Rethinking Disaster Recovery for MPP Databases - Part 2

As illustrated in my previous article, managing MPP Postgres logical backups can be a chore. Does not matter if it is Broadcom Greenplum, EnterpriseDB Warehouse PG, or Apache Cloudberry – all suffer from the same effects:

• elongated backup times,
• table locks,
• slower queries
• equally long restore times, and
• backup management headaches.

A long-time banking customer had been suffering from all of the above. I pitched Broadcom's recently released Greenplum Disaster Recovery (GPDR) in 2023. By early 2024, pressure from the organization was applied to get it under control. Two day backups and a follow-on two day restore were not meeting their standards. This is an account of our journey reducing RPO as well as RTO from 2 days to under 15 minutes each with zero impact to application architecture.

Discovery

Sun Tzu is often quoted as saying "First seek to understand". Paraphrase at best but applicable all the same. In those few words, we can expand into the following initial questions:

• What are we getting into?
• What are we dealing with?
• Can we afford to meet organization requirements?

Answering "how" will wait.

What are we getting into? / Mole hill or mountain?

The organization had been using Greenplum for years. During that time, many applications adopted it as their data warehouse. Due to Greenplum's success, the data warehouse management team had gotten a pass regarding backups. That pass had expired.

Each application used its own schema. To minimize the impact of backups causing locks, logical backups were done in groups of applications / schemas. For years, existing group backup had worked but with greater adoption and growth it was taking two days to complete all job groups.

Offsite was a disaster recovery cluster. Every backup was replicated and restored however logical backups took an equal amount of time to restore: two days.

What were our RPO and RTO goals? Brief definition on each since they are sometimes confused. RPO, or Restore Point Objective, is the maximum acceptable amount of data loss typically measured in time. Their existing process "delivered" two days, that is two days of data loss. RTO, or Restore Time Objective, is the maximum time the system could be tolerated being down for recovery without a major impact to business.

The answer I got: Two hour RPO and two hour RTO. On top of that, minimum one week retention of all backups.

Sure. No problem. Right?

What are we dealing with? / Taking inventory

By the numbers, their production cluster was home to many applications with:

• 400 TB of storage,
• on 96 primary segments with two RAID-5 volumes, and
• across 16 segment hosts.

Not small but not terrible either.

Existing backup infrastructure included:

• cluster hosts with active-active private network interfaces,
• 10 Gbps private network, and
• DataDomain with four 25 Gbps capable network interfaces and 150 TB of storage.

My takeaway from this:

• Applaud for them using active-active. Trust all gear will fail eventually from NIC to switch port and everything in between.
• A private 10 Gbps network is a good start and may suffice however is something to be watched.

Regarding their DataDomain, I knew it was a capable NAS solution including data deduplication, compression, and replication. That coupled with DDBoost could make it very usable. DDBoost is an add on from DataDomain optimizing and at times negating the need for data transfers. Think along the lines of "server wants to send block X, DataDomain says it already has it, server moves on to next block." Neat, right?

Can we afford to meet organization requirements? / What's the budget?

Fortunately, I knew this organization was about preparation and doing the right thing. Of course justification was necessary. In advance of project kickoff I learned their antiquated offsite disaster recovery cluster was being replaced with new gear complete with NVMe storage. Big win!

DataDomain was already replicating to the same site as well and had equal storage and specs.

Known was this system's struggle with clean up's. Clean up for DataDomain as well as any other gear performing deduplication is the final removal of unnecessary blocks.

Deduplication and clean up's by way of a simple example:

• A 1 GB file may be broken up into 32 KB blocks therefore represented by 31,250 blocks
• If the identical file is stored, 1 GB of storage is used.

What if 1 block changes? 31,249 blocks are reused and two copies of the now slightly differing files consumes 1 GB + 32 KB storage. Deduplication demands tracking of these blocks and order of each for every file referencing each. This is one way solutions like DataDomain's can retain multiple backups representing hundreds of TB's on as little as 100 TB of actual storage.

Clean up's are necessary to release unreferenced blocks and the storage they consume. Some solutions do it continuously and others only periodically. This customer had their DataDomain on a once/week schedule. While clean up's were running, the storage was slow to the point of almost unresponsive. From experience, the 7-day backup retention had to be pushed to 8-days allowing for backups to complete before old were removed. This includes WAL files. This was a concern.

A second concern was the amount of storage itself. If we assume 400 TB will compress to 100 TB then 66% of actual storage will be used. We haven't gotten to WAL files.

WAL files produced is a good measure of overall database activity. Knowing how many would be critical, a simple WAL tracking system was implemented at the beginning of the project. After one month, we had real statistics.

• 5,408 average WAL's per hour
• 129,788 average WAL's per day

Postgres MPP software uses 64 MB per WAL file. An average day of uncompressed WAL files then is roughly 8.3 TB. We have 4:1 compression and deduplication though… no we don't