Etcd and fleet [LWN.net]

By Jonathan Corbet
October 22, 2014

CoreOS is a Linux distribution designed for clustered server systems. It relies on a number of interesting technologies, including the Docker container system, to get its job done. But some of the technologies used in CoreOS have been developed in house. At LinuxCon Europe, CoreOS founder Brandon Philips gave a couple of talks about two of those tools: etcd and fleet. Between the two, they provide CoreOS with a flexible way of configuring and administering services across a cluster.

Etcd

"Etcd" stands for "/etc distributed"; it is meant to be a highly reliable configuration mechanism that provides a uniform view across a cluster of machines. It offers "sequential consistency," meaning that changes are visible in the same order on all machines — though not necessarily at the same time. Unlike competing projects (like Zookeeper), Brandon said, etcd allows for runtime reconfigurability.

Clusters built around etcd are highly interconnected (but not necessarily completely so). There is one system that is elected to be the "leader"; all others are "followers." At its core, etcd is a simple key/value data store. Along with the usual store, fetch, and delete operations, etcd provides an atomic compare-and-swap operation; there is a compare-and-delete operation as well. The etcdctrl command-line tool can be used to make changes to the etcd database or to watch for changes made by others.

The sequential consistency feature ensures that all etcd changes appear in the same order on all machines in the cluster. Changes may not happen at the same time; some machines may see a specific change before others do. So there may be periods of time where a pair of machines may disagree on the value of a specific parameter stored in etcd. Changes have sequence numbers attached to them; those numbers can be used to wait until a given change has been distributed throughout the cluster. Sequence numbers are unique and are not reused; getting a value at a specific sequence number will always return the same result, anywhere in the cluster.

Etcd supports the notion of a "quorum get," which is guaranteed to return the latest version of a given parameter. Quorum gets will be a bit slower, though, since they must be run via the cluster leader. It is also possible to wait for a change in a given parameter; the HTTP "long poll" mechanism is used to implement this operation.

With regard to availability, etcd will, on a cluster with 2f+1 systems, continue working in the presence of f failures. Once that point has been exceeded, changes to the database will no longer be accepted. The loss of the leader system will cause the service to be briefly unavailable until the remaining systems can run an election and continue under the new leader. The recovery time, Brandon said, is about ten times the round-trip time between systems in the cluster.

Beyond service configuration, there are a number of practical applications for etcd's functionality. The "locksmith" system is intended to bring order to system updates. When an update needs to be rolled out, it would be nice to avoid rebooting all of the systems in the cluster at once. Locksmith uses etcd to implement a cluster-wide reboot lock. Each system, when it gets ready to reboot, will decrement a semaphore stored in etcd. Once it has successfully rebooted, it increments the semaphore, letting the next system in line perform its update.

Kubernetes is a cluster management system from Google that was built on top of etcd. The CoreOS "fleet" utility (about which more will be said shortly) performs a similar task: it schedules tasks on machines in the cluster. The work description for a given task is written into an etcd key; agents on the other machines then pick up work assignments from etcd and use it to report their results.

At the core of etcd is a consensus algorithm called raft. Consensus algorithms have been around for some time; the most popular among them is a system called "Paxos." But Paxos is complex and difficult to understand, Brandon said, so they ~~came up with~~ adopted raft, which he described as "an engineer's approach to Paxos." Raft was originally developed by Diego Ongaro and John Ousterhout; it is, Brandon said, far more understandable and easy to work with than Paxos.

There were a number of mistakes made while developing etcd. The first of those was log files, which, he said, are hard to do right. If you are not careful, filesystems will corrupt or truncate data. There need to be checksums within a logfile to ensure that it is sane. Brandon expressed a wish that the kernel developers would simply document the best way to safely write log files.

Another problem had to do with naming in etcd; they trusted their users to come up with proper, unique names. "Never trust users," Brandon said. The result was a lot of misconfigured systems and, presumably, a lot of phone calls for the CoreOS support team. Now naming is handled by generating a unique ID number when a cluster member starts up.

Plans for the future, and the upcoming 1.0 release in particular, include the addition of nonblocking snapshots. An MVCC data store is on the list. There is a general effort to improve the scalability of read and write operations. There will be a read-only proxy system that can handle all get requests locally; that should help users avoid the use of expensive watch operations. Finally, there will be a "fast promotion" mechanism that allows a hot-standby node to join a cluster quickly if need be.

Fleet

Etcd is good for passing information to tasks on a clustered system, but what about starting, stopping, and managing those tasks in general? That is the responsibility of the fleet tool. Fleet, too, was developed in house, but the developers did not have to start from scratch; instead, fleet is based on systemd, which, Brandon said, gives them "a lot of good stuff." Systemd handles resource limits, control groups, and the secure computing (seccomp) subsystem; it can also take care of process monitoring and the notification of dependent processes. It is, he said, the first time they have had an init system driven by an API that gives them control over the system as a whole.

Fleet is a cluster scheduler, meaning that its job is to distribute tasks across the machines in a cluster. It needs to respond to events like a machine going down and reschedule tasks as needed. The fleet scheduler gets its marching orders (the "manifest") via etcd, then gets systemd to do the real work. It is thus not surprising that fleet's commands look a lot like systemd commands. One uses "fleetctl start" to start a task in the cluster, for example; it will cause the named service file to be scheduled on some remote machine.

Fleet can handle a number of requirements attached to the tasks it runs. Some tasks, for example, need to be run together on the same machine; others need to run on a specific system within the cluster. Information about such requirements goes into the systemd unit files, using the special "X sections" that are ignored by systemd itself.

Fleet works well, but, naturally, there is a list of desired enhancements. At the top of the list is an official stable API release so other programs can know how to talk to fleet. A signed schedule mechanism will add security to the system. And, while the service discovery mechanism built into the system now works, a better one is planned for the future.

To summarize, etcd and fleet form a part of the core of CoreOS. Between them, they allow the specification and coordination of tasks run across a cluster of systems. While these tools were developed for use within CoreOS, it would not be surprising to see them expand to uses in other settings as well.

Index entries for this article
Conference	LinuxCon Europe/2014

to post comments

Etcd and fleet

Posted Oct 25, 2014 16:34 UTC (Sat) by kleptog (subscriber, #1183) [Link] (6 responses)

The last few years have been awesome in the Linux space. Docker bringing Linux containers to the masses. An extensible declarative system for describing services from systemd. And now the combination with stuff like etcd and fleet looks to completely change the way servers are set up and run.

Stuff like fleet would not have been possible with sysvinit, that's for sure.

I'm a little bummed by the fact that CoreOS is based on Gentoo though. Bad experiences.

Etcd and fleet

Posted Oct 25, 2014 19:14 UTC (Sat) by dlang (guest, #313) [Link] (4 responses)

why would something like fleet be impossible with sysvinit?

Etcd and fleet

Posted Oct 25, 2014 20:55 UTC (Sat) by kleptog (subscriber, #1183) [Link] (2 responses)

Because to be able to have a stable system and to do things like failover you have to be able to answer the question "is this service still running?" and be able to receive a notification when a service dies. Sysvinit doesn't do that, it just starts services and forgets about them.

Things like daemontools are a step up, since it can at least tell when something dies, but it doesn't have the same kind of control.

Since unit files can also do things like job scheduling, you'd have to write something to distribute cron jobs as well.

You could probably attempt it with sysinit, but you'd get completely lost in the half-baked status scripts, inconsistent logging and other annoyances.

Etcd and fleet

Posted Oct 25, 2014 21:01 UTC (Sat) by dlang (guest, #313) [Link] (1 responses)

"Is this service still running" is a rather complex question to answer, and it's far from clear that what an init system can do is sufficient.

There are lots of times when the process has not exited that the service is not healthy enough to function and failover is needed.

Sysvinit does support restarting processes if they exit, that's what inittab did. It did the job well and wasn't hard to manage (I had a server at one time with several hundred entries in inittab

Etcd and fleet

Posted Oct 25, 2014 23:42 UTC (Sat) by anselm (subscriber, #2796) [Link]

In sysvinit, when you run your services from inittab, you give up the convenience of being able to start and stop them manually using “/etc/init.d/SCRIPT start” (or whatever). You also give up the ability to start them in a defined order so as to obey dependencies on other services. When you run your services by means of init scripts, you give up automatic restarts (and must add them again by means of piling on more hacks). This is an arbitrary and inconvenient dichotomy.

Systemd handles all services identically, whether they're automatically restarted or not. Dependencies and manual start/stop are available for all services. Exactly under what conditions a service is restarted, as well as rate-limiting for restarts, can be extensively configured. Systemd also supports “watchdog” functionality that can restart a service if the process appears to be running but hasn't shown signs of life for a specific time. In this respect systemd is in fact considerably superior to sysvinit.

Claiming that ”sysvinit does support restarting processes if they exit” is technically correct (under certain limited circumstances, anyway). Claiming that sysvinit does it as well as systemd, however, is ludicrous.

Etcd and fleet

Posted Oct 28, 2014 5:17 UTC (Tue) by raven667 (guest, #5198) [Link]

On sysvinit a tool like fleet would have to do all of its own service management, it would have to a parent of all the processes, manage cgroups, etc., in effect it would have to be systemd itself.

Etcd and fleet

Posted Nov 2, 2014 1:07 UTC (Sun) by philipsbd (subscriber, #33789) [Link]

I want to clarify that CoreOS uses the same build system as Gentoo (portage) but a user of CoreOS will not know this. The CoreOS update mechanism is completely different[1], there is no emerge package manager on board and we ship very few user space tools relying on containers instead.

Please give it a shot. It is a quite different system than Gentoo. In fact the ChromeOS team basis their build system on Gentoo's portage too, but you would never know it.

[1] https://coreos.com/using-coreos/updates/

Etcd and fleet

Posted Oct 28, 2014 2:38 UTC (Tue) by kjp (guest, #39639) [Link] (2 responses)

a new consensus algorithm thats allegedly simpler than paxos? oh great, there goes my free reading time...

Etcd and fleet

Posted Nov 2, 2014 1:08 UTC (Sun) by philipsbd (subscriber, #33789) [Link]

If you want a concrete implementation of raft check out the one we built for etcd[1]. It pairs quite nicely with the paper.

[1] https://github.com/coreos/etcd/tree/master/raft

Etcd and fleet

Posted Nov 2, 2014 1:20 UTC (Sun) by philipsbd (subscriber, #33789) [Link]

Oh, there there are a number of great resources here: https://raftconsensus.github.io

Etcd and fleet

Posted Nov 3, 2014 0:39 UTC (Mon) by sourcedelica (subscriber, #99308) [Link] (2 responses)

CoreOS came up with Raft? I thought Diego Ongaro came up with as part of the RAMCloud project. https://ramcloud.stanford.edu/raft.pdf

Etcd and fleet

Posted Nov 3, 2014 23:17 UTC (Mon) by philipsbd (subscriber, #33789) [Link] (1 responses)

Yea, I sent an email to the editor to get this fixed but it hasn't been fixed yet. A very complete resource is here: http://raftconsensus.github.io/

Fixed

Posted Nov 4, 2014 12:50 UTC (Tue) by corbet (editor, #1) [Link]

I have adjusted the text to reflect the actual origin of Raft. My apologies for my misunderstanding and any confusion it may have caused!

ZooKeeper runtime reconfigurability

Posted Nov 13, 2014 16:52 UTC (Thu) by jaybuff (guest, #97725) [Link]

My understanding was that with ZK 3.5.0 it is possible to reconfigure during runtime. See https://issues.apache.org/jira/browse/ZOOKEEPER-107 and http://web.stanford.edu/class/cs347/reading/zab.pdf