Resiliency and Fault Tolerance

In this section, we will walk through different types of failure scenarios and discuss how MicroRaft handles each one of them. We will use MicroRaft's local testing utilities to demonstrate those failure scenarios. These utilities are mainly used for testing MicroRaft to a great extent without a distributed setting. Here, we will use them to run a Raft group in a single JVM process and inject different types of failures into the system.

In terms of safety, the fundamental guarantee of the Raft consensus algorithm and hence MicroRaft is, operations are committed in a single global order, and a committed operation is never lost, as long as there is no Byzantine failure in the system. In MicroRaft, restarting a Raft node that has no persistence layer with the same identity or restarting it with a corrupted persistence state are examples of Byzantine failure.

The availability of a Raft group mainly depends on if the majority (i.e., more than half) of the Raft nodes are alive and able to communicate with each other. The main rule is, 2f + 1 Raft nodes tolerate failure of f Raft nodes. For instance, a 3-node Raft group can tolerate failure of 1 Raft node, or a 5-node Raft group can tolerate failure of 2 Raft nodes without losing availability.

1. Handling high system load

Even if the majority of a Raft group is alive, we may encounter unavailability issues if the Raft group is under high load and cannot keep up with the request rate. In this case, the leader Raft node temporarily stops accepting new requests and notifies the futures returned from the RaftNode methods with CannotReplicateException. This exception means that there are too many operations pending to be committed in the leader's local Raft log, or too many queries pending to be executed, so it temporarily rejects accepting new requests. Clients should apply some backoff before retrying their requests.

We will demonstrate this scenario in a test below with a 3-node Raft group. In MicroRaft, a leader does not replicate log entries one by one. Instead, it keeps a buffer for incoming requests and replicates the log entries to the followers in batches in order to improve the throughput. Once this buffer is filled up, the leader stops accepting new requests. In this test, we allow the pending log entries buffer to keep at most 10 requests. We also slow down our followers synthetically by making them sleep for 3 seconds. Then, we start sending requests to the leader. After some time, our requests fail with CannotReplicateException.

To run this test on your machine, try the following:

$ gh repo clone MicroRaft/MicroRaft
$ cd MicroRaft && ./mvnw clean test -Dtest=io.microraft.faulttolerance.HighLoadTest -DfailIfNoTests=false -Ptutorial

You can also see it in the MicroRaft Github repository.


2. Minority failure

Failure of the minority (i.e, less than half) may cause the Raft group to lose availability temporarily, but eventually the Raft group continues to accept and commit new requests. If we have a persistence implementation (i.e, RaftStore), we can recover failed Raft nodes. On the other hand, if we don't have persistence or cannot recover the persisted Raft data, we can remove failed Raft nodes from the Raft group. Please note that when we remove a Raft node from a Raft group, the majority quorum size is re-calculated based on the new size of the Raft group. In order to replace a non-recoverable Raft node without hurting the overall availability of the Raft group, we should remove the crashed Raft node first and then add a fresh-new one.

If Raft nodes are created without an actual RaftStore implementation in the beginning, restarting crashed Raft nodes with the same Raft endpoint identity breaks the safety of the Raft consensus algorithm. Therefore, when there is no persistence layer, the only recovery option for a failed Raft node is to remove it from the Raft group, which is possible only if the majority of the Raft group is up and running.

To restart a crashed or terminated Raft node, we can read its persisted state into a RestoredRaftState object. Then, we can use this object to restore the Raft node back. Please note that terminating a Raft node manually without a persistence layer implementation is equivalent to a crash since there is no way to restore the Raft node back with its Raft state.

MicroRaft provides a basic in-memory RaftStore implementation to enable crash-recovery testing. In the following code sample, we use this utility, i.e., InMemoryRaftStore, to demonstrate how to recover from Raft node failures.

To run this test on your machine, try the following:

$ gh repo clone MicroRaft/MicroRaft
$ cd MicroRaft && ./mvnw clean test -Dtest=io.microraft.faulttolerance.RestoreCrashedRaftNodeTest -DfailIfNoTests=false -Ptutorial

You can also see it in the MicroRaft Github repository.

This time we provide a factory object to enable LocalRaftGroup to create InMemoryRaftStore objects while configuring our Raft nodes. Hence, after we terminate our Raft nodes, we will be able to read their persisted state. Once we start the Raft group, we commit a value via the leader, observe that value with a local query on a follower, and crash a follower. Then, we read its persisted state via our InMemoryRaftStore object and restore the follower back. Please ignore the details of RaftTestUtils.getRestoredState() and RaftTestUtils.getRaftStore(). Once the follower starts running again, it talks to the other Raft nodes, discovers the current leader Raft node and its commit index, and replays all committed operations on its state machine.

Our sysout lines in this test print the following:

replicate result: value, commit index: 1
monotonic local query successful on follower. query result: value, commit index: 1
monotonic local query successful on restarted follower. query result: value, commit index: 1

When a Raft node starts with a restored Raft state, it discovers the current commit index and replays the Raft log, i.e., automatically applies all the log entries up to the commit index. We should be careful about operations that have side effects because the Raft log replay process triggers those side effects again. Please refer to the State Machine for more details.


3. Raft leader failure

When a leader Raft node fails, the Raft group temporarily loses availability until the other Raft nodes notice the failure and elect a new leader. Delay of the detection of the leader's failure depends on the leader heartbeat timeout configuration. Please refer to the Configuration section to learn more about the leader election timeout and leader heartbeat timeout configuration parameters.

If a client notices that the current leader is not responding, it can contact other Raft nodes in the Raft group in a round-robin fashion and query the leader via the RaftNode.getReport() API. If the leader actually crashes, the followers eventually notice its failure and elect a new leader. Then, our client will be able to discover the new leader Raft endpoint via this API. However, if a client cannot communicate with an alive leader because of an environmental issue, such as a network problem, it cannot replicate new operations, or run QueryPolicy.LINEARIZABLE and QueryPolicy.LEADER_LOCAL queries. It means that the Raft group is unavailable for this particular client. This is due to MicroRaft's simplicity-oriented design philosophy. In MicroRaft, when a follower Raft node receives an API call that requires the leadership role, it does not internally forward the call to the leader Raft node. Instead, it fails the call with NotLeaderException. Please note that this mechanism can be also used for leader discovery. When a client needs to discover the leader, it can try talking to any Raft node. If its call fails with NotLeaderException, the client can check if the exception points the current leader Raft endpoint via NotLeaderException.getLeader(). Otherwise, it can try the same with another Raft node.

If a Raft leader crashes before a client receives response for an operation passed to RaftNode.replicate(), there are multiple possibilities:

  • If the leader failed before replicating the operation to any follower, then the operation certainly won't be committed.

  • If the failed leader replicated the operation to at least one follower, then the operation might be committed if a follower having that operation becomes leader. However, another follower could become the new leader and overwrite that operation if it was not replicated to the majority by the crashed leader.

  • The good thing about queries is, they are idempotent. Clients can safely retry their queries on the new leader.

It is up to the client to retry an operation whose result is not received, because a retry could cause the operation to be committed twice based on the actual failure scenario. MicroRaft goes for simplicity and does not employ deduplication (I have plans to implement an opt-in deduplication mechanism in future). If deduplication is needed, it can be done inside StateMachine implementations for now.

We will see the second scenario described above in a code sample. In the following test, we replicate an operation via the Raft leader, but block the responses sent back from the followers. Even though the leader managed to replicate our operation to the majority, it is not able to commit it because it couldn't learn that the followers also appended this operation to their logs. At this step, we crash the leader. We won't get any response for our operation now since the leader is gone, so we will just re-replicate it with the new leader. The thing is, the previous leader managed to replicate our first operation to the majority, so the new leader will commit it. Since we replicate it for the second time with the new leader, we cause a duplicate commit. When we query the new leader, we see that there are 2 values applied to the state machine.

To run this test on your machine, try the following:

$ gh repo clone MicroRaft/MicroRaft
$ cd MicroRaft && ./mvnw clean test -Dtest=io.microraft.faulttolerance.RaftLeaderFailureTest -DfailIfNoTests=false -Ptutorial

You can also see it in the MicroRaft Github repository.

Another trick could be designing our operations in an idempotent way and retry them automatically on leader failures, because duplicate commits do not make any harm for idempotent operations. However, it is not very easy to make every type of operation idempotent.


4. Majority failure

Failure of the majority causes the Raft group to lose its availability and stop handling new requests. The only recovery option is to recover some of failed Raft nodes so that the majority becomes available again. Otherwise, the Raft group cannot be recovered. MicroRaft does not support any unsafe recovery policy for now.

The duration of unavailability depends on how long the majority Raft nodes remain crashed. Clients won't be able to replicate any new operations or run linearizable queries in the meantime. However, we can still run local queries because QueryPolicy.EVENTUAL_CONSISTENCY does not require availability of the majority.

In MicroRaft, on each heartbeat tick a leader Raft node checks if it is still in charge, i.e, it has received Append Entries RPC responses from majority quorum size - 1 (majority quorum size minus the leader itself) in the last leader heartbeat timeout period. For instance, in a 3-node Raft group with 5 seconds of leader heartbeat timeout, a Raft leader keeps its leadership role as long as at least 1 follower has sent an Append Entries RPC response in the last 5 seconds. Otherwise, the leader Raft node demotes itself to the follower role and fails pending (i.e., locally appended but not yet committed) operations with IndeterminateStateException. This behaviour is due to the asynchronous nature of distributed systems. When the leader cannot get Append Entries RPC responses from some of its followers, it may not accurately decide if those followers are actually crashed, or just temporarily unreachable. If those unresponsive followers are actually alive and can form the majority, they can also elect a new leader among themselves and commit operations replicated by the previous leader. Hence, MicroRaft takes a defensive approach here and makes a leader Raft node step down from the leadership role.

It is up to the client to retry an operation which is notified with IndeterminateStateException, because a retry could cause the operation to be committed twice. MicroRaft goes for simplicity and does not employ deduplication (I have plans to implement an opt-in deduplication mechanism in future). If deduplication is needed, it can be done inside StateMachine implementations for now.

We will see another code sample to demonstrate how to restore from majority failure. In this part we use the InMemoryRaftStore utility we used in RestoreCrashedRaftNodeTest above. We start a 3-node Raft group, commit an operation, and terminate both of our 2 followers. Then, we try to replicate a new operation. However, in a few seconds the leader will notice that it has not received Append Entries RPC responses from the majority and step down from the leadership role. Because of that, it will also fail our operation with IndeterminateOperationStateException. Since it is a follower now, it will directly reject new RaftNode.replicate() calls with NotLeaderException. At this point, our Raft group is unavailable for RaftNode.replicate() calls, and RaftNode.query()calls for QueryPolicy.LINEARIZABLE, QueryPolicy.LEADER_LEASE, and QueryPolicy.BOUNDED_STALENESS but we can still perform a local query with QueryPolicy.EVENTUAL_CONSISTENCY. If we want to make the Raft group available again, we don't need to restore all crashed Raft nodes. In this particular scenario, it is sufficient to restore only 1 Raft node so that we will have the majority alive again. It is what we do in the last part of the test. Once we have 2 Raft nodes running again, they will be able to elect a new leader.

In this example, we waited until the leader demotes itself to the follower role before restarting the crashed Raft nodes. This is not a requirement for restoring crashed Raft nodes, and we did it here only for the sake of example. We can restore a crashed Raft node anytime and if the leader Raft node is still running there may not be a new leader election round and the restarted Raft node could just discover the leader Raft node. Our Raft group will restore its availability as long as there is a leader Raft node taking to the majority (including itself).

To run this test on your machine, try the following:

$ gh repo clone MicroRaft/MicroRaft
$ cd MicroRaft && ./mvnw clean test -Dtest=io.microraft.faulttolerance.MajorityFailureTest -DfailIfNoTests=false -Ptutorial

You can also see it in the MicroRaft Github repository.

Please note that you need to have a persistence-layer (i.e., RaftStore implementation) to make this recovery option work. If a crashed Raft node is restarted with the same identity but an empty state, it turns into a Byzantine-failure scenario, where already committed operations can be lost and consistency of the system can be broken. Please see the Corruption or loss of persistent Raft state part for more details.


5. Network partitions

Behaviour of a Raft group during a network partition depends on how Raft nodes are divided to different sides of the network partition, and with which Raft nodes our clients are interacting with. If any subset of the Raft nodes manage to form the majority, they remain available. If the Raft leader falls into the minority side, the Raft nodes in the majority side elect a new leader and restore their availability.

If our clients cannot talk to the majority side, it means that the Raft group is unavailable from the perspective of the clients.

Similar to the majority failure case described in the previous part, if the leader Raft node falls into a minority side of the network partition, it demotes itself to the follower role after the leader heartbeat timeout elapses, and fails all pending operations with IndeterminateStateException. To reiterate, this exception means that the demoted leader cannot decide if those operations have been committed or not.

When the network problem is resolved, Raft nodes connect to each other again. The Raft nodes that was on the minority side of the network partition catch up with the other Raft nodes, and the Raft group continues its normal operation.

One of the key points of the Raft consensus algorithm's and hence MicroRaft's network partition behaviour is the absence of split-brain. In any network partition scenario, there can be at most one functional leader.

We will see how our Raft nodes behave in a network partitioning scenario in the following test. Again, we have a 3-node Raft group here, and we create an artificial network disconnection between the leader and the followers. Since the leader cannot talk to the majority anymore, after the leader heartbeat timeout duration elapses, our leader demotes to the follower role. The followers on the other side elect a new leader among themselves and even commit a new operation. Once we fix the network problem, we see that the old leader connects back to the other Raft nodes, discovers the new leader and gets the new committed operation. Phew!

To run this test on your machine, try the following:

$ gh repo clone MicroRaft/MicroRaft
$ cd MicroRaft && ./mvnw clean test -Dtest=io.microraft.faulttolerance.NetworkPartitionTest -DfailIfNoTests=false -Ptutorial

You can also see it in the MicroRaft Github repository.


6. Corruption or loss of persistent Raft state

If a RestoredRaftState object is created with corrupted or partially-restored Raft state, the safety guarantees of the Raft consensus algorithm no longer hold. For instance, if a flushed log entry is not present in the RestoredRaftState object, then the restored RaftNode may not have a committed operation. If that Raft node becomes leader, it may commit another operation for the same log index with the lost operation and breaks the safety property of the Raft consensus algorithm.

RaftStore documents all the durability and integrity guarantees required by its implementations. Hence, it is the responsibility of RaftStore implementations to ensure durability and integrity of the persisted Raft state. RaftNode does not perform any error checks when they are restored with RestoredRaftState objects.