Datacenter to datacenter Replication
At some point in the growth of a database, there comes a need forreplicating it across multiple datacenters.
Reasons for that can be:
- Fallback in case of a disaster in one datacenter.
- Regional availability
- Separation of concerns
And many more.
This tutorial describes what the ArangoSync datacenter to datacenterreplication solution (ArangoSync from now on) offers,when to use it, when not to use it and how to configure,operate, troubleshoot it & keep it safe.
ArangoSync is a solution that enables you to asynchronously replicatethe entire structure and content in an ArangoDB cluster in one place to a clusterin another place. Typically it is used from one datacenter to another.It is not a solution for replicating single server instances.
The replication done by ArangoSync is asynchronous. This means that whena client is writing data into the source datacenter, it will consider therequest finished before the data has been replicated to the other datacenter.The time needed to completely replicate changes to the other datacenter istypically in the order of seconds, but this can vary significantly depending onload, network & computer capacity.
ArangoSync performs replication in a single direction only. That means thatyou can replicate data from cluster A to cluster B or from cluster B to cluster A,but never at the same time.Data modified in the destination cluster will be lost!
Replication is a completely autonomous process. Once it is configured it isdesigned to run 24/7 without frequent manual intervention.This does not mean that it requires no maintenance or attention at all.As with any distributed system some attention is needed to monitor its operationand keep it secure (e.g. certificate & password rotation).
Once configured, ArangoSync will replicate both structure and data of anentire cluster. This means that there is no need to make additional configurationchanges when adding/removing databases or collections.Also meta data such as users, Foxx application & jobs are automatically replicated.
When to use it… and when not
ArangoSync is a good solution in all cases where you want to replicatedata from one cluster to another without the requirement that the datais available immediately in the other cluster.
ArangoSync is not a good solution when one of the following applies:
- You want to replicate data from cluster A to cluster B and from cluster Bto cluster A at the same time.
- You need synchronous replication between 2 clusters.
- There is no network connection between cluster A and B.
- You want complete control over which database, collection & documents are replicate and which not.
To use ArangoSync you need the following:
- Two datacenters, each running an ArangoDB Enterprise Edition cluster,version 3.3 or higher, using the RocksDB storage engine.
- A network connection between both datacenters with accessible endpointsfor several components (see individual components for details).
- TLS certificates for ArangoSync master instances (can be self-signed).
- TLS certificates for Kafka brokers (can be self-signed).
- Optional (but recommended) TLS certificates for ArangoDB clusters (can be self-signed).
- Client certificates CA for ArangoSync masters (typically self-signed).
- Client certificates for ArangoSync masters (typically self-signed).
- One instances of the ArangoSync worker on every machine in each datacenter.
Note: In several places you will need a (x509) certificate.The section below provides more guidance for creatingand renewing these certificates.
Besides the above list, you probably want to use the following:
- An orchestrator to keep all components running. In this tutorial we will use as an example.
- A log file collector for centralized collection & access to the logs of all components.
- A metrics collector & viewing solution such as Prometheus + Grafana.
In the following paragraphs you’ll learn which components have to be deployedfor datacenter to datacenter replication using the
direct message queue.For detailed deployment instructions or instructions for the
kafka message queue,consult the reference manual.
Datacenter to datacenter replication requires an ArangoDB cluster in both data centers,configured with the
rocksdb storage engine.
Since the cluster Agents are so critical to the availability of both the ArangoDB and the ArangoSync cluster,it is recommended to run Agents on dedicated machines. Consider these machines “pets”.
Coordinators and DB-Servers can be deployed on other machines that should be considered “cattle”.
The Sync Master is responsible for managing all synchronization, creating tasks and assigningthose to workers. At least 2 instances must be deployed in each datacenter.One instance will be the “leader”, the other will be an inactive slave. When the leaderis gone for a short while, one of the other instances will take over.
With clusters of a significant size, the sync master will require a significant set of resources.Therefore it is recommended to deploy sync masters on their own servers, equipped with sufficientCPU power and memory capacity.
Since the sync masters can be CPU intensive when running lots of databases & collections,it is recommended to run them on dedicated machines with a lot of CPU power.
Consider these machines “pets”.
The Sync Worker is responsible for executing synchronization tasks. For optimal performance at least 1 worker instance must be placed onevery machine that has an ArangoDB DB-Server running. This ensures that taskscan be executed with minimal network traffic outside of the machine.
Since sync workers will automatically stop once their TLS server certificate expires(which is set to 2 years by default),it is recommended to run at least 2 instances of a worker on every machine in the datacenter.That way, tasks can still be assigned in the most optimal way, even when a worker in temporarilydown for a restart.
The sync worker must be reachable on a TCP port 8729 (default).This port must be reachable from inside the datacenter (by sync masters).
The sync workers should be run on all machines that also contain an ArangoDB DB-Server.The sync worker can be memory intensive when running lots of databases & collections.
Consider these machines “cattle”.
Prometheus & Grafana (optional)
ArangoSync provides metrics in a format supported by .We also provide a standard set of dashboards for viewing those metrics in Grafana.
If you want to use these tools, go to their websites for instructions on how to deploy them.
After deployment, you must configure prometheus using a configuration file that instructsit about which targets to scrape. For ArangoSync you should configure scrape targets forall sync masters and all sync workers.Consult the for a sample configuration.
Prometheus can be a memory & CPU intensive process. It is recommended to keep themon other machines than used to run the ArangoDB cluster or ArangoSync components.
Consider these machines “cattle”, unless you configure alerting on prometheus,in which case it is recommended to consider these machines “pets”.
Once all components of the ArangoSync solution have been deployed and arerunning properly, ArangoSync will not automatically replicate database structureand content. For that, it is is needed to configure synchronization.
To configure synchronization, you need the following:
- The endpoint of the sync master in the target datacenter.
- The endpoint of the sync master in the source datacenter.
- A certificate (in keyfile format) used for client authentication of the sync master(with the sync master in the source datacenter).
- A CA certificate (public key only) for verifying the integrity of the sync masters.
- A username+password pair (or client certificate) for authenticating the configurerequire with the sync master (in the target datacenter)
With that information, run:
The command will finish quickly. Afterwards it will take some time untilthe clusters in both datacenters are in sync.
Use the following command to inspect the status of the synchronization of a datacenter:
Note: Invoking this command on the target datacenter will return different results frominvoking it on the source datacenter. You need insight in both results to get a “complete picture”.
ArangoSync has more command to inspect the status of synchronization.Consult the reference manual for details.
If you no longer want to synchronize data from a source to a target datacenteryou must stop it. To do so, run the following command:
If the source datacenter is no longer available it is not possible to stop synchronization ina graceful manner. Consult the for instructions how to abort synchronization in this case.
Reversing synchronization direction
If you want to reverse the direction of synchronization (e.g. after a failurein datacenter A and you switched to the datacenter B for fallback), youmust first stop (or abort) the original synchronization.
Once that is finished (and cleanup has been applied in case of abort),you must now configure the synchronization again, but with swappedsource & target settings.
ArangoSync is a distributed system with a lot different components.As with any such system, it requires some, but not a lot, of operationalsupport.
All of the components of ArangoSync provide means to monitor their status.Below you’ll find an overview per component.
- Sync master & workers: The
arangosyncservers running as either masteror worker, provide:
- A status API, see
arangosync get status. Make sure that all statuses report
running.For even more detail the following commands are also available:
arangosync get tasks, &
arangosync get workers.
- A log on the standard output. Log levels can be configured using
- A metrics API
GET /metrics. This API is compatible with Prometheus.Sample Grafana dashboards for inspecting these metrics are available.
- A status API, see
- ArangoDB cluster: The
arangodservers that make up the ArangoDB clusterprovide:
- A log file. This is configurable with settings with a
- A statistics API
- A log file. This is configurable with settings with a
What to look for while monitoring status
The very first thing to do when monitoring the status of ArangoSync is tolook into the status provided by
arangosync get status … -v.When not everything is in the
running state (on both datacenters), this is anindication that something may be wrong. In case that happens, give it some time(incremental synchronization may take quite some time for large collections)and look at the status again. If the statuses do not change (or change, but not reach
running)it is time to inspects the metrics & log files. When the metrics or logs seem to indicate a problem in a sync master or worker, it issafe to restart it, as long as only 1 instance is restarted at a time.Give restarted instances some time to “catch up”.
‘What if …’
Please consult the reference manualfor details descriptions of what to do in case of certain problems and how andwhat information to provide to support so they can assist you best when needed.
ArangoSync (master & worker) provide metrics that can be used for monitoring the ArangoSyncsolution. These metrics are available using the following HTTPS endpoints:
/metrics: Provides metrics in a format supported by Prometheus.
Both endpoints include help information per metrics.
Note: Both endpoints require authentication. Besides the usual authentication methodsthese endpoints are also accessible using a special bearer token specified using the
—monitoring.tokencommand line option.
Consult the for sample output of the metrics endpoints.
The components of ArangoSync use (TCP) network connections to communicate with each other.
Consult the reference manualfor a detailed list of connections and the ports that should be accessible.
Digital certificates are used in many places in ArangoSync for both encryptionand authentication.
In ArangoSync all network connections are using Transport Layer Security (TLS),a set of protocols that ensure that all network traffic is encrypted.For this TLS certificates are used. The server side of the network connectionoffers a TLS certificate. This certificate is (often) verified by the client side of the networkconnection, to ensure that the certificate is signed by a trusted Certificate Authority (CA).This ensures the integrity of the server.
In several places additional certificates are used for authentication. In those casesthe client side of the connection offers a client certificate (on top of an existing TLS connection).The server side of the connection uses the client certificate to authenticatethe client and (optionally) decides which rights should be assigned to the client.
Note: ArangoSync does allow the use of certificates signed by a well know CA (eg. verisign)however it is more convenient (and common) to use your own CA.
Consult the for detailed instructions on how to create these certificates.
All certificates have meta information in them the limit their use in function,target & lifetime. A certificate created for client authentication (function) cannot be used as a TLSserver certificate (same is true for the reverse). A certificate for host
myserver (target) cannot be used for host . A certificate that is valid until October 2017 (lifetime) cannot be used after October 2017.
If anything changes in function, target or lifetime you need a new certificate.