I had another read through for the CEP and had some follow up questions/thoughts.
Write Path - for recovery, how does a node safely recover the highest hybrid logical clock it has issued? Checking the last entry in the addressable log is insufficient unless we ensure every individual update is durable, rather than batched/periodic. Something like leasing to an upper bound could work. SSTable Metadata - is this just a simple set of mutation ids, or do they map to mutated partitions, or is it a multimap of partitions to mutation id? (question is motivated by not understanding how they are used after log truncation and during bootstrap). Log Reconciliation - how is this scheduled within a replica group? Are there any interactions/commonality with CEP-37 the unified repair scheduler? Cohort reconciliation - Are the cohorts ad-hoc for each partial reconciliation, are there restrictions about how many cohorts an instance belongs to (one at a time)? What determines the membership of a cohort, is it agreed as part of running the partial reconciliation? Other members of the cohort may be able to see a different subset of the nodes e.g. network misconfiguration with three DCs where one DC is missing routing to another. - I assume the cohort reconciliation id is reused for subsequent partial reconciliations only if the cohort members remain the same. - Are the reconciled mutations in the addressable log rewritten under the cohort reconciliation id, or is the reference to them updated? - When the partition heals, if you process a read request that contains a cohort reconciliation id, is there a risk that you have to transfer large amounts of data before you can process, or does the addressable log allow filtering by partition? - Should the code be structured that cohort reconciliations are the expected case, and as an optimization if all replicas are in the cohort, then they can bump the lower id. - Are cohort ids issued the same way as regular mutation ids issued by a single host (the initiator?) or do they have a different structure? Log truncation - if log truncation occurs and mutations come from sstables, will the mutations be the actual logged mutation (seems unlikely), or will Cassandra have to construct pseudo-mutations that represent the current state in the sstable? If so, would the inclusion of later mutations after the mutation/cohort id in that partition cause any issues with reconciliation? (I see there's a hint about this in the bootstrap section below) Repair - Will sstables still be split into repaired/pending/unrepaired? Preserving that would make it possible to switch between strategies, it doesn't seem that complex, but maybe I'm missing something. Bootstrap/topology changes - what about RF changes. I don't think TCM currently handles that. Would it need to be added to make mutation tracking work? Where would the metadata be stored to indicate preferred sources for missing mutations? Would that also extend to nodes that have had to perform log truncation? Additional concerns Compaction - how are the mutation ids in sstable metadata handled when multiple sstables are compacted, particularly with something like range aware writers or when splitting the output over multiple size-bounded sstables. A simple union could expand the number of sstables to consider after log truncation. Thanks! Jon On Thu, Jan 16, 2025 at 11:51 AM Blake Eggleston <beggles...@apple.com> wrote: > I’m not sure Josh. Jon brought up paging and the documentation around it > because our docs say we provide mutation level atomicity, but we also > provide drivers that page transparently. So from the user’s perspective, a > single “query” breaks this guarantee unpredictably. Occasional exceptions > with a clear message explaining what is happening, why, and how to fix it > is going to be less confusing that tracking down application misbehavior > caused by this. > > It would also be easy to make the time horizon for paging constant and > configurable (keep at least 20 minutes of logs, for instance), that would > at least provide a floor of predictability. > > On Jan 16, 2025, at 10:08 AM, Josh McKenzie <jmcken...@apache.org> wrote: > > The other issue is that there isn’t a time bound on the paging payload, so > if the application is taking long enough between pages that the log has > been truncated, we’d have to throw an exception. > > My hot-take is that this relationship between how long you're taking to > page, how much data you're processing / getting back, and ingest / flushing > frequency all combined leading to unpredictable exceptions would be a bad > default from a UX perspective compared to a default of "a single page of > data has atomicity; multiple pages do not". Maybe it's just because that's > been our default for so long. > > The simplicity of having a flag that's "don't make my pages atomic and > they always return vs. make my pages atomic and throw exceptions if the > metadata I need is yoinked while I page" is pretty attractive to me. > > Really interesting thought, using these logs as "partial MVCC" while > they're available specifically for what could/should be a very tight > timeline use-case (paging). > > On Thu, Jan 16, 2025, at 12:41 PM, Jake Luciani wrote: > > This is very cool! > > I have done a POC that was similar but more akin to Aurora paper > whereby the commitlog itself would repair itself from peers > proactively using the seekable commitlog. > > Can you explain the reason you prefer to reconcile on read? Having a > consistent commitlog would solve so many problems like CDC, PITR, MVs > etc. > > Jake > > On Thu, Jan 16, 2025 at 12:13 PM Blake Eggleston <beggles...@apple.com> > wrote: > > > > I’ve been thinking about the paging atomicity issue. I think it could be > fixed with mutation tracking and without having to support full on MVCC. > > > > When we reach a page boundary, we can send the highest mutation id we’ve > seen for the partition we reached the paging boundary on. When we request > another page, we send that high water mark back as part of the paging > request. > > > > Each sstable and memtable contributing to the read responses will know > which mutations it has in each partition, so if we encounter one that has a > higher id than we saw in the last page, we reconstitute its data from > mutations in the log, excluding the newer mutations., or exclude it > entirely if it only has newer mutations. > > > > This isn’t free of course. When paging through large partitions, each > page request becomes more likely to encounter mutations it needs to > exclude, and it’s unclear how expensive that will be. Obviously it’s more > expensive to reconstitute vs read, but on the other hand, only a single > replica will be reading any data, so on balance it would still probably be > less work for the cluster than running the normal read path. > > > > The other issue is that there isn’t a time bound on the paging payload, > so if the application is taking long enough between pages that the log has > been truncated, we’d have to throw an exception. > > > > This is mostly just me brainstorming though, and wouldn’t be something > that would be in a v1. > > > > On Jan 9, 2025, at 2:07 PM, Blake Eggleston <beggles...@apple.com> > wrote: > > > > So the ids themselves are in the memtable and are accessible as soon as > they’re written, and need to be for the read path to work. > > > > We’re not able to reconcile the ids until we can guarantee that they > won’t be merged with unreconciled data, that’s why they’re flushed before > reconciliation. > > > > > > On Jan 9, 2025, at 10:53 AM, Josh McKenzie <jmcken...@apache.org> wrote: > > > > We also can't remove mutation ids until they've been reconciled, so in > the simplest implementation, we'd need to flush a memtable before > reconciling, and there would never be a situation where you have purgeable > mutation ids in the memtable. > > > > Got it. So effectively that data would be unreconcilable until such time > as it was flushed and you had those id's to work with in the sstable > metadata, and the process can force a flush to reconcile in those cases > where you have mutations in the MT/CL combo that are transiently not > subject to the reconciliation process due to that log being purged. Or you > flush before purging the log, assuming we're not changing MT data > structures to store id (don't recall if that's specified in the CEP...) > > > > Am I grokking that? > > > > > > On Thu, Jan 9, 2025, at 1:49 PM, Blake Eggleston wrote: > > > > Hi Josh, > > > > You can think of reconciliation as analogous to incremental repair. Like > incremental repair, you can't mix reconciled/unreconciled data without > causing problem. We also can't remove mutation ids until they've been > reconciled, so in the simplest implementation, we'd need to flush a > memtable before reconciling, and there would never be a situation where you > have purgeable mutation ids in the memtable. > > > > The production version of this will be more sophisticated about how it > keeps this data separate to it can reliably support automatic > reconciliation cadences that are higher than what you can do with > incremental repair today, but that’s the short answer. > > > > It's also likely that the concept of log truncation will be removed in > favor of going straight to cohort reconciliation in longer outages. > > > > Thanks, > > > > Blake > > > > On Jan 9, 2025, at 8:27 AM, Josh McKenzie <jmcken...@apache.org> wrote: > > > > Question re: Log Truncation (emphasis mine): > > > > When the cluster is operating normally, logs entries can be discarded > once they are older than the last reconciliation time of their respective > ranges. To prevent unbounded log growth during outages however, logs are > still deleted once they reach some configurable amount of time (maybe 2 > hours by default?). From here, all reconciliation processes behave the same > as before, but they use mutation ids stored in sstable metadata for listing > mutation ids and transmit missing partitions. > > > > > > What happens when / if we have data living in a memtable past that time > threshold that hasn't yet been flushed to an sstable? i.e. low velocity > table or a really tightly configured "purge my mutation reconciliation logs > at time bound X". > > > > On Thu, Jan 9, 2025, at 10:07 AM, Chris Lohfink wrote: > > > > Is this something we can disable? I can see scenarios where this would > be strictly and severely worse then existing scenarios where we don't need > repairs. ie short time window data, millions of writes a second that get > thrown out after a few hours. If that data is small partitions we are > nearly doubling the disk use for things we don't care about. > > > > Chris > > > > On Wed, Jan 8, 2025 at 9:01 PM guo Maxwell <cclive1...@gmail.com> wrote: > > > > After a brief understanding, there are 2 questions from me, If I ask > something inappropriate, please feel free to correct me : > > > > 1、 Does it support changing the table to support mutation tracking > through ALTER TABLE if it does not support mutation tracking before? > > 2、 > > > > Available options for tables are keyspace, legacy, and logged, with the > default being keyspace, which inherits the keyspace setting > > > > > > Do you think that keyspace_inherit (or other keywords that clearly > explain the behavior ) is better than name keyspace ? > > In addition, is legacy appropriate? Because this is a new feature, there > is only the behavior of turning it on and off. Turning it off means not > using this feature. > > If the keyword legacy is used, from the user's perspective, is it using > an old version of the mutation tracking? Similar to the relationship > between SAI and native2i. > > > > Jon Haddad <j...@rustyrazorblade.com> 于2025年1月9日周四 06:14写道: > > > > JD, the fact that pagination is implemented as multiple queries is a > design choice. A user performs a query with fetch size 1 or 100 and they > will get different behavior. > > > > I'm not asking for anyone to implement MVCC. I'm asking for the docs > around this to be correct. We should not use the term guarantee here, it's > best effort. > > > > > > > > > > On Wed, Jan 8, 2025 at 2:06 PM J. D. Jordan <jeremiah.jor...@gmail.com> > wrote: > > > > > > Your pagination case is not a violation of any guarantees Cassandra > makes. It has never made guarantees across multiple queries. > > Trying to have MVCC/consistent data across multiple queries is a very > different issue/problem from this CEP. If you want to have a discussion > about MVCC I suggest creating a new thread. > > > > -Jeremiah > > > > On Jan 8, 2025, at 3:47 PM, Jon Haddad <j...@rustyrazorblade.com> wrote: > > > > > > > It's true that we can't offer multi-page write atomicity without some > sort of MVCC. There are a lot of common query patterns that don't involve > paging though, so it's not like the benefit of fixing write atomicity would > only apply to a small subset of carefully crafted queries or something. > > > > Sure, it'll work a lot, but we don't say "partition level write > atomicity some of the time". We say guarantee. From the CEP: > > > > > In the case of read repair, since we are only reading and correcting > the parts of a partition that we're reading and not the entire contents of > a partition on each read, read repair can break our guarantee on partition > level write atomicity. This approach also prevents meeting the monotonic > read requirement for witness replicas, which has significantly limited its > usefulness. > > > > I point this out because it's not well known, and we make a guarantee > that isn't true, and while the CEP will reduce the number of cases in which > we violate the guarantee, we will still have known edge cases that it > doesn't hold up. So we should stop saying it. > > > > > > > > > > On Wed, Jan 8, 2025 at 1:30 PM Blake Eggleston <beggles...@apple.com> > wrote: > > > > Thanks Dimitry and Jon, answers below > > > > 1) Is a single separate commit log expected to be created for all tables > with the new replication type? > > > > > > The plan is to still have a single commit log, but only index mutations > with a mutation id. > > > > 2) What is a granularity of storing mutation ids in memtable, is it per > cell? > > > > > > It would be per-partition > > > > 3) If we update the same row multiple times while it is in a memtable - > are all mutation ids appended to a kind of collection? > > > > > > They would yes. We might be able to do something where we stop tracking > mutations that have been superseded by newer mutations (same cells, higher > timestamps), but I suspect that would be more trouble than it's worth and > would be out of scope for v1. > > > > 4) What is the expected size of a single id? > > > > > > It's currently 12bytes, a 4 byte node id (from tcm), and an 8 byte hlc > > > > 5) Do we plan to support multi-table batches (single or multi-partition) > for this replication type? > > > > > > This is intended to support all existing features, however the tracking > only happens at the mutation level, so the different mutations coming out > of a multi-partition batch would all be tracked individually > > > > So even without repair mucking things up, we're unable to fulfill this > promise except under the specific, ideal circumstance of querying a > partition with only 1 page. > > > > > > It's true that we can't offer multi-page write atomicity without some > sort of MVCC. There are a lot of common query patterns that don't involve > paging though, so it's not like the benefit of fixing write atomicity would > only apply to a small subset of carefully crafted queries or something. > > > > Thanks, > > > > Blake > > > > On Jan 8, 2025, at 12:23 PM, Jon Haddad <j...@rustyrazorblade.com> wrote: > > > > Very cool! I'll need to spent some time reading this over. One thing I > did notice is this: > > > > > Cassandra promises partition level write atomicity. This means that, > although writes are eventually consistent, a given write will either be > visible or not visible. You're not supposed to see a partially applied > write. However, read repair and short read protection can both "tear" > mutations. In the case of read repair, this is because the data resolver > only evaluates the data included in the client read. So if your read only > covers a portion of a write that didn't reach a quorum, only that portion > will be repaired, breaking write atomicity. > > > > Unfortunately there's more issues with this than just repair. Since we > lack a consistency mechanism like MVCC while paginating, it's possible to > do the following: > > > > thread A: reads a partition P with 10K rows, starts by reading the first > page > > thread B: another thread writes a batch to 2 rows in partition P, one on > page 1, another on page 2 > > thread A: reads the second page of P which has the mutation. > > > > I've worked with users who have been surprised by this behavior, because > pagination happens transparently. > > > > So even without repair mucking things up, we're unable to fulfill this > promise except under the specific, ideal circumstance of querying a > partition with only 1 page. > > > > Jon > > > > > > > > > > > > On Wed, Jan 8, 2025 at 11:21 AM Blake Eggleston <beggles...@apple.com> > wrote: > > > > Hello dev@, > > > > We'd like to propose CEP-45: Mutation Tracking for adoption by the > community. CEP-45 proposes adding a replication mechanism to track and > reconcile individual mutations, as well as processes to actively reconcile > missing mutations. > > > > For keyspaces with mutation tracking enabled, the immediate benefits of > this CEP are: > > * reduced replication lag with a continuous background reconciliation > process > > * eliminate the disk load caused by repair merkle tree calculation > > * eliminate repair overstreaming > > * reduce disk load of reads on cluster to close to 1/CL > > * fix longstanding mutation atomicity issues caused by read repair and > short read protection > > > > Additionally, although it's outside the scope of this CEP, mutation > tracking would enable: > > * completion of witness replicas / transient replication, making the > feature usable for all workloads > > * lightweight witness only datacenters > > > > The CEP is linked here: > https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-45%3A+Mutation+Tracking, > but please keep the discussion on the dev list. > > > > Thanks! > > > > Blake Eggleston > > > > > > > > > -- > http://twitter.com/tjake > > >
