Zephyr: Live Migration in Shared Nothing Databases for Elastic Cloud Platforms

Zephyr: Live Migration in Shared Nothing Databases for Elastic

Cloud Platforms

Aaron J. Elmore, Sudipto Das, Divyakant Agrawal, Amr El Abbadi

Distributed Systems LabUniversity of California Santa Barbara

Sudipto Das {sudipto@cs.ucsb.edu}

Serve thousands of applications (tenants)◦ AppEngine, Azure, Force.com

Tenants are (typically)◦ Small

◦ SLA sensitive

◦ Erratic load patterns

◦ Subject to flash crowds i.e. the fark, digg, slashdot, reddit effect (for now)

Support for Multitenancy is critical Our focus: DBMSs serving these platforms

Cloud Application Platforms

Multitenancy…

What the tenant wants…

What the service provider wants…

Unused resources

Cloud Infrastructure is Elastic

Static provisioning for peak is inelastic

Traditional Infrastructures Deployment in the Cloud

Demand

Capacity

Demand

Capacity

Slide Credits: Berkeley RAD Lab

Elasticity in a Multitenant DB

Database tier

Load Balancer

Application/Web/Caching tier

Live Database Migration

Migrate a tenant’s database in a Live system◦ A critical operation to support elasticity

Different from◦ Migration between software versions

◦ Migration in case of schema evolution

VM Migration for DB Elasticity

VM migration [Clark et al., NSDI 2005]

One tenant-per-VM ◦ Pros: allows fine-grained load balancing

◦ Cons Performance overhead Poor consolidation ratio [Curino et al., CIDR 2011]

Multiple tenants in a VM◦ Pros: good performance

◦ Cons: Migrate all tenants Coarse-grained load balancing

Problem Formulation Multiple tenants share the same database process◦ Shared process multitenancy

◦ Example systems: SQL Azure, ElasTraS, RelationalCloud, and may more

Migrate individual tenants VM migration cannot be used for fine-grained

migration Target architecture: Shared Nothing

◦ Shared storage architectures: see our VLDB 2011 Paper

Shared nothing architecture

How to ensure no downtime? Need to migrate the persistent database image (tens of

MBs to GBs) How to guarantee correctness during failures?

Nodes can fail during migration How to ensure transaction atomicity and durability? How to recover migration state after failure?

Nodes recover after a failure

How to guarantee serializability? Transaction correctness equivalent to normal operation

How to minimize migration cost? …

Why is Live Migration hard?

Downtime ◦ Time tenant is unavailable

Service Interruption◦ Number of operations failing/transactions aborting

Migration Overhead/Performance impact◦ During normal operation, migration, and after

migration

Additional Data Transferred ◦ Data transferred in addition to DB’s persistent image

Migration Cost Metrics

Migration executed in phases Starts with transfer of minimal information to destination

(“wireframe”) Source and destination concurrently execute

transactions in one migration phase Database pages used as granule of

migration Pages “pulled” by destination on-demand

Minimal transaction synchronization A page is uniquely owned by either source or destination Leverage page level locking

Logging and handshaking protocols to tolerate failures

How did we do it?

For this talk◦ Small tenants

i.e. not sharded across nodes.

◦ No replication

◦ No structural changes to indices

Extensions in the paper◦Relaxes these assumptions

Simplifying Assumptions

Design Overview

Owned Pages

Active transactions

Page owned by Node

Page not owned by Node

TS1,…, TSk

Source Destination

Init Mode

Owned Pages

Active transactions

Un-owned Pages

Freeze index wireframe and migrate

Page owned by Node

TS1,…, TSk

Source Destination

What is an index wireframe?

Source Destination

Dual ModeRequests for un-owned pages can block

Old, still active transactions

New transactions

Page owned by Node

TSk+1,…, TSl

TD1,…, TDm

P3 accessed by TDi

P3 pulled from

source

Source Destination

Index wireframes remain frozen

Finish ModePages can be pulled by the destination, if needed

Completed

Page owned by Node

Source Destination

P1, P2, … pushed

from source TDm+1,

…, TDn

Normal Operation

Page owned by Node

Source Destination

TDn+1,…, TDp

Index wireframe un-frozen

Once migrated, pages are never pulled back by source◦ Transactions at source accessing migrated pages are

aborted

No structural changes to indices during migration◦ Transactions (at both nodes) that make structural

changes to indices abort

Destination “pulls” pages on-demand◦ Transactions at the destination experience higher

latency compared to normal operation

Artifacts of this design

Only concern is “dual mode”◦ Init and Finish: only one node is executing transactions

Local predicate locking of internal index and exclusive page level locking between nodes no phantoms

Strict 2PL Transactions are locally serializable

Pages transferred only once ◦ No Tdest Tsource conflict dependency

Guaranteed serializability

Serializability (proofs in paper)

Transaction recovery◦ For every database page, transactions at source

ordered before transactions at destination

◦ After failure, conflicting transactions replayed in the same order

Migration recovery◦ Atomic transitions between migration modes

Logging and handshake protocols◦ Every page has exactly one owner

Bookkeeping at the index level

Recovery (proofs in paper)

In the presence of arbitrary repeated failures, Zephyr ensures:◦ Updates made to database pages are consistent

◦ A failure does not leave a page without an owner

◦ Both source and destination are in the same migration mode

Guaranteed termination and starvation freedom

Correctness (proofs in paper)

Replicated Tenants Sharded Tenants Allow structural changes to the indices◦ Using shared lock managers in the dual mode

Extensions (Details in the paper)

Prototyped using an open source OLTP database H2◦ Supports standard SQL/JDBC API

◦ Serializable isolation level

◦ Tree Indices

◦ Relational data model

Modified the database engine◦ Added support for freezing indices

◦ Page migration status maintained using index

◦ Details in the paper…

Tungsten SQL Router migrates JDBC connections during migration

Implementation

Two database nodes, each with a DB instance running

Synthetic benchmark as load generator◦ Modified YCSB to add transactions

Small read/write transactions Compared against Stop and Copy (S&C)

Experimental Setup

Experimental Methodology

Metadata

Default transaction parameters:

10 operations per transaction 80% Read,

15% Update, 5% Inserts

Hardware: 2.4 Ghz Intel Core 2 Quads, 8GB

RAM, 7200 RPM SATA HDs with 32 MB Cache

Gigabit ethernet

Workload: 60 sessions100 Transactions per

session

System Controller

Migrate

Default DB Size: 100k rows (~250 MB)

Downtime (tenant unavailability)◦S&C: 3 – 8 seconds (needed to migrate,

unavailable for updates)

◦Zephyr: No downtime. Either source or destination is available

Service interruption (failed operations)◦S&C: ~100 s – 1,000s. All transactions with

updates are aborted

◦Zephyr: ~10s – 100s. Orders of magnitude less interruption

Results Overview

Average increase in transaction latency (compared to the 6,000 transaction workload without migration)◦ S&C: 10 – 15%. Cold cache at destination

◦ Zephyr: 10 – 20%. Pages fetched on-demand

Data transfer◦ S&C: Persistent database image

◦ Zephyr: 2 – 3% additional data transfer (messaging overhead)

Total time taken to migrate◦ S&C: 3 – 8 seconds. Unavailable for any writes

◦ Zephyr: 10 – 18 seconds. No-unavailability

Results Overview

Failed Operations

Orders of magnitude fewer failed operations

Proposed Zephyr, a live database migration technique with no downtime for shared nothing architectures◦ The first end to end solution with safety,

correctness and liveness guarantees

Prototype implementation on a relational OLTP database

Low cost on a variety of workloads

Contributions

Back-up

More details

Source Destination

Freeze indexes

Source Destination

Duplicate indexes with sentinels

Source Destination

Dual Mode

Source Destination

Finish Mode

Source Destination

Finish Mode

Source Destination

Either source or destination is serving the tenant◦ No downtime

Serializable transaction execution◦ Unique page ownership

◦ Local multi-granularity locking

Safety in the presence of failures◦ Transactions are atomic and durable

◦ Migration state is recovered from log Ensure consistency of the database state

Guarantees

Wireframe copy Typically orders of magnitude smaller than

data Operational overhead during migration

Extra data (in addition to database pages) transferred

Transactions aborted during migration

Migration Cost Analysis

Effect of Inserts on Zephyr

Failures due to attempted modification of Index structure

Average Transaction Latency

Only committed transaction reported

Loss of cache for both migration types

Zephyr results in a remote fetch

Zephyr: Live Migration in Shared Nothing Databases for Elastic Cloud Platforms

Technology

Transcript of Zephyr: Live Migration in Shared Nothing Databases for Elastic Cloud Platforms

California Zephyr

Zephyr Teachout decision

Zephyr - Modern Forms

Zephyr Project Overview - eLinux.org · 2017. 10. 23. · Zephyr Eco-System Zephyr “Community ... Kernel / HAL •Scheduler •Kernel objects and services •low-level architecture

Zephyr Catalog

Zephyr 2010

NCI Report: Zephyr

Welcome to ZEPHYR

ZEPHYR - Cheyenne Zonta

Zephyr Endobronchial Valve System Instructions for Use · • Zephyr 4.0-LP Endobronchial Valve (Zephyr 4.0-LP EBV) • Zephyr 5.5 Endobronchial Valve (Zephyr 5.5 EBV) ... Pneumothorax

Zephyr brochure_ang

Zephyr (Z)

Model: Zephyr - 3D: Mark Florquindownloads.agisoft.ru/photoscan/sample07/sample07.pdfModel: Zephyr - 3D: Mark Florquin

Final Zephyr

Zephyr: Live Migration in Shared Nothing Databases for ...people.cs.uchicago.edu/~aelmore/papers/Elmore-Zephyr.pdf · Zephyr: Live Migration in Shared Nothing Databases for Elastic

Zephyr Salvo Services

Copyright © Zephyr Technology. All rights reserved Zephyr Confidential Slide 1 Zephyr Measure Life... Anywhere WPI Body Area Network Conference "Practicality.

Zephyr Song - Tab

Zephyr 2009

Zephyr 2007