[Design Proposal] Add Remote Storage Options for Improved Durability

[sachinpkale]

This design proposal is WIP. We will continue to add details to Sections that are marked with ToDo.

Goal

This doc proposes a high level and low level design to provide durability guarantees for the indexed data using remote store. For more info on overview and challenges, please refer: Feature Proposal

Requirements

Functional

1. Store indexed data to the configured remote store
2. Provide a mechanism to restore data from the configured remote store
3. Provide durability guarantees based on configured remote store

Non-Functional

1. Correctness - data should not be missing or duplicated.
2. Performance impact should be minimal. Different knobs should be provided to user to tune the performance with remote store.
3. Scale - Enabling remote store should not impact the scale of the existing OpenSearch cluster.
4. Security - Data stored in the remote store should adhere to the security model of OpenSearch.
5. Integration with existing features - Even though it is not in the scope of durability, remote store can be extended to work with existing OpenSearch constructs like replication, peer recovery, snapshot etc.

Out of Scope

This design doc focuses on durability aspect of using the remote store. Even though the design will be extensible to integrate remote store with other constructs, those details will not be discussed here.

Approach

Hot data storage in OpenSearch is divided into two parts:

1. Translog
2. Segments

Successful indexing operation writes data to Translog. A periodic job consumes translog and creates segment files. Translog is purged once Lucene commit is triggered. In order to provide durability guarantees of the indexed data, we need to provide remote store support for translog as well as segments. In the following sections, we use remote translog and remote segment store to store translog and segments respectively.

Invariant

At any point in time, remote translog and remote segment store together contain all the indexed data.

Storage

• Each index operation will write to remote translog. This will be a sync operation in the indexing request path.
  • Will add the async mode with buffer for lower latency and tolerance to RPO worth of data
• Each refresh/commit will upload new segments to remote segment store.
  • Segments will only be uploaded from primary node of the shard.
  • Segment files are identified based on checksum and the diff is incrementally uploaded.
    • Remote store will keep metadata of all the segment files with checksum
  • Segment data can be duplicated with segment merge, failover etc. but this will not lead to data duplication similar to how it is handled in the local disk.
  • A periodic job will delete segments from remote store that are not part of the live data (merged away segments, segments from old primary).
  • We can consider segment age before deleting it. This will enable point-in-time restore in case of accidental deletes.
• Remote translog will be purged based on the sequence number of latest segment in the remote segment store
• In some scenario (will be discussed below), remote translog can grow continuously. We will apply write block if the remote translog size breaches X GB threshold.

Restore

• Manual, API based restore
  • It will replace all the segments on local with the segments in remote
  • Replace translog with remote translog and replay the translog
  • Optional timestamp parameter for point-in-time restore
• Index level restore
  • As translog and segment files will be stored at shard level in the remote store, index level restore can also be supported.
• Once we setup restore flow, the next step would be to add support for automated restore. If index state turns red and no replicas are configured, the system should be able to pull data from remote store to restore the red index.

High Level Design

Architecture Diagram

Remote Translog

Data Model

ToDo

Requirements

ToDo

Remote Segment Store

Data Model

• Remote segment store will contain segment files which are immutable. So, segment store can be seen as store of immutable blobs.
• Operations performed on these blobs (segment files): upload, download, delete
• In OpenSearch, Segments are created on a shard level. Two segment files of two different shards can have the same name. This requires to maintain index_UUID/shard_id hierarchy (the exact hierarchy may have more elements) in the remote store while storing the segment files.

Requirements

• Support for uploading large files: As Lucene segment files can grow big (forcemerge can create segment with size > 5GB), the segment store should be capable of storing large objects with low latency
• Data Integrity: When dealing with upload and download of files, it becomes important to check the correctness using checksum and remote store should provide the support for the same
• Scale: As OpenSearch cluster can support petabyte of data, remote segment store is expected to scale
• Availability and Durability: It is important to choose highly available and durable remote segment store as it will directly impact the durability guarantees.

API Design

ToDo: Add verb, payload, success and error response against each API

1. Enable/disable remote storage
2. Configure remote storage
3. Backfill existing data to remote store
4. Restore data from remote storage for a given index and shard
5. Get status of the restore operation
6. Get status of remote store sync

Low Level Design

Remote Translog

ToDo

Remote Segment Store

Class Diagram

• The interface for remote segment storage (RemoteDirectory) will be extended from Lucene’s Directory. Using APIs provided by Directory will ensure that remote segment store is able to provide the same functionality that local disk does. Using the same APIs for local disk and remote segment store will also make it extensible where local disk can be replaced by the remote segment store (this is not part of durability but should avoid re-architecture of the APIs/system later)

• Note: RemoteDirectory may not support all the APIs of Directory from the first release. Plan is to open up more and more Directory APIs based on the milestone targeted for the upcoming release.

• Today, with Snapshots, OpenSearch already supports writing segment files to remote blob store. It also supports reading these segment files while restoring data from segments. BlobContainer interface is defined to read and write segments (blobs) from a blob store (HDFS, Azure Blob Storage, S3).

• RemoteDirectory will have referece to BlobContainer and will delegate Directory API implementation to BlobContainer with the required pre and post processing. This will avoid duplicating the same code to read/write segment files from/to the remote store.

Sequence Diagram

• Following sequence diagrams explain the flow and components involved. Actual code flow will take care of optimizations (if any).

Segment Upload

Segment Restore

POST /_remotestore/_restore

{
    "indices": [
        "my-index-1",
        "my-index-2"
    ]
}

Scope

In V1, remote store will only be supported for newly created indices for which segment replication is also enabled.

Setup

1. Install and configure repository plugin corresponding to the remote store.
   1. If repository plugin is not available for a given remote store, user needs to write the plugin first.
   2. Existing plugin implementations: repository-hdfs, repository-azure, repository-s3, repository-gcs
2. Create a snapshot repository with name specific to remote store. It can be provided by the user.
3. Create an index with segment_replication and remote_store enabled.
   1. Remote store is supported only for the new indices with segment replication enabled.
   2. remote_store setting is non-dynamic. Once index is created, this setting can not be changed.

Storage

For an index with setting segment_replication = true and remote_store = true:

1. Translog is written to remote translog after each successful indexing operation.
2. Segments are written to remote store after each refresh. Segment upload will happen only from primary.
3. Segments deleted on the disk will be deleted from remote store.

Restore

1. Automated restore on data loss.
2. API to get status of restore operation.
3. API to get remote store sync status:
   1. in-sync with local disk
   2. out-of-sync with local disk
      1. Number of segment files not in remote store
      2. Number of segment files still not deleted from remote store

Lifecycle of data in remote store

V1

Store Data

• Install repository plugin - Remote store uses the implementation of repository plugin to upload the segments data to the configured remote store. https://opensearch.org/docs/latest/opensearch/install/plugins/
• Register a snapshot repository - with same name as cluster UUID. https://opensearch.org/docs/latest/opensearch/snapshot-restore/#register-repository. ToDo: Modify this after [Remote Store] Make repository name configurable #3286.
• Create a new index - with remote_store=true setting. As mentioned in the scope, remote store V1 is only supported for new indices created with remote_store=true setting.

PUT /my-index-1?pretty 
{
  "settings": {
    "index": {
      "number_of_shards": 1,
      "number_of_replicas": 0,
      "remote_store": true
    }
  }
}

• Once index is created, all the indexed data will also be stored to remote translog / remote segment store.
• Get remote store sync status - it will be used to understand till what point in time the data is uploaded to remote store.

ToDo: Add API details

Restore Data

• Restore data API - In case of data loss scenario (red index with no valid shard copy), data for a given set of indices can be restored using following API.

POST /_remotestore/_restore
{
    "indices": [
        "my-index-1",
        "my-index-2"
    ]
}

• Automated restore on data loss can also be enabled [Remote Store] Add support to auto restore data from remote store #3144.
• Get Restore Status - As restore operation time depends on size of data to be restored, following API will provide details on progress of restore operation

ToDo

Integration with existing constructs/features

Failover

ToDo: Evaluating different options here

Peer Recovery

ToDo

Replication Strategy

Document Based Replication

ToDo

Segment Based Replication

ToDo

Cross Cluster Replication

ToDo

Snapshot

ToDo

Point-In-Time Recovery

ToDo

Metrics/Stats

ToDo

Open Questions

1. Would it be a plugin based implementation?
2. What would be the durability guarantees?
3. Will the existing data be backfilled or durability starts from the point of enabling durability for the cluster?
   1. Can the existing snapshot data be used for backfilling?
4. Will it be built on the top of existing snapshot implementation?
5. What metrics/stats would be required around durability?

[sachinpkale]

Started adding low level design details for Remote Segment Store.

[andrross]

I'll offer some opinions on a few open questions :)

1. Would it be a plugin based implementation?

As long as it does not introduce new dependencies, then I think it should probably not be a plugin. The concrete implementation for interfacing with a remote store should be a plugin (like the current repository plugins), but the core logic of this feature can probably live directly inside the core and need not be a separate plugin.

2. What would be the durability guarantees?

I think the key guarantee needs to be that all acknowledged writes are persisted to the remote store. The specific durability guarantee will differ depending on the remote store, but I think OpenSearch's guarantee should be that the document is successfully persisted to the remote store before the write is acknowledged as successful to the user.

3. Will the existing data be backfilled or durability starts from the point of enabling durability for the cluster?

Is this new "durability" feature a property of the cluster or of an index? Assuming it is a property of an index, then I would assume you can enable for a new index at index creation time. Given that, a user should be able to use the reindex mechanism to effectively enable remote durability for an existing index by reindexing it to a new index with durability enabled. There may be future optimizations to make this process more lightweight, but I'd strongly consider leaving that out of scope for the initial version. (If durability is intended to be enabled at a cluster level and not per-index, then my comment doesn't really make sense)

4. Can the existing snapshot data be used for backfilling?

As stated above, I'd try to leave backfilling out of scope for the initial version if the reindex mechanism can work.

5. Will it be built on the top of existing snapshot implementation?

What exactly do you mean by "snapshot implementation"? I'd hope the existing repository interface can be used/extended to meet the needs of copying segment files to/from the remote store. Not sure about the translog as it will likely have a very different access pattern.

[muralikpbhat]

Nice proposal, few comments/questions below.

• How does it relate to “searchable remote index” [RFC] Searchable Remote Index #2900?
• What are the Performance knobs that we are planning to offer?
• Doesn’t this assume remote store itself is durable? Might want to clarify that.
• Any overlap with segment replication OpenSearch Segment Replication [RFC] #1694? Isn’t segment replication a pre-requisite?
• Is RemoteDirectory in addition to LocalDirectory or a replacement?
• As you are re-using the repository abstraction, does it unecessarily force remote store implementer to implement snapshot related interfaces also (and vice-versa)?
• Do we really need separate apis for restoring from remote store. Shouldn’t this automatically happen in case of primary loss similar to how peer recovers from primary in today’s world. Any shard irrespective of primary or replica should recover from remote storage automatically. If that is a requirement, is there a use case for explicit api to restore? I can think of some feature like clone index. Also, if we need an api for some reason, can it reuse snapshot restore api?

[sachinpkale]

How does it relate to “searchable remote index” #2900?

Searchable remote index is currently focused on supporting remote indices in snapshot format. As @sohami replied to one of the comments #2900 (comment), the plan is to support remote indices that will be stored as a part of this proposal. We need to work closely to understand the overlap and possible impact on the design.

What are the Performance knobs that we are planning to offer?

As of now, we are thinking of providing sync/async way to syncing data to the remote store. Sync mechanism will impact performance (for remote translog) and async mechanism will impact durability guarantees. We need to make the trade-off clear and user needs to choose based on the requirement. Having said this, the exact impact will be clear once we carry out performance tests.

Doesn’t this assume remote store itself is durable? Might want to clarify that.

It does but durability guarantees of different remote stores will be different. We called it out in feature proposal as one of the considerations. I will add the same in this doc as well.

Any overlap with segment replication #1694? Isn’t segment replication a pre-requisite?

In V1, we want to support only Segment Replication. Due to the same set of segments in primary and replica, Segment Replication makes it easy for the initial implementation of the remote store (more details here). We will support document replication in the subsequent releases.

Is RemoteDirectory in addition to LocalDirectory or a replacement?

It would be in addition to the LocalDirectory. Class diagram does not make it clear. I will update it to reflect both.

As you are re-using the repository abstraction, does it unecessarily force remote store implementer to implement snapshot related interfaces also (and vice-versa)?

Good point! It definitely adds an overhead of implementing corresponding Repository and RepositoryPlugin. But the amount of code requires to implement these is minimal. Example: AzureRepository and AzureRepositoryPlugin.
On the other hand, the BlobStore and BlobContainer interfaces that actually deal with reading/writing from/to the remote store will remain same and contain majority of changes in the plugin implementation. The advantage we get is re-use and we can avoid the duplicate implementation.

Do we really need separate apis for restoring from remote store. Shouldn’t this automatically happen in case of primary loss similar to how peer recovers from primary in today’s world. Any shard irrespective of primary or replica should recover from remote storage automatically. If that is a requirement, is there a use case for explicit api to restore?

Agree. My approach was to provide API in V1 and to provide automated approach in V2. But we can have automated restore as a part of V1 as well.

I can think of some feature like clone index. Also, if we need an api for some reason, can it reuse snapshot restore api?

Yes, snapshot API can be changed to take a query parameter where it understands to fetch segment and translog data from the remote store.

[sachinpkale]

Adding scope for V1 (Refer Meta Issue for tasks break-down)

Scope

In V1, remote store will only be supported for newly created indices for which segment replication is also enabled.

Setup

1. Install and configure repository plugin corresponding to the remote store.
   1. If repository plugin is not available for a given remote store, user needs to write the plugin first.
   2. Existing plugin implementations: repository-hdfs, repository-azure, repository-s3, repository-gcs
2. Create a snapshot repository with name specific to remote store. It can be provided by the user.
3. Create an index with segment_replication and remote_store enabled.
   1. Remote store is supported only for the new indices with segment replication enabled.
   2. remote_store setting is non-dynamic. Once index is created, this setting can not be changed.

Storage

For an index with setting segment_replication = true and remote_store = true:

1. Translog is written to remote translog after each successful indexing operation.
2. Segments are written to remote store after each refresh. Segment upload will happen only from primary.
3. Segments deleted on the disk will be deleted from remote store.

Restore

1. Automated restore on data loss.
2. API to get status of restore operation.
3. API to get remote store sync status:
   1. in-sync with local disk
   2. out-of-sync with local disk
      1. Number of segment files not in remote store
      2. Number of segment files still not deleted from remote store

[anasalkouz]

Thanks @sachinpkale for the detailed plan for V1 scope. Is there any reason why you set segment replication as prerequisite for remote storage? My understanding you should be able to copy segments to remote storage regardless of the replication method.

[sachinpkale]

Is there any reason why you set segment replication as prerequisite for remote storage? My understanding you should be able to copy segments to remote storage regardless of the replication method.

Yes @anasalkouz, you are right. The segments will be copied to remote storage irrespective of the replication method.
But there is a fundamental difference wrt segment creation in document and segment replication. In segment replication, the set of segments in primary and replica would be exactly same. It is not true in document replication as primary and replica creates segments locally.
When failover happens (primary goes down and one of the replicas becomes new primary), we need to sync new primary with remote store but we can't do it incrementally as segment files of new primary can be completely different than old primary. This requires either copying all segments from remote store to new primary or copying all segments from new primary to remote store. As this flow is not straightforward, we have decided to support document based replication in subsequent versions. We have covered this in one of the POCs: #2481

[Bukhtawar]

Thanks @sachinpkale for the proposal, overall looks great.
Few points/clarifications

1. Maybe we can keep an in-memory checkpoint for remote store and avoid list calls
2. Would we be able to concurrently write segments to local and remote store, we at least save the fsync time which might be low for a majority of times but would help with slow/degraded/NFS backed devices
3. Strongly agree all RED indices should be auto-recovered after an initial delay and auto-cancelled if the node that transiently dropped joins back quickly
4. Refresh interval can be at minimum set to 1s, would that result in remote store uploads lagging if there were significant number of actively written indices on a node. Do we plan to queue up uploads
5. Do we want to support soft-deletes on remote store to prevent accidental index deletions. Should actual deletions happen asynchronously periodically as such garbage collection task
6. If we plan on supporting snapshots concurrently with the remote store repository, would it mean more storage costs and most importantly constrained network bandwidth on primaries at the snapshot hour/min. Do we want to also think about snapshotting index metadata and performing the actual data copy between two remote repositories instead of double uploads. What would be the upload rates, would we allow a separate rate limit to control uploads?
7. Would we allow multiple remote store configurations just like we can configure more than one snapshot repositories
8. What are the various statistics that we would want to expose as API, like uploads, remote store stats, failures, queues etc

[mch2]

Hi @sachinpkale.

There are a few other requirements that are worth calling out for this to work with segment replication. While we don't have the first wave of segrep merged into main yet from our feature branch, we have a general idea of the files that need to be copied to/from a store.

Primaries will need to include a byte[] of its current SegmentInfos object in addition to the segments. The SegmentInfos is required so that we can copy out after refresh and not wait for the next commit point. I don't think anything in the directory API exists that would push this, it would be an addition.

Second, we'll need a way to fetch this SegmentInfos on replicas in addition to the segment files.

The general flow I'm thinking of is similar to what we have in the feature branch & in the proposal, with an interface (SegmentReplicationSource) extracted so we can implement for both node->node replication or a remote store using the same flow.

1. Primaries refresh and push all segments and SegmentInfos to a remote store. Primaries publish a checkpoint for replicas.
2. Replicas receive the new checkpoint and start a replication event.
3. First the replica calls SegmentReplicationSource.getCheckpointMetadata to fetch the checkpoint metadata, which means the StoreFileMetadata associated with the checkpoint and the SegmentInfos bytes[].
4. Replica computes a diff based on the metadata and makes a list of the files it needs.
5. Replica calls SegmentReplicationSource.getFiles and fetches the files.
6. Replica performs validation of all new files & updates its reader with the new SegmentInfos.

I'm thinking this SegmentReplicationSource interface would be something like.

interface SegmentReplicationSource {

       void getCheckpointMetadata(
        long replicationId,
        ReplicationCheckpoint checkpoint,
        StepListener<CheckpointMetadataResponse> listener);

where CheckpointMetadataResponse includes the list of StoreFileMetadata and byte[].

    void getFiles(
        long replicationId,
        ReplicationCheckpoint checkpoint,
        Store store,
        List<StoreFileMetadata> filesToFetch,
        StepListener<GetFilesResponse> listener)
}

Where getFiles does not complete the listener until all requested files have been copied.

Thoughts?

[mch2]

An alternative to pushing the SegmentInfos bytes in my previous comment is that with remote store enabled we change the behavior of a refresh to instead perform a Lucene commit. This way we continuously push an updated commit point / segments_N file to the remote store. We can disable the fsync on the local directory implementation to make commits less expensive because segments will be durably stored remotely. This would remove the need for a change to the directory implementation to push the SegmentInfos bytes. I'm not sure of the perf trade-off here.

Either way I think we can include the SegmentInfos object itself in CheckpointMetadataResponse above instead of the byte array and leave it up to the remote store implementation how it is constructed.

[sachinpkale]

@mch2 Thanks for the heads up.

I am inclined towards the first approach. In remote store, we can have another file (with suitable prefix/suffix to segments_N) which is re-uploaded at each refresh.
I would like to understand one thing though: is segments_N updated in memory at each refresh and not fsynced or it is only updated at commit? I will definitely check it from my side but if you already know this, it would help.

An alternative to pushing the SegmentInfos bytes in my previous comment is that with remote store enabled we change the behavior of a refresh to instead perform a Lucene commit.

Lucene commit is expensive and OpenSearch internally performs various operations (like purging translog) when flush is called. As commit makes things durable on local store, changing the behaviour would need to understand the complete commit flow (which I don't currently).

[Bukhtawar]

@mch2 based on the alternative proposal wouldn't it create bi-modal code paths which would couple itself up with the storage layer? I wouldn't recommend this. Lucene commit as @sachinpkale pointed out is certainly expensive and might need modifications in the OpenSearch flush flow as well.

[mch2]

I would like to understand one thing though: is segments_N updated in memory at each refresh and not fsynced or it is only updated at commit?

SegmentInfos is updated as new segments are created, on a refresh those new segments will be flushed to disk but the _N file is not updated. segments_N is only updated & flushed to disk on a commit.

@Bukhtawar. Sorry, I meant conceptually to perform more frequent commits instead of the existing refresh behavior, not splitting the code path of a refresh. I'd be curious how much more expensive commits are with fsyncs turned off. This would mean we could always write & re-read SegmentInfos from a stable _N file.

If we don't have a function on the Directory to push the byte[] as a stream writing the tmp file is not a problem. This would use similar logic to what SegmentInfos uses already to write for commits - SegmentInfos.write, we are already using the public write function to write to a byte[]. I wrote a little unit test to see that it works, the name of the file would need to be different to not conflict with the latest commit point.

    public void testWriteSegmentInfos() throws Exception {
        List<Engine.Operation> operations = generateHistoryOnReplica(
            between(1, 500),
            randomBoolean(),
            randomBoolean(),
            randomBoolean()
        );
        for (Engine.Operation op : operations) {
            applyOperation(engine, op);
        }
        final SegmentInfos latestSegmentInfos = engine.getLatestSegmentInfos();
        long nextGeneration = latestSegmentInfos.getGeneration();
        final String FILE_PREFIX = "latest_infos";
        String segmentFileName =
            IndexFileNames.fileNameFromGeneration(FILE_PREFIX, "", nextGeneration);

        try (IndexOutput output = store.directory().createOutput(segmentFileName, IOContext.DEFAULT)) {
            latestSegmentInfos.write(output);
        }

        try (final ChecksumIndexInput checksumIndexInput = store.directory().openChecksumInput(segmentFileName, IOContext.DEFAULT)) {
            final SegmentInfos segmentInfos = SegmentInfos.readCommit(store.directory(), checksumIndexInput, latestSegmentInfos.getGeneration());
            assertEquals(segmentInfos.files(true), latestSegmentInfos.files(true));
        }
    }

[sachinpkale]

@mch2 If we take remote store out of the picture, where are we planning to store SegmentInfos bytes[]? Will it be in memory of primary? Can we create a new file which is appended with new data (or if we want this file immutable, we can replace the file) each time refresh happens? This way, nothing changes once remote store comes into picture.

[mch2]

@mch2 If we take remote store out of the picture, where are we planning to store SegmentInfos bytes[]? Will it be in memory of primary?

@sachinpkale For node-node replication the byte[] isn't written to disk, we pull the primary's latest SegmentInfos in memory, ensure all segments it references are incRef'd for the duration of the copy event and then serialize it over the wire.

Can we create a new file which is appended with new data (or if we want this file immutable, we can replace the file) each time refresh happens? This way, nothing changes once remote store comes into picture.

We could, this is what the snippet above does. I would prefer we write the object directly to the remote store and avoid the extra flush to the local disk if we can. I think this is possible with what you've implemented in #3460 although theres an extra step of converting the IndexOutput back to Input. Something like...

        ByteBuffersDataOutput buffer = new ByteBuffersDataOutput();
        try (ByteBuffersIndexOutput tmpIndexOutput = new ByteBuffersIndexOutput(buffer, "temporary", "temporary")) {
            segmentInfos.write(tmpIndexOutput);
        }
        final BufferedChecksumIndexInput indexInput = new BufferedChecksumIndexInput(
            new ByteBuffersIndexInput(buffer.toDataInput(), "SegmentInfos")
        );
        copyBytes(indexInput...)

[sachinpkale]

@mch2 Please take a look at commit: sachinpkale@b195a2a#diff-45c1ec7b5c456e144972500c9883018f4e74f4e7d054c448bf44ef308dbbb8e6R116-R123. In this commit, we are uploading intermediate segments_N file after each refresh. Let me know if this works.

This will help remote store to keep track of uploaded files as well. It enables us to delete merged away segments in async flow.

[mashah]

@sachinpkale I'd like to help. Are there some small tasks that I can get started with? Thanks

[sachinpkale]

Sure @mashah . We are keeping track of all the issues in this meta issue: #2992