Consensus, Raft and Rafter

7c4bac30ed2d3a9d346ced746b1d985d?s=47 Tom Santero
August 01, 2013
Programming
21
2.5k

Consensus, Raft and Rafter

Tech talk on consensus protocols, with a focus on Raft and Andrew Stone's Erlang implementation: rafter.

Presented at Erlang NYC: http://www.meetup.com/Erlang-NYC/events/131394712/

7c4bac30ed2d3a9d346ced746b1d985d?s=128

Tom Santero

August 01, 2013
Tweet

Want more?

7c4bac30ed2d3a9d346ced746b1d985d?s=48 tsantero
1
230
7c4bac30ed2d3a9d346ced746b1d985d?s=48 tsantero
1
160
7c4bac30ed2d3a9d346ced746b1d985d?s=48 tsantero
1
130
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
12
690
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
3
370
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
230
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
8
490
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
9
270
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
330
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
4
760
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
200
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
270

Transcript

  1. 1.

    & Consensus RAFT RAFTER

  2. 2.

    Tom Santero cats I newports distributed systems

  3. 3.

    Andrew Stone cats I bread distributed systems

  4. 4.

    @tsantero @andew_j_stone

  5. 5.

    tsantero andewjstone

  6. 6.

    tsantero astone @ basho.com

  7. 7.

    tsantero astone @ basho.com (notice Andrew’s contact keeps getting shorter?)

  8. 8.

    http://thinkdistributed.io A Chris Meiklejohn Production

  9. 9.

    The Usual Suspects

  10. 10.

    “Strongly Consistent Datastores” MongoDB Redis MySQL others...

  11. 11.

    async {replication disk persistence Failure Detection

  12. 12.

    Problem?

  13. 13.

    Single Node w/ async disc writes Data is written to

    fs buffer, user is sent acknowledgement, power goes out Data not yet written to disk is LOST System is UNAVAILABLE Single Disk Solutions: fsync, battery backup, prayer Failure Mode 1
  14. 14.

    Master/Slave with asynchronous replication Data is written by user and

    acknowledged Data synced on Primary, but crashes Failure Mode 2
  15. 15.

    ? Consistent Available

  16. 16.

    ? Consistent Available

  17. 17.

    ? Consistent Available Primary Failed. Data not yet written to

    Secondary Write already ack’d to Client if promote_secondary() == true; { stderr(“data loss”); } else { stderr(“system unavailable”); }
  18. 18.

    (›°□°ʣ›ớ ᵲᴸᵲ

  19. 19.

    Synchronous Writes FTW?

  20. 20.

    PostgreSQL / Oracle Master / Slave Ack when Slave confirms

    Write
  21. 21.

    Problem?

  22. 22.

    Problem? Failure Detection Automated Failover “split brain” partitions

  23. 23.

    Solution!

  24. 24.

    Solution! Consensus protocols! (Paxos, ZAB, Raft) RYOW Consistency Safe Serializability

  25. 25.

    What is Consensus?

  26. 26.

    “The problem of reaching agreement among remote processes is one

    of the most fundamental problems in distributed computing and is at the core of many algorithms for distributed data processing, distributed file management, and fault- tolerant distributed applications.”
  27. 27.

    In a distributed system... despite failures. multiple processes agreeing on

    a value
  28. 28.

    host0 host1 host2 Replicated Log

  29. 29.

    v0 host0 host1 host2 Replicated Log

  30. 30.

    v0 v1 v2 v3 v4 v5 ... v(n-1) host0 host1

    host2 Replicated Log
  31. 31.

    Consensus {termination agreement validity

  32. 32.

    Consensus {termination agreement validity non faulty processes eventually decide on

    a value
  33. 33.

    Consensus {termination agreement validity non faulty processes eventually decide on

    a value processes that decide do so on the same value
  34. 34.

    Consensus {termination agreement validity non faulty processes eventually decide on

    a value processes that decide do so on the same value value must have been proposed
  35. 35.

    Theoretical Real World

  36. 36.

    Back to 1985...

  37. 37.

    Back to 1985... The FLP Result

  38. 38.

    & Safety Liveness

  39. 39.

    bad things can’t happen

  40. 40.

    good things eventually happen

  41. 41.

    Consensus {termination agreement validity non faulty processes eventually decide on

    a value processes that decide do so on the same value value must have been proposed
  42. 42.

    {termination agreement validity non faulty processes eventually decide on a

    value processes that decide do so on the same value value must have been proposed Safety Liveness
  43. 43.

    Safety Liveness {termination agreement validity non faulty processes eventually decide

    on a value processes that decide do so on the same value value must have been proposed
  44. 44.

    Safety Liveness {termination agreement validity non faulty processes eventually decide

    on a value processes that decide do so on the same value value must have been proposed
  45. 45.

    Safety Liveness {termination agreement validity non faulty processes eventually decide

    on a value processes that decide do so on the same value value must have been proposed non-triviality
  46. 46.

    The FLP Result: perfect Safety and Liveness in async consensus

    is impossible
  47. 47.

    Symmetric vs Asymmetric

  48. 48.

    Raft

  49. 49.

    Motivation: RAMCloud large scale, general purpose, distributed storage all data

    lives in DRAM strong consistency model https://ramcloud.stanford.edu/
  50. 50.

    Motivation: RAMCloud large scale, general purpose, distributed storage all data

    lives in DRAM strong consistency model 100 byte object reads in 5μs https://ramcloud.stanford.edu/
  51. 51.

    John Ousterhout Diego Ongaro In Search of an Understandable Consensus

    Algorithm https://ramcloud.stanford.edu/raft.pdf
  52. 52.

    “Unfortunately, Paxos is quite difficult to understand, in spite of

    numerous attempts to make it more approachable. Furthermore, its architecture is unsuitable for building practical systems, requiring complex changes to create an efficient and complete solution. As a result, both system builders and students struggle with Paxos.”
  53. 53.
    None
  54. 54.

    Design Goals: Understandability & Decomposition Strong Leadership Model Joint Consensus

    for Membership Changes
  55. 55.

    Log SM C Consensus Module Replicated Log State Machine

  56. 56.

    Log SM C Log SM C Log SM C Client

    C
  57. 57.

    Log SM C Log SM C Log SM C Client

    1. client makes request to Leader C
  58. 58.

    Log SM C Log SM C Log SM C Client

    2. consensus module manages request C
  59. 59.

    Log SM C Log SM C Log SM C Client

    3. persist instruction to local log v C
  60. 60.

    Log SM C Log SM C Log SM C Client

    v C
  61. 61.

    Log SM C Log SM C Log SM C Client

    v 4. leader replicates command to other machines C C C
  62. 62.

    Log SM C Log SM C Log SM C Client

    v C C C
  63. 63.

    Log SM C Log SM C Log SM C Client

    v C C v v 5. command recorded to local machines’ log C
  64. 64.

    Log SM C Log SM C Log SM C Client

    v C C v v C
  65. 65.

    Log SM C Log SM C Log SM C Client

    v C C v v C
  66. 66.

    Log SM C Log SM C Log SM C Client

    v C C v v C
  67. 67.

    Log SM C Log SM C Log SM C Client

    v C C v v 7. command forwarded to state machines for processing SM SM SM C
  68. 68.

    Log SM C Log SM C Log SM C Client

    v C C v v 7. command forwarded to state machines for processing SM SM SM C
  69. 69.

    Log SM C Log SM C Log SM C Client

    v C C v v SM C
  70. 70.

    Log SM C Log SM C Log SM C Client

    v C C v v SM 8. SM processes command, ACKs to client C
  71. 71.

    Log SM C Log SM C Log SM C Client

    v C C v v SM C
  72. 72.

    Why does that work? job of the consensus module to:

    C manage replicated logs determine when it’s safe to pass to state machine for execution only requires majority participation
  73. 73.

    Why does that work? job of the consensus module to:

    C manage replicated logs determine when it’s safe to pass to state machine for execution only requires majority participation Safety { Liveness {
  74. 74.

    2F + 1

  75. 75.

    2F + 1 solve for F

  76. 76.

    F + 1 service unavailable

  77. 77.

    Fail-Stop Behavior

  78. 78.

    What If The Leader DIES?

  79. 79.

    Leader Election!

  80. 80.

    1. Select 1/N servers to act as Leader 2. Leader

    ensures Safety and Linearizability 3. Detect crashes + Elect new Leader 4. Maintain consistency after Leadership “coups” 5. Depose old Leaders if they return 6. Manage cluster topology
  81. 81.

    Possible Server Roles: Leader Follower Candidate

  82. 82.

    Possible Server Roles: Leader Follower Candidate At most only 1

    valid Leader at a time Receives commands from clients Commits entries Sends heartbeats
  83. 83.

    Possible Server Roles: Leader Follower Candidate Replicate state changes Passive

    member of cluster during normal operation Vote for Candidates
  84. 84.

    Possible Server Roles: Leader Follower Candidate Initiate and coordinate Leader

    Election Was previously a Follower
  85. 85.

    Terms: election normal operation Term 1 Term 2 Term 3

    Term 4 no emerging leader
  86. 86.

    Leader Follower Candidate

  87. 87.

    Leader Follower Candidate times out, starts election

  88. 88.

    Leader Follower Candidate

  89. 89.

    Leader Follower Candidate times out, new election

  90. 90.

    Leader Follower Candidate

  91. 91.

    Leader Follower Candidate receives votes from majority of servers

  92. 92.

    Leader Follower Candidate

  93. 93.

    Leader Follower Candidate discover server with higher term

  94. 94.

    Leader Follower Candidate

  95. 95.

    Leader Follower Candidate discover current leader or higher term

  96. 96.

    Leader Follower Candidate

  97. 97.

    Potential Use Cases: Distributed Lock Manager Database Transactions Automated Failover

    Configuration Management http://coreos.com/blog/distributed-configuration-with-etcd/index.html Service Discovery etc...
  98. 98.

    Rafter github.com/andrewjstone/rafter

  99. 99.

    •A labor of love, a work in progress •A library

    for building strongly consistent distributed systems in Erlang •Implements the raft consensus protocol in Erlang •Fundamental abstraction is the replicated log What:
  100. 100.

    Replicated Log •API operates on log entries •Log entries contain

    commands •Commands are transparent to Rafter •Systems build on top of rafter with pluggable state machines that process commands upon log entry commit.
  101. 101.

    Erlang

  102. 102.

    Erlang: A Concurrent Language •Processes are the fundamental abstraction •Processes

    can only communicate by sending each other messages •Processes do not share state •Processes are managed by supervisor processes in a hierarchy
  103. 103.

    Erlang: A Concurrent Language  loop()  -­‐>        

       receive                    {From,  Msg}  -­‐>                              From  !  Msg,                              loop()            end.   %%  Spawn  100,000  echo  servers                       Pids  =  [spawn(fun  loop/0)  ||  _  <-­‐   lists:seq(1,100000)] %%  Send  a  message  to  the  first  process lists:nth(0,  Pids)  !  {self(),  ayo}.
  104. 104.

    Erlang: A Functional Language • Single Assignment Variables • Tail-Recursion

    • Pattern Matching {op,  {set,  Key,    Val}}  =  {op,  {set,  <<“job”>>,  <<“developer”>>}} • Bit Syntax Header  =  <<Sha1:20/binary,  Type:8,  Term:64,  Index:64,  DataSize:32>>
  105. 105.

    Erlang: A Distributed Language Location Transparency: Processes can send messages

    to other processes without having to know if the other process is local. %%  Send  to  a  local  gen_server  process gen_server:cast(peer1,  do_something) %%  Send  to  a  gen_server  on  another  machine gen_server:cast({‘peer1@rafter1.basho.com’},  do_something) %%  wrapped  in  a  function  with  a  variable  name  for  a  clean  client  API do_something(Name)  -­‐>  gen_server:cast(Name,  do_something). %%  Using  the  API Result  =  do_something(peer1).
  106. 106.

    Erlang: A Reliable Language •Erlang embraces “Fail-Fast” •Code for the

    good case. Fail otherwise. •Supervisors relaunch failed processes •Links and Monitors alert other processes of failure •Avoids coding most error paths and helps prevent logic errors from propagating
  107. 107.

    OTP • OTP is a set of modules and standards

    that simplifies the building of reliable, well engineered erlang applications. • The gen_server, gen_fsm and gen_event modules are the most important parts of OTP • They wrap processes as server “behaviors” in order to facilitate building common, standardized distributed applications that integrate well with the Erlang Runtime
  108. 108.

    Implementation github.com/andrewjstone/rafter

  109. 109.

    Peers •Each peer is made up of two supervised processes

    •A gen_fsm that implements the raft consensus fsm •A gen_server that wraps the persistent log •An API module hides the implementation
  110. 110.

    Rafter API • The entire user api lives in rafter.erl

    • rafter:start_node(peer1, kv_sm). • rafter:set_config(peer1, [peer1, peer2, peer3, peer4, peer5]). • rafter:op(peer1, {set, <<“Omar”>>, <<“gonna get got”>>}). • rafter:op(peer1, {get, <<“Omar”>>}).
  111. 111.

    Output State Machines •Commands are applied in order to each

    peer’s state machine as their entries are committed •All peers in a consensus group can only run one type of state machine passed in during start_node/2 •Each State machine must export apply/1
  112. 112.

    Hypothetical KV store %%  API kv_sm:set(Key,  Val)  -­‐>    

         Peer  =  get_local_peer(),        rafter:op(Peer,  {set,  Key,  Value}). %%  State  Machine  callback kv_sm:apply({set,  Key,  Value})  -­‐>  ets:insert({kv_sm_store,   {Key,  Value}); kv_sm:apply({get,  Key})  -­‐>  ets:lookup(kv_sm_store,  Key).
  113. 113.

    rafter_consensus_fsm •gen_fsm that implements Raft •3 states - follower, candidate,

    leader •Messages sent and received between fsm’s according to raft protocol •State handling functions pattern match on messages to simplify and shorten handler clauses.
  114. 114.

    rafter_log.erl • Log API used by rafter_consensus_fsm and rafter_config •

    Utilizes Binary pattern matching for reading logs • Writes out entries to append only log. • State machine commands encoded with term_to_binary/1
  115. 115.

    rafter_config.erl •Rafter handles dynamic reconfiguration of it’s clusters at runtime

    •Depending upon the configuration of the cluster, different code paths need navigating, such as whether a majority of votes has been received. •Instead of embedding this logic in the consensus fsm, it was abstracted out into a module of pure functions
  116. 116.

    rafter_config.erl API -­‐spec  quorum_min(peer(),    #config{},  dict())  -­‐>  non_neg_integer(). -­‐spec

     has_vote(peer(),  #config{})  -­‐>  boolean(). -­‐spec  allow_config(#config{},  list(peer()))  -­‐>  boolean(). -­‐spec  voters(#config{})  -­‐>  list(peer()).
  117. 117.

    Testing

  118. 118.

    Property Based Testing •Use Erlang QuickCheck •Too complex to get

    into now •Come hear me talk about it at Erlang Factory Lite in Berlin! shameless plug
  119. 119.

    Other Raft Implementations https://ramcloud.stanford.edu/wiki/display/logcabin/LogCabin http://coreos.com/blog/distributed-configuration-with-etcd/index.html https://github.com/benbjohnson/go-raft https://github.com/coreos/etcd

  120. 120.

    github.com/andrewjstone/rafter

  121. 121.

    Plugs Shameless (a few more)

  122. 122.

    RICON West http://ricon.io/west.html Études for Erlang http://meetup.com/Erlang-NYC

  123. 123.

    Andy Gross - Introducing us to Raft Diego Ongaro -

    writing Raft, clarifying Tom’s understanding, reviewing slides Chris Meiklejohn - http://thinkdistributed.io - being an inspiration Justin Sheehy - reviewing slides, correcting poor assumptions Reid Draper - helping rubber duck solutions Kelly McLaughlin - helping rubber duck solutions John Daily - for his consistent pedantry concerning Tom’s abuse of English Basho - letting us indulge our intellect on the company’s dime (we’re hiring) Thanks File
  124. 124.

    Any and all questions can be sent to /dev/null @tsantero

    @andrew_j_stone