PDF of this tutorialIn a hot-standby database pair, there is always some delay before the standby database can take over from the downed active database. Designers of systems with stringent reliability requirements seek to reduce this repair time and make it deterministic.
A 1-Safe architecture is characterized by a relatively long and unpredictable recovery time. For a 1-Safe standby database to take over, it must first drain the queue of pending log records coming from the active database. The length of this queue is unpredictable and depends on such factors as the relative speeds of the two database machines and the transaction load on the system. Next, if data loss is a concern, applications must query the database to determine which transactions were lost during the failover period, and re-execute them. This may be quite complex, and will take an indeterminate length of time.
A 2-Safe Received system must drain the queue of log records received from the active database. As with 1-Safe, the length of this queue is unpredictable and depends on such factors as the relative speeds of the two database machines and the transaction load on the system. However, except under extraordinary circumstances, applications do not have to worry about data loss. Most application developers will ignore the case of multiple simultaneous machine failures because it is extremely rare.
In the 2-Safe Durable architecture, recovery time is much shorter and deterministic, because all transactions committed at the active node have already been committed at the standby node. The standby database has no recovery to perform, and can immediately take over from the downed database. For applications with stringent MTTR SLAs, 2-Safe Durable may be the only acceptable option.
|
Figure 13: MTTR Considerations
