JBossDeveloper

"clebert.suconic@jboss.com" wrote:


Based on what we talked before, a client connection to a nodeA will always have to faile to a nodeB. A server rule will determine this.

What we should do then if a connectionState has a non clustered queue on its hierarchy during a connection failure event then? Throw an exception? Disconnect the Consumer?

So far I think we could (don't know if we should) reconnect non clustered topics on the new node. We won't be able to guarantee deliveries, but at least we wouldn't interrupt the client. Now if the requirement is to fail over only on ClusteredQueues we should know what to do then.

I will be able to refactor anything if we get some problem. I'm constructing this piece by piece, we will be able to refactor later.

"clebert.suconic@jboss.com" wrote:

Wouldn't a queue.load take care of this? Maybe I didn't understand your point here.

This is a persistent queue

This is a thread created to discuss client-side fail-over. How about keeping it focused on this? Tim created a different thread for server-side fail-over discussions: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=92225

Clebert, would you kindly summarize the server-side situation so far, post it there, and continue the discussion on the other side?

Until then, I have a whole bunch of questions/suggestions related to the client-side.

Clebert wrote:

If the consumer receives a message from CallBack but if it didn't send an ACK yet, after the failover, the server not knowing the message might throw an exception (messageId not known).

There are a couple of use cases we have to consider.
- Persistent Messages. (how to treat a redelivery).
- Should we send the list of previously ACKs to the server?
- Should we ignore ACKs for non existent messages on the server?

Clebert wrote:

Second point also:
What to do when a durable subscriber gets the queue refilled?
- The client will probably receive the message again. I would just ignore redeliveries.

Tim wrote:

Yes - we should send the ids of every persistent message as part of the failover protocol - the server then repopulates the delivery list in the server consumer endpoint

Tim wrote:

Clebert wrote:

- Should we ignore ACKs for non existent messages on the server?

Non existent messages on the server will be non persistent messages that didn't survive the failover.
They should be removed from the client side list on failover so the acks will never get sent.

Clebert wrote:

failoever receives a new ClientConnectionDelegate as the parameter. The idea is to get a new connection, but keep the actual delegates we are using.

Clebert wrote:

Creating a new connection on the new server will create a new server Object, consequently a new ServerId.

Clebert wrote:

Tim wrote:

Clebert wrote:

Second point also:
What to do when a durable subscriber gets the queue refilled?
- The client will probably receive the message again. I would just ignore redeliveries.

I don't understand the issue here. Can you explain more?

The consumer is going to be recreated the same way the connection on the previous example. (creating a new consumer / replacing the IDs on the old objects).

On that case, the new server will think it's a new client connecting and it will resend non committed messages from a durable subscription. (So I hope).

On that case, I'm considering to ignore message previously sent, and on the list of CurrentTransaction.ACKs(). I just want to know if this is everybody's expected behavior.

Tim wrote:

So to summarise:
1) Detect failover
2) Find the "correct" failover server. (This may take several hops)
3) Let the server "stall" you until server failover has completed
4) Recreate the conections, sessions, consumers, producers and browsers. (Swapping ids here sounds fine)
5) Delete any non persistent messages from the client list of unacked messages in any sessions in the failed connection.
6) Send a list of the ids of the peristent messages for each consumer that failed to the server. For each list recreate the ServerConsumerEndpoint delivery list by removing the refs from the channel and creating deliveries and putting in the list.
7) The connection is now ready to be used

Clebert wrote:

At this point I'm not detecting the failure at remoting level yet.

Tim wrote:

So to summarise:
...
3) Let the server "stall" you until server failover has completed
...

Tim wrote:

So to summarise:
...
5) Delete any non persistent messages from the client list of unacked messages in any sessions in the failed connection.
...

Tim wrote:

So to summarise:
...
6) Send a list of the ids of the peristent messages for each consumer that failed to the server. For each list recreate the ServerConsumerEndpoint delivery list by removing the refs from the channel and creating deliveries and putting in the list.
...

Tim wrote:

Note: We must also ensure that no new connections are created on the failover node while old connections are being recreated, otherwise we can have a situation where the new connections grab the messages which have already been delivered to consumers in the failed connecton!

Clebert wrote:

Tim wrote:

I don't see why anything would be received twice (apart from non persistent
messages since we lose the acks for them but that's fine)

There are some scenarios I'm thinking about, all of them under incomplete transactions.

I will create few testcases and will come up with them to the discussion later.

Clebert wrote:

Every time a new serverObject is created [...]

I thought we had gone over all this already, but here goes again....

"ovidiu.feodorov@jboss.com" wrote:

A client may happen to be sending a message when the failure occurs. If the message is sent individually (not in the context of a transaction), then the on-going synchronous invocation is going to fail, the client code will catch the exception, and most likely will re-try to send the message,

"Ovidiu" wrote:

If the client happens to send message in the context of a transaction when the failure occurs, we could either throw an exception, and discard everything, or go for the more elegant solution of transparently copying the transactional state (the corresponding TxState instance) into the new ResourceManager and send the messages over the new connection when transaction commits. We're probably not doing this right now, but this is what should be doing.

"Ovidiu" wrote:

It is interesting to consider also what happens when the failure occurs right in the middle of "sentTransaction()" invocation.

"Ovidiu" wrote:


What is more interesting is what happens with the messages that are already in the MessageCallbackHandler's buffer.

For a seamless fail-over, they will need to be transferred in the new MessageCallbackHandler's buffer. Also important, immediately after the failover condition is detected, any in-progress read should be completed, and no further reads should be accepted until the client-side fail-over is complete ("client side failover lockdown"). The next post-failover read should be done from the new MessagingCallbackHandler's buffer.

"Ovidiu" wrote:

Contrary to what has been discussed so far on this thread, I think we can also salvage non-persistent messages, with minimum of effort. I'll address this issue again later. The acknowledgments for these messages (persistent and non-persistent) will be sent by the new Connection Delegate.

We also have the acknowledgments accumulated in a transaction on the client-side. The case should be dealt with similarly with the way we handle transacted messages (copy the TxState instance).

"Ovidiu" wrote:

Tim wrote:

Yes - we should send the ids of every persistent message as part of the failover protocol - the server then repopulates the delivery list in the server consumer endpoint

I think we can go a step further and also send the IDs of non-persistent messages that have been "failed-over" on the client side. This way, the client will continue to receive (and successfully acknowledge) non-persistent messages that otherwise would have been lost.

"Ovidiu" wrote:

Tim wrote:

Clebert wrote:

- Should we ignore ACKs for non existent messages on the server?

Non existent messages on the server will be non persistent messages that didn't survive the failover.
They should be removed from the client side list on failover so the acks will never get sent.

Not necessarily. See my above comment. We could also include the ids of non-persistent messages with the list of message ID sent to the server as part of the failover protocol, and thus be able to "salvage" those messages as well. I don't see any problem if we do that. We get better fault tolerance.

"Ovidiu" wrote:

What about the "fail-over protocol"? Your statement above seem to assume that the new server node is called into without any "preparation", as would a completely new client that creates a new connection, session and consumer endpoints. This is not going to work, those server-side objects need to undergo a "post-failover" preparation phase, where deliveries for the client-side failed over messages are created and so forth.

"Ovidiu" wrote:

Tim wrote:

So to summarise:
...
3) Let the server "stall" you until server failover has completed
...

What exactly does this mean?

"Ovidiu" wrote:

Tim wrote:

So to summarise:
...
5) Delete any non persistent messages from the client list of unacked messages in any sessions in the failed connection.
...

Why? See my comment above. Why do you think "salvaging" non-persistent messages too isn't going to work?

"Ovidiu" wrote:


Non-persistent message ids too.

Tim wrote:

I thought we had gone over all this already, but here goes again....

ovidiu.feodorov@jboss.com wrote:

A client may happen to be sending a message when the failure occurs. If the message is sent individually (not in the context of a transaction), then the on-going synchronous invocation is going to fail, the client code will catch the exception, and most likely will re-try to send the message,

What do you mean the "client code" will catch the exception?
Do you mean the application code?
If so, this is incorrect - JBoss Messaging failover is supposed to be automatic - this is one of our selling points.
Applications shouldn't have to catch connection exceptions and retry like in JBossMQ.

Ovidiu wrote:

If the client happens to send message in the context of a transaction when the failure occurs, we could either throw an exception, and discard everything, or go for the more elegant solution of transparently copying the transactional state (the corresponding TxState instance) into the new ResourceManager and send the messages over the new connection when transaction commits. We're probably not doing this right now, but this is what should be doing.

Same reasoning applies as previous comment. It should be transparent.

Tim wrote:

This makes no sense. When server A fails and server B takes over, only the persistent messages are resurrected into server B's queues.
The non persistent messages are lost.
Therefore it's not possible that the non persistent messages can be successfully acknowledged on server B, since server B won't know about them.
This is why I said the non persistent messages should be removed from the client state so they don't attempt to be acked.

"ovidiu.feodorov@jboss.com" wrote:

Please consider this simple example: the non-persistent messages N1 (id = 1) and N2 (id=2), sent by the server A, sit in the client-side buffer. The server A fails, the VM goes down. The connection is re-established (transparently) to server B. Server B knows that is a secondary server for the connection that just has established (as a result of the failover protocol). So, it could naturally assume that there are undelivered non-persistent messages in the client-side buffer. Which have not been lost. It also learns that the id of the messages are 1 and 2 (as a result of the fail-over protocol). So, what is stopping the server B (again, knowing that is a secondary server that has just been failed-over to), to accept acknowledgments for non-persistent messages that have been salvaged this way?

"ovidiu.feodorov@jboss.com" wrote:

To spell this out for you, so you won't go over is again: The current code, that is in the SVN, does not behave this way. This is understandable, it's just a prototype. I was going over the use cases for which we need test cases, so we can make sure the correct behavior is preserved in the future. The correct behavior is "transparently copying the transactional state (the corresponding TxState instance) into the new ResourceManager and send the messages over the new connection when transaction commits." Please note the use of the word "transparent".