This is the second in a series of posts reviewing methods for MySQL master discovery: the means by which an application connects to the master of a replication tree. Moreover, the means by which, upon master failover, it identifies and connects to the newly promoted master.
These posts are not concerned with the manner by which the replication failure detection and recovery take place. I will share orchestrator specific configuration/advice, and point out where cross DC orchestrator/raft setup plays part in discovery itself, but for the most part any recovery tool such as MHA, replication-manager, severalnines or other, is applicable.
We discuss asynchronous (or semi-synchronous) replication, a classic single-master-multiple-replicas setup. A later post will briefly discuss synchronous replication (Galera/XtraDB Cluster/InnoDB Cluster).
Master discovery via VIP
In part 1 we saw that one the main drawbacks of DNS discovery is the time it takes for the apps to connect to the promoted master. This is the result of both DNS deployment time as well as client’s TTL.
A quicker method is offered: use of VIPs (Virtual IPs). As before, apps would connect to cluster1-writer.example.net, cluster2-writer.example.net, etc. However, these would resolve to specific VIPs.
Say cluster1-writer.example.net resolves to 10.10.0.1. We let this address float between servers. Each server has its own IP (say 10.20.0.XXX) but could also potentially claim the VIP 10.10.0.1.
VIPs can be assigned by switches and I will not dwell into the internals, because I’m not a network expert. However, the following holds:
- Acquiring a VIP is a very quick operation.
- Acquiring a VIP must take place on the acquiring host.
- A host may be unable to acquire a VIP should another host holds the same VIP.
- A VIP can only be assigned within a bounded space: hosts connected to the same switch; hosts in the same Data Center or availability zone.
A non planned failover illustration #1
Master M has died, the box had a power failure. R gets promoted in its place. Our recovery tool:
- Attempts to connect to
Mso that it can give up the VIP. The attempt fails becauseMis dead. - Connects to
Rand instructs it to acquire the VIP. SinceMis dead there is no objection, andRsuccessfully grabs the VIP. - Any new connections immediately route to the new master
R. - Clients with connections to
Mcannot connect, issue retries, immediately route toR.
A non planned failover illustration #2
Master M gets network isolated for 30 seconds, during which time we failover. R gets promoted. Our tool:
- Attempts to connect to
Mso that it can give up the VIP. The attempt fails becauseMis network isolated. - Connects to
Rand instructs it to acquire the VIP. SinceMis network isolated there is no objection, andRsuccessfully grabs the VIP. - Any new connections immediately route to the new master
R. - Clients with connections to
Mcannot connect, issue retries, immediately route toR. 30seconds laterMreappears, but no one pays any attention.
A non planned failover illustration #3
Master M box is overloaded. It is not responsive to new connections but may slowly serves existing connections. Our tool decides to failover:
- Attempts to connect to
Mso that it can give up the VIP. The attempt fails becauseMis very loaded. - Connects to
Rand instructs it to acquire the VIP. Unfortunately,Mhasn’t given up the VIP and still shows up as owning it. - All existing and new connections keep on routing to
M, even asRis the new master. - This continues until some time has passed and we are able to manually grab the VIP on
R, or until we forcibly network isolateMor forcibly shut it down.
We suffer outage.
Planned failover illustration
We wish to replace the master, for maintenance reasons. We successfully and gracefully promote R.
Mis available and responsive, we ask it to give up the VIP, which is does.- We ask
Rto grab the VIP, which it does. - All new connections route to
R. - We may still see old connections routing to
M. We can forcibly network isolateMto break those connections so as to cause reconnects, or restart apps.
Discussion
As with DNS discovery, the apps are never told of the change. They may be forcibly restarted though.
Grabbing a VIP is a quick operation. However, consider:
- It is not guaranteed to succeed. I have seen it fail in various situations.
- Since releasing/acquiring of VIP can only take place on the demoted/promoted servers, respectively, our failover tool will need to:
- Remote SSH onto both boxes, or
- Remote exec a command on those boxes
- Moreover, the tool will do so sequentially. First we must connect to demoted master to give up the VIP, then to promoted master to acquire it.
- This means the time at which the new master grabs the VIP depends on how long it takes to connect to the old master to give up the VIP. Seeing that the old master had trouble causing failover, we can expect correlation to not being able to connect to old master, or seeing slow connect time.
- An alternative exists, in the form of Pacemaker. Consider Percona’s Replication Manager guide for more insights. Pacemaker provides a single point of access from where the VIP can be moved, and behind the scenes it will communicate to relevant nodes. This makes it simpler on the failover solution configuration.
- We are constrained by physical location.
- It is still possible for existing connection to keep on communicating to the demoted master, even while the VIP has been moved.
VIP & DNS combined
Per physical location, we could choose to use VIP. But should we need to failover to a server in another DC, we could choose to combine the DNS discovery, discussed in part 1.
We can expect to see faster failover time on a local physical location, and longer failover time on remote location.
Sample orchestrator configuration
What kind of remote exec method will you have? In this sample we will use remote (passwordless) SSH.
An orchestrator configuration would look like this:
"ApplyMySQLPromotionAfterMasterFailover": true,
"PostMasterFailoverProcesses": [
"ssh {failedHost} 'sudo ifconfig the-vip-interface down'",
"ssh {successorHost} 'sudo ifconfig the-vip-interface up'",
"/do/what/you/gotta/do to apply dns change for {failureClusterAlias}-writer.example.net to {successorHost}"
],
In the above:
- Replace
SSHwith any remote exec method you may use.- But you will need to set up the access/credentials for
orchestratorto run those operations.
- But you will need to set up the access/credentials for
- Replace
ifconfigwithservice quagga stop/startor any method you use to release/grab VIPs.
See orchestrator configuration documentation.
All posts in this series
- MySQL master discovery methods, part 1: DNS
- MySQL master discovery methods, part 2: VIP & DNS
- MySQL master discovery methods, part 3: app & service discovery
- MySQL master discovery methods, part 4: Proxy heuristics
- MySQL master discovery methods, part 5: Service discovery & Proxy
- MySQL master discovery methods, part 6: other methods
Using ‘VIP’ to refer to ‘virtual IP’ is confusing, you should call it ‘vIP’ like ‘vGPU’ means ‘virtual GPU’, ‘vCPU’ means ‘virtual CPU’ and ‘vRAM’ means ‘virtual RAM’ whereas ‘VRAM’ means ‘video RAM’.
@Jouni, thank you — I’ve never seen this vIP notation, and have always seen VIP notation. https://en.wikipedia.org/wiki/Virtual_IP_address
Wonder why someone made it that hard.