An advantage of distributed systems is the ability to continue to operate in the face of physical difficulties that would cripple a single, monolithic computing device. Such difficulties could include: sustained power outages, inclement weather, flooding, terrorist activity, and the like.
To compensate for the increased risk that individual member computing devices may become disconnected from the network, turned off, suffer a system malfunction, or otherwise become unusable, redundancy can be used to allow the distributed computing system to remain operational. Thus, the information stored or process executed on any one computing device can be redundantly stored on additional computing devices, allowing the information to remain accessible, even if one of the computing devices fails.
A distributed computing system can practice complete redundancy, in which every device within the system performs identical tasks and stores identical information. Such a system can allow users to continue to perform useful operations even if almost half of the devices should fail. Alternatively, such a system can be used to allow multiple copies of the same information to be distributed throughout a geographic region. For example, a multi-national corporation can establish a world-wide distributed computing system.
However, distributed computing systems can be difficult to maintain due to the complexity of properly ensuring that the individual devices comprising the system perform identical operations in the same order. To facilitate this often difficult task, a state machine approach is often used to coordinate activity among the individual devices. A state machine can be described by a set of states, a set of commands, a set of responses, and a transition function that assigns a response/state pair to each command/state pair. A state machine executes a command by changing its state and producing a response. Thus, a state machine can be completely described by its current state and the action it is about to perform.
The current state of a state machine is, therefore, dependent upon its previous state, the commands performed since then, and the order in which those commands were performed. To maintain synchronization between two or more state machines, a common initial state can be established, and each state machine can, beginning with the initial state, execute the identical commands in the identical order. Therefore, to synchronize one state machine to another, a determination of the commands performed by the other state machine needs to be made. The problem of synchronization, therefore, becomes a problem of determining the order of the commands performed, or, more specifically, determining the particular command performed for a given step.
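The following is an added example, not part of the original text, showing the state machine abstraction just described as a small key/value machine: a state, a set of commands, a set of responses, and a transition function that maps each command/state pair to a response/state pair. The command format (tuples such as `("set", key, value)`) and the function names `replay` and `replicas_agree` are assumptions made for this illustration. Two replicas started from the same initial state and fed the same commands in the same order end in the same state; the same commands in a different order do not, which is why agreement on the order of commands, rather than merely on the set of commands, is the synchronization problem.

```python
"""Replicated deterministic state machine (added example, not from the source)."""
from dataclasses import dataclass, field


@dataclass
class KVStateMachine:
    """A state machine: the state is a dict; commands are tuples; the
    transition function is `execute`, which returns a response and
    updates the state. Command format is an assumption of this example."""
    state: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # commands executed, in order

    def execute(self, command):
        op = command[0]
        if op == "set":
            _, key, value = command
            self.state[key] = value
            response = ("ok", value)
        elif op == "incr":
            _, key, delta = command
            self.state[key] = self.state.get(key, 0) + delta
            response = ("ok", self.state[key])
        elif op == "get":
            _, key = command
            response = ("value", self.state.get(key))   # read-only command
        else:
            response = ("error", "unknown command")
        self.log.append(command)
        return response


def replay(commands, initial_state=None):
    """Build a replica by starting from a common initial state and executing
    the given commands in the given order; returns the resulting state."""
    sm = KVStateMachine(state=dict(initial_state or {}))
    for command in commands:
        sm.execute(command)
    return sm.state


def replicas_agree(commands_a, commands_b, initial_state=None):
    """True when two replicas fed these command sequences from the same
    initial state end in the same state."""
    return replay(commands_a, initial_state) == replay(commands_b, initial_state)


if __name__ == "__main__":
    # Constructed sample: the same three commands in two different orders.
    in_order = [("set", "x", 1), ("incr", "x", 5), ("set", "x", 2)]
    reordered = [("set", "x", 1), ("set", "x", 2), ("incr", "x", 5)]
    print(replay(in_order), replay(reordered))   # {'x': 2} {'x': 7}
    print(replicas_agree(in_order, reordered))   # False
```

Because "set" and "incr" do not commute, a replica that applies the second command before the first diverges permanently; every later command is then applied to a different state.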
One mechanism for determining which command is to be performed for a given step is known as the Paxos algorithm. In the Paxos algorithm, any of the individual devices can act as a leader and seek to propose a given client command for execution by every device in the system. Every such proposal is sent with a proposal number so that proposals can be distinguished and ordered. Such proposal numbers need not bear any relation to the particular step for which the devices are attempting to agree upon a command to perform. Initially, the leader suggests a proposal number for a proposal it intends to submit. Each of the remaining devices can then respond to the leader's suggestion with an indication of the last proposal it voted for, or an indication that it has not voted for any proposal; by responding, a device also undertakes not to vote for any proposal with a lower number. Once a quorum of devices has responded, the leader proceeds. If, through the various responses, the leader does not learn of any prior proposal that was voted for by the devices, it can propose that a given client command be executed, using the proposal number suggested in the earlier message. If it does learn of prior proposals, it must propose the command of the highest-numbered one rather than its own, since that command may already have been agreed upon. Each device can, at that stage, determine whether to vote for the action or reject it. A device should only reject an action if it has responded to another leader's suggestion of a higher proposal number. If a sufficient number of devices, known as a quorum, vote for the proposal, the proposed action is said to have been agreed upon, and each device performs the action and can transmit the results. In such a manner, each of the devices can perform actions in the same order, maintaining the same state among all of the devices.
Generally, the Paxos algorithm can be thought of in two phases, with an initial phase that allows a leader to learn of prior proposals that were voted on by the devices, as described above, and a second phase in which the leader can propose client commands for execution. Once the leader has learned of prior proposals, it need not continually repeat the first phase. Instead, the leader can continually repeat the second phase, proposing a series of client commands that can be executed by the distributed computing system in multiple steps. In such a manner, while each client command performed by the distributed computing system for each step can be thought of as one instance of the Paxos algorithm, the leader need not wait for the devices to vote on a proposed client command for a given step before proposing another client command for the next step.
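The following is an added example, not taken from the original text or from any particular implementation, showing the two phases for a single step in Python. Message delivery is simulated by direct method calls, proposal numbers are plain integers, and the `reachable` parameter (which restricts which devices answer a leader) is an assumption used to model outages and partitions. The scenario in `run_scenario` is constructed by hand: a first leader gets its command agreed upon with one quorum, a second leader using a different quorum then learns of that vote in its first phase and is forced to propose the same command instead of its own, and a stale leader reusing an old proposal number is rejected.

```python
"""Single-step Paxos with simulated message delivery (added example, not from the source)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Acceptor:
    """One device's vote state for a single step."""
    name: str
    promised: int = -1           # highest proposal number responded to in phase 1
    accepted_num: int = -1       # number of the last proposal voted for (-1 = none)
    accepted_val: Optional[str] = None

    def prepare(self, n):
        """Phase 1: answer a leader's suggested proposal number n with the last
        proposal voted for, or (-1, None) if none. Returns None (no response)
        if this device already responded to a number >= n; from now on it
        will not vote for any proposal numbered below n."""
        if n <= self.promised:
            return None
        self.promised = n
        return (self.accepted_num, self.accepted_val)

    def accept(self, n, value):
        """Phase 2: vote for proposal n unless a higher-numbered suggestion
        has been responded to in the meantime."""
        if n < self.promised:
            return False
        self.promised = n
        self.accepted_num = n
        self.accepted_val = value
        return True


class Leader:
    """A device acting as leader for one step."""

    def __init__(self, acceptors):
        self.acceptors = acceptors
        self.quorum = len(acceptors) // 2 + 1   # strict majority

    def propose(self, n, client_command, reachable=None):
        """Run phase 1 then phase 2 with proposal number n. `reachable` (an
        assumption of this example) names the devices whose messages get
        through. Returns the agreed value, or None if no quorum was reached."""
        targets = [a for a in self.acceptors
                   if reachable is None or a.name in reachable]
        # Phase 1: collect responses; a quorum must answer before proceeding.
        responses = [r for r in (a.prepare(n) for a in targets) if r is not None]
        if len(responses) < self.quorum:
            return None
        # If any device already voted for a proposal, the leader must propose
        # the value of the highest-numbered such proposal, not its own command.
        prior_num, prior_val = max(responses, key=lambda r: r[0])
        value = prior_val if prior_num >= 0 else client_command
        # Phase 2: ask for votes; the value is agreed once a quorum votes for it.
        votes = sum(1 for a in targets if a.accept(n, value))
        return value if votes >= self.quorum else None


def run_scenario():
    """Constructed scenario with five devices A..E (quorum = 3)."""
    acceptors = [Acceptor(name) for name in "ABCDE"]
    leader = Leader(acceptors)
    first = leader.propose(1, "X", reachable={"A", "B", "C"})   # "X" agreed
    # A second leader reaches a different quorum that overlaps the first in C;
    # C reports its vote for proposal 1, so "X" is re-proposed instead of "Y".
    second = leader.propose(2, "Y", reachable={"C", "D", "E"})  # still "X"
    # A stale leader reusing number 1 gets no phase-1 responses at all.
    stale = leader.propose(1, "Z", reachable={"A", "B", "C"})   # None
    return first, second, stale


if __name__ == "__main__":
    print(run_scenario())   # ('X', 'X', None)
```

The point of the scenario is the majority-intersection argument: any two quorums share a device, and that device's phase-1 response is what prevents the second leader from getting a different command agreed upon. The optimization described above for multiple steps (a leader that has completed phase 1 once keeps reusing phase 2 for subsequent steps) is not modeled here; each call to `propose` runs both phases for one step.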
The distributed computing system, as a whole, can be modeled as a state machine. Thus, a distributed computing system implementing complete redundancy can have each of the devices replicate the state of the overall system, so that each device hosts its own “replica” of the same state machine. Such a system requires that each replica maintain the same state. If some replicas believe that one client command was executed, while a second group of replicas believes that a different client command was executed, the overall system no longer operates as a single state machine. To avoid such a situation, a majority of the replicas can generally be required to select a proposed client command for execution by the system. Because any two groups of replicas, each having a majority, share at least one replica, mechanisms such as the Paxos algorithm can be implemented that rely on that common replica to prevent two groups, each containing a majority of replicas, from selecting different proposed client commands.
However, a system that is expected to run for an extended period of time must deal with devices becoming permanently retired or otherwise permanently failed. The system should therefore provide a means of swapping out some devices and replacing them with others (i.e., changing the set of state machine replicas) so that the system's tolerance of future failures is restored to its original level. Otherwise, once the number of failed devices reaches the maximum that the quorum size can absorb, the system is no longer fault tolerant: it continues to operate, but any further failure leaves it without a quorum. Replacing failed devices restores the ability of the system to tolerate new failures. Additionally, the system should allow for the addition of new devices to increase the number of tolerable device failures and thereby provide greater fault tolerance. The original Paxos algorithm gives a simple description of how the system can decide to change the set of state machine replicas participating in the protocol. But the approach presented by the original Paxos algorithm does not address various special circumstances that can arise during a change in the replica set.