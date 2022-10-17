Computers in a cluster always need a common truth. The Raft Consensus algorithm works with majority votes and thus avoids conflicts.

When people have to work together in a group, it can get tiring – and the typical sentences that are part of everyday life in every office are said: “I sent that around!”, “You still have the old version , the new one is there in the folder!” and “Oh, you were on vacation when we changed that.” All of these symptoms belong to a big problem: How do you ensure that all members of a team share a common truth, i.e. a data status as a working basis?

This problem is not unique to humans; for computers, too, it is no trivial task to work smoothly in a team and agree on a common truth. Computers have it comparatively easy with each other: They work deterministically, i.e. produce identical results under identical conditions. They also know no emotions and human weaknesses such as envy, resentment and morbid ambition. An emotionless machine would not think of pushing ahead or interfering in someone else’s workspace.

It might therefore be so easy to develop an algorithm that produces a common truth among computers – and yet it took decades until a method that is functional, robust and easy to implement prevailed: the Raft consensus algorithm, which is found in many distributed systems today. This inconspicuous algorithm has become an important pillar of the Internet: The key-value database etcd, for example, works with Raft and is itself the foundation for the container orchestrator Kubernetes – and on this pillar there are many large and very large applications. Without Raft, Spotify, Netflix or Zalando would not exist in this form.

Why a consensus algorithm?

As long as a computer works alone, everything is simple: it accepts requests or tasks, obtains the necessary data from its data storage, uses it for processing and returns a result. A stand-alone SQL database server, for example, can answer read and write queries equally quickly and does not have to coordinate with anyone. What he needs to know is on his hard drive or, for frequently asked questions, in the main memory. But a single database server as the backbone of an application has its weaknesses. If it fails, nothing works. And with higher read and write loads, the admin can only plug more and more hardware into the loner.

It would be nice if you could entrust the data to a network of database servers. There are two procedures of different complexity: In the simplest case, a person appoints a server to be responsible (called the master in many applications) for all write access, and only this accepts write requests. The master then sends each change to other replicating servers, which maintain a copy of the data and only respond to read access or are even only available as a reserve for emergencies. Distributing the read access relieves the master and also increases stability, but under unfortunate circumstances a server can sometimes return outdated data. Also, in such a system there is a clear hierarchy created by a human by appointing one server as leader and the others as copy managers. If the leader has serious problems, a human could and should intervene and transfer the role to another server.

Shared Common Truth

The supreme discipline is a cluster in which no human is needed to provide servers with roles. In such a system, all machines have equal rights, and as a user you can be sure that the most recently valid truth is included in the processing of every request. An SQL database that implements such a concept is CockroachDB, which is also available with an open source license and which we have already presented in detail. CockroachDB uses the Raft common truth algorithm at its core and builds on top of it all the features you’d expect from a SQL database server.

It quickly becomes clear that distributed SQL databases must share a common truth. However, not only systems on which a distributed database is to be stored need a consensus algorithm, but also those that are to share work orders. Suppose you want to build an environment in which to drop computational tasks for processing – for example, computationally intensive scientific models. A large army of powerful machines (so-called worker nodes) should always grab a task and complete it.

A common database is also needed for such a system: It contains a list of tasks (sorted, for example, by date of receipt or by priority). This list must reliably show for each task whether it already has a worker node in progress and whether it may have already been processed. This is the only way to ensure that a task is not processed more than once. Imagine the chaos that would ensue in a bank if a transfer task was executed by multiple workers just because the task list wasn’t perfectly synchronized.

What the algorithm has to do

Whether it is a shared database or a system for distributed computing, the requirements for a procedure that coordinates the shared truth are identical in both cases: an approach is sought that ensures at all times that a query can only be answered with the last written truth . The system has to deal with the adversities that can occur in any distributed system. Delays in the network, packet losses along the way, as well as double or interchanged network packets are part of everyday life. The distributed database must therefore not fail due to hiccups in the network – at best, the individual servers must be able to be distributed over data centers that are connected to one another via the Internet.

In addition, the algorithm should ensure that temporary or permanent failures of individual cluster members do not mean that the entire system can no longer process requests or even provide incorrect results. Restarts, updates or power failures happen and must remain without consequences. If such failures were a problem, you would only have scaled the complexity, but gained nothing at all in terms of high availability and fault tolerance. It would also be unpleasant if all servers had to ask all their colleagues in the cluster for the current truth for each read request – then you would have planned a pretty lame system.

trust and betrayal

One condition Raft explicitly tries not to meet: dealing with so-called Byzantine errors. This is what researchers call all problems caused by malicious cluster members, borrowing from an anecdote with Byzantine generals – if a server in the cluster lies to the others or willfully withholds messages, it could endanger the common truth. In practice, however, this is not a problem: A cluster is usually set up by an administrator and all servers are equipped with the same software. There is a technical solution for Byzantine environments apart from Raft: blockchains. Even if the conditions in the vast majority of company networks are non-Byzantine, the obsession with blockchains is still present in companies today, because resourceful sellers have recognized that software with blockchain is more interesting and attractive than software with a comparatively boring consensus algorithm.

Appearance of Raft

The raft algorithm was invented and published by Diego Ongaro and John Ousterhout from Stanford University in 2014. Their approach, which they describe in their scientific paper “In Search of an Understandable Consensus Algorithm”, is remarkable. Comprehensibility as a goal appears for the first time in the title – and the topic runs through the entire article. The authors’ central belief was that a good consensus algorithm must be easy to explain. This is the only way to implement it well and stably, maintain distributed systems properly and react to problems. Comprehensibility should therefore help developers and admins of raft systems alike.

The two researchers came to this conclusion through bad experiences with the then dominant consensus process called Paxos or, more precisely, Multi-Paxos. According to the authors, this is so tricky that, after numerous interviews, they could not find anyone who could fully and correctly explain Multi-Paxos. Most explanations relate to the substructure of single-decree paxos, which alone is not intuitive to understand – multi-paxos adds even more complexity levels. In short: in 2014, the state of the art was an impenetrable construct which, to make matters worse, was always implemented somewhat differently, also in proprietary software without public source code. And the purely academic Paxos teaching was not included everywhere that said Paxos.

Rather than tweaking and detoxifying Paxos like other researchers had tried before, Ongaro and Ousterhout opted for a radical fresh start with refreshingly few components. In a Raft Cluster, each server can only be in one of three states: Leader, Follower, or Candidate. In the normal state, these roles are clearly divided: there is always only one leader, all other servers are followers and there are no candidates. In this state, a cluster works most of the day and can accept read and write tasks from clients.

How a raft cluster works

No human intervention is required to get into this basic state – when setting up a Raft cluster, the administrator simply starts several absolutely equal machines and gives each machine a list of addresses of all other players. The most important condition for success: The servers must be in a network and reach each other over it, and they should all have the same time. In the original paper, the systems communicate via remote procedure calls (RPC), but theoretically Raft could also be implemented with any other mechanism.

At the start, each server first declares itself a follower and waits for instructions from a leader, more precisely for the so-called heartbeat signal, which only leaders emit – but that would take forever because a fresh cluster is initially without a leader. To prevent all servers from waiting permanently, each server generates a random waiting time (called election timeout) when it starts up, which is within a time span specified in the implementation (the authors suggest between 150 and 300 milliseconds). Each member is therefore – determined by chance – differently patient.

voting procedure

The server that loses patience first opens a new election, switches to the role of candidate and confidently votes for itself. Then it increases the number of the election period (the so-called term) in its memory and broadcasts to all other cluster members an election notification (with an RPC of type RequestVote ). There is no election campaign – all other servers, which are just waiting without a leader, gratefully accept the offer and immediately vote for the first colleague who has called an election by answering him with approval.

As soon as the candidate has received the majority of the possible votes as an answer, it appoints itself as the leader and begins its official business: it sends heartbeat messages via RPC, all other servers suddenly recognize it as a leader and switch to the follower state. If, by unfortunate coincidence, other servers have instigated an election at the same time, they immediately cancel it when they receive a heartbeat message and immediately follow the leader.

Now the cluster is ready to accept requests from clients. Only the leader will answer such requests, but an inexperienced client does not know him and therefore always starts by asking a randomly selected server – the client therefore needs a list of all servers in the cluster. If the server being surveyed is not currently the leader, it must reveal the address of its leader. The client can first remember this and ask there in the future. If the server in question is currently separated from the rest of the cluster, the client has to choose another server at random and knock there.

leaders and subjects

Once the client has found the leader, he can question him. The fresh cluster is still empty, so there is not much to learn. As a simple example, let the system manage a single number – let’s say it’s some kind of account balance. In this fictitious system, the first writing command arrives at the leader after a successful choice: the number should be changed to 100. In a raft system, each server maintains two data structures, a log containing all write commands and the state machine, which always manages the current truth.

First, the leader writes the received change order to its log, then it sends an RPC of type AppendEntries parallel to all followers. They also write the change in their log and confirm receipt to the leader. If this has confirmations from more than half of the servers, it considers the command as committed, executes the change request (increase the number to 100) in its state machine and sends the client the answer: New value is 100. Only then does it say all followers know that the change is committed and they too can implement the change in their state machines. This simple comparison already ensures that the state machines of all servers usually contain the same value.

dealing with problems

In essence, that is the secret of Raft. In a perfect world, the system could continue to work like this forever – it only gets exciting because the world is not perfect and all sorts of things can go wrong. What feels like the most difficult problem is solved most quickly in a raft cluster: the loss of a leader. Suppose the admin shuts down the server for an update. The followers will quickly notice this condition because the regular heartbeat messages are missing. As with setting up the cluster, a server will first run out of patience and hold an election. In return, he makes himself a candidate again and opens a new term – whether this choice can be successful depends on the size of the cluster.

A typical Raft cluster consists of three or five servers. Important for understanding: All servers have a list of all participants, so they also know the total size of the cluster and thus know where the limit for a majority in elections is. In an environment with three servers, it’s not a problem if one fails, even if it’s the leader. One of the others stands for election, the other votes for him and the election ends with two out of three votes, i.e. a majority.

However, two servers must not fail at the same time, otherwise the remaining one could no longer achieve a majority. It is ineffective to increase a cluster of three to four members. In this case, the servers would need three votes for an absolute majority, so only one may fail, as in a three-person cluster. For this reason, all raft-based software documentation recommends odd cluster sizes. With five players, two can drop out at the same time, the remaining three can easily choose. Raft experts advise against clusters with more than seven servers – then the system will only become more sluggish and no longer stable.

Missing subjects

The cluster can free itself from a state without a leader in a few milliseconds and continue to serve clients with a new leader. But what about the failure of a follower? If one of them leaves, the leader notices this at the latest with the next write command – and you don’t even have to wait for a writing client for this, because technically the heartbeat messages are only write commands ( AppendEntries ) without content.

So the leader will try to get an acknowledgment for a AppendEntries message very soon. If this does not happen, he will try again and again – but a requesting client does not have to wait for this ceremony, he will get his answer as soon as half of the followers have answered. So if a follower is gone for a few minutes due to network disruptions or a restart, he will end up with a list of change orders and will work through them one after the other. So that there is no confusion, all write requests to the followers are numbered and always contain the number of the last request marked as committed as well as the number of the election period.

Before a follower sends a confirmation to their leader, they check whether they have received the previous message. Through this check and confirmation, each leader can keep a list of the status of their followers. If there is a discrepancy due to adversity in the network, the leader intervenes: He looks in his list to see the message up to which the follower knows the correct status, then orders the deletion of all later log entries and sends him the changes again correct order. As soon as he has a confirmation for the last entry, the follower is back on track.

Additional Rules

In the event of new elections, the Raft authors have come up with another protective mechanism: Up until now, every candidate who called for a new election was sure of the votes of his colleagues. However, a restriction (the leader completeness property) is necessary so that only a server that knows the state last known as committed becomes a leader. To do this, each candidate sends RequestVote the consecutive number and the term number of their last log entry as part of the message. The others would deny him the vote if they had an entry with a higher number themselves.

Two essential components of Raft, the election of the leader and the committing of new log entries, only work with a majority. In this way, Raft prevents a situation that is quite possible in other consensus algorithms and feared by administrators: the split-brain scenario, in which a cluster splits into two parts (e.g. due to a missing network connection) and in which both parts of themselves claim to administer the truth.

Joining and leaving

The last major construction site that the Raft authors dealt with is member management: It would be impractical to shut down a cluster when changes are made and start it again with a new list of members – servers should be able to be added and removed during operation. To ensure this, Ongaro and Ousterhout have decided to treat the membership management like the user data and to replicate it with the Raft mechanisms. As soon as a configuration change (adding or removing a member) is disseminated, all followers start working with it.

For new servers, however, there is still a useful exception: They cannot meaningfully participate in the cluster in the first few minutes because they start with a completely empty state machine and empty log and are initially bombarded by the leader with old logs. In this phase they are neither actively nor passively entitled to vote and can process the data in peace. As soon as they have processed the last log entry, they join as a full voting member.

Log Cleanup

With these manageable components, Raft already meets all the requirements in terms of stability and common truth – but one problem that is not just cosmetic remains: the list of log entries is getting longer and longer and takes up more and more storage space. To manage a single number in the state machine, gigabytes of logs can accrue after weeks of operation, additionally bloated with billions of empty heartbeat messages.

To keep Raft workable, the authors invented snapshots that are taken periodically (depending on the implementation). A snapshot merges old log entries, and instead of dragging along thousands of change requests, one command is left that only contains the latest result. The compressed logs are discarded. The snapshots not only relieve the hard disk, they also make it easier for new servers to get started – they get snapshots from the leader and are therefore ready to use more quickly.

In practice

In the wild, the raft algorithm is particularly common in comparatively new applications that have a high-availability mode. If the documentation for a new database mentions at least three servers, that’s a good indication for Raft. In addition to the etcd and CockroachDB already mentioned, these are often applications from the cloud-native environment, i.e. those that are supposed to run redundantly and scalably in containers: Docker Swarm uses Raft, as does the message distribution system NATS and the popular database MongoDB.

For administrators, Raft is comparatively easy to maintain. You start an odd number of servers and leave everything else to the algorithm – you should also make sure that they all get their time from the same NTP server and that the latencies in the network are small. Raft can cope well with machine failures, theoretically for hours and days. So there is no magical limit beyond which a failed server should not be restarted – the leader would send it a list of orders after a short or long failure so that it can get back on its feet.

Nevertheless, admins of Raft-based software are well advised to read the “Disaster Recovery” sections in the documentation in detail and run through the scenarios in a prepared test environment. Some of the applications that are based on Raft introduce their own time limits for servers that are switched off and also bring commands with them to cleanly take a server offline for a while (so-called draining). And very important: just because Raft stores the data on multiple machines doesn’t mean that backups can be omitted. Even a raft cluster can say goodbye in such a way that it cannot free itself on its own. Regular backups are therefore mandatory, and importing the backups into a fresh cluster should be tried out before use.

If you, as a developer, are toying with the idea of ​​building Raft into your own software that is supposed to run with high availability, you will find fully implemented Raft libraries in various programming languages. In many cases you can make life easier and use a Raft based database like etcd or CockroachDB. This saves you having to implement a backup mechanism, for example.

Conclusion

Simplicity as the key to success: The authors of the Raft paper, Diego Ongaro and John Ousterhout, have chosen an unusual path for new algorithms and have developed a process using methods such as user surveys that is primarily easy to explain and understand and on the other hand all the essentials Requirements fulfilled. The original paper does not provide mathematical proof that Raft works, but practice has provided the proof: Raft quickly made a name for itself, became a quasi-standard for newly developed distributed systems and since then has been proving every day, for example as part of Kubernetes, that it works very smoothly.