We won’t be fixing this race condition
During the work on restoring backup, the developer in charge came up with the following problematic scenario.
- Start restoring backup of database Northwind on node A, which can take quite some time for large database
- Create a database named Northwind on node B while the restore is taking place.
The problem is that during the restore the database doesn’t exists in a proper form in the cluster until it is done restoring. During that time, if an administrator is attempting to create a database it will look like it is working, but it will actually create a new database on all the other nodes and fail on the node where the restore is going on.
When the restore will complete, it will either remove the previously created database or it will join it and replicate the restored data to the rest of the nodes, depending exactly on when the restore and the new db creation happened.
Now, trying to resolve this issue involve us coordinating the restore process around the cluster. However, that also means that we need to do heartbeats during the restore process (to the entire cluster), handle timeouts and recovery and effectively take upon us a pretty big burden of pretty complicated code. Indeed, the first draft of the fix for this issue suffered from the weakness that it would only work when running on a single node, and only work in a cluster mode in very specific cases.
In this case, it is a very rare scenario that require an admin (not just a standard user) to do two things that you’ll not usually expect them together, and the outcome of this is a bit confusing even if you managed, but there isn’t any data loss.
The solution was to document that during the restore process you shouldn’t create a database with the same name but instead let RavenDB complete and then let the database span additional nodes. That is a much simpler alternative to going in to a distributed mode reasoning just for something that is an operator error in the first place.
Comments
So, as I understand the worst thing that might happen is that if you add some data to the created database you might lose it. I think it is perfectly acceptable behavior.
Jesus, Yes, that is the point. Protecting against something like this is hard, and has a lot of impact for normal operations.
Comment preview