Deuxfleurs/garage
37
58
Fork 76
Code Issues 102 Pull requests 17 Releases 30 Wiki Activity

Durability Concerns Regarding Disk Failure in Multi-Datacenter Deployments #890

New issue
Closed
opened 2024-10-20 09:55:50 +00:00 by hooloovoo · 6 comments
hooloovoo commented 2024-10-20 09:55:50 +00:00
Copy link

I am trying to better understand the durability design of GarageHQ.

According to the documentation, it is recommended to run on raw HDDs without RAID, using XFS. However, I have concerns about the following scenario:

  1. Assume we have 3 datacenters, each with 20 disks. And GarageHQ try best to distribute data across disks evenly.
  2. The replication factor is set to 3, meaning each datacenter holds a copy of the data.
  3. If a single disk fails simultaneously in each datacenter (1/20 failure rate in each), this could lead to some permanent data loss.
  4. As the number of disks increases, the likelihood of multiple simultaneous failures also grows linearly, increasing the risk of data loss.

Is this assumption correct? If so, would it be more advisable to recommend a deployment on ZFS Z2 for added resilience, rather than relying on raw HDDs?

Thank you for your insights!

I am trying to better understand the durability design of GarageHQ. According to the documentation, it is recommended to run on raw HDDs without RAID, using XFS. However, I have concerns about the following scenario: 1. Assume we have 3 datacenters, each with 20 disks. And GarageHQ try best to distribute data across disks evenly. 2. The replication factor is set to 3, meaning each datacenter holds a copy of the data. 3. If a single disk fails simultaneously in each datacenter (1/20 failure rate in each), this could lead to some permanent data loss. 4. As the number of disks increases, the likelihood of multiple simultaneous failures also grows linearly, increasing the risk of data loss. Is this assumption correct? If so, would it be more advisable to recommend a deployment on ZFS Z2 for added resilience, rather than relying on raw HDDs? Thank you for your insights!
kirick commented 2024-10-23 12:04:24 +00:00
Copy link

I think the issue might be with the replication factor. As the amount of data grows, it’s not enough to simply add more disks to resolve your concerns. You also need to scale up the number of servers in the cluster, otherwise the risk of failure remains.

I feel like increasing the replication factor — to 5 or even 7 — would be a better way to improve durability as your dataset grows. If you have the option to add more servers, this could be fine. But if you're limited in how many servers you can run and can only add more disks, then yeah, it might make sense to go against the devs recommendation and still consider RAID to protect against multiple disk failures.

I think the issue might be with the replication factor. As the amount of data grows, it’s not enough to simply add more disks to resolve your concerns. You also need to scale up the number of servers in the cluster, otherwise the risk of failure remains. I feel like increasing the replication factor — to 5 or even 7 — would be a better way to improve durability as your dataset grows. If you have the option to add more servers, this could be fine. But if you're limited in how many servers you can run and can only add more disks, then yeah, it might make sense to go against the devs recommendation and still consider RAID to protect against multiple disk failures.
maximilien commented 2024-10-31 12:26:38 +00:00
Owner
Copy link

It all depends on your durability target. For a simple 3 site deployment with replica set to 3, we feel like it's interesting to use the disks as is, so you can lose any disks in one zone without actual data loss (akin to raid5). If your number of disks or zone increases, then you might have to increase the number of replicas and/or use some kind of redundancy, in the same way that no one would recommend doing a raid5 stripped over 12 disks.

It all depends on your durability target. For a simple 3 site deployment with replica set to 3, we feel like it's interesting to use the disks as is, so you can lose any disks in one zone without actual data loss (akin to raid5). If your number of disks or zone increases, then you might have to increase the number of replicas and/or use some kind of redundancy, in the same way that no one would recommend doing a raid5 stripped over 12 disks.
maximilien commented 2024-10-31 12:30:44 +00:00
Owner
Copy link

To be clear we don't discourage you to run garage on a RAID data pool (be it mdadm, Btrfs, zfs or hardware raid), we simply feel like you should give a though to the resiliency afforded by the geo-distributed replicas first, and leverage local resiliency if needed. I would also say that local resiliency is suggested for metadata folders, and that it can be somewhat easier to deal with hardware failures on a RAID volume rather than deal with the consequences of a dead disk with an actively used filesystem on time (you'll very likely have to restart the server to make the kernel happy).

To be clear we don't discourage you to run garage on a RAID data pool (be it mdadm, Btrfs, zfs or hardware raid), we simply feel like you should give a though to the resiliency afforded by the geo-distributed replicas first, and leverage local resiliency if needed. I would also say that local resiliency _is_ suggested for metadata folders, and that it can be somewhat easier to deal with hardware failures on a RAID volume rather than deal with the consequences of a dead disk with an actively used filesystem on time (you'll very likely have to restart the server to make the kernel happy).
hooloovoo commented 2024-11-01 16:49:46 +00:00
Author
Copy link

Thank you for clarifying the durability model. It seems that GarageHQ’s durability approach resembles a RAID-10 configuration, with each datacenter functioning like a RAID-0 set while the replication across datacenters acts as a “mirrored” layer.

Without internal redundancy (RAID-1 or RAID-Z2) within each datacenter, simultaneous disk failures across datacenters could result in data loss, especially when disks grows.

If erasure coding is not planned, increasing the replication factor for large datasets could be a solution, but this does have substantial resource costs. In this case, it might be beneficial to provide guidance or documentation noting that each datacenter essentially behaves like a RAID-0, with the implications for durability decrease as disk count scales.

I think one approach that could help would be to implement parameters like rack or max-strip-disks that define a maximum strip size (e.g., maybe limit to 3/6 disks) within each datacenter. This would enable configurations where data is only striped across a limited number of disks per bucket, reducing exposure to failures. This would help maintain durability even as the disk count grows, allowing users to manage risk more effectively.

Thank you for clarifying the durability model. It seems that GarageHQ’s durability approach resembles a RAID-10 configuration, with each datacenter functioning like a RAID-0 set while the replication across datacenters acts as a “mirrored” layer. Without internal redundancy (RAID-1 or RAID-Z2) within each datacenter, simultaneous disk failures across datacenters could result in data loss, especially when disks grows. If erasure coding is not planned, increasing the replication factor for large datasets could be a solution, but this does have substantial resource costs. In this case, it might be beneficial to provide guidance or documentation noting that **each datacenter essentially behaves like a RAID-0**, with the implications for durability decrease as disk count scales. I think one approach that could help would be to implement parameters like rack or max-strip-disks that define a maximum strip size (e.g., maybe limit to 3/6 disks) within each datacenter. This would enable configurations where data is only striped across a limited number of disks per bucket, reducing exposure to failures. This would help maintain durability even as the disk count grows, allowing users to manage risk more effectively.
maximilien commented 2024-11-02 19:47:45 +00:00
Owner
Copy link

Thank you for clarifying the durability model. It seems that GarageHQ’s durability approach resembles a RAID-10 configuration, with each datacenter functioning like a RAID-0 set while the replication across datacenters acts as a “mirrored” layer.

Yes and no: because the data is chunked and not stripped, losing a disk on a site doesn't incur the same penalty as a raid0 would: the disk can be replaced and the lost blocks can be recovered from other sites relatively quickly, because only that disk need to be rebuilt.
The node is also able to serve blocks from other disks. The loss of a disk is hence significantly less impactful than losing a disk in a large stripped array, so the number of disk on a node is not that impactful.

Garage was also built for heavily geo-distributed systems, think small nodes with a handful of disks each, not to compete with existing softwares (minio, ceph...) in datacenter-rack deployements where you have nodes with 6+ disks and are looking at efficiency (ie. getting the most storage for you money).

> Thank you for clarifying the durability model. It seems that GarageHQ’s durability approach resembles a RAID-10 configuration, with each datacenter functioning like a RAID-0 set while the replication across datacenters acts as a “mirrored” layer. Yes and no: because the data is chunked and not stripped, losing a disk on a site doesn't incur the same penalty as a raid0 would: the disk can be replaced and the lost blocks can be recovered from other sites relatively quickly, because _only that disk need to be rebuilt_. The node is also able to serve blocks from other disks. The loss of a disk is hence significantly less impactful than losing a disk in a large stripped array, so the number of disk on a node is not that impactful. Garage was also built for heavily geo-distributed systems, think small nodes with a handful of disks each, not to compete with existing softwares (minio, ceph...) in datacenter-rack deployements where you have nodes with 6+ disks and are looking at efficiency (ie. getting the most storage for you money).
maximilien commented 2024-11-19 22:35:31 +00:00
Owner
Copy link

Closing for now as the questions has been answered

Closing for now as the questions has been answered
maximilien added the
scope
documentation
 label 2024-11-19 22:36:25 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
naersk
crate2nix
update-quickstart-docs-layout-apply
next-v2
update-dependencies-1.1
feat-metrics-metadata-engine
improve-secret-error-message
hotfix/1.0.0-rc1-red-ftr-wquorum
main-0.9.x
db-no-unsafe
main-0.8.x
k2v/shared_http_client
feat/website-redir
smithy2
test/compilation
poc/nomad-ci
test-ci-wait
pnet_datalink-0.33.0
optimal-layout
k2v-watch-range
db-debug-log
build-convert-db
demonstrate-cargo2nix-bug
dangerous/no-fsync
dev0.7.3
doc/benchmarks
bug/check_static
bucket-cors-more
storage-optimizations
old-main
v1.0.1
v1.0.0
v0.9.4
v1.0.0-rc1
v0.8.7
v0.9.3
v0.9.2
v0.8.6
v0.9.2-rc1
v0.9.1
v0.8.5
v0.10.0-beta1
v0.9.0
v0.9.0-rc2
v0.9.0-rc1
v0.9.0-beta4
v0.9.0-beta3
v0.9.0-beta2
v0.8.4
v0.9.0-beta1
v0.8.3
v0.8.3-rc1
format_table-v0.1.1
format_table-v0.1.0
v0.8.2
v0.8.1
v0.8.0
v0.8.0-rc2
v0.8.0-rc1
v0.8.0-dangerous-no-fsync
v0.8.0-beta2-k2v
v0.8.0-beta2
v0.8.0-beta1-k2v
v0.8.0-beta1
v0.7.99.3-k2v
v0.7.3
v0.7.3-beta2
v0.7.3-beta1
v0.7.2.1
v0.7.2
v0.7.2_ci-test-2
v0.7.2+ci-test-version
v0.7.99.2-k2v
v0.7.99.1-k2v
v0.7.99-k2v
v0.7.2-k2v
v0.7.1-admin-k2v-2
v0.7.1-admin-k2v
v0.7.1-k2v
v0.7.1
v0.7.0
v0.7.0-rc1
v0.6.1
v0.6.0
v0.6.0-rc1
v0.5.1
v0.5.0.1
v0.5.0
v0.5-beta1
v0.4.0
v0.4-rc2
v0.4-rc1
0.4-beta
0.4-alpha
v0.3.0.2
v0.3.0.1
v0.3.0
v0.2.1.5
v0.2.1
v0.2.0
0.1.1b
0.1.1
0.1.0b
0.1.0
Labels
Clear labels   
action
check-aws
The behaviour should be checked against AWS S3

  
action
discussion-needed
We need to discuss if the feature is desirable and/or better specify the envisioned behavior or technical implementation

  
action
for-external-contributors
Core team does not plan working on this in the near future however an external contribution will be reviewed & merged

  
action
for-newcomers
An issue that should be newcomer friendly.

  
action
more-info-needed
More information is needed to investigate this issue

  
action
need-funding
This issue represents lots of work, we need to find money to pay our core team work

  
action
triage-required
It's not very clear what we want to do with this issue yet, more thoughts is required

  
kind
correctness
Issues of theoretical correctness that may impact edge-case scenarios

  
kind
ideas
For abstract ideas/proposal to make Garage better, to better communicate our not yet achieved aims

  
kind
improvement
Feature requests that do not fall in other categories

  
kind
performance
Deceptive performance observed OR idea to improve performances

  
kind
testing
Functional tests, integration tests, Jepsen, etc.

  
kind
usability
Propositions to make Garage easier to operate, by improving error reporting, CLI, etc.

  
kind
wrong-behavior
Unintended behavior

  
prio
critical
Could impact integrity or availability of production clusters

  
prio
low
For issues that we don't want to spend time on until made absolutely necessary

  
scope
admin-api
Issues concerning the administration API

  
scope
background-healing
Background healing covers repair tasks, anti-entropy, merkle trees, etc. ; everything related to replicating data appropriately.

  
scope
build
Issues with Nix, Drone, Rust Compiler, etc.

  
scope
documentation

  
scope
k8s
Kubernetes related, including Helm Charts

  
scope
layout
Linked to the cluster layout and storage management

  
scope
metadata
Metadata Engine (LMDB, sqlite, etc.)

  
scope
ops
Operations related to operations/maintenance issue, tooling related (like CLI missing info ; impossible, too dangerous, too complicated migration, etc.)

  
scope
rpc
Linked to RPC

  
scope
s3-api
Related to the S3 API (especially compatibility issues).

  
scope
security
Cryptography-related, auth-related, authorization-related issues

  
scope
telemetry
OpenTelemetry (traces, metrics, etc.)

No labels
action
check-aws
action
discussion-needed
action
for-external-contributors
action
for-newcomers
action
more-info-needed
action
need-funding
action
triage-required
kind
correctness
kind
ideas
kind
improvement
kind
performance
kind
testing
kind
usability
kind
wrong-behavior
prio
critical
prio
low
scope
admin-api
scope
background-healing
scope
build
scope
documentation
scope
k8s
scope
layout
scope
metadata
scope
ops
scope
rpc
scope
s3-api
scope
security
scope
telemetry
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Deuxfleurs/garage#890
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?