TWO-PHASE COMMIT ATTRIBUTION 5/11/2018. George Porter May 9 and 11, 2018

Similar documents
PRIMARY-BACKUP REPLICATION

Causal Consistency and Two-Phase Commit

CONCURRENCY CONTROL, TRANSACTIONS, LOCKING, AND RECOVERY

Transactions. CS 475, Spring 2018 Concurrent & Distributed Systems

ATOMIC COMMITMENT Or: How to Implement Distributed Transactions in Sharded Databases

REPLICATED STATE MACHINES

CSE 124: REPLICATED STATE MACHINES. George Porter November 8 and 10, 2017

Distributed Commit in Asynchronous Systems

Fault Tolerance. Distributed Systems. September 2002

Module 8 Fault Tolerance CS655! 8-1!

The transaction. Defining properties of transactions. Failures in complex systems propagate. Concurrency Control, Locking, and Recovery

Potential Name Syntax. Properties of Naming. Naming and system components. Naming and layering. Replicated storage, consistency

Module 8 - Fault Tolerance

Chapter 8 Fault Tolerance

Today: Fault Tolerance

Fault Tolerance. Basic Concepts

Chapter 8 Fault Tolerance

Agreement and Consensus. SWE 622, Spring 2017 Distributed Software Engineering

CSE 124: LAMPORT AND VECTOR CLOCKS. George Porter October 30, 2017

Fault Tolerance. o Basic Concepts o Process Resilience o Reliable Client-Server Communication o Reliable Group Communication. o Distributed Commit

CS October 2017

Fault Tolerance. Distributed Systems IT332

CprE Fault Tolerance. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Today: Fault Tolerance. Fault Tolerance

PEER-TO-PEER NETWORKS, DHTS, AND CHORD

Beyond FLP. Acknowledgement for presentation material. Chapter 8: Distributed Systems Principles and Paradigms: Tanenbaum and Van Steen

Today: Fault Tolerance. Replica Management

CS 425 / ECE 428 Distributed Systems Fall 2017

Consistency. CS 475, Spring 2018 Concurrent & Distributed Systems

TIME ATTRIBUTION 11/4/2018. George Porter Nov 6 and 8, 2018

Dep. Systems Requirements

Distributed Systems Fault Tolerance

Distributed Systems Principles and Paradigms. Chapter 08: Fault Tolerance

Fault-Tolerance I: Atomicity, logging, and recovery. COS 518: Advanced Computer Systems Lecture 3 Kyle Jamieson

Topics. File Buffer Cache for Performance. What to Cache? COS 318: Operating Systems. File Performance and Reliability

Synchronization Part 2. REK s adaptation of Claypool s adaptation oftanenbaum s Distributed Systems Chapter 5 and Silberschatz Chapter 17

CSE 5306 Distributed Systems. Fault Tolerance

CSC 261/461 Database Systems Lecture 20. Spring 2017 MW 3:25 pm 4:40 pm January 18 May 3 Dewey 1101

Fault Tolerance. it continues to perform its function in the event of a failure example: a system with redundant components

Topics in Reliable Distributed Systems

Database Systems. Announcement

Byzantine Fault Tolerance

CSC 261/461 Database Systems Lecture 24

Lectures 8 & 9. Lectures 7 & 8: Transactions

Recovering from a Crash. Three-Phase Commit

Transactions and ACID

CSE 5306 Distributed Systems

CS6450: Distributed Systems Lecture 13. Ryan Stutsman

The objective. Atomic Commit. The setup. Model. Preserve data consistency for distributed transactions in the presence of failures

CSE 544 Principles of Database Management Systems. Alvin Cheung Fall 2015 Lecture 14 Distributed Transactions

CSE 124: TIME SYNCHRONIZATION, CRISTIAN S ALGORITHM, BERKELEY ALGORITHM, NTP. George Porter October 27, 2017

Distributed Systems COMP 212. Revision 2 Othon Michail

Fault Tolerance Part I. CS403/534 Distributed Systems Erkay Savas Sabanci University

Synchronization. Clock Synchronization

Coordination 1. To do. Mutual exclusion Election algorithms Next time: Global state. q q q

Basic concepts in fault tolerance Masking failure by redundancy Process resilience Reliable communication. Distributed commit.

Distributed Systems COMP 212. Lecture 19 Othon Michail

Transactions. 1. Transactions. Goals for this lecture. Today s Lecture

Database Management System Prof. D. Janakiram Department of Computer Science & Engineering Indian Institute of Technology, Madras Lecture No.

Distributed Systems Principles and Paradigms

Transaction Management & Concurrency Control. CS 377: Database Systems

Consensus in Distributed Systems. Jeff Chase Duke University

Synchronization. Chapter 5

Today: Fault Tolerance. Failure Masking by Redundancy

Synchronization Part II. CS403/534 Distributed Systems Erkay Savas Sabanci University

Distributed Transactions

Distributed File System

Control. CS432: Distributed Systems Spring 2017

Database Technology. Topic 8: Introduction to Transaction Processing

1/9/13. + The Transaction Concept. Transaction Processing. Multiple online users: Gives rise to the concurrency problem.

Distributed systems. Lecture 6: distributed transactions, elections, consensus and replication. Malte Schwarzkopf

Distributed Transaction Management 2003

CSE 486/586: Distributed Systems

Distributed Systems

Fault Tolerance. Chapter 7

Fault Tolerance. Goals: transparent: mask (i.e., completely recover from) all failures, or predictable: exhibit a well defined failure behavior

Primary/Backup. CS6450: Distributed Systems Lecture 3/4. Ryan Stutsman

CS5412: TRANSACTIONS (I)

Frequently asked questions from the previous class survey

Replication. Feb 10, 2016 CPSC 416

CS455: Introduction to Distributed Systems [Spring 2018] Dept. Of Computer Science, Colorado State University

Fault tolerance with transactions: past, present and future. Dr Mark Little Technical Development Manager, Red Hat

CS6450: Distributed Systems Lecture 11. Ryan Stutsman

Lecture X: Transactions

Fault Tolerance. Fall 2008 Jussi Kangasharju

CS /15/16. Paul Krzyzanowski 1. Question 1. Distributed Systems 2016 Exam 2 Review. Question 3. Question 2. Question 5.

Distributed Systems. Characteristics of Distributed Systems. Lecture Notes 1 Basic Concepts. Operating Systems. Anand Tripathi

Distributed Systems. Characteristics of Distributed Systems. Characteristics of Distributed Systems. Goals in Distributed System Designs

Distributed Systems. Fault Tolerance. Paul Krzyzanowski

Today: Fault Tolerance. Reliable One-One Communication

CSE 190D Database System Implementation

Distributed Database Management System UNIT-2. Concurrency Control. Transaction ACID rules. MCA 325, Distributed DBMS And Object Oriented Databases

Chapter 5: Distributed Systems: Fault Tolerance. Fall 2013 Jussi Kangasharju

CS 167 Final Exam Solutions

Distributed Transaction Management

MYE017 Distributed Systems. Kostas Magoutis

FAULT TOLERANCE. Fault Tolerant Systems. Faults Faults (cont d)

COMMENTS. AC-1: AC-1 does not require all processes to reach a decision It does not even require all correct processes to reach a decision

Consistency and Scalability

Fault Tolerance Causes of failure: process failure machine failure network failure Goals: transparent: mask (i.e., completely recover from) all

Transcription:

TWO-PHASE COMMIT George Porter May 9 and 11, 2018 ATTRIBUTION These slides are released under an Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) Creative Commons license These slides incorporate material from: Tanenbaum and Van Steen, Dist. Systems: Principles and Paradigms Kyle Jamieson, Princeton University (also under a CC BY-NC-SA 3.0 Creative Commons license) 1

ANNOUNCEMENTS Outline 1. Fault tolerance in a nutshell 2. Safety and liveness 3. Two-phase commit 4. Two-phase commit failure scenarios 2

WHAT IS FAULT TOLERANCE? Building reliable systems from unreliable components Three basic steps 1. Detecting errors: discovering the presence of an error in a data value or control signal 2. Containing errors: limiting how far errors propagate 3. Masking errors: designing mechanisms to ensure a system operates correctly despite error (and possible correct error) WHY IS FAULT TOLERANCE HARD? Failures Propagate Say one bit in a DRAM fails it flips a bit in a memory address the kernel is writing to......causes big memory error elsewhere, or a kernel panic......program is running one of many distributed file system storage servers......a client can t read from FS, so it hangs. 3

SO WHAT TO DO? 1. Do nothing: silently return the failure 2. Fail fast: detect the failure and report at interface Ethernet station jams medium on detecting collision 3. Fail safe: transform incorrect behavior or values into acceptable ones Failed traffic light controller switches to blinking-red 4. Mask the failure: operate despite failure Retry op for transient errors, use error-correcting code for bit flips, replicate data in multiple places MASKING FAILURES We mask failures on one server via Atomic operations Logging and recovery In a distributed system with multiple servers, we might replicate some or all servers But if you have some replicated servers You re going to want a way to keep them all consistent in a fault tolerant way 4

Outline 1. Fault tolerance in a nutshell 2. Safety and liveness 3. Two-phase commit 4. Two-phase commit failure scenarios REASONING ABOUT FAULT TOLERANCE This is hard! How do we design fault-tolerant systems? How do we know if we re successful? Often use properties that hold true for every possible execution We focus on safety and liveness properties 5

SAFETY Bad things don t happen No stopped or deadlocked states No error states Examples Mutual exclusion: two processes can t be in a critical section at the same time Bounded overtaking: if process 1 wants to enter a critical section, process 2 can enter at most once before process 1 LIVENESS Good things happen eventually Examples Starvation freedom: process 1 can eventually enter a critical section as long as process 2 terminates Eventual consistency: if a value in an application doesn t change, two servers will eventually agree on its value 6

OFTEN A TRADEOFF Good and bad are application-specific Safety is very important in banking transactions May take some time to confirm a transaction Liveness is very important in social networking sites See updates right away (what about the breakup problem?) Outline 1. Fault tolerance in a nutshell 2. Safety and liveness 3. Two-phase commit 4. Two-phase commit failure scenarios 7

MOTIVATION: SENDING MONEY send_money(a, B, amount) { Begin_Transaction(); if (A.balance - amount >= 0) { A.balance = A.balance - amount; B.balance = B.balance + amount; Commit_Transaction(); } else { Abort_Transaction(); } } SINGLE-SERVER: ACID Atomicity: all parts of the transaction execute or none (A s decreases and B s balance increases) Consistency: the transaction only commits if it preserves invariants (A s balance never goes below 0) Isolation: the transaction executes as if it executed by itself (even if C is accessing A s account, that will not interfere with this transaction) Durability: the transaction s effects are not lost after it executes (updates to the balances will remain forever) 8

DISTRIBUTED TRANSACTIONS? Partition databases across multiple machines for scalability (A and B might not share a server) A transaction might touch more than one partition How do we guarantee that all of the partitions commit the transactions or none commit the transactions? TWO-PHASE COMMIT (2PC) Goal: General purpose, distributed agreement on some action, with failures Different entities play different roles in the action Running example: Transfer money from A to B Debit at A, credit at B, tell the client okay Require both banks to do it, or neither Require that one bank never act alone 9

STRAW MAN PROTOCOL 1. C TC: go! Client C Transaction Coordinator TC go! Bank A B STRAW MAN PROTOCOL Client C 1. C TC: go! Transaction Coordinator TC go! okay 2. TC A: debit $20! TC B: credit $20! TC C: okay Bank A B A, B perform actions on receipt of messages 10

REASONING ABOUT THE STRAW MAN PROTOCOL What could possibly go wrong? 1. Not enough money in A s bank account? 2. B s bank account no longer exists? 3. A or B crashes before receiving message? 4. The best-effort network to B fails? 5. TC crashes after it sends debit to A but before sending to B? SAFETY VERSUS LIVENESS Note that TC, A, and B each have a notion of committing We want two properties: 1. Safety If one commits, no one aborts If one aborts, no one commits 2. Liveness If no failures and A and B can commit, action commits If failures, reach a conclusion ASAP 11

A CORRECT ATOMIC COMMIT PROTOCOL 1. C TC: go! Client C Transaction Coordinator TC go! Bank A B A CORRECT ATOMIC COMMIT PROTOCOL Client C 1. C TC: go! Transaction Coordinator TC 2. TC A, B: prepare! prepare! prepare! Bank A B 12

A CORRECT ATOMIC COMMIT PROTOCOL 1. C TC: go! Client C Transaction Coordinator TC 2. TC A, B: prepare! 3. A, B P: yes or no Bank A B A CORRECT ATOMIC COMMIT PROTOCOL 1. C TC: go! Client C Transaction Coordinator TC commit! Bank A B commit! 2. TC A, B: prepare! 3. A, B P: yes or no 4. TC A, B: commit! or abort! TC sends commitif bothsay yes TC sends abortif eithersay no 13

A CORRECT ATOMIC COMMIT PROTOCOL 1. C TC: go! Client C Transaction Coordinator TC okay Bank A B 2. TC A, B: prepare! 3. A, B P: yes or no 4. TC A, B: commit! or abort! TC sends commitif bothsay yes TC sends abortif eithersay no 5. TC C: okay or failed A, B commit on receipt of commit message REASONING ABOUT ATOMIC COMMIT Why is this correct? Neither can commit unless both agreed to commit What about performance? 1. Timeout: I m up, but didn t receive a message I expected Maybe other node crashed, maybe network broken 2. Reboot: Node crashed, is rebooting, must clean up 14

TIMEOUTS IN ATOMIC COMMIT Where do hosts wait for messages? 1. TC waits for yes or no from A and B TC hasn t yet sent any commit messages, so can safely abort after a timeout But this is conservative: might be network problem We ve preserved correctness, sacrificed performance 2. A and B wait for commit or abort from TC If it sent a no, it can safely abort (why?) If it sent a yes, can it unilaterally abort? Can it unilaterally commit? A, B could wait forever, but there is an alternative SERVER TERMINATION PROTOCOL Consider Server B (Server A case is symmetric) waiting for commit or abort from TC Assume B voted yes (else, unilateral abort possible) B A: status? A then replies back to B. Four cases: (No reply from A): no decision, B waits for TC Server A received commit or abort from TC: Agree with the TC s decision Server A hasn t voted yet or voted no: both abort TC can t have decided to commit Server A voted yes: both must wait for the TC TC decided to commit if both replies received TC decided to abort if it timed out 15

REASONING ABOUT THE SERVER TERMINATION PROTOCOL What are the liveness and safety properties? Safety: if servers don t crash, all processes will reach the same decision Liveness: if failures are eventually repaired, then every participant will eventually reach a decision Can resolve some timeout situations with guaranteed correctness Sometimes however A and B must block Due to failure of the TC or network to the TC But what will happen if TC, A, or B crash and reboot? HOW TO HANDLE CRASH AND REBOOT? Can t back out of commit if already decided TC crashes just after sending commit! A or B crash just after sending yes If all nodes knew their state before crash, we could use the termination protocol Use write-ahead log to record commit! and yes to disk 16

RECOVERY PROTOCOL WITH NON-VOLATILE STATE If everyone rebooted and is reachable, TC can just check for commit record on disk and resend action TC: If no commit record on disk, abort You didn t send any commit! messages A, B: If no yes record on disk, abort You didn t vote yes so TC couldn t have committed A, B: If yes record on disk, execute termination protocol This might block TWO-PHASE COMMIT This recovery protocol with non-volatile logging is called Two-Phase Commit (2PC) Safety: All hosts that decide reach the same decision No commit unless everyone says yes Liveness: If no failures and all say yes then commit But if failures then 2PC might block TC must be up to decide Doesn t tolerate faults well: must wait for repair 17

Outline 1. Fault tolerance in a nutshell 2. Safety and liveness 3. Two-phase commit 4. Two-phase commit failure scenarios WHAT IF PARTICIPANT FAILS BEFORE SENDING RESPONSE? 18

WHAT IF PARTICIPANT FAILS AFTER SENDING VOTE WHAT IF PARTICIPANT LOST A VOTE? 19

WHAT IF COORDINATOR FAILS BEFORE SENDING PREPARE? WHAT IF COORDINATOR FAILS AFTER SENDING PREPARE? 20

WHAT IF COORDINATOR FAILS AFTER RECEIVING VOTES WHAT IF COORDINATOR FAILS AFTER SENDING DECISION? 21

DO WE NEED THE COORDINATOR? 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback