HADR Takeover

This page discusses takeover related topics: role switch, failover, and primary reintegration.

Table of Contents

What is takeover

The " takeover hadr " command does role switch, or failover, with just a single command. The command can only be issued on the standby (the standby takes over to become a primary). There are two flavors:

  • Non-forced takeover (a.k.a, graceful takeover, role switch): Primary and standby switch roles. Guaranteed no data loss. This is used for planned maintenance, such as rolling update .
  • Forced takeover (ie. failover): Standby becomes primary, but old primary remains primary. This is used in failover, where old primary may not be reachable from the standby. When old primary is reachable, standby sends a message to it to disable it, to avoid split brain.
    • A "peer window only" option can be added to "takeover by force" command. With this option, if the standby is in peer window when the command is issued, takeover will proceed and the there will not be any data loss. If standby is not in peer window, the takeover command will fail. This option is often used for "safe" automated takeover. See also peer window .

For multiple standby , takeover (both flavors) is allowed on any standby. After takeover, all new standbys will be auto reconfigured to connect to the new primary.

Primary reintegration

After a failover, the old primary can rejoin the new primary as a standby. This is known as primary reintegration. Primary reintegration will succeed only if there is no data loss during the failover (ie. log streams of the two databases have not diverged). If there is no data loss, then the new primary has all the log data of the old primary and it will continue logging on the common log stream. If there is data loss, then the old primary has some log data not replicated to the new primary. As the new primary starts its logging at the takeover point in the log stream, it writes different data than the old primary's, effectively forking off a new log stream. The following diagram shows diverging log streams: 

        common log data    takeover_point   old primary's not replicated data
        -------------------------+--------------------------------------------
                                 |
                                 ---------------------------------------------
                                            new primary's log data

Run "start HADR ... as standby" command on the old primary to convert it to a new standby.

The command will change the database role to standby, start the database in standby role, then return. When the command returns success, it does NOT mean that primary reintegration has succeeded. The new standby has yet to connect to the new primary to check if its log stream is compatible to the new primary's. The "start HADR ... as standby" command does not wait for the check because it can take a long time. For example, the new standby may not even be able to connect to the primary for an extended time. User should continue to monitor the new standby until it connects to the primary and enters remote catchup or peer state. If reintegration fails (two databases have diverging log streams), the new standby will shut itself down. Check db2diag.log file for details.

What happens during a takeover

Non forced takeover

The following steps are performed during a non forced takeover:

  • Primary forces all applications off. Open transactions are rolled back.
  • Ship all logs generated on the primary to standby, including log data generated by rolling back open transactions.
  • Primary turns into standby role.
  • Standby forces all applications off if reads on standby is enabled,
  • Standby completes replay of all received logs. There will be no open transactions at end of replay because open transactions have been rolled back when replaying roll back records from the primary.
  • Standby turns into primary role, after completing log replay and receiving notification from primary that the old primary has turned into a standby (this rule avoids split brain (two primaries) in all cases, but may result in two standbys in error cases).

To minimize takeover time, forcing applications on primary, forcing applications on standby, log shipping, and log replay are all performed in parallel.

Forced takeover

The following steps are performed during a forced takeover:

  • If primary and standby are connected, standby sends a message to primary to stop its log writing immediately. Open transactions are not rolled back on the primary, because roll back needs to write log records. To minimize data loss, standby gives the old primary a few seconds to ship over logs already written. To avoid blocking failover, log shipping is stopped after a few seconds even if end of log is not reached. If primary and standby are not connected, nothing is done to the old primary. User is responsible for taking old primary offline.
  • Standby forces all applications off if reads on standby is enabled,
  • Standby completes replay of all received logs.
  • Standby rolls back all open transactions at end of replay (similar to "roll forward stop").
  • Standby turns into primary role, after rolling back open transactions.

To minimize takeover time, forcing apps on standby, log shipping, and log replay are all performed in parallel.

To avoid split brain, it is best practice to take the old primary offline before failover and keep it offline after failover. Standby stopping log writing on old primary is only best effort and it does not prevent read only access.

What affects takeover speed

The main factors affecting takeover time are:

Non forced takeover

  • Size and number of open transactions on the primary when takeover is issued. This determines how long it will take the primary to roll back these transactions. Large transactions or large number of transactions will slow down takeover.
  • How soon log shipping completes. Standby must receive all log data generated by the primary. Primary can generate rollback log records after takeover has started. For superAsync mode, there can be a big primary-standby log gap at beginning of takeover because takeover is allowed in remote catchup state. For other sync modes, non forced takeover is allowed only in peer state, where log gap is small (about one flush, typically a few pages).
  • How soon standby can finish replay of all received logs. Log buffering and spooling can result in a large receive-replay log gap at start of takeover. This backlog needs to be replayed before takeover finishes. Logs generated after takeover starts (roll back log records) need to be replayed too.

In superAsync mode, it is recommended to issue non forced takeover only when primary-standby log gap is relatively small. Throttle or stop primary workload before takeover if needed.

It is best practice to check the followings before issuing a non forced takeover:

  • HADR state (peer state is required unless sync mode is superAsync).
  • Number and type of applications connected to the primary.
  • Primary-standby log gap.
  • Standby receive-replay log gap.

Forced takeover

  • Size and number of open transactions when replay reaches end of logs received from the primary. Standby will need to roll back these transactions. Large transactions or large number of transactions will slow down takeover. User can estimate end of replay open transaction status before issuing takeover by understanding general primary workload property, and looking at transaction status on the standby during replay via the "db2pd -transaction" command.
  • Log shipping in forced takeover is limited to a few seconds if old primary is still connected. If it is not connected, then log shipping ends immediately. So generally we expect only a small amount of of additional logs or no additional logs to arrive from the primary after takeover starts.
  • How soon standby can finish replay of all logs received from the primary. Log buffering and spooling can result in a large receive-replay log gap at start of takeover. This backlog needs to be replayed before takeover finishes.

It is best practice to check the followings before issuing a forced takeover:

  • HADR state (forced takeover is not allowed in local catchup and remote catchup states).
  • Number and type of applications in primary workload.
  • Primary-standby log gap. Data in the gap will likely be lost in a failover.
  • Standby receive-replay log gap.

How to monitor takeover

Use the "db2pd -hadr -db <dbname>" to monitor overral progress of takeover. During a takeover, there may be a time window when clients cannot connect to either primary or standby, so SQL based methods such as table function won't work.

  • Monitor TAKEOVER_APP_REMAINING_PRIMARY and TAKEOVER_APP_REMAINING_STANDBY fields for the progress of forcing applications off the primary and standby. This is especially useful when there are a large number of clients or long transactions. Note that "db2pd -hadr" shows these fields only when takeover is in progress.
  • Monitor PRIMARY_LOG_POS, STANDBY_LOG_POS, and HADR_LOG_GAP fields for progress of log shipping. While rolling back a large transaction, remaining application status may not change for some time, but log position should move as more undo records are generated.
  • Monitor STANDBY_LOG_POS, STANDBY_REPLAY_LOG_POS, and STANDBY_RECV_REPLAY_GAP fields for the progress of replay. Standby must finish replaying all received logs before becoming a primary. The gap can be large when log spooling is enabled. Note that more logs can arrive after takeover starts (STANDBY_LOG_POS can move).

Use the "db2pd -applications -db <dbname>" command to view details of remaining applications. Note that this command lists both user applications and DB2 internal connections. For example, the replay agent on standby is also listed. It can be identified as having "Appid" like "*LOCAL.DB2.121029205843" (the 2nd field is the user name for user applications. "DB2" is used for internal apps. The ending number is a time stamp for "2012-10-29 20:58:43", which is the start time of the application in GMT) and "SystemAuthID" as "n/a".

Use the "db2pd -transactions -db <dbname>." command to get additional information on the applications. Pay attention to the State, Firstlsn, Lastlsn, SpaceReserved, and LogSpace fields. During roll back, State will be "ABORT". Unless a transaction hangs, Lastlsn should be increasing. LogSpace shows how big the transaction is (it is the sum of space already used and SpaceReserved). SpaceReserved shows estimation of log data yet to be written for this transaction.

Use the "db2pd -recovery -db <dbname>" command to get details of the current status of recovery, which is part of the takeover process. The output shows the LSN and LSO values that are being replayed/compensated currently. There is also the “progress” section at the bottom showing the progress of the recovery, including the description, starting time, and total work done for each phase. If these values change over time, then the recovery process must be progressing, and takeover has not hanged.

For more info on db2pd, see DB2 V9.7 Info Center , and DB2 V10.1 Info Center .

How to recover from failed takeover

For non forced takeover, first examine the role of both databases after takeover failure. You may end up with two standby databases, but you will never end up with two primary databases. If a database is offline, use "HADR database role" field from "db2 get db cfg for <dbname>" command to determine the role. Do not attempt to restart a database before examining its role and working out a recovery plan.

  • If neither database has changed its role, you may retry takeover after correcting the root cause.
  • If old primary has changed into standby role, but old standby has not changed into primary role, you have two standbys. You may choose either one to issue a forced takeover to change it into a primary. The two standby databases have identical log streams at this point. So either one can become a primary while keeping the other one compatible to it. To decide which one will become the new primary, consider the following:
    • Which database's location works better as primary for your business?
    • How long will the forced takeover take? You may start the two databases as usual in their standby role, then examine their replay positions. In DB2 V10.1 and later, see STANDBY_REPLAY_LOG_POS field. In earlier releases, see STANDBY_LOG_POS field. You may want to choose the one with a higher replay position (less log to replay before becoming a primary). Generally, the old primary is likely to have a higher replay position.
  • If both databases have changed into their new roles, simply restart any crashed databases and the pair should connect and function.

For forced takeover, examine the role of the old standby after the failure (role of old primary is never changed). Assuming you still want to use the old standby as the new primary (chances are that this is a failover and old primary is not available):

  • If the old standby has not changed its role, you may retry takeover after correcting the root cause.
  • If the old standby has changed its role, restart it and it should function as the new primary.

How to deal with hanging takeover

If a takeover appears hang, first monitor it to find out what is hanging (see "How to monitor takeover" above). If possible, resolve the issue and let the takeover end by itself. As a last resort, you can forcefully end the takeover. This may be necessary because while takeover is hanging, you lose service availability (neither database can serve clients). Use the following procedure to stop takeover:

  • Try deactivating the old standby. If deactivation fails or hang, kill the database.
  • Try deactivating the old primary. If deactivation fails or hang, kill the database.
  • Use the "How to recover from failed takeover" procedure above to recover.

Takeover takes a long time to initiate

When a takeover is initiated, the other side must receive a connection from the takeover for it to proceed. This takeover connection can potentially end up competing with connection requests from client applications. A large number of connection requests coinciding with takeover can cause a delay in takeover being able to proceed. It's recommended to control and limit as much as possible incoming connections prior to initiating takeover.

There are a few methods to help alleviate the competition of the takeover with other connections:

  1. Use db2trc to suspend the tcp/ip communication manager from establishing new connections. See the technote here: Preventing application database connections from automatically activating a database after db2start.
  2. Configure your clients to wait between connection attempts to reduce the number of incoming connections. The acrRetryInterval variable, set in the db2dsdriver config file, can be used to control client reconnection intervals. See here: Configuration of Db2 automatic client reroute support for applications other than Java
  3. Upgrade to at least Db2 v11.1.4.4 for the latest improvements in streamlining the latching involved for new incoming connections to determine if a takeover request is in progress and if so, to stop trying to connect.

Database accessibility during HADR takeover

Beginning in 11.1.2.2, the database can be configured to allow connectivity during the backward phase of crash recovery or takeover. The backward phase is divided into two parts. The first part is synchronous, for undoing transactions with DDL, catalog changes, column-organized tables, etc. This part still does not allow connections. The second part is asynchronous, for undoing transactions that only touch regular objects. In this part the database can be connectable.

By setting the registry variable DB2_ONLINERECOVERY=YES before takeover, the takeover command will return at the start of asynchronous backward phase, when the database become connectable. At this moment, the tables, indexes, or objects NOT associated with uncommitted transactions will be fully accessible.

Another registry variable DB2_ONLINERECOVERY_WITH_UR_ACCESS will control if the tables, indexes, or objects associated with these uncommitted transactions are accessible using UR isolation level. As these uncommitted transactions are compensated, the locks on the associated objects will be released and they will become fully accessible.

For details on this new feature, please see this Knowledge Center article .