Proposal: lakeFS hard-delete

[N-o-Z]

Closes #1933 (but not really...)

Design proposals document for in-house hard-delete in lakeFS

The

[N-o-Z]

More or less hit a brick wall with this 😅
Please see the summary for all the proposal attempts, please share if you have any ideas

[arielshaqed]

I think we need some more detail on the precise sequence of staging. I think delete object is actually the hardest operation to get right.

[arielshaqed]

Also for backfill for existing installations.

[N-o-Z]

Added

[arielshaqed]

We've previously considered this and similar proposals. The blocker has always been how to stage tombstones for deletion of objects (we never figured out how to do it; that does not mean it is impossible!). So we have to detail how deletion works in this proposal.

[N-o-Z]

I couldn't come up with any sufficient solution to this problem. The only option I thought of is adding a metadata entry on the object which marks it as deleted

[arielshaqed]

I think this is an important issue to resolve. (I know it's hard because AFAIR we've had several rounds on it.)

Adding metadata doesn't work because then you need to get actual data for the object to know how to handle it. E.g. think of listing, suddenly it has to HEAD every object in the listing. So your only options are to use data available in ListObjectsV2, where every object is represented by an Object. AFAICT your only chance there is an ETag -- if you declared some sequence of bytes "The Deleted Object" then you could compute its ETag and try to upload that whenever you wanted to delete an object. I am not a fan of having fixed "forbidden" strings, however -- they're exactly the kind of thing people like me end up wanting to store inside actual objects.

[arielshaqed]

I know I was among those to voice this concern, but I am not sure that it is warranted. At some point after writing the staged object the writer has to stage it. It will discover that its staging token is no longer valid. Now it needs to retry by copying the object over to the new staging token.

AFAIU this gives:

• Incorrect metadata: if I upload twice, I can end up with the new object data but the old object metadata.
• Correct data, at the price of repeated copy operations when writing with concurrent commits. (We would hope that S3 copy will be faster than S3 upload.)

[N-o-Z]

The problem is that the set operation will happen regardless if the upload was succeeded the first time. It means that we write to the staging token (in this case - overwrite the object on the physical address). When the writer discovers the staging token has changed, we simply retry the operation with the new staging token. The new data will be written to both the old token and the new token. This is something we couldn't quite find a way to deal with in the new KV design.

[arielshaqed]

AFAICT this is actually correct for data. However we might have incorrect metadata for the commit.

[N-o-Z]

I think that's just a different perspective to the same problem 😄

[arielshaqed]

This is unsafe, you need to decrement-and-compare atomically. Otherwise we might end up deleting the object in the face of a concurrent LinkPhysicalAddress.

[N-o-Z]

True - another option:

1. Decrement counter
2. if counter == 0 -> hard delete

In all other flows - read counter first, if counter < 1 - treat file as deleted.
WDYT?

[arielshaqed]

I think you will still need a reference counter (fortunately that's possible on KV!). Consider concurrently re-linking a staged object and deleting its old name.

[N-o-Z]

I think the reference counting is inferred with this solution, it is an aggregation of all the references of a physical address which are not in state deleted

[arielshaqed]

This seems worrying:

1. I commit an object at physical path abcd during staging stg1. So I have committed at references/abcd/stg1.
2. Concurrently:
   • Background delete runs and deletes this entry (the intent is to keep abcd, it was committed).
   • A copy operation stages abcd into staging stg2
     After both of these, I can have staged at references/abcd/stg2 and nothing (no key!) at references/abcd/stg1.
3. Delete this object. Now references/abcd/stg2 is deleted.
4. The next background delete deletes abcd, despite it being referenced by a commit.

[N-o-Z]

Background delete runs and deletes this entry (the intent is to keep abcd, it was committed).

This will not happen since we will not delete references which have at least one entry with state committed

Additionally, something that was discussed and was omitted from the design (will add it), is that the background delete operation is time based. i.e. a candidate for delete is a physical address which all of its references are in state deleted and the last modified timestamp is bigger than 'x' (for example a day).
This ensures us that this physical address is no longer being in use or have a chance to be referenced again.

[eden-ohana]

Maybe it's possible to save it on the KV store instead under the same prefix, it can help make the flow commit atomic

[N-o-Z]

Saving it in the KV store will require changing the way we manage uncommitted data. Currently entries are saved per staging token. What you suggest requires saving them per physical address. This will break the current staging flows, and will incur a lot of overhead when reading from staging area

[itaiad200]

Why is base assumption 1 valid here? I don't think we need to change the way we copy in this solution.

[N-o-Z]

Yes, deeper examination of the copy object flow show's this assumption is irrelevant for option 3

[itaidavid]

I might be missing some context here, but what are the reasons to not consider an offline GC?

[N-o-Z]

Offline GC is also considered. We want to exhaust the options of implementing an online solution.
This document discusses only the online solutions

[itaidavid]

How about branch deletion, when committed objects are left unreferenced?
Does the ref count cover it too?

[N-o-Z]

Yes, on branch deletion, and as part of the staging token drop, we scan over token entries,
if entry was tombstone - we delete the reference entry, otherwise we modify the reference state to deleted

[N-o-Z]

This is the same as reset branch

[itaidavid]

I'm not sure I follow on this one - I'm asking about a branch with all data commited - no objects at staging are for that matter, and say a certain object is only referenced by this branch. What happens when the branch is deleted? The (now) unreferenced object is not accessible via any of staging tokens, as these are gone

[N-o-Z]

We do not track committed data references, once data is committed the reference keys will eventually be deleted (only the reference keys, not the data) by the background process. Data which is committed is referenced by its commit, not its branch. By design we do not deleted these objects. This proposal discusses only the garbage collection on uncommitted data. For committed data we have the external GC process retention policy. I hope I answered what was asked

[itaidavid]

Actually you did. Thanks

[itaidavid]

Great coverage of these options and mainley, and most importantly, of their imperfections.
Some questions inside

[itaiad200]

What if there's a commit pointing to that physical address?

[N-o-Z]

In addition to the address we will provide on GetPhysicalAddress a validation token which will have also an expiry time (corresponding with the retention policy of the garbage collection). On GetPhysicalAddress we will create a reference entry with state deleted.
LinkPhysicalAddress will check the token validity, if token is valid - create entry and add reference for physical address with state staged.
As part of the changes - I'm starting to think we should drop support altogether for StageObject

[itaiad200]

AsyncDrop is called after a successful commit. It cannot delete the objects

[N-o-Z]

Not to go into implementation details, there's a very simple way to modify this function to take into consideration the scenario from which it was called

[itaiad200]

How can it be committed?

[N-o-Z]

race between Commit and StageObject

[itaiad200]

That takes some time and not easily revertable.

[N-o-Z]

I wouldn't say that it is not easily revertible, but it is a process that requires to iterate over all the staged entries and update the reference state.

[N-o-Z]

I need to check further but it might be possible to perform the marking during the iteration over the changes as part of the commit process - this should save us some time

[itaiad200]

It's a different partition. You would be replacing 2 iterations over the staging area with a single iterations that does 2 things. I don't think it would optimize the runtime.

[itaiad200]

Or the ability to revert easily.

[arielshaqed]

Thanks! Historically being able to represent deleted objects in staging has been the breaker for many similar proposals. I think that we should definitively resolve the representation of deleted objects before proceeding.

That said, I am not sure why "online hard-delete" has to depend on "no-KV staging contents" -- an alternate way forward might be to find a formulation that does not depend on keeping the staging catalogue on S3.

[arielshaqed]

I think this is an important issue to resolve. (I know it's hard because AFAIR we've had several rounds on it.)

Adding metadata doesn't work because then you need to get actual data for the object to know how to handle it. E.g. think of listing, suddenly it has to HEAD every object in the listing. So your only options are to use data available in ListObjectsV2, where every object is represented by an Object. AFAICT your only chance there is an ETag -- if you declared some sequence of bytes "The Deleted Object" then you could compute its ETag and try to upload that whenever you wanted to delete an object. I am not a fan of having fixed "forbidden" strings, however -- they're exactly the kind of thing people like me end up wanting to store inside actual objects.

[itaidavid]

Where is the Commit flow?

[itaidavid]

Please define active

[itaidavid]

Not sure I understand - now we only keep a reference entry, for staged?

[arielshaqed]

Thanks!

IIUC we are only considering option 4 (and maybe 5). Can we remove the other options (and rephrase 4 without 3)? I think it would help clarify the proposal.

[arielshaqed]

Not sure I understand: We keep every committed physical address? Isn't this going to be huge?

[N-o-Z]

Eventually committed references will be deleted by the background job

[arielshaqed]

AFAICT the current LakeFSFileSystem uses stageObject for uploads. Does this mean that users will have to upgrade all old clients?

[N-o-Z]

The link you provided and what I saw myself (though not savvy with our Java code) is for renameObject (move).
For that purpose we should use the CopyObject instead.
Short answer: Yes - if and when these changes are implemented, the old client's renameObject will no longer work

[itaiad200]

What is "Lock"? How is it implemented, how is it released? How is it treated by other operations?

[N-o-Z]

Added more information about the lock. Operations which involve the locking mechanism are explicitly addressed.Operations that are not mentioned are agnostic to the lock. (If you think I missed any please tell)

[itaiad200]

If it's optional can we start without?

[N-o-Z]

AFAIU this is a requirement. The move operation was created to support a main flow in our Spark client which currently is being performed on the metadata level (by using copy + delete).
As per @arielshaqed, this is something that we do not want to support by a full copy due to the performance implications

[arielshaqed]

Note that Spark lakeFSFS and Hadoop S3A do not exactly require a "move". We currently use LinkPhysicalAddress followed by a delete. So it isn't atomic, but at least it requires only metadata operations.

[itaiad200]

If the physical path is predetermined by the logical path and the staging token, why do we need to delete anything?

[N-o-Z]

It is not - it was never suggested to couple the logical and physical path in this proposal (#5). We only ensure we have a single logical address for each physical address

[itaiad200]

How can we not have it? Can we live with a system that some entries are locked for good?

[N-o-Z]

IMHO this is not something that we can live with. But - we need to take into account that using a time based lock might introduce new problems

[itaiad200]

So let's break it down then

[N-o-Z]

As I see it - we should first try to solve issue #1 (Commit - Move Race), before taking the time to solve this one.
Seems like the commit move race is our blocker.

[arielshaqed]

Time based locks are inherently unsafe unless your infrastructure has fairly strict guarantees on clocks. We need to ensure that at least AWS + EKS provide such a guarantee.

[itaiad200]

Can we not support move and avoid all races? 👿

[N-o-Z]

See previous comment regarding Move

[arielshaqed]

Thanks!

IIUC we've ruled out options 1-4. Can we perhaps get rid of them? It would make it easier (for me) to focus. 🔍

[arielshaqed]

Time based locks are inherently unsafe unless your infrastructure has fairly strict guarantees on clocks. We need to ensure that at least AWS + EKS provide such a guarantee.

[arielshaqed]

Note that Spark lakeFSFS and Hadoop S3A do not exactly require a "move". We currently use LinkPhysicalAddress followed by a delete. So it isn't atomic, but at least it requires only metadata operations.

[N-o-Z]

Thanks!

IIUC we've ruled out options 1-4. Can we perhaps get rid of them? It would make it easier (for me) to focus. mag

Thanks @arielshaqed
I feel that as long as we didn't settle on any proposal, we should keep all of the proposals information. In case this will be eventually rejected we will benefit from having documentation of all the attempted solutions for future reference.

[wengchenyang1]

Thanks!
IIUC we've ruled out options 1-4. Can we perhaps get rid of them? It would make it easier (for me) to focus. mag

Thanks @arielshaqed I feel that as long as we didn't settle on any proposal, we should keep all of the proposals information. In case this will be eventually rejected we will benefit from having documentation of all the attempted solutions for future reference.

Hello @N-o-Z , may I ask for the progress of proposal 5? We face compliance issue because some files are not hard deleted on s3.

[N-o-Z]

@wengchenyang1,
All the suggested proposals in this document have inherent faults which make non of them a viable solution. We've decided for the time being to work in other directions for this problem.
We''re currently working on designing an offline solution similar to the current GC process we have.
I'll make sure to tag you once the PR is opened

[itaiad200]

@N-o-Z can we merge this proposal to rejected?

[N-o-Z]

@N-o-Z can we merge this proposal to rejected?

Yes - lets do that

Moving proposal to rejected

[itaiad200]

Although this was rejected, the hard work on this suggestion proved us that an online consistent, atomic & maintainable solution to this problem is not feasible. This output is better than implementing a design that cannot work :)

[N-o-Z]

Although this was rejected, the hard work on this suggestion proved us that an online consistent, atomic & maintainable solution to this problem is not feasible. This output is better than implementing a design that cannot work :)

@itaiad200, I still want to believe that in the future we will be able to find a working solution for this problem