parallelvirtualcluster
/
pvc
1
0
Fork 0
Code Issues 15 Pull Requests Projects Releases 106 Wiki Activity

Add cluster peering for DR/replication #169

New Issue
Open
opened 2023-11-26 03:11:17 -05:00 by joshuaboniface · 3 comments
joshuaboniface commented 2023-11-26 03:11:17 -05:00
Owner
Copy Link

Add the ability to do cross-cluster asynchronous replication/DR.

The original plans in #122 were for synchronous replication. The problem there is sheer complexity, requiring numerous daemons to be running on both sides.

However, time-based asynchronous replication is much more feasible: we already have most of the scaffolding in place with VM backups in recent versions, so most of the remaining work would be in handling the "VM" part of it in a more consistent way.

I'm envisioning a new "replica" state for VMs, which allows them to be tracked on the remote side. For the storage, there can be backup-like full or incremental sends on regular schedules or on manual intervention, which then can be used to bring VMs online on the remote side after stopping them (or, them being stopped by a disaster) on the source side.

Part of implementing this would be to move the existing backup/autobackup/restore functionality out of the CLI client and into Celery workers, which then also eliminates the need for the triggering commands to run on the primary coordinator. This will also allow this to be tracked a bit more nicely (likely in Postgres rather than Zookeeper), which will improve the backup system as well. The choice could then be to write "backups" out to either disk images (as they are now) or to remote clusters.

The main complexity would be the ability of the second cluster to receive the inputs: this is going to bring in some API-to-API communication that does not currently exist, but shouldn't be too hard.

Adding to the 1.0 milestone as this would be a very nice feature to have for that release.

Add the ability to do cross-cluster asynchronous replication/DR. The original plans in #122 were for synchronous replication. The problem there is sheer complexity, requiring numerous daemons to be running on both sides. However, time-based asynchronous replication is much more feasible: we already have most of the scaffolding in place with VM backups in recent versions, so most of the remaining work would be in handling the "VM" part of it in a more consistent way. I'm envisioning a new "replica" state for VMs, which allows them to be tracked on the remote side. For the storage, there can be backup-like full or incremental sends on regular schedules or on manual intervention, which then can be used to bring VMs online on the remote side after stopping them (or, them being stopped by a disaster) on the source side. Part of implementing this would be to move the existing backup/autobackup/restore functionality out of the CLI client and into Celery workers, which then also eliminates the need for the triggering commands to run on the primary coordinator. This will also allow this to be tracked a bit more nicely (likely in Postgres rather than Zookeeper), which will improve the backup system as well. The choice could then be to write "backups" out to either disk images (as they are now) or to remote clusters. The main complexity would be the ability of the second cluster to receive the inputs: this is going to bring in some API-to-API communication that does not currently exist, but shouldn't be too hard. Adding to the 1.0 milestone as this would be a very nice feature to have for that release.
joshuaboniface added this to the 1.0 milestone 2023-11-26 03:11:17 -05:00
joshuaboniface added the
Client
Daemon
feature
 labels 2023-11-28 16:48:07 -05:00
joshuaboniface commented 2024-04-26 00:18:08 -04:00
Author
Owner
Copy Link

Thoughts - the core scaffolding shouldn't be too difficult here.

  1. We need to introduce the notion of peer clusters. A cluster can have exactly one peer, bidirectional. Peers exchange information about their capabilities and resources (VMs, networks, etc.) and establish a VPN connection on port 7373. Perhaps bi-directional Wireguard instances with one-way routes? Will need some investigation there as I don't really want any one side to be a "leader" per se.

  2. We must move backups/autobackups into the pvcworkerd workers as planned.

  3. We add the ability to export a backup to the peer node. The system would handle the logic of creating receiving disks and performing the RBD export/import over the VPN connection, defining the VM in a custom state (replica?) on the peer, and handling snapshot logic.

  4. At this point we have a POC of this issue, but we could then look into extending this to synchronous replication as well.

The main problem is testing and validating assumptions as I need two clusters to work with. Will have to investigate the feasibility of this.

Thoughts - the core scaffolding shouldn't be too difficult here. 1. We need to introduce the notion of peer clusters. A cluster can have exactly one peer, bidirectional. Peers exchange information about their capabilities and resources (VMs, networks, etc.) and establish a VPN connection on port 7373. Perhaps bi-directional Wireguard instances with one-way routes? Will need some investigation there as I don't really want any one side to be a "leader" per se. 2. We must move backups/autobackups into the `pvcworkerd` workers as planned. 3. We add the ability to export a backup to the peer node. The system would handle the logic of creating receiving disks and performing the RBD export/import over the VPN connection, defining the VM in a custom state (`replica`?) on the peer, and handling snapshot logic. 4. At this point we have a POC of this issue, but we could then look into extending this to synchronous replication as well. The main problem is testing and validating assumptions as I need two clusters to work with. Will have to investigate the feasibility of this.
joshuaboniface changed title from Add asynchronous cross-cluster replication/DR to Add cluster peering for DR/replication 2024-04-26 00:19:27 -04:00
joshuaboniface commented 2024-05-03 01:58:03 -04:00
Author
Owner
Copy Link

More digging has revealed that this current plan is not possible using Wireguard as long as we support Debian 10, since Wireguard packages are not available for Debian 10. This would leave only OpenVPN, who's performance characteristics are suboptimal, and I would not like to go down the suboptimal route just for that legacy support.

The alternative is to drop Debian 10, which would be prudent, but would require work from a practical side as numerous deployed clusters use Debian 10. This would have to be done first and Debian 10 support officially dropped before this plan could proceed.

More digging has revealed that this current plan is not possible using Wireguard as long as we support Debian 10, since Wireguard packages are not available for Debian 10. This would leave only OpenVPN, who's performance characteristics are suboptimal, and I would not like to go down the suboptimal route just for that legacy support. The alternative is to drop Debian 10, which would be prudent, but would require work from a practical side as numerous deployed clusters use Debian 10. This would have to be done first and Debian 10 support officially dropped before this plan could proceed.
joshuaboniface commented 2024-08-20 23:30:30 -04:00
Author
Owner
Copy Link

With the implementation of snapshot import/export functionality in #185, much of the scaffolding for this is now in place.

The current plan is to implement a pvc vm snapshot send command, which will take a peer cluster as an argument. The command will handle all aspects of sending the VM to the peer, exporting the RBD images and VM configuration via the API to the peer cluster. No work will be needed on the destination. These sends can be, like pvc vm snapshot export commands, either full or incremental. On the peer, the VM would be in the special replica state, to denote that it is a snapshot replica.

This completely removes the need for any sort of persistence in the connectivity, or any running long-term process on either side. I do believe that some sort of tunnel between the two clusters is ideal for the RBD send, but will try a few different implementations to see how well they work.

Since snapshots are already crash-consistent, as long as the snapshot send is recent enough, failover would be as simple as bringing up the VM on the destination.

For DR purposes, it would be important to ensure the VM won't start back up on the source cluster, so that would have to be carefully controlled, but I believe this would be rare enough an event that manual intervention would certainly be required.

For migration purposes, this works well to keep downtime minimal: a full snapshot can be sent, the VM stopped on the source, a final incremental sent, and then the VM started on the peer. This could also be automatically integrated with a command like pvc vm cluster-move.

Currently all this is planned for version 0.9.100.

With the implementation of snapshot import/export functionality in #185, much of the scaffolding for this is now in place. The current plan is to implement a `pvc vm snapshot send` command, which will take a peer cluster as an argument. The command will handle all aspects of sending the VM to the peer, exporting the RBD images and VM configuration via the API to the peer cluster. No work will be needed on the destination. These sends can be, like `pvc vm snapshot export` commands, either full or incremental. On the peer, the VM would be in the special `replica` state, to denote that it is a snapshot replica. This completely removes the need for any sort of persistence in the connectivity, or any running long-term process on either side. I do believe that some sort of tunnel between the two clusters is ideal for the RBD send, but will try a few different implementations to see how well they work. Since snapshots are already crash-consistent, as long as the snapshot send is recent enough, failover would be as simple as bringing up the VM on the destination. For DR purposes, it would be important to ensure the VM won't start back up on the source cluster, so that would have to be carefully controlled, but I believe this would be rare enough an event that manual intervention would certainly be required. For migration purposes, this works well to keep downtime minimal: a full snapshot can be sent, the VM stopped on the source, a final incremental sent, and then the VM started on the peer. This could also be automatically integrated with a command like `pvc vm cluster-move`. Currently all this is planned for version 0.9.100.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
snapshot-send
v0.9.100
v0.9.99
v0.9.98
v0.9.97
v0.9.96
v0.9.95
v0.9.94
v0.9.93
v0.9.92
v0.9.91
v0.9.90
v0.9.89
v0.9.88
v0.9.87
v0.9.86
v0.9.85
v0.9.84
v0.9.83
v0.9.82
v0.9.81
v0.9.80
v0.9.79
v0.9.78
v0.9.77
v0.9.76
v0.9.75
v0.9.74
v0.9.73
v0.9.72
v0.9.71
v0.9.70
v0.9.69
v0.9.68
v0.9.67
v0.9.66
v0.9.65
v0.9.64
v0.9.63
v0.9.62
v0.9.61
v0.9.60
v0.9.59
v0.9.58
v0.9.57
0.9.56
v0.9.55
v0.9.54
v0.9.53
v0.9.52
v0.9.51
v0.9.50
v0.9.49
v0.9.48
v0.9.47
v0.9.46
v0.9.45
v0.9.44
v0.9.43
v0.9.42
v0.9.41
v0.9.40
v0.9.39
v0.9.38
v0.9.37
v0.9.36
v0.9.35
v0.9.34
v0.9.33
v0.9.32
v0.9.31
v0.9.30
v0.9.29
v0.9.28
v0.9.27
v0.9.26
v0.9.25
v0.9.24
v0.9.23
v0.9.22
v0.9.21
v0.9.20
v0.9.19
v0.9.18
v0.9.17
v0.9.16
v0.9.15
v0.9.14
v0.9.13
v0.9.12
v0.9.11
v0.9.10
v0.9.9
v0.9.8
v0.9.7
v0.9.6
v0.9.5
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
list
v0.8-1
v0.8
v0.7
v0.6
v0.5
v0.3
Labels
Clear labels   
API

   
blocked

Issue blocked by another issue

  
bug

   
CLI

   
Client

Issues abut the client frontends

  
Daemon

Issues abut the node daemon

  
debt

Technical debt that should be investigated or cleaned up

  
documentation

   
feature

   
improvement
No Label
API
blocked
bug
CLI
Client
Daemon
debt
documentation
feature
improvement
Milestone
Clear milestone
No items
No Milestone
1.0
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: parallelvirtualcluster/pvc#169
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?