snarkmaster
commented
5 years ago Thanks for your interest!
tl;dr — yes, Bistro is designed for high availability, for some definition of that phrase. It's not a real-time scheduler, so failover is not instant, but it's good enough for its various use-cases within Facebook. And our hardware fails, machines get rebooted, etc, without disrupting system operation.
I assume that you would have some kind of orchestration system restart the Bistro scheduler (possibly on a new host) if the current scheduler goes down or becomes unhealthy. When you do this, you'll also need to flip the scheduler discovery mechanism (in the OSS release, this is unfortunately DNS or a hardcoded IP) to point at the new scheduler instance, so that workers can start using it.
Is that what you mean by "HA"? Or are you going for zero downtime?
By the way, having to point the scheduler discovery mechanism (DNS?) at your new instance means the availability of the new instance could be subject to DNS caching latency. If you have a fancier discovery service, I'd be happy to discuss a patch to allow workers to use that instead of DNS. FB has a low-latency service discovery mechanism internally, so DNS latency isn't a problem for our failovers.
Bistro is designed[1] so that scheduler restarts do not affect the running workload. While the scheduler is down, no new work will start, but scheduling new tasks should[2] resume reasonably quickly after a restart.
Additionally, when a scheduler restarts, its API (and thus web UI) will be unavailable for a few seconds (usually, DNS latency will be worse anyway).
Unless orchestration mechanism uses a global lock (e.g. a Zookeeper-based wrapper) to ensure one and only one Bistro scheduler is running, you might accidentally start two schedulers at once. This is OK. Bistro's scheduler-worker communication protocol is designed to be robust against this, in the sense that workers will only take commands from the scheduler that the discovery mechanism (i.e. DNS) currently tells them to use, and will ignore the other instance.
Footnotes
[1] Seamless recovery from a scheduler restart requires a persistent TaskStore (see e.g. https://github.com/facebook/bistro/blob/master/bistro/statuses/SQLiteTaskStore.h). This is a very simple piece of code interacting with a SQL DB — the one that Bistro uses in production uses an FB-internal MySQL client, which is MySQLTaskStore it's not part of the open-source release. If there's interest, I'd be happy to help rectify this.
[2] You really don't have to understand this footnote deeply to start using Bistro (most client teams internally do not), but I prefer to be explicit about potential pitfalls. The time from a schedule restart until the scheduler will run new tasks is, unfortunately, a little complicated. It's called "initial wait" in the code & logs — it's the sum of a variety of timeouts. In the common case, it takes a few heartbeat intervals to recover, but if you have tens of thousands of workers, or other performance bottlenecks on the scheduler, the wait can be worse. This wait is due to a (in retrospect less-than-practical) design decision that I made. Specifically, Bistro does not use a DB to store its current worker set, and instead uses a distributed consensus protocol to derive it. To learn more about this whole problem, you could start here: https://github.com/facebook/bistro/blob/master/bistro/remote/README.worker_set_consensus — feel free to follow up with specific questions if the worker tracking issue is of concern.
nwong4932
Hi,
My company is interested in using Bistro for our task distributed system. We are reading the design and code of bistro, one important factor for us is how to achieve high availability of scheduler. Can you let me know if this is implemented? If not, how can I achieve it, where is the best place I can add HA logic?
Best regards Nathan