partition.so

berkeley db 4.6.21的源码。berkeley db是一个简单的数据库管理系统

m4_comment([$Id: partition.so,v 1.6 2006/08/25 12:56:00 bostic Exp $])

m4_ref_title(m4_db Replication,
    Network partitions,, rep/trans, rep/faq)

m4_p([dnl
The m4_db replication implementation can be affected by network
partitioning problems.])

m4_p([dnl
For example, consider a replication group with N members.  The network
partitions with the master on one side and more than N/2 of the sites
on the other side.  The sites on the side with the master will continue
forward, and the master will continue to accept write queries for the
databases.  Unfortunately, the sites on the other side of the partition,
realizing they no longer have a master, will hold an election.  The
election will succeed as there are more than N/2 of the total sites
participating, and there will then be two masters for the replication
group.  Since both masters are potentially accepting write queries, the
databases could diverge in incompatible ways.])

m4_p([dnl
If multiple masters are ever found to exist in a replication group, a
master detecting the problem will return m4_ref(DB_REP_DUPMASTER).  If
the application sees this return, it should reconfigure itself as a
client (by calling m4_ref(rep_start)), and then call for an election
(by calling m4_ref(rep_elect)).  The site that wins the election may be
one of the two previous masters, or it may be another site entirely.
Regardless, the winning system will bring all of the other systems into
conformance.])

m4_p([dnl
As another example, consider a replication group with a master
environment and two clients A and B, where client A may upgrade to
master status and client B cannot.  Then, assume client A is partitioned
from the other two database environments, and it becomes out-of-date
with respect to the master.  Then, assume the master crashes and does
not come back on-line.  Subsequently, the network partition is restored,
and clients A and B hold an election.  As client B cannot win the
election, client A will win by default, and in order to get back into
sync with client B, possibly committed transactions on client B will be
unrolled until the two sites can once again move forward together.])

m4_p([dnl
In both of these examples, there is a phase where a newly elected master
brings the members of a replication group into conformance with itself
so that it can start sending new information to them.  This can result
in the loss of information as previously committed transactions are
unrolled.])

m4_p([dnl
In architectures where network partitions are an issue, applications
may want to implement a heart-beat protocol to minimize the consequences
of a bad network partition.  As long as a master is able to contact at
least half of the sites in the replication group, it is impossible for
there to be two masters.  If the master can no longer contact a
sufficient number of systems, it should reconfigure itself as a client,
and hold an election.  Replication Manager does not currently
implement such a feature, so this technique is only available to
applications which use the Base replication API.])

m4_p([dnl
There is another tool applications can use to minimize the damage in
the case of a network partition.  By specifying an m4_arg(nsites)
argument to m4_ref(rep_elect) that is larger than the actual number of
database environments in the replication group, applications can keep
systems from declaring themselves the master unless they can talk to
a large percentage of the sites in the system.  For example, if there
are 20 database environments in the replication group, and an argument
of 30 is specified to the m4_refT(rep_elect), then a system will have
to be able to talk to at least 16 of the sites to declare itself the
master.])

m4_p([dnl
Replication Manager uses the value of m4_arg(nsites) (configured by
the m4_refT(rep_set_nsites)) for elections as well as in calculating how
many acknowledgements to wait for when sending a
m4_ref(DB_REP_PERMANENT) message.  So this technique may be useful here
as well, unless the application uses the m4_ref(DB_REPMGR_ACKS_ALL) or
m4_ref(DB_REPMGR_ACKS_ALL_PEERS) acknowledgement policies.])

m4_p([dnl
Specifying a m4_arg(nsites) argument to m4_ref(rep_elect) that is
smaller than the actual number of database environments in the
replication group has its uses as well.  For example, consider a
replication group with 2 environments.  If they are partitioned from
each other, neither of the sites could ever get enough votes to become
the master.  A reasonable alternative would be to specify a
m4_arg(nsites) argument of 2 to one of the systems and a m4_arg(nsites)
argument of 1 to the other.  That way, one of the systems could win
elections even when partitioned, while the other one could not.  This
would allow one of the systems to continue accepting write
queries after the partition.])

m4_p([dnl
In a 2-site group, Replication Manager reacts to the loss of
communication with the master by assuming the master has crashed: the
surviving client simply declares itself to be master.  Thus it avoids
the problem of the survivor never being able to get enough votes to
prevail.  But it does leave the group vulnerable to the risk of
multiple masters, if both sites are running but cannot communicate.])

m4_p([dnl
These scenarios stress the importance of good network infrastructure in
m4_db replicated environments.  When replicating database environments
over sufficiently lossy networking, the best solution may well be to
pick a single master, and only hold elections when human intervention
has determined the selected master is unable to recover at all.])

m4_page_footer