An increasing number of organizations run applications that depend on
MySQL multi-master replication between remote sites. I have worked on
several such implementations recently. This article summarizes the
lessons from those experiences that seem most useful when deploying
multi-master on existing as well as new applications.
Let's start by defining terms.
Multi-master replication means
that applications update the same tables on different masters, and the
changes replicate automatically between those masters.
Remote sites
mean that the masters are separated by a wide area network (WAN), which
implies high average network latency of 100ms or more. WAN network
latency is also characterized by a
long tail, ranging from seconds due to congestion to hours or even days if a ship runs over the wrong undersea cable.
With the definitions in mind we can proceed to the lessons. The list is
not exhaustive but includes a few insights that may not be obvious if
you are new to multi-master topologies. Also, I have omitted issues
like monitoring replication, using InnoDB to make slaves crash-safe, or
provisioning new nodes. If you use master/slave replication, you are
likely familiar with these topics already.
1. Use the Right Replication Technology and Configure It Properly
The best overall tool for MySQL multi-master replication between sites is
Tungsten.
The main reason for this assertion is that Tungsten uses a flexible,
asynchronous, point-to-point, master/slave replication model that
handles a wide variety of topologies such as star replication or
all-to-all. Even so, you have to configure Tungsten properly. The
following topology is currently my favorite:
- All-to-all topology. Each master replicates directly to
every other master. This handles prolonged network outages or
replication failures well, because one or more masters can drop out
without breaking replication between the remaining masters or requiring
reconfiguration. When the broken master(s) return, replication just
resumes on all sides. All-to-all does not work well if you have a large
number of masters.
- Updates are not logged on slaves. This keeps master binlogs
simple, which is helpful for debugging, and eliminates the possibility
of loops. It also requires some extra configuration if the masters have
their own slaves, as would be the case in a Tungsten Enterprise cluster.
There are many ways to set up multi-master replication replication, and
the right choice varies according to the number of masters, whether you
have local clustering, or other considerations.
Giuseppe Maxia has described many topologies, for example
here, and the Tungsten Cookbook
has even more details.
One approach you should approach with special caution is
MySQL circular replication.
In topologies of three or more nodes, circular replication results in
broken systems if one of the masters fails. Also, you should be wary of
any kind of synchronous multi-master replication across sites that are
separated by more than 50 kilometers (i.e. 1-2ms latency). Synchronous
replication makes a siren-like promise of consistency but the price you
pay is slow performance under normal conditions and broken replication
when WAN links go down.
2. Use Row-Based Replication to Avoid Data Drift
Replication depends on deterministic updates--a transaction that changes
10 rows on the original master should change exactly the same rows when
it executes against a replica. Unfortunately many SQL statements that
are deterministic in master/slave replication are non-deterministic in
multi-master topologies. Consider the following example, which gives a
10% raise to employees in department #35.
UPDATE emp SET salary = salary * 1.1 WHERE dep_id = 35;
If all masters add employees, then the number of employees who actually
get the raise will vary depending on whether such additions have
replicated to all masters. Your servers will very likely become
inconsistent with statement replication. The fix is to enable row-based
replication using
binlog-format=row in my.cnf. Row replication transfers the exact row updates from each master to the others and eliminates ambiguity.
3. Prevent Key Collisions on INSERTs
For applications that use auto-increment keys, MySQL offers a useful
trick to ensure that such keys do not collide between masters using
the auto-increment-increment and auto-increment-offset parameters in
my.cnf. The following example ensures that auto-increment keys start at
1 and increment by 4 to give values like 1, 5, 9, etc. on this server.
server-id=1
auto-increment-offset = 1
auto-increment-increment = 4
This works so long as your applications use auto-increment keys
faithfully. However, any table that either does not have a primary key
or where the key is not an auto-increment field is suspect. You need to
hunt them down and ensure the application generates a proper key that
does not collide across masters, for example using UUIDs or by putting
the server ID into the key. Here is a query on the MySQL information
schema to help locate tables that do not have an auto-increment primary
key.
SELECT t.table_schema, t.table_name
FROM information_schema.tables t
WHERE NOT EXISTS
(SELECT * FROM information_schema.columns c
WHERE t.table_schema = c.table_schema
AND t.table_name = c.table_name
AND c.column_key = 'PRI'
AND c.extra = 'auto_increment')
4. Beware of Semantic Conflicts in Applications
Neither Tungsten nor MySQL native replication can resolve conflicts,
though we are starting to design this capability for Tungsten. You need
to avoid them in your applications. Here are a few tips as you go
about this.
First, avoid obvious conflicts. These include inserting data with the
same keys on different masters (described above), updating rows in two
places at once, or deleting rows that are updated elsewhere. Any of
these can cause errors that will break replication or cause your masters
to become out of sync. The good news is that many of these problems
are not hard to detect and eliminate using properly formatted
transactions. The bad news is that these are the easy conflicts. There
are others that are much harder to address.
For example, accounting systems need to generate unbroken sequences of
numbers for invoices. A common approach is to use a table that holds
the next invoice number and increment it in the same transaction that
creates a new invoice. Another accounting example is reports that need
to read the value of accounts consistently, for example at monthly
close. Neither example works off-the-shelf in a multi-master system
with asynchronous replication, as they both require some form of
synchronization to ensure global consistency across masters. These and
other such cases may force substantial application changes. Some
applications simply do not work with multi-master topologies for this
reason.
5. Remove Triggers or Make Them Harmless
Triggers are a bane of replication. They conflict with row replication
if they run by accident on the slave. They can also create strange
conflicts due to weird behavior/bugs (like
this) or other problems like needing definer accounts present. MySQL native replication turns
triggers off on slaves when using row replication, which is a very nice feature that prevents a lot of problems.
Tungsten on the other hand cannot suppress slave-side triggers. You
must instead alter each trigger to add an IF statement that prevents the
trigger from running on the slave. The technique is
described in the Tungsten Cookbook.
It is actually quite flexible and has some advantages for cleaning up
data because you can also suppress trigger execution on the master.
You should regard all triggers with suspicion when moving to
multi-master. If you cannot eliminate triggers, at least find them,
look at them carefully to ensure they do not generate conflicts, and
test them very thoroughly before deployment. Here's a query to help you
hunt them down:
SELECT trigger_schema, trigger_name
FROM information_schema.triggers;
6. Have a Plan for Sorting Out Mixed Up Data
Master/slave replication has its discontents, but at least sorting out
messed up replicas is simple: re-provision from another slave or the
master. No so with multi-master topologies--you can easily get into a
situation where all masters have transactions you need to preserve and
the only way to sort things out is to track down differences and update
masters directly. Here are some thoughts on how to do this.
- Ensure you have tools to detect inconsistencies. Tungsten has built-in consistency checking with the 'trepctl check' command. You can also use the Percona Toolkit pt-table-checksum
to find differences. Be forewarned that neither of these works
especially well on large tables and may give false results if more than
one master is active when you run them.
- Consider relaxing foreign key constraints. I love foreign
keys because they keep data in sync. However, they can also create
problems for fixing messed up data, because the constraints may break
replication or make it difficult to go table-by-table when synchronizing
across masters. There is an argument for being a little more relaxed
in multi-master settings.
- Switch masters off if possible. Fixing problems is a lot easier if you can quiesce applications on all but one master.
- Know how to fix data. Being handy with SQL is very helpful for fixing up problems. I find SELECT INTO OUTFILE and LOAD DATA INFILE quite
handy for moving changes between masters. Don't forget SET SESSION
LOG_FILE_BIN=0 to keep changes from being logged and breaking
replication elsewhere. There are also various synchronization tools
like pt-table-sync, but I do not know enough about them to make recommendations.
At this point it's probably worth mentioning commercial support. Unless
you are a replication guru, it is very comforting to have somebody to
call when you are dealing with messed up masters. Even better, expert
advice early on can help you avoid problems in the first place.
(Disclaimer:
My company sells support for Tungsten so I'm not unbiased. That said, commercial outfits really earn their keep on problems like this.)
7. Test Everything
Cutting corners on testing for multi-master can really hurt. This
article has described a lot of things to look for, so put together a
test plan and check for them. Here are a few tips on procedure:
- Set up a realistic pre-prod test with production data snapshots.
- Have a way to reset your test environment quickly from a single
master, so you can get back to a consistent state to restart testing.
- Run tests on all masters, not just one. You never know if things are properly configured everywhere until you try.
- Check data consistency after tests. Quiesce your applications and run a consistency check to compare tables across masters.
It is tempting to take shortcuts or slack off, so you'll need to find
ways to improve your motivation. If it helps, picture yourself
explaining to the people you work for why your DBMS servers have
conflicting data with broken replication, and the problem is getting
worse because you cannot take applications offline to fix things. It is
a lot easier to ask for more time to test. An even better approach is
to hire great QA people and give them time to do the job right.
Summary
Before moving to a multi-master replication topology you should ask
yourself whether the trouble is justified. You can get many of the
benefits of multi-master with
system-of-record architectures with
a lot less heartburn. That said, an increasing number of applications
do require full multi-master across multiple sites. If you operate one
of them, I hope this article is helpful in getting you deployed or
improving what you already have.
Tungsten does a pretty good job of multi-master replication already, but
I am optimistic we can make it much better. There is a wealth of
obvious features around conflict resolution, data repair, and up-front
detection of problems that will make life better for Tungsten users and
reduce our support load. Plus I believe we can make it easier for
developers to write applications that run on multi-master DBMS
topologies. You will see more about how we do this in future articles
on this blog.