Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: ccc323f524
Branches Tags
elasticsearch
/
docs
/
reference
/
docs
/
data-replication.asciidoc

data-replication.asciidoc 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. 

  2. [[docs-replication]]
    3. 

  3. === Reading and Writing documents
    4. 

  4. 

  5. [float]
    6. 

  6. ==== Introduction
    7. 

  7. 

  8. Each index in Elasticsearch is <<scalability,divided into shards>>
    9. 

  9. and each shard can have multiple copies. These copies are known as a _replication group_ and must be kept in sync when documents
    10. 

  10. are added or removed. If we fail to do so, reading from one copy will result in very different results than reading from another.
    11. 

  11. The process of keeping the shard copies in sync and serving reads from them is what we call the _data replication model_.
    12. 

  12. 

  13. Elasticsearch’s data replication model is based on the _primary-backup model_ and is described very well in the
    14. 

  14. https://www.microsoft.com/en-us/research/publication/pacifica-replication-in-log-based-distributed-storage-systems/[PacificA paper] of
    15. 

  15. Microsoft Research. That model is based on having a single copy from the replication group that acts as the primary shard.
    16. 

  16. The other copies are called _replica shards_. The primary serves as the main entry point for all indexing operations. It is in charge of
    17. 

  17. validating them and making sure they are correct. Once an index operation has been accepted by the primary, the primary is also
    18. 

  18. responsible for replicating the operation to the other copies.
    19. 

  19. 

  20. This purpose of this section is to give a high level overview of the Elasticsearch replication model and discuss the implications
    21. 

  21. it has for various interactions between write and read operations.
    22. 

  22. 

  23. [float]
    24. 

  24. ==== Basic write model
    25. 

  25. 

  26. Every indexing operation in Elasticsearch is first resolved to a replication group using <<index-routing,routing>>,
    27. 

  27. typically based on the document ID. Once the replication group has been determined,
    28. 

  28. the operation is forwarded internally to the current _primary shard_ of the group. The primary shard is responsible
    29. 

  29. for validating the operation and forwarding it to the other replicas. Since replicas can be offline, the primary
    30. 

  30. is not required to replicate to all replicas. Instead, Elasticsearch maintains a list of shard copies that should
    31. 

  31. receive the operation. This list is called the _in-sync copies_ and is maintained by the master node. As the name implies,
    32. 

  32. these are the set of "good" shard copies that are guaranteed to have processed all of the index and delete operations that
    33. 

  33. have been acknowledged to the user. The primary is responsible for maintaining this invariant and thus has to replicate all
    34. 

  34. operations to each copy in this set.
    35. 

  35. 

  36. The primary shard follows this basic flow:
    37. 

  37. 

  38. . Validate incoming operation and reject it if structurally invalid (Example: have an object field where a number is expected)
    39. 

  39. . Execute the operation locally i.e. indexing or deleting the relevant document. This will also validate the content of fields
    40. 

  40.    and reject if needed (Example: a keyword value is too long for indexing in Lucene).
    41. 

  41. . Forward the operation to each replica in the current in-sync copies set. If there are multiple replicas, this is done in parallel.
    42. 

  42. . Once all replicas have successfully performed the operation and responded to the primary, the primary acknowledges the successful
    43. 

  43.    completion of the request to the client.
    44. 

  44. 

  45. [float]
    46. 

  46. ===== Failure handling
    47. 

  47. 

  48. Many things can go wrong during indexing -- disks can get corrupted, nodes can be disconnected from each other, or some
    49. 

  49. configuration mistake could cause an operation to fail on a replica despite it being successful on the primary. These
    50. 

  50. are infrequent but the primary has to respond to them.
    51. 

  51. 

  52. In the case that the primary itself fails, the node hosting the primary will send a message to the master about it. The indexing
    53. 

  53. operation will wait (up to 1 minute, by <<dynamic-index-settings,default>>) for the master to promote one of the replicas to be a
    54. 

  54. new primary. The operation will then be forwarded to the new primary for processing. Note that the master also monitors the
    55. 

  55. health of the nodes and may decide to proactively demote a primary. This typically happens when the node holding the primary
    56. 

  56. is isolated from the cluster by a networking issue. See <<demoted-primary,here>> for more details.
    57. 

  57. 

  58. Once the operation has been successfully performed on the primary, the primary has to deal with potential failures
    59. 

  59. when executing it on the replica shards. This may be caused by an actual failure on the replica or due to a network
    60. 

  60. issue preventing the operation from reaching the replica (or preventing the replica from responding). All of these
    61. 

  61. share the same end result: a replica which is part of the in-sync replica set misses an operation that is about to
    62. 

  62. be acknowledged. In order to avoid violating the invariant, the primary sends a message to the master requesting
    63. 

  63. that the problematic shard be removed from the in-sync replica set. Only once removal of the shard has been acknowledged
    64. 

  64. by the master does the primary acknowledge the operation. Note that the master will also instruct another node to start
    65. 

  65. building a new shard copy in order to restore the system to a healthy state.
    66. 

  66. 

  67. [[demoted-primary]]
    68. 

  68. While forwarding an operation to the replicas, the primary will use the replicas to validate that it is still the
    69. 

  69. active primary. If the primary has been isolated due to a network partition (or a long GC) it may continue to process
    70. 

  70. incoming indexing operations before realising that it has been demoted. Operations that come from a stale primary
    71. 

  71. will be rejected by the replicas. When the primary receives a response from the replica rejecting its request because
    72. 

  72. it is no longer the primary then it will reach out to the master and will learn that it has been replaced. The
    73. 

  73. operation is then routed to the new primary.
    74. 

  74. 

  75. .What happens if there are no replicas?
    76. 

  76. ************
    77. 

  77. This is a valid scenario that can happen due to index configuration or simply
    78. 

  78. because all the replicas have failed. In that case the primary is processing operations without any external validation,
    79. 

  79. which may seem problematic. On the other hand, the primary cannot fail other shards on its own but request the master to do
    80. 

  80. so on its behalf. This means that the master knows that the primary is the only single good copy. We are therefore guaranteed
    81. 

  81. that the master will not promote any other (out-of-date) shard copy to be a  new primary and that any operation indexed
    82. 

  82. into the primary will not be lost. Of course, since at that point we are running with only single copy of the data, physical hardware
    83. 

  83. issues can cause data loss. See <<index-wait-for-active-shards>> for some mitigation options.
    84. 

  84. ************
    85. 

  85. 

  86. [float]
    87. 

  87. ==== Basic read model
    88. 

  88. 

  89. Reads in Elasticsearch can be very lightweight lookups by ID or a heavy search request with complex aggregations that
    90. 

  90. take non-trivial CPU power. One of the beauties of the primary-backup model is that it keeps all shard copies identical
    91. 

  91. (with the exception of in-flight operations). As such, a single in-sync copy is sufficient to serve read requests.
    92. 

  92. 

  93. When a read request is received by a node, that node is responsible for forwarding it to the nodes that hold the relevant shards,
    94. 

  94. collating the responses, and responding to the client. We call that node the _coordinating node_ for that request. The basic flow
    95. 

  95. is as follows:
    96. 

  96. 

  97. . Resolve the read requests to the relevant shards. Note that since most searches will be sent to one or more indices,
    98. 

  98.    they typically need to read from multiple shards, each representing a different subset of the data.
    99. 

  99. . Select an active copy of each relevant shard, from the shard replication group. This can be either the primary or
    100. 

  100.    a replica. By default, Elasticsearch will simply round robin between the shard copies.
    101. 

  101. . Send shard level read requests to the selected copies.
    102. 

  102. . Combine the results and respond. Note that in the case of get by ID look up, only one shard is relevant and this step can be skipped.
    103. 

  103. 

  104. [float]
    105. 

  105. [[shard-failures]]
    106. 

  106. ===== Shard failures
    107. 

  107. 

  108. When a shard fails to respond to a read request, the coordinating node sends the
    109. 

  109. request to another shard copy in the same replication group. Repeated failures
    110. 

  110. can result in no available shard copies.
    111. 

  111. 

  112. To ensure fast responses, the following APIs will
    113. 

  113. respond with partial results if one or more shards fail:
    114. 

  114. 

  115. * <<search-search, Search>>
    116. 

  116. * <<search-multi-search, Multi Search>>
    117. 

  117. * <<docs-bulk, Bulk>>
    118. 

  118. * <<docs-multi-get, Multi Get>>
    119. 

  119. 

  120. Responses containing partial results still provide a `200 OK` HTTP status code.
    121. 

  121. Shard failures are indicated by the `timed_out` and `_shards` fields of
    122. 

  122. the response header.
    123. 

  123. 

  124. [float]
    125. 

  125. ==== A few simple implications
    126. 

  126. 

  127. Each of these basic flows determines how Elasticsearch behaves as a system for both reads and writes. Furthermore, since read
    128. 

  128. and write requests can be executed concurrently, these two basic flows interact with each other. This has a few inherent implications:
    129. 

  129. 

  130. Efficient reads:: Under normal operation each read operation is performed once for each relevant replication group.
    131. 

  131.    Only under failure conditions do multiple copies of the same shard execute the same search.
    132. 

  132. 

  133. Read unacknowledged:: Since the primary first indexes locally and then replicates the request, it is possible for a
    134. 

  134.   concurrent read to already see the change before it has been acknowledged.
    135. 

  135. 

  136. Two copies by default:: This model can be fault tolerant while maintaining only two copies of the data. This is in contrast to
    137. 

  137.   quorum-based system where the minimum number of copies for fault tolerance is 3.
    138. 

  138. 

  139. [float]
    140. 

  140. ==== Failures
    141. 

  141. 

  142. Under failures, the following is possible:
    143. 

  143. 

  144. A single shard can slow down indexing:: Because the primary waits for all replicas in the in-sync copies set during each operation,
    145. 

  145.   a single slow shard can slow down the entire replication group. This is the price we pay for the read efficiency mentioned above.
    146. 

  146.   Of course a single slow shard will also slow down unlucky searches that have been routed to it.
    147. 

  147. 

  148. Dirty reads:: An isolated primary can expose writes that will not be acknowledged. This is caused by the fact that an isolated
    149. 

  149.   primary will only realize that it is isolated once it sends requests to its replicas or when reaching out to the master.
    150. 

  150.   At that point the operation is already indexed into the primary and can be read by a concurrent read. Elasticsearch mitigates
    151. 

  151.   this risk by pinging the master every second (by default) and rejecting indexing operations if no master is known.
    152. 

  152. 

  153. [float]
    154. 

  154. ==== The Tip of the Iceberg
    155. 

  155. 

  156. This document provides a high level overview of how Elasticsearch deals with data. Of course, there is much much more
    157. 

  157. going on under the hood. Things like primary terms, cluster state publishing, and master election all play a role in
    158. 

  158. keeping this system behaving correctly. This document also doesn't cover known and important
    159. 

  159. bugs (both closed and open). We recognize that https://github.com/elastic/elasticsearch/issues?q=label%3Aresiliency[GitHub is hard to keep up with].
    160. 

  160. To help people stay on top of those, we maintain a dedicated https://www.elastic.co/guide/en/elasticsearch/resiliency/current/index.html[resiliency page]
    161. 

  161. on our website. We strongly advise reading it.
    162.