Feature request: Fail over should be enabled during Maintenance [111521234]

Verified

Feature Request

Status Update

No update yet.

Description

oa...@google.com

created issue #1

Jul 17, 2018 12:07AM

The documentation[1] states that one of the conditions for the Failover to be triggered on a PostgreSQL instance with High availability configuration is that the master instance must be in a normal operating state. That is, the failover would not be triggered whenever the master instance is undergoing maintenance.

This request is for a feature that allows an automatic trigger of the failover on an instance that has the high availability configuration enabled.

[1]

https://cloud.google.com/sql/docs/mysql/high-availability#when_failover_is_triggered

Comments

sc...@joinhandshake.com <sc...@joinhandshake.com> #2Jul 17, 2018 12:15AM

To add details: Google Cloud SQL does maintenance on databases, and in some cases that maintenance causes HA database to shutdown completely, thus bringing down the application it supports with it. It can be a long maintenance window, sometimes > 10 mins.

Ideally the Cloud SQL team would do the maintenance in a way that HA instances do not shut down, and stay up serving requests.

[Deleted User] <[Deleted User]> #3Jan 31, 2019 08:20PM

+1, this is preventing me from migrating workloads that cannot tolerate downtime

ch...@gmail.com <ch...@gmail.com> #4Feb 15, 2019 09:06AM

Yeah, yesterday's total shutdown of HA CloudSQL cluster was kind of unexpected...

+1 to auto-failover before maintenance.

[Deleted User] <[Deleted User]> #5Apr 22, 2019 07:54PM

+1, We are exploring migration from AWS to GCP, and this behavior was a significant surprise. An HA configuration as described shouldn't need to take the 5 minutes of downtime I've repeatedly seen when modifying an instance size or during pre-scheduled maintenance. RDS instance modifications and maintenance have achieved this with only a failover's worth of downtime, and we need parity or better to consider cutting this service over.

ko...@sakartvelosoft.com <ko...@sakartvelosoft.com> #6Jun 21, 2019 03:41PM

Hello.
I am not a supe-rskilled rockstar of system programming, but I will drop few cents.

How I see true high-availabiity.
1) a proxy sits on top of 2+ MySQL servers deployed in managed autoscaling group like at google compute. 1 master and 1+ slave/read replica
2) If request is read-only (only select statements without select-into and without procedure calls, dispatch them among read-replicas or lsaves of managed group.
3) if request is not readonly, send to master.
4) if master is going to maintence (planned to go under maintenance, promote new master instance using a read replica/slave and set server to �maintenaince� state.
5) if maintenance completes, sync the instance and join it back to group as read-replica/slave
* at (4) the replica with shortest pending requests synced and promoted to new master.

With this approach all requests are go through the group�s umbrella proxy and it decides where to send a request.
All transactional requests are go to current master as considered as non-readonly.
Master transition must be done I such way:
0) replica promotion started (state changed to �becoming master�)
1) all non-readonly requests queued
2) as soon master promoted, all pending and non-readonly requests sent to it.

Requests queueing must start only when started syncing and promotion of new master, not earlier.

Hope this have sense.

Easiest way to make existing HA feature MUCH more usable, is to make sure that failover server maintenance happens like in 3-5 minutes later after primary instance maintenance completed, similar to rollout up[date of google compute groups

[Deleted User] <[Deleted User]> #7Jul 26, 2019 04:30PM

+1 this seems like a glaring omission. The downtime is not acceptable for us as it triggers unnecessary on-call paging and impacts the user experience.

je...@twinkl.com.au <je...@twinkl.com.au> #8Aug 25, 2019 12:03AM

+1 - this is preventing our workload migration, we could certainly tolerate a short failover event, but "HA" cloudsql maintenance doesn't work this way... instead taking the whole cluster offline for maintenance. I've seen plenty of sql instances failing to stop in under a minute and plenty of 30 minute+ crash-recovery cycles!

an...@dapperlabs.com <an...@dapperlabs.com> #9Oct 22, 2019 05:31PM

This routinely brings down production workloads for us and is becoming enough of an issue that we are halting creation of new Postgres instances on GCP and potentially moving the workloads we do have to Amazon's RDS.

How this is acceptable for an "HA" deployment is beyond me, much less how this issue has 60 stars and has been open since July of 2018 without even being so much as assigned. Someone at least add an update that the GCP Postgres team is at a minimum aware of the issue and admits it's a problem.

al...@gmail.com <al...@gmail.com> #10Oct 22, 2019 05:54PM

Our team waited for this to be resolved and after having our production down for over 10 minutes several times migrated over to

https://aiven.io/ (still hosted on google cloud infrastructure)
They promised 30-60 second fail-overs & maintenance and actually delivered on it so far.

hn...@gmail.com <hn...@gmail.com> #11Oct 22, 2019 06:49PM

Today, we actually also decided to go for another provider because of this.
Everyone from our engineering team is genuinely perplexed when we tell them
what HA in Cloud SQL actually means...

On Tue, 22 Oct 2019, 19:55 , <buganizer-system@google.com> wrote:

- Show quoted text -

to...@gmail.com <to...@gmail.com> #12Oct 23, 2019 06:22AM

We're evaluating 2nd Quadrant's Postgres with bi-directional replication, which advertises failover times less than 100 miliseconds. We've experienced several 5-10 minutes long downtimes over the past six months. We hoped that this situation would get addressed somehow, but given the lack of feedback here I'm assuming this is not the case and it's time to move on before our customers decide to move on.

ch...@gmail.com <ch...@gmail.com> #13Oct 23, 2019 11:46AM

Looks like they are doing the same with Cloud SQL for MySQL: previously you was adding HA instance to the main one, now you just enable HA and it starts using regional storage to replicate disk block device, making fast failover technically impossible =(

[Deleted User] <[Deleted User]> #14Oct 24, 2019 06:42AM

This is truly as bad as described by other comments.

I imagine what happens when Google decides to roll-out an upgrade to Cloud SQL instances. Any SRE who pushes the button must think about how they gonna bring down production of thousands of highly-available databases...
</sarcasm>

Would be great if we could get an update from the product team.

[Deleted User] <[Deleted User]> #15Nov 12, 2019 07:53PM

This is pushing our team as well very close to moving to AWS Aurora to avoid this. As it happens it should be a simple procedure for Google to
Begin maintenance on the failover cluster
patch it completely
stand it up and sync it
promote it to master.

Post swap perform maintenance on the now defunct master
place it back as the failover slave after maintenance.

ke...@gmail.com <ke...@gmail.com> #16Mar 18, 2020 04:33AM

Any updates? Could we please get some feedback from the product team?

ke...@gmail.com <ke...@gmail.com> #17Aug 14, 2020 07:15AM

Is this feature being worked on? Any updates?

ot...@gmail.com <ot...@gmail.com> #18Sep 7, 2020 08:32AM

+1 Any updates?

mi...@gmail.com <mi...@gmail.com> #19Sep 23, 2020 09:41PM

There is nothing 'Highly Available' about Cloud SQL if it experiences minutes of downtime every week

jo...@everflow.io <jo...@everflow.io> #20Sep 29, 2020 12:44AM

1+ this is a pretty important requirement for us

[Deleted User] <[Deleted User]> #21Oct 3, 2020 06:21PM

+1 this seems like a very sensible thing to do, not sure why it hasn't been done.

ni...@sada.com <ni...@sada.com> #22Oct 16, 2020 07:51PM

+1, this is an ask that has come from multiple customers that I am supporting currently / looking to leverage CloudSQL

[Deleted User] <[Deleted User]> #23Oct 20, 2020 12:53PM

[Deleted User] <[Deleted User]> #24Oct 20, 2020 12:53PM

cl...@d-teknoloji.com.tr <cl...@d-teknoloji.com.tr> #25Oct 20, 2020 12:54PM

az...@gmail.com <az...@gmail.com> #26Oct 20, 2020 12:54PM

[Deleted User] <[Deleted User]> #27Oct 20, 2020 12:55PM

[Deleted User] <[Deleted User]> #28Oct 20, 2020 12:55PM

or...@gmail.com <or...@gmail.com> #29Oct 20, 2020 01:00PM

la...@gmail.com <la...@gmail.com> #30Oct 20, 2020 01:42PM

hn...@gmail.com <hn...@gmail.com> #31Oct 20, 2020 01:51PM

Interesting, it's the only P0 issue at this tracker for SQL and it still doesn't have a resolution (after two years). That doesn't give us much hope, unfortunately... Is it because of PostgreSQL specifics, like, it cannot be made resilient or what (I would be surprised by that)? I must admit it's a bit frustrating not to hear anything from Google on this issue :-( .

Btw. P0 priority is (according to

https://developers.google.com/issue-tracker/concepts/issues):

> An issue that needs to be addressed immediately and with as many resources as is required. Such an issue causes a full outage or makes a critical function of the product to be unavailable for everyone, without any known workaround.

Tue Oct 20 2020 15:47:31 GMT+0200 (Central European Summer Time).png

173 KB

View

Download

ch...@gmail.com <ch...@gmail.com> #32Oct 20, 2020 01:58PM

Guys, your "+1" are useless and annoying. Use "Star" to star the issue, that's what they look at.

ox...@gmail.com <ox...@gmail.com> #33Jan 17, 2021 11:54AM

a P0 issue, 2 years.
definately pushing people to Other cloud providers isn't it?

ko...@bilt.com <ko...@bilt.com> #34Jan 18, 2021 02:01AM

Just go with Aiven and have them deploy their (much better) managed Postgres solution in GCP. Honestly Google should just retire Cloud SQL. It's lazy, poorly supported and is way behind what the competition offers, it just paints Google as a company that lost it sheen years ago and is now just moving on inertia.

an...@dapperlabs.com <an...@dapperlabs.com> #35Jan 19, 2021 05:34PM

No official word from Google so I'm inclined to weigh in here with the little I do know and suspect. (I obviously don't speak for Google, so grain of salt and all that.)

The focus of the Cloud SQL is minimizing the duration of the downtime windows, and the frequency in which they happen, but not to completely eliminate the possibility of instances ever going down. For that, there is Cloud Spanner, which is arguably the flagship product of GCP and what I suspect GCP uses internally for everything. There's little incentive for them to pour time and resources into making postgres never-down when that is the bread and butter of Spanner, especially when no one is using it internally.

GCP is keenly aware of this issue and I've raised it through as many channels as I could. The occasional update to the metadata here suggests it does get looked at, and I don't envy the product manager that would have to try and explain why this never gets priority to the mob, so maybe it's just best to let this issue rot. Keep adding to the 123 stars, but 30+ comments of "+1" and "we're leaving to X" is probably enough.

For what it's worth, we track outages caused by this database roll, and while they do still happen, year-over-year they are going nothing but down. Breaking updates that take our HA cluster offline seem to happen less, though they do take about the same amount of time to come back up as they always have. We shifted a few downtime-sensitive DB's elsewhere, and as our data got global enough to merit it, have started exploring spanner and its associated price tag more seriously.

As much as I'd love for this to be solved, we've accepted it where we can, and moved on where we couldn't.

be...@backmarket.com <be...@backmarket.com> #36Mar 1, 2021 02:11PM

Hey there, from the release notes

https://cloud.google.com/sql/docs/release-notes#February_24_2021, seems like there has been some improvements in the way CloudSQL handles maintenance on PostgreSQL and MySQL ?
Has someone experienced that improvement?
Maintenance still does not involves a failover to standby instances from what we can see in the docs (

https://cloud.google.com/sql/docs/mysql/maintenance#what_is_maintenance).

Message last modified on Mar 1, 2021 02:12PM

sa...@gmail.com <sa...@gmail.com> #37Mar 24, 2021 08:49AM

Any updates on this issue or feature? looks like maintenance causes downtime. But wouldn't that be the cool feature if failover happens before that and once maintenance done it has to fail back?

be...@banked.com <be...@banked.com> #38Jun 28, 2021 10:04AM

This is actually embarrassing from Google, we've moved to Spanner to avoid this, but the library coverage for spanner is pretty sparse, so to get a data layer that you can depend on for up to 4 9's, you need to move to one of the other cloud providers.

Three years of silence from Google, jokeshop.

Message last modified on Jun 28, 2021 01:50PM

aj...@google.com <aj...@google.com> #39Sep 16, 2021 08:19PM

Accepted by aj...@google.com.

Hello Cloud SQL users,

This year, Cloud SQL redesigned our maintenance workflow to reduce maintenance downtime by 80%. Our new workflow utilizes a shared disk failover approach, in which we first update a failover target VM with the maintenance patch while the original is still running. Once the update is complete, we stop the original instance, switch over the disk, failover the IP address, and resume traffic on the updated VM. Typical maintenance downtime per engine is below:

PostgreSQL - 30 seconds or less
MySQL - 60 seconds or less
SQL Server - 120 seconds or less

For more information, you can read our blog on the new maintenance process:

https://cloud.google.com/blog/products/databases/how-cloud-sql-maintenance-works-to-keep-instances-updated

Since the shared disk failover approach has been implemented, we plan to mark this issue tracker ticket as "Fixed" in one week's time. When combining faster maintenance with scheduling controls like maintenance windows and deny maintenance periods, many Cloud SQL customers are no longer impacted by maintenance.

However, for 24/7 business-critical applications that have very high uptime requirements, maintenance may still be disruptive. For these customers, we continue to invest in reducing maintenance downtime. To indicate that your application requires further improvement in mainteance downtime, please star this new issue tracker ticket so we can track interest.

https://issuetracker.google.com/issues/200192156

All the best,

Akhil

Cloud SQL Product Manager

Message last modified on Sep 16, 2021 08:20PM

aj...@google.com <aj...@google.com> Sep 23, 2021 04:54PM

Verified by aj...@google.com.