Replication with More Granularity (Tiramisu)

In Mitaka, replication v2.1 (Cheesecake) was implemented to support a disaster recovery scenario when an entire host can be failed over to a secondary site. Cheesecake API was admin facing. At the Mitaka mid-cycle meetup, Cinder team decided that after Cheesecake is implemented, Tiramisu will be the next step. Tiramisu is the code name for a new set of replication APIs with more granularity. Tiramisu API will be tenant facing. It gives tenant more control on what should be replicated together, i.e., a group of volumes. Note: This spec does not address replication at the single volume level because it is built upon generic volume groups. Change-Id: I377fd84bd19ae78dc2e952a7846573546bc83f2c blueprint: replication-cg
2015-08-25 09:10:29 -04:00 · 2015-08-25 09:10:29 -04:00 · 496fd716fc
commit 496fd716fc
parent 7d8dccabcd
1 changed files with 368 additions and 0 deletions
--- a/specs/pike/replication-group.rst
+++ b/specs/pike/replication-group.rst
@ -0,0 +1,368 @@
 ..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.
 http://creativecommons.org/licenses/by/3.0/legalcode
 ============================================
 Replication with More Granularity (Tiramisu)
 ============================================
 https://blueprints.launchpad.net/cinder/+spec/replication-cg
 In Mitaka, replication v2.1 (Cheesecake) [1][2] was implemented to support
 a disaster recovery scenario when an entire host can be failed over to
 a secondary site. The Cheesecake API was admin facing.
 At the Mitaka mid-cycle meetup, Cinder team decided that after Cheesecake
 is implemented, Tiramisu will be the next step. Tiramisu is the code name
 for tenant facing replication APIs with more granularity. It gives tenant
 more control of what should be replicated together.
 Problem description
 ===================
 Replication v2.1, which was implemented in Mitaka as an admin API, was
 designed to solve a true DR scenario when the entire backend has to be
 failed over to the backend on the secondary site. This is definitely a
 very important use case.
 There are other cases where the customers also want to have more control
 over the granularity of replication. The ability to replicate a group
 of volumes and test failover without affecting the entire backend is
 also a desired feature. A tenant facing API is needed to meet this
 requirement because only a tenant knows what volumes should be grouped
 together for his/her application.
 It is true that you can do group based replication with Cheesecake by
 creating a volume type with replication information and creating volumes
 of that volume type so all volumes created with that type belongs to
 the same group. So what can Tiramisu do that Cheesecake cannot?
 In Tiramisu, a group construct will be used to manage the group of
 volumes to be replicated together for the ease of management.
 * The group constuct designed in the Generic Volume Group spec [3] will
  provide tenant facing group APIs to allow a tenant to decide what
  volumes should be grouped together and when and what volumes
  should be added to or removed from the group.
 * Enable replication function will be added to allow the tenant to
  decide when all volumes needed for a particular application have
  been added to the group and signal the start of the replication
  process.
 * Disable replication function will be added to allow the tenant to
  decide when to stop the replication process and make adjustments
  to the group.
 * Failover replication function will be added for the tenant to
  test a failover of a group and make sure that data for the
  application will not be compromised after a failover.
 * A tenant can test a failover without affecting the entire backend.
 * A tenant can decide when and whether to failover when the disaster
  strikes.
 If a tenant has already failed over a group using the Tiramisu API
 and then a true DR situation happens, the Cheesecake API can still
 be used to failover the entire backend. The group of volumes already
 been failed over should not be failed over again. Tiramisu will be
 using the config options such as ``replication_device`` designed for
 Cheesecake.
 Use Cases
 =========
 * An application may have a database stored on one volume and logs stored on
  another and other related files on other volumes. The ability to replicate
  all the volumes used by the application together is important for some
  applications. So the concept to have a group of volumes replicated
  together is valuable.
 * A tenant wants to control what volumes should be grouped together during
  a failover and only the tenant has knowledge on what volumes belonging to
  the same application and should be put into the same group.
 * A tenant can determine when to start the replication process of a group
  by doing enable replication after all volumes used by an application
  have been added to the group.
 * A tenant can determine when to stop the replication process of a group
  by doing disable replication when he/she needs to make adjustments to
  the group.
 * A tenant wants the ability to verify that the data will not be compromised
  after a failover before a true DR strikes. He/she is only concerned about
  his/her own application and wants to be able to test the failover of
  his/her own group of volumes without affecting the entire backend.
 * A tenant wants to decide when and whether to failover when the disaster
  happens.
 Proposed change
 ===============
 The Generic Volume Group design is in a separate spec [3] and this spec
 depends on it. The URL for the group action API is from the Generic Volume
 Group spec:
    '/v3/<tenant_id>/groups/<group_uuid>/action'
 The following actions will be added to support replication for a group of
 volumes.
 * enable_replication
 * disable_replication
 * failover_replication
 * list_replication_targets
 If a volume is "in-use", a "allow-attached-volume" flag needs to set to
 True for failover_replication to work. This is to prevent the tenant
 from abusing the failover API and causing problems when forcefully
 failing over an attached volume. Either the tenant or the admin should
 detach the volume before failing over, or it will be handled by a higher
 layer project such as Karbor.
 Group type needs to have the following group_spec to support
 replication::
    'group_replication_enabled': <is> True
    or
    'consistent_group_replication_enabled': <is> True
 Driver also needs to report ``group_replication_enabled`` or
 ``consistent_group_replication_enabled`` as capabilities.
 Karbor or another data protection solution can be the consumer of the
 replication API in Cinder. The flow is like this:
 * Admin configures cinder.conf.
 * Admin sets up group type and volume types in Cinder.
 * Tenant creates a group that supports replication in Cinder.
 * Tenant creates volumes and puts into the group in Cinder.
 * In Karbor, a tenant chooses what resources to put in a protection group.
  For Cinder volume, Karbor can detect whether a selected volume belongs
  to a replication group and automatically selects all volumes in that
  group. For example, Karbor can check whether a Cinder volume group has
  ``group_replication_enabled`` or ``consistent_group_replication_enabled``
  in its group specs.
 * There are APIs to create/delete/update/list/show a group in the Generic
  Volume Group spec [3]. Karbor or another data protection solution can use
  those APIs to manage the groups for the tenant.
 * In Karbor, a protection action can be executed depending on the
  protection policies. If the protection action triggers a fail over,
  Karbor can call Cinder's replication API to failover the replication
  group.
 * As discussed during the Cinder Newton midcycle meetup [4], driver can
  report ``replication_status`` as part of volume_stats. The volume manager
  will check the ``replication_status`` in volume_stats and update database
  if ``replication_status`` is ``error``.
 Alternatives
 ------------
 Do not add a generic volume group construct. Instead, just use the existing
 consistency group to implement group replication.
 Data model impact
 -----------------
 None
 REST API impact
 ---------------
 Group actions will be added:
 * enable_replication
 * disable_replication
 * failover_replication
 * list_replication_targets
 URL for the group action API from the Generic Volume Group design::
    '/v2/<tenant_id>/groups/<group_uuid>/action'
 * Enable replication
  ** Method: POST
  ** JSON schema definition for V3::
        {
            'enable_replication':
            {
            }
        }
  ** Normal response codes: 202
  ** Error response codes: 400, 403, 404
 * Disable replication
  ** Method: POST
  ** JSON schema definition for V3::
        {
            'disable_replication':
            {
            }
        }
  ** Normal response codes: 202
  ** Error response codes: 400, 403, 404
 * Failover replication
  ** Method: POST
  ** JSON schema definition for V3::
        {
            'failover_replication':
            {
                'allow_attached_volume': False,
                'secondary_backend_id': 'vendor-id-1',
            }
        }
  ** Normal response codes: 202
  ** Error response codes: 400, 403, 404
 * List replication targets
  ** Method: POST
  ** JSON schema definition for V3::
        {
            'list_replication_targets':
            {
            }
        }
  ** Response example::
       {
           'replication_targets': [
               {
                   'backend_id': 'vendor-id-1',
                   'unique_key': 'val1',
                   ......
               },
               {
                   'backend_id': 'vendor-id-2',
                   'unique_key': 'val2',
                   ......
               }
            ]
       }
  ** Response example for non-admin::
       {
           'replication_targets': [
               {
                   'backend_id': 'vendor-id-1'
               },
               {
                   'backend_id': 'vendor-id-2'
               }
            ]
       }
 Security impact
 ---------------
 None
 Notifications impact
 --------------------
 Notifications will be added for enable, disable, and failover replication.
 Other end user impact
 ---------------------
 python-cinderclient needs to support the following actions.
 * enable_replication
 * disable_replication
 * failover_replication
 * list_replication_targets
 Performance Impact
 ------------------
 None
 Other deployer impact
 ---------------------
 None
 Developer impact
 ----------------
 Driver developers need to modify drivers to support Tiramisu.
 Implementation
 ==============
 Assignee(s)
 -----------
 Primary assignee:
  xing-yang
 Other contributors:
  jgriffith
 Work Items
 ----------
 1. Change capability reporting. Driver needs to report
   ``group_replication_enabled`` or
   ``consistent_group_replication_enabled``.
 2. Add group actions to support group replication.
 Dependencies
 ============
 This is built upon the Generic Volume Group spec which is already
 merged and implemented.
 Testing
 =======
 New unit tests will be added to test the changed code.
 Documentation Impact
 ====================
 Documentation changes are needed.
 References
 ==========
 [1] Replication v2.1 Cheesecake Spec:
    https://specs.openstack.org/openstack/cinder-specs/specs/mitaka/cheesecake.html
 [2] Replication v2.1 Cheesecake Devref:
    https://github.com/openstack/cinder/blob/master/doc/source/devref/replication.rst
 [3] Generic Volume Group:
    https://github.com/openstack/cinder-specs/blob/master/specs/newton/generic-volume-group.rst
 [4] Newton Midcycle Meetup:
    https://etherpad.openstack.org/p/newton-cinder-midcycle-day3