Table of Contents |
---|
Introduction and strategy
Multi-tenant CockroachDB Cluster virtualization is a new way to structure the CockroachDB technology that achieves isolation between logical clusters. This is most useful when we share a common distributed storage across competing customers, i.e. multi-tenancy and Software-as-a-Service.
(As an analogy, multi-tenant CockroachDB CockroachDB’s cluster virtualization achieves the virtualization of CockroachDB SQL in a similar way that containers or VMs achieve a virtualization of hosted servers.)
Today (Early 2022Summer 2023), the multi-tenant architecture cluster virtualization is only available inside the CockroachCloud Serverless product. However, eventually, we wish to evolve CockroachDB to serve all application traffic using the multi-tenant architecturecluster virtualization, including inside CockroachCloud Dedicated and licensed CockroachDB self-hosted customers.
In the words of our CTO, “Multi-tenant CockroachDB “Virtual clusters is the way CockroachDB should have been designed from the start.”
This also means that we are now focusing our development to maximize the application developer experience on top of multi-tenantcluster virtualization.
Care must be taken to distinguish the internal product architecture, discussed here, from the ability to actually run two or more tenants virtual clusters side-by-side:
Cockroach Labs would retain exclusive right to define more than one tenant virtual clusters side-by-side on a shared storage cluster, via the Serverless product offering.
In CockroachCloud Dedicated and for self-hosted deployments, applications will be able to utilize a single pre-defined virtual cluster layered on top of the multi-tenant architecture, without the capability to define more tenants.
Overview of run-time components
...
Summary table
Logical components: the account administrator's view
What's virtualized | New name for the virtualized logical concept | Previous terminology | New name for the physical infrastructure |
The CockroachDB cluster service, as a whole | NEW: “Virtual cluster” or alternatively “logical cluster” | “Cluster” | N/A: the underlying infrastructure is not visible to end-users any more. |
Run-time state for a (virtual) cluster | “VC Servers/pods” | “Servers/pods” | NEW: “Shared storage servers/pods” |
On-disk state for a (virtual) cluster | NEW: “VC-specific data” or “virtual keyspace” | “CockroachDB data” | NEW: “Shared storage data” |
new: the SQL interface used to administer other virtual clusters = system interface (Previously “system tenant”) Beware of the difference between “Shared storage cluster” (deployed system) and “System interface” (logical cluster an administrator connects to, to create additional virtual clusters) | |||
Ownership (not data) | “Tenant” or “Workload” | “User” |
Deployment components: the deployment/SRE view
Description | In-code abstraction | In-memory instance | Unix process | Running container |
Routes SQL clients to the right server | “SQL proxy” | “SQL proxy instance” | “SQL proxy server” | “SQL proxy pod” |
Runs SQL queries |
“SQL” or “SQL gateway” | “SQL instance” | “SQL server”or “SQL-only server” to highlight server contains no KV instance | “SQL pod”(implies “SQL-only server”) | |
Runs KV queries | “KV components” (plural) | “KV instance” | “KV server” but the term is inclusive of mixed servers, we don't yet support KV-only servers. | N/A, we don't currently run KV-only servers. |
Stores data for multiple virtual clusters, 1 unit | NEW: “Shared storage server” | NEW: “Shared storage pod” | ||
Runs both SQL and KV queries | NEW: “Mixed SQL/KV servers” | NEW: “Mixed SQL/KV pods” | ||
Stores data for |
NEW: “Shared storage/DB server”
NEW: “Shared storage/DB pod”
all virtual clusters, fleet of all servers | NEW: “Shared storage cluster” | NEW: “Shared storage cluster” |
We also use the word “node” to designate either a unix process or Docker container, when the distinction does not matter.
Logical components: the account administrator's view
...
What's virtualized
...
New name for the virtualized logical concept
...
Previous terminology
...
New name for the physical infrastructure
...
The CockroachDB cluster service, as a whole
...
“Virtual cluster”
...
“Cluster”
...
N/A: the underlying infrastructure is not visible to end-users any more.
...
Run-time state for a (virtual) cluster
...
“Tenant servers/pods”
...
“Servers/pods”
...
NEW: “Shared storage/DB servers/pods”
...
On-disk state for a (virtual) cluster
...
“Tenant-specific data”
...
“CockroachDB data”
...
NEW: “Shared storage/DB data”
...
new: the virtual cluster used to administer other virtual clusters = system cluster
Beware of the difference between “Shared storage cluster” (deployed system) and “System cluster” (logical cluster an administrator connects to, to create additional virtual clusters)
...
Ownership (not data)
...
“Tenant”
...
All-the-things: host clusters
In CockroachCloud deployments, we need a word to designate a complete fleet consisting of:
a single storage cluster
all the SQL servers /pods connected to it
one or more SQL proxy directing traffic to the SQL pods
the corresponding DNS service, Prometheus instance, Kubernetes configuration, etc
This complete fleet of “All the things” is named a Serverless host cluster.
...
Architectural terms
SQL Proxy
...
Role:
Accepts incoming connections from client apps
Determines which tenant the connection is for
Routes each connection to a SQL instance
Segue: Instances, servers, pods and nodes
...
“Instance”: a run-time realization of a data structure in the source code. Think: class vs object.
TCP/UDP ports are attached to instances.“Server”: a unix process started from an executable file. Contains diverse instances.
CPU/memory/IOPS accounting commonly happens here.“Pod”: a container, a kind of reduced virtual machine that can be managed by Kubernetes.
Usually contains 1 process, can contain more.
IP addresses and storage volumes are attached to containers.
...
We use the word “Node” when the distinction between “server” and “pod” does not matter.
SQL
...
NB: The name is just “SQL”.
Derived as “SQL instance”, “SQL server”, “SQL pod”, “SQL node” depending on the run-time properties of interest.
...
Accepts incoming connections from SQL proxy.
Responsible for SQL query execution for client apps, scoped to one virtual cluster.
Performs KV data requests to a shared storage cluster.
Also offers tenant-specific HTTP APIs scoped to one virtual cluster.
Also known as “SQL-only server, pod, node” when the process only contains a SQL instance.
Shared storage cluster
...
Role (collective):
Accepts (KV) data requests from SQL instances.
Shared by many tenantsvirtual clusters.
Responsible for persisting (storing) data.
Abstract concept: KV-only server, pod, node
...
“KV instance”: Accepts and serves KV requests for SQL instances. This does exist.
“KV-only server”: This does not exist yet: we have not yet built the capability to run a process containing only a KV instance.
Storage server, pod, node
...
“Storage server”: a process that contains both a KV and SQL instance.
...
The SQL component here is “System SQL”
invisible to tenantsvirtual clusters.
used to administer virtual clusters and KV.
cockroach demo
: a hybrid server
'cockroach demo' is a tool built out of testing code, which is able to run a single server process containing a system cluster and, optionally when --multitenant=true
, one additional non-system virtual cluster.
This is organized at run-time as follows, given --nodes=N
:
N x KV instances
N x SQL instances for the system cluster.
Optionally, with
--multitenant=true
, N x additional SQL instances able to serve the one additional virtual cluster.
This gives a total of 2 or 3 times N instances able to run services, inside the same 'demo' process.
From the perspective of the users of 'cockroach demo', such a server process has two interfaces:
The SQL interface(s) to the non-system virtual cluster.
This is what is presented at the interactive prompt with
--multitenant=true
The SQL interface(s) to the system interface.
This is what is presented at the interactive prompt with
--multitenant=false
.This could (hypothetically) be used to create additional virtual clusters inside the demo process.
There's currently some UX misdesign, in that the existence of two separate virtual clusters is not clear to the user of cockroach demo
. We know about this shortcoming and it should get fixed at some point.
Serverless Host Clusters: all-the-things
The CC deployment tooling needs to name the fleet of all components running around a storage cluster to support Serverless tenants
...
.
We’ve called this the “Serverless Host Cluster”, often simplified “host cluster” and this includes:
one storage cluster
all the SQL servers connected to it
the accompanying Prometheus instance
the accompanying DNS glue service
one or more K8s clusters supporting the configuration (we need more than one when the host cluster is spread across multiple regions).
any other run-time components around the same storage cluster.
...
Logical concepts
The essence of the multi-tenant architecture cluster virtualization is to introduce logical boundaries inside of a shared architecture — for the purpose of separate billing, running client apps side-by-side, avoiding interference, etc. So we also need words to designate those things that have received logical boundaries.
These concepts exist on a different semantic level than the run-time “deployment” aspects covered above. Hence the need for a separate vocabulary.
Virtual CockroachDB clusters
To the extent that CockroachDB is perceived to serve a “database product” to end-users, the multi-tenant new architecture creates a virtualization of this product.
...
Datacenter hosting went from physical machines to virtual machines (VMs) running on a shared physical infrastructure.
Memory architectures have this same split between physical addressing (corresponding to hardware) and virtual addressing (multiple logical address spaces using shared hardware, coordinated by MMUs).
Operating systems enable sharing physical processing units (cores) to present virtual processing units (threads) to software.
Likewise, in multi-tenant CockroachDBCockroachDB’s cluster virtualization technology,
The “per-tenant” product that end-users see is a virtual CockroachDB cluster.
The architecture shares a physical cluster (a set of interconnected shared storage servers) to produce the illusion of many virtual clusters for end-users.
Tenants: the owners of virtual clusters
There's a lot of different data that is coordinated from a CockroachDB cluster: its KV persistent state, its backups (stored elsewhere, e.g. in storage buckets), its authentication service for logins, etc. All this is “owned” by an organization / customer / end-user, identified as a single entity in the control plane.
...
This “owner” abstraction exists beyond the CC serverless infrastructure: when our self-hosted customers ask us to deploy multi-tenant in their infrastructure, it's because they want to split ownership of a physical cluster between multiple sub-organizations.
What's a virtual cluster made of: tenant-specific data
A single tenant does not own just a virtual CockroachDB that can run SQL queries.
...
The state of a virtual cluster is the collection of all the related tenant-specific data.
...
VC servers and pods
Mostly for security reasons, and additionally for billing reasons, we find it important to ensure that a single SQL server process does not serve instances on behalf of more than one tenant.
...
We are thus tempted to equate the phrases “tenant server” = “SQL-only server” = “virtual cluster server/service”.
However, consider that next to SQL nodes (servers and pods), a deployment would also run other pods that are specific to just one tenant; for example, a Prometheus pod and a log collector.
We'll name the fleet of run-time nodes (servers and pods) that are serving just one tenant, the tenant nodes (servers and pods). This includes both SQL-only servers but also other tenant-specific services needed to serve a virtual cluster.
System
...
interface: the administrative environment
Currently, we have chosen to administer the creation/deletion of virtual clusters using SQL statements run in the context of a virtual cluster with special privileges.
...
So we need a word to designate that virtual cluster. To follow established terminology, we will call this the system clusterinterface.
Today, the term “system cluster” interface” largely overlaps with “shared storage cluster” because, implementation-wise, we have chosen to give SQL semantics to the keyspace that does not use a tenant VC prefix. However, this choice may be revisited in the future, such that we mandate a tenant VC prefix for all logical clusters including the system cluster. Should such plans materialize, the system cluster would become virtual interface would be supported by a virtual cluster too. It is thus useful to be disciplined about distinguishing the term “system cluster”interface”, which designates a logical cluster which is possibly virtualSQL interface, and “shared storage cluster”, which strictly designates the set of interconnected storage servers.
This system cluster interface and all its adjacent “own” data also has an owner, which in the context of CC is Cockroach Labs itself. The owner of the system cluster interface is the system tenant.
System instances and servers
Currently, we have chosen to co-host the SQL instances that can serve queries for the system cluster interface together with the KV instances for the storage servers.
...
the KV instances shared by all virtual clusters;
SQL instances specific to the system tenantinterface, able to serve access to the system storage cluster.
However, this is not the only way we can do this. In fact, we could also make a plan to enable running SQL instances for the system cluster interface in a separate SQL-only server.
Generally, we'll call any server that contains at least one SQL instance for the system clusterinterface, a system server. Our current shared storage servers are also system servers; our future SQL-only servers with system cluster capability will be system servers too.
Our unit tests also run many SQL instances side-by-side, including multiple SQL instances that operate on system clusters; inside the context of tests, these are system instances.
Shared state in a multi-tenant deployment
In addition to tenant-specific state that defines virtual clusters, a multi-tenant deployment needs shared state too:
At run-time:
The SQL proxy node(s) (server(s) and pod(s)), which routes SQL client apps to their own virtual cluster.
The shared storage/DB nodes (servers and pods).
The networked shared storage/DB cluster, as a fleet of nodes.
The run-time state of the system clusterinterface.
On disk:
The aggregate state of all virtual clusters stored on a single storage cluster.