PingCAP CTO here, I really enjoy the cooperation with Kyle this two months. I want to talk a little bit about my feelings.
Before the "official" Jepsen test, TiDB has already written its own Jepsen test cases for a long time. Our past Jepsen test code has become a good starting point in this test. In addition, as a result, the test case written by the database developer will inevitably have some blind spots. This is even if you have your own Jepsen test passed, I still recommend you to do the official test by Kyle's team.
In the process of testing, we have no way to influence what Kyle tests. Usually, only Kyle will tell us when abnormal behaviour occurs. Our main job is to analyze the cause and then fix it.
Here are some tips for recommending friends who want to do Jepsen test in the future:
1. Carefully check your documentation before testing to make sure it is consistent with your database implementation.
2. It is best for someone on the team to understand and build your own Jepsen test environment internally and test parallelly with the Kyle team.
3. Simplified deployment process is very helpful
4. Be sure the version of your DB before testing. Usually, you can select one when starting the test and select one before the end.
I really enjoy working with Kyle. I would say Kyle has a good sense of humor :), and I hopes to have another chance to cooperate Kyle and his team in the future! Thank you.
@aphyr I love reading these discussions about Jepsen! How would an individual contributor get involved with Jepsen and contribute during free time? Is most of the work related to adding public Jepsen tests for each database or is there work available with the framework as well? I'd love to learn more about Jepsen and distributed systems testing!
Hi there! There's work to do on both, and I encourage you to contribute to core if you like! We could really use performance improvements on the checkers--Knossos and set-full are great, but much more expensive than they need to be. It'd be nice to have a robust mechanism for adjusting CLOCK_MONOTONIC & friends. I don't have a good way to inject filesystem level faults, like simulated node crashes where non-fsynced data is lost. jepsen.control is plagued by what I think are race conditions in Jsch, which I've never had the chance to dig in and fix.
This is great, I've been evaluating CockroachDB for a high-write data situation, and TiDB came up as an alternative. CRDB having a Jepsen test and TiDB not having one made the decision pretty favored to CRDB. Looks like I can really give both a look now.
Most Jepsen reports seem to find glaring flaws, including subsystems that add complexity while reducing correctness, like the “auto-retry” features here, or novel consensus schemes that just aren’t airtight and therefore technically don’t work.
I think Bryan Cantrill put it well in one of his more recent talks. Jepsen reports used to be a lot more fun because projects made grand claims first, and then Jepsen came to actually test than. Now projects run Jepsen ahead of time to qualify their claims so there's less big GOTCHA! moments.
So, less fun but better quality products. A few more years and maybe Jepson won't find many flaws at all as they'll be identified in development using the same tools.
I've noted TiDB's weak transaction isolation guarantees before, which were not well documented. In particular, they claimed phantom reads were not possible, which this test shows isn't true.
That said, it looks like these issues aren't fundamental design problems and can be fixed.
I don't think these particular phantoms are likely to be fixed--they're legal under SI, and that's all TiDB is intended to provide, at least right now. They might do serializability later though!
This is great news. The only blocker is lack of FK constraints. I know this is a performance issue, but it's a blocker for those expecting it to behave like MySQL. We have a lot of bad queries (unfortunately) that rely on constraints for correctness. It's too dangerous to do any migration that eliminates them without at least a reduced performance setting to warn about violations that we can run for a month or two before committing 100%.
It pains me to say this, but strong ties to China company-wide will likely mean my org never adopts this, fk constraints aside. A victim of the trade war? Yes. But many of our clients are strictly "no Chinese vendors for libraries or dependencies", even if the data is on our own servers.
I'm not sure if anything can be done at this point, but building an isolated US based org would help immensely with adoption. The cap table also being mostly Chinese investors is enough to stop most US companies at the DD phase
"We have not evaluated filesystem or disk faults with TiDB, and cannot speak to crash recovery. Nor have we tested dynamic membership changes. Both might be fruitful avenues of investigation for future research."
How do you choose what components to test once you get past obvious stuff like the highest claimed isolation level?
I give suggestions to my clients, and ask them what they care about testing most, and we... pretty much always agree on what direction the research goes next. FS/disk faults I don't have good tooling for yet, so I'd have to invest some time into developing those tools--makes sense to defer that work. Membership changes are infrequent and surprisingly difficult to write automation for, so I think it makes more sense to focus on the static-cluster case first.
I don't see what's merciless about it. DB systems have various claims, he just goes about asserting if those claims are true. I think a serious take away from these is that all DB systems have issues, there are some faults that do happen, know them and design for it. Any DB that claims to have no fault is lying.
Hi @aphyr. I'm a great fan of your work with Jepsen although I know very little about the fault tolerance of distributed systems. Are there any resources you would recommend on the subject? I am an application developer so I don't see myself writing a database in the future. Still it would be great to learn about the concepts.
[+] [-] dongxu|6 years ago|reply
In the process of testing, we have no way to influence what Kyle tests. Usually, only Kyle will tell us when abnormal behaviour occurs. Our main job is to analyze the cause and then fix it. Here are some tips for recommending friends who want to do Jepsen test in the future:
1. Carefully check your documentation before testing to make sure it is consistent with your database implementation.
2. It is best for someone on the team to understand and build your own Jepsen test environment internally and test parallelly with the Kyle team.
3. Simplified deployment process is very helpful
4. Be sure the version of your DB before testing. Usually, you can select one when starting the test and select one before the end.
I really enjoy working with Kyle. I would say Kyle has a good sense of humor :), and I hopes to have another chance to cooperate Kyle and his team in the future! Thank you.
[+] [-] yingw787|6 years ago|reply
[+] [-] aphyr|6 years ago|reply
Writing tests is also great! Pick a system you like and dive in. There's a full tutorial (https://github.com/jepsen-io/jepsen/tree/master/doc/tutorial) that walks you through designing and running a test from scratch.
[+] [-] gregorygoc|6 years ago|reply
[+] [-] orthecreedence|6 years ago|reply
[+] [-] dgreensp|6 years ago|reply
[+] [-] kbenson|6 years ago|reply
So, less fun but better quality products. A few more years and maybe Jepson won't find many flaws at all as they'll be identified in development using the same tools.
[+] [-] atombender|6 years ago|reply
I've noted TiDB's weak transaction isolation guarantees before, which were not well documented. In particular, they claimed phantom reads were not possible, which this test shows isn't true.
That said, it looks like these issues aren't fundamental design problems and can be fixed.
[+] [-] aphyr|6 years ago|reply
[+] [-] nullwasamistake|6 years ago|reply
It pains me to say this, but strong ties to China company-wide will likely mean my org never adopts this, fk constraints aside. A victim of the trade war? Yes. But many of our clients are strictly "no Chinese vendors for libraries or dependencies", even if the data is on our own servers.
I'm not sure if anything can be done at this point, but building an isolated US based org would help immensely with adoption. The cap table also being mostly Chinese investors is enough to stop most US companies at the DD phase
[+] [-] ryanworl|6 years ago|reply
"We have not evaluated filesystem or disk faults with TiDB, and cannot speak to crash recovery. Nor have we tested dynamic membership changes. Both might be fruitful avenues of investigation for future research."
How do you choose what components to test once you get past obvious stuff like the highest claimed isolation level?
[+] [-] aphyr|6 years ago|reply
[+] [-] orthecreedence|6 years ago|reply
[+] [-] jinqueeny|6 years ago|reply
[+] [-] PeterCorless|6 years ago|reply
[+] [-] segmondy|6 years ago|reply
[+] [-] gorn|6 years ago|reply
Cheers!
[+] [-] aphyr|6 years ago|reply
[+] [-] shenli3514|6 years ago|reply
[+] [-] shirly1314520|6 years ago|reply
[deleted]
[+] [-] sykp241095|6 years ago|reply
[deleted]