Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/cluster/cluster_databases.diviner
- This file was added.
| @title Cluster: Databases | |||||
| @group intro | |||||
| Configuring Phabricator to use multiple database hosts. | |||||
| Overview | |||||
| ======== | |||||
| WARNING: This feature is a very early prototype; the features this document | |||||
| describes are mostly speculative fantasy. | |||||
| You can deploy Phabricator with multiple database hosts, configured as a master | |||||
| and a set of replicas. The advantages of doing this are: | |||||
| - faster recovery from disasters by promoting a replica; | |||||
| - graceful degradation if the master fails; | |||||
| - reduced load on the master; and | |||||
| - some tools to help monitor and manage replica health. | |||||
| This configuration is complex, and many installs do not need to pursue it. | |||||
| Phabricator can not currently be configured into a multi-master mode, nor can | |||||
| it be configured to automatically promote a replica to become the new master. | |||||
| Setting up MySQL Replication | |||||
| ============================ | |||||
| TODO: Write this section. | |||||
| Configuring Replicas | |||||
| ==================== | |||||
| Once your replicas are in working order, tell Phabricator about them by | |||||
| configuring the `cluster.database` option. This option must be configured from | |||||
| the command line or in configuration files because Phabricator needs to read | |||||
| it //before// it can connect to databases. | |||||
| This option value will list all of the database hosts that you want Phabricator | |||||
| to interact with: your master and all your replicas. Each entry in the list | |||||
| should have these keys: | |||||
| - `host`: //Required string.// The database host name. | |||||
| - `role`: //Required string.// The cluster role of this host, one of | |||||
| `master` or `replica`. | |||||
| - `port`: //Optional int.// The port to connect to. If omitted, the default | |||||
| port from `mysql.port` will be used. | |||||
| - `user`: //Optional string.// The MySQL username to use to connect to this | |||||
| host. If omitted, the default from `mysql.user` will be used. | |||||
| - `pass`: //Optional string.// The password to use to connect to this host. | |||||
| If omitted, the default from `mysql.pass` will be used. | |||||
| - `disabled`: //Optional bool.// If set to `true`, Phabricator will not | |||||
| connect to this host. You can use this to temporarily take a host out | |||||
| of service. | |||||
| When `cluster.databases` is configured the `mysql.host` option is not used. | |||||
| The other MySQL connection configuration options (`mysql.port`, `mysql.user`, | |||||
| `mysql.pass`) are used only to provide defaults. | |||||
| Once you've configured this option, restart Phabricator for the changes to take | |||||
| effect, then continue to "Monitoring and Testing" to verify the configuration. | |||||
| Monitoring and Testing | |||||
| ====================== | |||||
| TODO: Write this part. | |||||
| Degradation to Read-Only Mode | |||||
| ============================= | |||||
| Phabricator will degrade to read-only mode when any of these conditions occur: | |||||
| - you turn it on explicitly; | |||||
| - you configure cluster mode, but don't set up any masters; | |||||
| - the master is misconfigured and unsafe to write to; or | |||||
| - the master is unreachable. | |||||
| When Phabricator is running in read-only mode, users can still read data and | |||||
| browse and clone repositories, but they can not edit, update, or push new | |||||
| changes. For example, users can still read disaster recovery information on | |||||
| the wiki or emergency contact information on user profiles. | |||||
| You can enable this mode explicitly by configuring `cluster.read-only`. Some | |||||
| reasons you might want to do this include: | |||||
| - to test that the mode works like you expect it to; | |||||
| - to make sure that information you need will be available; | |||||
| - to prevent new writes while performing database maintenance; or | |||||
| - to permanently archive a Phabricator install. | |||||
| You can also enable this mode implicitly by configuring `cluster.databases` | |||||
| but disabling the master, or by not specifying any host as a master. This may | |||||
| be more convenient than turning it on explicitly during the course of | |||||
| operations work. | |||||
| Before writing to a master, Phabricator will verify that the host is not | |||||
| configured as a replica. This is a safety feature to prevent data loss if your | |||||
| MySQL and Phabricator configurations disagree about replica configuration. If | |||||
| your `master` is currently replicating from another host, Phabricator will | |||||
| treat it as a `replica` instead and implicitly degrade into read-only mode. | |||||
| Finally, if Phabricator is unable to reach the master, it will degrade into | |||||
| read-only mode. For details on how Phabricator determines that a master is | |||||
| unreachable, see "Unreachable Masters" below. | |||||
| If a master becomes unreachable, this normally corresponds to loss of the | |||||
| master host, a severed network link, or some other sort of disaster. | |||||
| Phabricator will degrade and continue operating in read-only mode until the | |||||
| master recovers or operations personnel can assess the situation and intervene. | |||||
| If you end up in a situation where you have lost the master and can not get it | |||||
| back online (or can not restore it quickly) you can promote a replica to become | |||||
| the new master. See the next section, "Promoting a Replica", for details. | |||||
| Promoting a Replica | |||||
| =================== | |||||
| TODO: Write this, too. | |||||
| Unreachable Masters | |||||
| =================== | |||||
| This section describes how Phabricator determines that a master has been lost, | |||||
| marks it unreachable, and degrades into read-only mode. | |||||
| TODO: For now, it doesn't. | |||||
| Backups | |||||
| ====== | |||||
| Even if you configure replication, you should still retain separate backup | |||||
| snapshots. Replicas protect you from data loss if you lose a host, but they do | |||||
| not let you recover from data mutation mistakes. | |||||
| If something issues `DELETE` or `UPDATE` statements and destroys data on the | |||||
| master, the mutation will propagate to the replicas almost immediately and the | |||||
| data will be gone forever. Normally, the only way to recover this data is from | |||||
| backup snapshots. | |||||
| Although you should still have a backup process, your backup process can | |||||
| safely pull dumps from a replica instead of the master. This operation can | |||||
| be slow, so offloading it to a replica can make the perforance of the master | |||||
| more consistent. | |||||
| To dump from a replica, wait for this TODO to be resolved and then do whatever | |||||
| it says to do: | |||||
| TODO: Make `bin/storage dump` replica-aware. See T10758. | |||||
| Next Steps | |||||
| ========== | |||||
| Continue by: | |||||
| - returning to @{article:Clustering Introduction}. | |||||