|
A replica set has at most one primary at a given time. If a majority of the set is up, the most up-to-date secondary will be elected primary. If a majority of the set is not up or reachable, no member will be elected primary. There is no way to tell (from the set's point of view) the difference between a network partition and nodes going down, so members left in a minority will not attempt to become master (to prevent a set from ending up with masters on either side of a partition). This means that, if there is no majority on either side of a network partition, the set will be read only (thus, we suggest an odd number of servers: e.g., two servers in one data center and one in another). The upshot of this strategy is that data is consistent: there are no multi-master conflicts to resolve. There are several important concepts concerning data integrity with replica sets that you should be aware of: 1. A write is (cluster-wide) committed once it has replicated to a majority of members of the set.For important writes, the client should request acknowledgement of this with a getLastError({w:...}) call. (If you do not call getLastError, the servers do exactly the same thing; the getlasterror call is simply to get confirmation that committing is finished.) 2. Queries in MongoDB and replica sets have "READ UNCOMMITTED" semantics.Writes which are committed at the primary of the set may be visible before the cluster-wide commit completes. The read uncommitted semantics (an option on many databases) are more relaxed and make theoretically achievable performance and availability higher (for example we never have an object locked in the server where the locking is dependent on network performance). 3. On a failover, if there are writes which have not replicated from the primary, the writes are rolled back. Thus we use getlasterror as in #1 above when we need to confirm a cluster-wide commit.The data is backed up to files in the rollback directory, although the assumption is that in most cases this data is never recovered as that would require operator intervention. However, it is not "lost," it can be manually applied at any time with mongorestore. RationaleMerging back old operations later, after another node has accepted writes, is a hard problem. One then has multi-master replication, with potential for conflicting writes. Typically that is handled in other products by manual version reconciliation code by developers. We think that is too much work : we want MongoDB usage to be less developer work, not more. Multi-master also can make atomic operation semantics problematic. It is possible (as mentioned above) to manually recover these events, via manual DBA effort, but we believe in large system with many, many nodes that such efforts become impractical. CommentsSome drivers support 'safe' write modes for critical writes. For example via setWriteConcern in the Java driver. Additionally, defaults for { w : ... } parameter to getLastError can be set in the replica set's configuration. Note a call to getLastError will cause the client to have to wait for a response from the server. This can slow the client's throughput on writes if large numbers are made because of the client/server network turnaround times. Thus for "non-critical" writes it often makes sense to make no getLastError check at all, or only a single check after many writes. See Also |
PLEASE POST QUESTIONS IN THE USER GROUPS FORUM. Post non-question comments and helpful hints here.
blog comments powered by Disqus