, by single worker. In this case DTM is not used (because other nodes are far ahead) and to restore the same state of node we need to apply changes exactly in the same order and at the source node. In this case case content of target (recovered) node should be the same as of source node.

  

We also need 2PC support but this code was sent to you by Stas, so I hope that sometime it will be included in PostgreSQL core and pglogical plugin.

I never got a response to my suggestion that testing of upstream DDL is needed for that. I want to see more on how you plan to handle DDL on the upstream side that changes the table structure and acquires strong locks. Especially when it's combined with row changes in the same prepared xacts. 

We are now replicating DDL in the way similar with one used in BDR: DDL statements are inserted in special table and are replayed at destination node as part of transaction. 

We have also alternative implementation done by Artur Zakirov <a.zakirov@postgrespro.ru> 

which is using custom WAL records: https://gitlab.postgrespro.ru/pgpro-dev/postgrespro/tree/logical_deparse

Patch for custom WAL records was committed in 9.6, so we are going to switch to this approach.

How does that really improve anything over using a table?

It is more straightforward approach, isn't it? You can either try to restore DDL from low level sequence of updates of system catalogue.
But it is difficult and not always possible. Or need to add to somehow add original DDL statements to the log.
It can be done using some special table or store this information directly in the log (if custom WAL records are supported).
Certainly in the last case logical protocol should be extended to support playback of user-defined WAl records.
But it seems to be universal mechanism which can be used not only for DDL.

I agree, that custom WAL adds no performance or functionality advantages over using a table.
This is why we still didn't switch to it. But IMHO approach with inserting DDL (or any other user-defined information) in special table looks like hack.

This doesn't address what I asked above though, which is whether you have tried doing ALTER TABLE in a 2PC xact with your 2PC replication patch, especially one that also makes row changes. 

Well, recently I have made attempt to merge our code with the latest version of pglogical plugin (because our original implementation of multimaster was based on the code partly taken fro BDR) but finally have to postpone most of changes. My primary intention was to support metadata caching. But presence of multiple apply workers make it not possible to implement it in the same way as it is done node in pglogical plugin.

Not with a simplistic implementation of multiple workers that just round-robin process transactions, no. Your receiver will have to be smart enough to read the protocol stream and write the metadata changes to a separate stream all the workers read. Which is awkward.

I think you'll probably need your receiver to act as a metadata broker for the apply workers in the end.

Also now pglogical plugin contains a lot of code which performs mapping between source and target database schemas. So it it is assumed that them may be different.

But it is not true in case of multimaster and I do not want to pay extra cost for the functionality we do not need.

All it's really doing is mapping upstream to downstream tables by name, since the oids will be different.

Really?
Why then you send all table metadata (information about attributes) and handle invalidation messages?
What is the purpose of "mapping to local relation, filled as needed" fields in PGLogicalRelation if are are not going to perform such mapping?

Multimater really  needs to map local or remote OIDs.  We do not need to provide any attribute mapping and handle catalog invalidations.

--

 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

-- 
Konstantin Knizhnik
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company 

On 18 April 2016 at 16:28, Konstantin Knizhnik <k.knizhnik@postgrespro.ru> wrote:

 

I intend to make the same split in pglogical its self - a receiver and apply worker split. Though my intent is to have them communicate via a shared memory segment until/unless the apply worker gets too far behind and spills to disk.

In case of multimaster  "too far behind" scenario can never happen.

I disagree. In the case of tightly coupled synchronous multi-master it can't happen, sure. But that's hardly the only case of multi-master out there.

Sorry, it is just matter of terms meaning. By multimaster I really mean "synchronous multimaster", because from my point of view the main characteristic of multimaster is symmetric access to all nodes. If there is no warranty that all cluster nodes have the same state, then, from my point of view, it is not a multimaster at all.  But i have registered "multimaster" trademark, so can not insists on such treatment of this term:)

 

2. Logical backup: transfer data to different database (including new version of Postgres)

I think that's more HA than logical backup. Needs to be able to be synchronous or asynchronous, much like our current phys.rep.

Closely related but not quite the same is logical read replicas/standbys.

This is use case from real production system (Galera use case). If customer want to migrate data to new data center, then multimaster is one of the possible (and safest) ways to do it. You can ste-by-step and transparently for users redirect workload to new data center.

 

3. Change notification: there are many different subscribers which can be interested in receiving notifications about database changes.

Yep. I suspect we'll want a json output plugin for this, separate to pglogical etc, but we'll need to move a bunch of functionality from pglogical into core so it can be shared rather than duplicated.

JSON is not is efficient format for it. And here performance may be critical.

 

4. Synchronous replication: multimaster

"Synchronous multimaster". Not all multimastrer is synchronous, not all synchronous replication is multimaster. 

We are not enforcing order of commits as Galera does. Consistency is enforces by DTM, which enforce that transactions at all nodes are given consistent snapshots and assigned same CSNs. We have also global deadlock detection algorithm which build global lock graph (but still false positives are possible because  this graphs is build incrementally and so it doesn't correspond to some global snapshot).

OK, so you're relying on a GTM to determine safe, conflict-free apply orderings.

I'm ... curious ... about how you do that. Do you have a global lock manager too? How do you determine ordering for things that in a single-master case are addressed via unique b-tree indexes, not (just) heavyweight locking?

We have tried both DTM with global arbiter (analogue of XL GTM) and DTM based on timestamps. In the last case there is no centralized arbiter. But we are using "raftable" - yet another our plugin which provides consistent distributed storage based on RAFT protocol.
Using this raftable we build global deadlock graph based on local subgraphs.

Or need to add to somehow add original DDL statements to the log.

Actually you need to be able to add normalized statements to the xlog. The original DDL text isn't quite good enough due to issues with search_path among other things. Hence DDL deparse.

Yes, for general purpose we need some DBMS-independent representation of DDL.
But for multimaster needs original SQL statement will be enough.

 

--

 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

-- 
Konstantin Knizhnik
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company