Page MenuHomePhabricator
Create Task
Maniphest T4292

Implement repository replication
Closed, ResolvedPublic
Actions

Description

@zeeg asked about this on IRC:

epriestley how are you planning to deal w/ mirroring commits
commit hooks and round robin? central master that pushes to all mirrors?

I don't have a highly specific concrete plan yet, but here are some general ideas.

  • I want masters/slaves to be transparent to users. They should always push/pull from the same URL and get the same results.
  • I want pulls to always reflect all changes pushed at the point when the pull started. That is, if you run git push and it exits, and then you run git pull, you should always get the changes you pushed. Similarly, git pull + git pull should never connect you to a repository which is behind the second time.
    • In cases where installs can accept mirror latency, they should just use mirroring, which already exists. We could bring this more onboard if there's need for it (i.e., easy in-Phabricator mirrors) but I think the technical implementation is already complete and correct. Mirrors just get pushed to, don't support write operations from normal clients, and may be behind. We'll just ignore these for the purposes of replication.
  • I want things to be self-healing without additional pushes, which generally means commit hooks can not be the only replication trigger, as we don't have a way to fire them again.
  • Replication should have the smallest impact on the runtime of git push that it can. That is, we don't want git push to cost O(N) in the number of replicas.

Here are how other systems work:

Gitolite

Gitolite supports master/slave setups:

It offers some level of transparency by proxying SSH requests, although I'm not sure if it supports putting multiple hosts behind a loadbalanced domain name.

Gitolite does not offer a consistency guarantee:

From v3.5.3 on, gitolite uses an asynchronous push to the slaves, so that the main push returns immediately, without waiting for the slave pushes to complete. Keep this in mind if you're writing scripts that do a push, and then read one of the slaves immediately -- you will need to add a few seconds of sleep in your script.

From the documentation, I'm not sure if replication is self-healing, but it's fairly moot without a consistency guarantee.

It looks like it moved from O(N) to O(1) costs in v3.

Gerrit

Gerrit only appears to support what we call mirroring, not real replication. No consistency and replicas aren't and don't look writable.

WanDisco Git Multisite (??)

http://www.wandisco.com/git/multisite

I've never heard of this and have no clue how it works. It claims to offer all the properties one would expect, but is a super enterprisey mess and I don't know what it actually does under the hood.

GitHub Enterprise

No real support, I think?

Here are some components we can build to achieve replication. There are a few different approaches we can take, but they'd be based on these fundamentals:

  1. Logical clocks for repositories. Basically, every repository has a version which starts at 0 and increments when it gets pushed.
  2. Blocking pulls. When you pull from a host, it checks the master/largest logical clock for the repository and does a pull if it's behind. Then it processes your request.
  3. SSH forwarding. When you pull or push from a host, it checks the master/largest logical clock for the repository and forwards you to a host which is up to date.
  4. Global locks. When you try to push to a host, we acquire a global lock on the repository, do a blocking pull if necessary, and then process your request.
  5. Passive replication. Fully backgrounded replication which pulls copies with lagging logical clocks. This amortizes the replication cost toward 0 in most cases.

My initial thinking is to do this:

  • We build logical clocks.
  • For pulls, we do blocking pulls.
  • For pushes, I'm not sure if locks or forwarding are better. They seem about equal, with a mixture of advantages and disadvantages. I'm leaning toward locks, since every node can be writable.
  • We do passive replication.

This gives us all the desired properties, fairly easy administration, and no real bad thundering herd cases. We can also build almost all of this stuff very gradually, and run at least some of it meaningfully even on non-replicated repositories.

I think the worst case is that pushes may cost a pull plus a push if you beat passive replication and happen to hit a different master. This doesn't seem like a big deal. If we bump into issues, we can do SSH forwarding to masters instead. I think either approach could easily be faster on average, though, depending on where things are geographically and the size and frequency of pushes.

We could also look at SSH forwarding for pulls, but that can create a thundering herd immediately after a push of a large commit. If someone pushes 1GB of dumb changes, I'd much rather make everyone wait than kill the master (doubly so if we can print "waiting for alincoln's dumb huge change to replicate").

Generally, this is a much easier problem than, say, database replication, because it's completely fine to have average lock overhead of like 50ms and almost arbitrarily long worst cases (the worst case is where we wait for a huge push to replicate), and we have a very small number of mutable objects which we can think of as append-only, none of which would be OK with a database.

Revisions and Commits

rP Phabricator
D15986rPf5f784f4c1d0 Version clustered, observed repositories in a reasonable way (by largest…
D15903rP1c73ad6a1bb0 Make repository daemon locks more granular and forgiving
D15798rPdc3a13c5e834 Add `bin/repository clusterize` and document setup and migration for clusters
D15795rP2c870bad8688 Document how to register cluster devices with Almanac
D15786rP00885edc47d4 Don't try to synchronize repositories with no working copy
D15783rP711f13660e54 Synchronize working copies before doing a "bypassCache" commit read
D15772rP9656fe48bcfe Add a "Repository Servers" cluster administration panel
D15761rP287e761f1991 Make repository synchronization safer when leaders are ambiguous
D15759rP6edf181a7eff Record which cluster host received a push
D15758rPd87c500002d7 Synchronize (hosted, clustered, Git) repositories over Conduit + HTTP
D15757rP31bc023eff76 Synchronize (hosted, git, clustered, SSH) repositories prior to reads
D15755rPc70f4815a958 Allow cluster devices to SSH to one another without acting as a user
D15754rP0db6eaca4173 Consolidate handling of SSH usernames
D15752rP575c01373ee7 Extract repository command construction from Repositories
D15748rPf424f9f2d206 Record more details about where a write is taking place while holding a…
D15747rP368d2d1ddb11 Improve robustness of cluster version bookkeeping
D15688rP4244cad99073 Move toward multi-master replicated repositories
D15685rP58eef68b7c60 Rough cut of repository cluster status panel
D15683rP8a153c1fe96f Rough cut at new "pro" Diffusion edit UI skeleton

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
joshuaspence added a subscriber: joshuaspence.Jul 25 2014, 7:50 AM
kofalt added a subscriber: kofalt.Aug 4 2014, 6:05 AM
defuzz added a subscriber: defuzz.Nov 5 2014, 1:29 AM
bougyman added a subscriber: bougyman.Nov 5 2014, 11:13 PM
nickz added a subscriber: nickz.Nov 5 2014, 11:16 PM
fabe added a subscriber: fabe.Dec 23 2014, 12:57 PM
epriestley added a subtask: T2783: Make working-copy operations service-oriented.Dec 23 2014, 1:52 PM
chad edited projects, added Diffusion; removed Repositories.Jan 16 2015, 4:30 PM
epriestley mentioned this in T7346: Anticipate scaling challenges in the Phacility cluster.Feb 21 2015, 1:04 PM
epriestley mentioned this in T7559: integration with reverse caching proxies such as squid, varnish.Mar 16 2015, 4:05 AM
epriestley mentioned this in Starmap.Apr 15 2015, 11:34 AM
epriestley mentioned this in T8685: Move secure.phabriactor.com halfway into the cluster.Jun 26 2015, 5:54 PM
devurandom added a subscriber: devurandom.Aug 19 2015, 6:00 AM
epriestley mentioned this in Z1336: General Chat.Oct 14 2015, 11:15 PM
paladox added a subscriber: paladox.Nov 5 2015, 6:51 PM

Is there any way on replicating from gerrit to phabricator like refs/changes/

WikiChad added a subscriber: WikiChad.Nov 5 2015, 7:27 PM
In T4292#143345, @paladox wrote:

Is there any way on replicating from gerrit to phabricator like refs/changes/

That's outside the scope of this task and an implementation detail for us at WMF, to be honest.

WikiChad added a comment.Nov 5 2015, 7:42 PM

Per IRC, for posterity: it's a combination of implementation detail for our fetches at WMF, as well as seeing this done: T6878: Tagged commits which are not ancestors of any branch head don't get imported

20after4 added a subscriber: 20after4.Dec 4 2015, 9:06 AM
epriestley mentioned this in T4209: Multiserver / High-Availability Configuration.Dec 4 2015, 12:20 PM
michel-slm added a subscriber: michel-slm.Dec 7 2015, 12:37 PM
eadler added a project: Restricted Project.Jan 8 2016, 11:09 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
hach-que added a subscriber: hach-que.Jan 17 2016, 10:55 PM

I'm guessing this is still years (or decades) away on the road map, but we want to be able to run build agents in the us-west-2 region and our Phabricator cluster currently resides in ap-southeast-2. Having a way of replication repositories across AWS regions (by setting up Phabricator cluster instances in us-west-2 and having the repositories replicate over to them) would be very useful in terms of reducing our git clone times.

epriestley mentioned this in T10366: General support for multiple URIs for a repository.Feb 23 2016, 8:09 PM
epriestley mentioned this in T10246: Deploy Drydock in the Phacility cluster.Feb 26 2016, 2:56 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 7 2016, 6:35 PM
Herald added a subscriber: eadler. · View Herald TranscriptApr 7 2016, 6:35 PM
defuzz removed a subscriber: defuzz.Apr 7 2016, 6:37 PM
epriestley mentioned this in T10751: Make Phabricator Highly Available.Apr 8 2016, 6:23 PM
epriestley added a parent task: T10751: Make Phabricator Highly Available.
epriestley closed subtask T2783: Make working-copy operations service-oriented as Resolved.Apr 8 2016, 8:41 PM
epriestley mentioned this in T10756: Make daemons work correctly no matter where they are or how many copies are running.Apr 8 2016, 9:46 PM
epriestley added a revision: D15683: Rough cut at new "pro" Diffusion edit UI skeleton.Apr 11 2016, 5:35 PM
epriestley added a revision: D15685: Rough cut of repository cluster status panel.Apr 11 2016, 6:40 PM
epriestley added a revision: D15688: Move toward multi-master replicated repositories.Apr 12 2016, 12:22 PM
epriestley added a comment.Apr 12 2016, 12:37 PM

Some additional cases with this:

  • When choosing a device to proxy to while serving Diffusion HTTP requests, we should try to proxy to (or even require?) an up-to-date device (some thundering herd risk? But these requests are usually small/infrequent/easy to serve).
  • The PullLocal daemon needs to start treating version clocks as being similar to the NEEDS_UPDATE flag.
epriestley added a commit: rP8a153c1fe96f: Rough cut at new "pro" Diffusion edit UI skeleton.Apr 12 2016, 12:37 PM
epriestley added a commit: rP58eef68b7c60: Rough cut of repository cluster status panel.
epriestley added a commit: rP4244cad99073: Move toward multi-master replicated repositories.Apr 12 2016, 3:58 PM
epriestley added a revision: D15747: Improve robustness of cluster version bookkeeping.Apr 18 2016, 3:20 PM
epriestley added a revision: D15748: Record more details about where a write is taking place while holding a cluster lock.Apr 18 2016, 3:30 PM
epriestley added a commit: rP368d2d1ddb11: Improve robustness of cluster version bookkeeping.Apr 18 2016, 6:55 PM
epriestley added a commit: rPf424f9f2d206: Record more details about where a write is taking place while holding a….
epriestley added a revision: D15752: Extract repository command construction from Repositories.Apr 19 2016, 12:16 AM
epriestley added a commit: rP575c01373ee7: Extract repository command construction from Repositories.Apr 19 2016, 11:51 AM
epriestley added a revision: D15754: Consolidate handling of SSH usernames.Apr 19 2016, 1:03 PM
epriestley added a revision: D15755: Allow cluster devices to SSH to one another without acting as a user.Apr 19 2016, 1:28 PM
epriestley added a revision: D15757: Synchronize (hosted, git, clustered, SSH) repositories prior to reads.Apr 19 2016, 2:49 PM
epriestley added a revision: D15758: Synchronize (hosted, clustered, Git) repositories over Conduit + HTTP.Apr 19 2016, 5:02 PM
epriestley added a revision: D15759: Record which cluster host received a push.Apr 19 2016, 5:13 PM
epriestley added a revision: D15761: Make repository synchronization safer when leaders are ambiguous.Apr 19 2016, 7:37 PM
epriestley added a commit: rP0db6eaca4173: Consolidate handling of SSH usernames.Apr 19 2016, 8:04 PM
epriestley added a commit: rPc70f4815a958: Allow cluster devices to SSH to one another without acting as a user.
epriestley added a commit: rP31bc023eff76: Synchronize (hosted, git, clustered, SSH) repositories prior to reads.
epriestley added a commit: rPd87c500002d7: Synchronize (hosted, clustered, Git) repositories over Conduit + HTTP.
epriestley added a commit: rP6edf181a7eff: Record which cluster host received a push.Apr 19 2016, 8:06 PM
epriestley added a commit: rP287e761f1991: Make repository synchronization safer when leaders are ambiguous.
epriestley mentioned this in T10748: Implement `diffusion.repository.edit`, for creating and editing repositories via the API.Apr 19 2016, 9:06 PM
eadler added a subtask: T10366: General support for multiple URIs for a repository.Apr 19 2016, 9:17 PM
epriestley added a revision: D15772: Add a "Repository Servers" cluster administration panel.Apr 20 2016, 7:32 PM
epriestley added a commit: rP9656fe48bcfe: Add a "Repository Servers" cluster administration panel.Apr 21 2016, 6:56 PM
epriestley added a comment.Apr 21 2016, 6:59 PM

The diffusion.querycommits method needs to sync-before-read (at least, if bypassCache is provided?) but currently does not. This can lead to tasks failing on the daemon on an un-synchronized node. Things self-heal, but it would be nice to prevent this.

epriestley added a revision: D15783: Synchronize working copies before doing a "bypassCache" commit read.Apr 22 2016, 11:03 AM
epriestley added a revision: D15786: Don't try to synchronize repositories with no working copy.Apr 22 2016, 12:41 PM
epriestley added a commit: rP711f13660e54: Synchronize working copies before doing a "bypassCache" commit read.Apr 22 2016, 3:11 PM
epriestley added a commit: rP00885edc47d4: Don't try to synchronize repositories with no working copy.
epriestley created subtask T10860: After an inconsistent cluster repository write, consider just ignoring the lock.Apr 23 2016, 1:06 PM
epriestley created subtask T10861: Provide a tool to rewind the push log for a repository.Apr 23 2016, 1:42 PM
epriestley added a revision: D15795: Document how to register cluster devices with Almanac.Apr 25 2016, 1:38 PM
epriestley added a commit: rP2c870bad8688: Document how to register cluster devices with Almanac.Apr 25 2016, 9:59 PM
epriestley added a revision: D15798: Add `bin/repository clusterize` and document setup and migration for clusters.Apr 26 2016, 2:47 AM
epriestley added a commit: rPdc3a13c5e834: Add `bin/repository clusterize` and document setup and migration for clusters.Apr 26 2016, 5:07 PM
epriestley mentioned this in Blog Post: Development Notes (2016 Week 18).Apr 30 2016, 2:06 AM
epriestley closed subtask T10366: General support for multiple URIs for a repository as Resolved.May 4 2016, 11:32 PM
epriestley closed subtask T10860: After an inconsistent cluster repository write, consider just ignoring the lock as Resolved.May 12 2016, 2:10 PM
epriestley added a comment.May 12 2016, 3:17 PM

T10748 is moving into production, which is the last major new piece here. Remaining cleanup work I plan to do in this phase:

T10751 has additional discussion about followups, and will eventually spawn tasks covering future work.

epriestley added a revision: D15903: Make repository daemon locks more granular and forgiving.May 12 2016, 11:24 PM
epriestley added a comment.May 13 2016, 12:27 AM

T10940 should be resolved now, D15903 should resolve lock granularity.

I'm going to chew on observed repository versioning, I don't currently have a simple, elegant plan for it but imagine one may come to me in a dream. If nothing does I have some reasonable but inelegant approaches we can pursue.

epriestley added a commit: rP1c73ad6a1bb0: Make repository daemon locks more granular and forgiving.May 13 2016, 12:17 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.May 13 2016, 9:38 PM
scode added a subscriber: scode.May 25 2016, 9:37 PM
epriestley mentioned this in T11045: Inching an install toward repository clustering.May 26 2016, 8:24 PM
epriestley added a comment.May 27 2016, 2:02 PM

Strategy I'm pursuing (for Git) is:

  • The "version" of an observed repository is the largest internal commit ID of any of the active refs (branch heads and tags) in the repository.
  • Commit discovery is topological so in normal cases this is always a reasonable logical clock.
  • This clock may regress if you publish a branch, then delete it.
    • We won't actually wind the clock backward, just keep it at the high water mark.
    • This probably doesn't cause any real problems.

The deletion case means that branch deletion will not actively propagate in the cluster until the next push. It can still propagate passively. It's generally fine for a commit we don't expect to exist to actually exist: this is normal because git doesn't GC commits for a while anyway.

There may still be some potential situations where branches appear and disappear in the UI if you load Diffusion multiple times. I expect these will be so rare and unconcerning that no one will ever notice.

We could eventually move to putting a logical clock on ref changes, which is more like pretending each fetch from the remote is a push to us (we could even write synthetic push logs). This would allow us to increment the version on branch deletion, but is a larger and more complicated change which is more difficult to implement, understand, and administrate, and currently crosses process and lock boundaries.

Herald added a subscriber: faulconbridge. · View Herald TranscriptMay 27 2016, 2:02 PM
yelirekim added a subscriber: yelirekim.May 27 2016, 11:51 PM
epriestley added a revision: D15986: Version clustered, observed repositories in a reasonable way (by largest discovered HEAD).May 30 2016, 2:49 PM
epriestley added a commit: rPf5f784f4c1d0: Version clustered, observed repositories in a reasonable way (by largest….May 30 2016, 4:53 PM
epriestley closed this task as Resolved.May 30 2016, 5:14 PM

That last part which I just landed hasn't been vetted in production for very long yet, but I think this all works now.

I think the only major known limitation is that there's no Mercurial support. This is likely easy to provide later, but we don't have any installs that are interested yet.

From here, there are many improvements we could make (like T10883), and I'm sure some bugs and such will turn up. See T10751 and followups for discussion.

timhirsh mentioned this in T11313: Empty git repositories fail to update cleanly.Jul 11 2016, 3:57 PM
urzds added a subscriber: urzds.Jul 12 2017, 11:13 AM
Phabricator · Built by Phacility