Google Git
Sign in
apache / activemq-website / 00e759a001d5ca8126984daeb49d46f143828dba / . / src / components / artemis / documentation / 2.32.0 / ha.html
blob: c091f4a4e8cee7979fb567a940094ec93b9654d5 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.18">
<link rel="icon" type="image/png" href="images/favicon.png">
<title>High Availability and Failover</title>
<link rel="stylesheet" href="css/asciidoctor.css">
<link rel="stylesheet" href="css/font-awesome.css">
<link rel="stylesheet" href="css/rouge-github.css">
</head>
<body class="book toc2 toc-left">
<div id="header">
<h1>High Availability and Failover</h1>
<div id="toc" class="toc2">
<div id="toctitle"><a href="index.html">User Manual for 2.32.0</a></div>
<ul class="sectlevel1">
<li><a href="#terminology">1. Terminology</a>
<ul class="sectlevel2">
<li><a href="#configuration">1.1. Configuration</a></li>
<li><a href="#runtime">1.2. Runtime</a></li>
</ul>
</li>
<li><a href="#primarybackup-groups">2. Primary/Backup Groups</a>
<ul class="sectlevel2">
<li><a href="#ha-policies">2.1. HA Policies</a></li>
<li><a href="#important-note-on-pluggable-quorum-vote-feature">2.2. IMPORTANT NOTE ON PLUGGABLE QUORUM VOTE FEATURE</a></li>
<li><a href="#data-replication">2.3. Data Replication</a></li>
<li><a href="#shared-store">2.4. Shared Store</a></li>
<li><a href="#failing-back-to-primary-server">2.5. Failing Back to Primary Server</a></li>
<li><a href="#scaling-down">2.6. Scaling Down</a></li>
</ul>
</li>
<li><a href="#client-failover">3. Client Failover</a>
<ul class="sectlevel2">
<li><a href="#handling-blocking-calls-during-failover">3.1. Handling Blocking Calls During Failover</a></li>
<li><a href="#handling-failover-with-transactions">3.2. Handling Failover With Transactions</a></li>
<li><a href="#getting-notified-of-connection-failure">3.3. Getting Notified of Connection Failure</a></li>
<li><a href="#application-level-failover">3.4. Application-Level Failover</a></li>
</ul>
</li>
</ul>
</div>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>We define high availability as the <em>ability for the system to continue functioning after failure of one or more of the servers</em>.</p>
</div>
<div class="paragraph">
<p>A part of high availability is <em>failover</em> which we define as the <em>ability for client connections to migrate from one server to another in event of server failure so client applications can continue to operate</em>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="terminology"><a class="anchor" href="#terminology"></a><a class="link" href="#terminology">1. Terminology</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>In order to discuss both configuration and runtime behavior consistently we need to define a pair of nouns and adjectives.
These terms will be used throughout the documentation, configuration, source code, and runtime logs.</p>
</div>
<div class="sect2">
<h3 id="configuration"><a class="anchor" href="#configuration"></a><a class="link" href="#configuration">1.1. Configuration</a></h3>
<div class="paragraph">
<p>These nouns identify how the broker is <em>configured</em>, e.g. in <code>broker.xml</code>.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">primary</dt>
<dd>
<p>This identifies the main broker in the high availability configuration.
Oftentimes the hardware on this broker will be higher performance than the hardware on the backup broker.
Typically, this broker is started before the backup and is active most of the time.</p>
</dd>
<dt class="hdlist1">backup</dt>
<dd>
<p>This identifies the broker that should take over when the primary broker fails in a high availability configuration.
Oftentimes the hardware on this broker will be lower performance than the hardware on the primary broker.
Typically, this broker is started after the primary and is passive most of the time.</p>
</dd>
</dl>
</div>
</div>
<div class="sect2">
<h3 id="runtime"><a class="anchor" href="#runtime"></a><a class="link" href="#runtime">1.2. Runtime</a></h3>
<div class="paragraph">
<p>These adjectives describe the <em>behavior</em> of the broker at runtime. For example, you could have a <em>passive</em> primary or an <em>active</em> backup.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">active</dt>
<dd>
<p>This identifies a broker in a high-availability configuration which is accepting remote connections.
For example, consider the scenario where the primary broker has failed and its backup has taken over.
The backup would be described as <em>active</em> at that point since it is accepting remote connections.</p>
</dd>
<dt class="hdlist1">passive</dt>
<dd>
<p>This identifies a broker in a high-availability configuration which is <strong>not</strong> accepting remote connections.
For example, consider the scenario where the primary broker was started and then the backup broker was started.
The backup broker would be <em>passive</em> since it is not accepting remote connections.
It is waiting for the primary to fail before it activates and begins accepting remote connections.</p>
</dd>
</dl>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="primarybackup-groups"><a class="anchor" href="#primarybackup-groups"></a><a class="link" href="#primarybackup-groups">2. Primary/Backup Groups</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>Apache ActiveMQ Artemis allows servers to be linked together as <em>primary/backup</em> groups where each primary server can have 1 or more backup servers.
A backup server is owned by only one primary server.
Backup servers are not operational until failover occurs.
However, one chosen backup, which will be passive, announces its status and waits to take over the primary server&#8217;s work.</p>
</div>
<div class="paragraph">
<p>Before failover, only the primary server is active, serving clients while the backup servers remain passive, awaiting to become active when the primary fails.
When a primary server crashes or is brought down in the correct mode the backup server currently in passive mode will activate.
If a primary server restarts after a failover then it will be passive and have priority and be the next server to become active when the current active backup server goes down.
If the active backup server is configured to allow automatic failback then it will detect the primary server coming back up and automatically stop.</p>
</div>
<div class="sect2">
<h3 id="ha-policies"><a class="anchor" href="#ha-policies"></a><a class="link" href="#ha-policies">2.1. HA Policies</a></h3>
<div class="paragraph">
<p>Apache ActiveMQ Artemis supports two different strategies for backing up a server:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>shared store</p>
</li>
<li>
<p>replication</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>These are configured via the <code>ha-policy</code> configuration element, e.g.:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication/&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>or</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;shared-store/&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>As well as these 2 strategies there is also a 3rd called <code>primary-only</code>.
This of course means there will be no Backup Strategy and is the default if none is provided, however this is used to configure <code>scale-down</code> which we will cover in a later chapter.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>The <code>ha-policy</code> configurations replaces any current HA configuration in the root of the <code>broker.xml</code> configuration.
All old configuration is now deprecated although best efforts will be made to honour it if configured this way.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>Only persistent message data will survive failover.
Any non persistent message data will not be available after failover.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>The <code>ha-policy</code> type configures which strategy a cluster should use to provide the backing up of a server&#8217;s data.
Within this configuration element we configure how a server should behave within the cluster, either as a primary (active), backup (passive) or colocated (both active and passive).
This would look something like:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;primary/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>or</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;shared-store&gt;</span>
<span class="nt">&lt;backup/&gt;</span>
<span class="nt">&lt;/shared-store&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>or</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;colocated/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p><em>Replication</em> allows the configuration of two new roles to enable <em>pluggable quorum</em> provider configuration, by using:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;primary/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>to configure the classic <em>primary</em> role, and</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;backup/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>for the classic <em>backup</em> one.</p>
</div>
<div class="paragraph">
<p>If <em>replication</em> is configured using such new roles some additional element are required to complete configuration as detailed later.</p>
</div>
</div>
<div class="sect2">
<h3 id="important-note-on-pluggable-quorum-vote-feature"><a class="anchor" href="#important-note-on-pluggable-quorum-vote-feature"></a><a class="link" href="#important-note-on-pluggable-quorum-vote-feature">2.2. IMPORTANT NOTE ON PLUGGABLE QUORUM VOTE FEATURE</a></h3>
<div class="paragraph">
<p>This feature is still <strong>EXPERIMENTAL</strong>.
Extra testing should be done before running this feature into production.
Please raise issues eventually found to the ActiveMQ Artemis Mail Lists.</p>
</div>
<div class="paragraph">
<p>It means:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>it&#8217;s configuration can change until declared as <strong>officially stable</strong></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="data-replication"><a class="anchor" href="#data-replication"></a><a class="link" href="#data-replication">2.3. Data Replication</a></h3>
<div class="paragraph">
<p>When using replication, the primary and the backup servers do not share the same data directories, all data synchronization is done over the network.
Therefore all (persistent) data received by the primary server will be duplicated to the backup.</p>
</div>
<div class="paragraph">
<p>Notice that upon start-up the backup server will first need to synchronize all existing data from the primary server before becoming capable of replacing the primary server should it fail.
So unlike when using shared storage, a replicating backup will not be a fully operational backup right after start-up, but only after it finishes synchronizing the data with its primary server.
The time it will take for this to happen will depend on the amount of data to be synchronized and the connection speed.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>In general, synchronization occurs in parallel with current network traffic so this won&#8217;t cause any blocking on current clients.
However, there is a critical moment at the end of this process where the replicating server must complete the synchronization and ensure the replica acknowledges this completion.
This exchange between the replicating server and replica will block any journal related operations.
The maximum length of time that this exchange will block is controlled by the <code>initial-replication-sync-timeout</code> configuration element.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Replication will create a copy of the data at the backup.
One issue to be aware of is: in case of a successful fail-over, the backup&#8217;s data will be newer than the primary&#8217;s data.
If you configure your backup to allow failback to the primary then when the primary is restarted it will be passive and the active backup will synchronize its data with the passive primary before stopping to allow the passive primary to become active again.
If both servers are shutdown then the administrator will have to determine which one has the latest data.</p>
</div>
<div class="paragraph">
<p>The replicating primary and backup pair must be part of a cluster.
The Cluster Connection also defines how backup servers will find the remote primary servers to pair with.
Refer to <a href="clusters.html#clusters">Clusters</a> for details on how this is done, and how to configure a cluster connection.
Notice that:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Both primary and backup servers must be part of the same cluster.
Notice that even a simple primary/backup replicating pair will require a cluster configuration.</p>
</li>
<li>
<p>Their cluster user and password must match.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Within a cluster, there are two ways that a backup server will locate a primary server to replicate from. These are:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">specifying a node group</dt>
<dd>
<p>You can specify a group of primary servers that a backup server can connect to.
This is done by configuring <code>group-name</code> in either the <code>primary</code> or the <code>backup</code> element of the <code>broker.xml</code>.
A backup will only connect to a primary that shares the same node group name.</p>
</dd>
<dt class="hdlist1">connecting to any live</dt>
<dd>
<p>This will be the behaviour if <code>group-name</code> is not configured allowing a backup server to connect to any primary server.</p>
</dd>
</dl>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>A <code>group-name</code> example: suppose you have 5 primary servers and 6 backup servers:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>primary1</code>, <code>primary2</code>, <code>primary3</code>: with <code>group-name=fish</code></p>
</li>
<li>
<p><code>primary4</code>, <code>primary5</code>: with <code>group-name=bird</code></p>
</li>
<li>
<p><code>backup1</code>, <code>backup2</code>, <code>backup3</code>, <code>backup4</code>: with <code>group-name=fish</code></p>
</li>
<li>
<p><code>backup5</code>, <code>backup6</code>: with <code>group-name=bird</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>After joining the cluster the backups with <code>group-name=fish</code> will search for primary servers with <code>group-name=fish</code> to pair with.
Since there is one backup too many, the <code>fish</code> will remain with one spare backup.</p>
</div>
<div class="paragraph">
<p>The 2 backups with <code>group-name=bird</code> (<code>backup5</code> and <code>backup6</code>) will pair with primary servers <code>primary4</code> and <code>primary5</code>.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>The backup will search for any primary server that it is configured to connect to.
It then tries to replicate with each primary server in turn until it finds a primary server that has no current backup configured.
If no primary server is available it will wait until the cluster topology changes and repeats the process.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>This is an important distinction from a shared-store backup, if a backup starts and does not find a primary server, the server will just activate and start to serve client requests.
In the replication case, the backup just keeps waiting for a primary server to pair with.
Note that in replication the backup server does not know whether any data it might have is up to date, so it really cannot decide to activate automatically.
To activate a replicating backup server using the data it has, the administrator must change its configuration to make it a primary server by changing <code>backup</code> to <code>primary</code>.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Much like in the shared-store case, when the primary server stops or crashes, its backup will become active and take over its duties.
Specifically, the backup will become active when it loses connection to its primary server.
This can be problematic because it can also happen as the result of temporary network problem.</p>
</div>
<div class="paragraph">
<p>The issue can be solved in two different ways, depending on which replication roles are configured:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>non-pluggable replication</strong>: backup will try to determine whether it still can connect to the other servers in the cluster.
If it can connect to more than half the servers, it will become active. If more than half the servers also disappeared with the primary, the backup will wait and try reconnecting with the primary.
This avoids a split brain situation.</p>
</li>
<li>
<p><strong>pluggable replication</strong>: backup relies on a pluggable quorum provider (configurable via <code>manager</code> xml element) to detect if there&#8217;s any active primary.</p>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>A backup in the <strong>pluggable replication</strong> still needs to carefully configure <a href="connection-ttl.html#detecting-dead-connections">connection-ttl</a> in order to promptly send a request to the quorum manager to become active before failing-over.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="sect3">
<h4 id="configuration-2"><a class="anchor" href="#configuration-2"></a><a class="link" href="#configuration-2">2.3.1. Configuration</a></h4>
<div class="paragraph">
<p>To configure a non-pluggable replication&#8217;s primary and backup servers to be a replicating pair, configure the primary server in ' <code>broker.xml</code> to have:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;primary/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span>
...
<span class="nt">&lt;cluster-connections&gt;</span>
<span class="nt">&lt;cluster-connection</span> <span class="na">name=</span><span class="s">"my-cluster"</span><span class="nt">&gt;</span>
...
<span class="nt">&lt;/cluster-connection&gt;</span>
<span class="nt">&lt;/cluster-connections&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>The backup server must be similarly configured but as a <code>backup</code></p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;backup/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>To configure a pluggable quorum replication&#8217;s primary and backup use:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;primary/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span>
...
<span class="nt">&lt;cluster-connections&gt;</span>
<span class="nt">&lt;cluster-connection</span> <span class="na">name=</span><span class="s">"my-cluster"</span><span class="nt">&gt;</span>
...
<span class="nt">&lt;/cluster-connection&gt;</span>
<span class="nt">&lt;/cluster-connections&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>and</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;backup/&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="all-replication-configuration"><a class="anchor" href="#all-replication-configuration"></a><a class="link" href="#all-replication-configuration">2.3.2. All Replication Configuration</a></h4>
<div class="sect4">
<h5 id="primary"><a class="anchor" href="#primary"></a><a class="link" href="#primary">Primary</a></h5>
<div class="paragraph">
<p>The following table lists all the <code>ha-policy</code> configuration elements for HA strategy Replication for <code>primary</code>:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">check-for-active-server</dt>
<dd>
<p>Whether to check the cluster for a (live) server using our own server ID when starting up.
This is an important option to avoid split-brain when failover happens and the primary is restarted.
Default is <code>false</code>.</p>
</dd>
<dt class="hdlist1">cluster-name</dt>
<dd>
<p>Name of the cluster configuration to use for replication.
This setting is only necessary if you configure multiple cluster connections.
If configured then the connector configuration of the cluster configuration with this name will be used when connecting to the cluster to discover if an active server is already running, see <code>check-for-active-server</code>.
If unset then the default cluster connections configuration is used (the first one configured).</p>
</dd>
<dt class="hdlist1">group-name</dt>
<dd>
<p>If set, backup servers will only pair with primary servers with matching <code>group-name</code>.</p>
</dd>
<dt class="hdlist1">initial-replication-sync-timeout</dt>
<dd>
<p>The amount of time the replicating server will wait at the completion of the initial replication process for the replica to acknowledge it has received all the necessary data.
The default is 30,000 milliseconds.</p>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
during this interval any journal related operations will be blocked.
</td>
</tr>
</table>
</div>
</dd>
</dl>
</div>
</div>
<div class="sect4">
<h5 id="backup"><a class="anchor" href="#backup"></a><a class="link" href="#backup">Backup</a></h5>
<div class="paragraph">
<p>The following table lists all the <code>ha-policy</code> configuration elements for HA strategy Replication for <code>backup</code>:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">cluster-name</dt>
<dd>
<p>Name of the cluster configuration to use for replication.
This setting is only necessary if you configure multiple cluster connections.
If configured then the connector configuration of the cluster configuration with this name will be used when connecting to the cluster to discover if an active server is already running, see <code>check-for-active-server</code>.
If unset then the default cluster connections configuration is used (the first one configured).</p>
</dd>
<dt class="hdlist1">group-name</dt>
<dd>
<p>If set, backup servers will only pair with primary servers with matching group-name</p>
</dd>
<dt class="hdlist1">max-saved-replicated-journals-size</dt>
<dd>
<p>This option specifies how many replication backup directories will be kept when server starts as replica.
Every time when server starts as replica all former data moves to 'oldreplica.{id}' directory, where id is growing backup index, this parameter sets the maximum number of such directories kept on disk.</p>
</dd>
<dt class="hdlist1">allow-failback</dt>
<dd>
<p>Whether a server will automatically stop when another places a request to take over its place.
The use case is when the backup has failed over.</p>
</dd>
<dt class="hdlist1">initial-replication-sync-timeout</dt>
<dd>
<p>After failover and the backup has become active, this is set on the new active server.
It represents the amount of time the replicating server will wait at the completion of the initial replication process for the replica to acknowledge it has received all the necessary data.
The default is 30,000 milliseconds.</p>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
During this interval any journal related operations will be blocked.
</td>
</tr>
</table>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect3">
<h4 id="pluggable-quorum-vote-replication-configurations"><a class="anchor" href="#pluggable-quorum-vote-replication-configurations"></a><a class="link" href="#pluggable-quorum-vote-replication-configurations">2.3.3. Pluggable Quorum Vote Replication configurations</a></h4>
<div class="paragraph">
<p>Pluggable Quorum Vote replication configuration options are a bit different from classic replication, mostly because of its customizable nature.</p>
</div>
<div class="paragraph">
<p><a href="https://curator.apache.org/">Apache curator</a> is used by the default quorum provider.</p>
</div>
<div class="paragraph">
<p>Below some example configurations to show how it works.</p>
</div>
<div class="paragraph">
<p>For <code>primary</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;primary&gt;</span>
<span class="nt">&lt;manager&gt;</span>
<span class="nt">&lt;class-name&gt;</span>org.apache.activemq.artemis.quorum.zookeeper.CuratorDistributedPrimitiveManager<span class="nt">&lt;/class-name&gt;</span>
<span class="nt">&lt;properties&gt;</span>
<span class="nt">&lt;property</span> <span class="na">key=</span><span class="s">"connect-string"</span> <span class="na">value=</span><span class="s">"127.0.0.1:6666,127.0.0.1:6667,127.0.0.1:6668"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/properties&gt;</span>
<span class="nt">&lt;/manager&gt;</span>
<span class="nt">&lt;/primary&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>And <code>backup</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;backup&gt;</span>
<span class="nt">&lt;manager&gt;</span>
<span class="nt">&lt;class-name&gt;</span>org.apache.activemq.artemis.quorum.zookeeper.CuratorDistributedPrimitiveManager<span class="nt">&lt;/class-name&gt;</span>
<span class="nt">&lt;properties&gt;</span>
<span class="nt">&lt;property</span> <span class="na">key=</span><span class="s">"connect-string"</span> <span class="na">value=</span><span class="s">"127.0.0.1:6666,127.0.0.1:6667,127.0.0.1:6668"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/properties&gt;</span>
<span class="nt">&lt;/manager&gt;</span>
<span class="nt">&lt;allow-failback&gt;</span>true<span class="nt">&lt;/allow-failback&gt;</span>
<span class="nt">&lt;/backup&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>The configuration of <code>class-name</code> as follows</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;class-name&gt;</span>org.apache.activemq.artemis.quorum.zookeeper.CuratorDistributedPrimitiveManager<span class="nt">&lt;/class-name&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>isn&#8217;t really needed, because Apache Curator is the default provider, but has been shown for completeness.</p>
</div>
<div class="paragraph">
<p>The <code>properties</code> element:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;properties&gt;</span>
<span class="nt">&lt;property</span> <span class="na">key=</span><span class="s">"connect-string"</span> <span class="na">value=</span><span class="s">"127.0.0.1:6666,127.0.0.1:6667,127.0.0.1:6668"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/properties&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>can specify a list of <code>property</code> elements in the form of key-value pairs, appropriate to what is supported by the specified <code>class-name</code> provider.</p>
</div>
<div class="paragraph">
<p>Apache Curator&#8217;s provider allows the following properties:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="https://curator.apache.org/apidocs/org/apache/curator/framework/CuratorFrameworkFactory.Builder.html#connectString(java.lang.String)"><code>connect-string</code></a>: (no default)</p>
</li>
<li>
<p><a href="https://curator.apache.org/apidocs/org/apache/curator/framework/CuratorFrameworkFactory.Builder.html#sessionTimeoutMs(int)"><code>session-ms</code></a>: (default is 18000 ms)</p>
</li>
<li>
<p><a href="https://curator.apache.org/apidocs/org/apache/curator/framework/CuratorFrameworkFactory.Builder.html#simulatedSessionExpirationPercent(int)"><code>session-percent</code></a>: (default is 33);
should be &lt;= default, see <a href="https://cwiki.apache.org/confluence/display/CURATOR/TN14" class="bare">https://cwiki.apache.org/confluence/display/CURATOR/TN14</a> for more info</p>
</li>
<li>
<p><a href="https://curator.apache.org/apidocs/org/apache/curator/framework/CuratorFrameworkFactory.Builder.html#connectionTimeoutMs(int)"><code>connection-ms</code></a>: (default is 8000 ms)</p>
</li>
<li>
<p><a href="https://curator.apache.org/apidocs/org/apache/curator/retry/RetryNTimes.html#%3Cinit%3E(int,int)"><code>retries</code></a>: (default is 1)</p>
</li>
<li>
<p><a href="https://curator.apache.org/apidocs/org/apache/curator/retry/RetryNTimes.html#%3Cinit%3E(int,int)"><code>retries-ms</code></a>: (default is 1000 ms)</p>
</li>
<li>
<p><a href="https://curator.apache.org/apidocs/org/apache/curator/framework/CuratorFrameworkFactory.Builder.html#namespace(java.lang.String)"><code>namespace</code></a>: (no default)</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Configuration of the <a href="https://zookeeper.apache.org/">Apache ZooKeeper</a> ensemble is the responsibility of the user, but there are few <strong>suggestions to improve the reliability of the quorum service</strong>:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>broker <code>session_ms</code> must be <code>&gt;= 2 * server tick time</code> and <code>&lt;= 20 * server tick time</code> as by <a href="https://zookeeper.apache.org/doc/r3.6.3/zookeeperAdmin.html">ZooKeeper 3.6.3 admin guide</a>: it directly impacts how fast a backup can failover to an isolated/killed/unresponsive live;
the higher, the slower.</p>
</li>
<li>
<p>GC on broker machine should allow keeping GC pauses within 1/3 of <code>session_ms</code> in order to let the ZooKeeper heartbeat protocol work reliably.
If that is not possible, it is better to increase <code>session_ms</code>, accepting a slower failover.</p>
</li>
<li>
<p>ZooKeeper must have enough resources to keep GC (and OS) pauses much smaller than server tick time: please consider carefully if broker and ZooKeeper node should share the same physical machine, depending on the expected load of the broker</p>
</li>
<li>
<p>network isolation protection requires configuring &gt;=3 ZooKeeper nodes</p>
</li>
</ul>
</div>
<div class="sidebarblock">
<div class="content">
<div class="title">Important Notes on pluggable quorum replication configuration</div>
<div class="paragraph">
<p>There are some classic replication configuration options which are no longer needed, i.e.:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>vote-on-replication-failure</code></p>
</li>
<li>
<p><code>quorum-vote-wait</code></p>
</li>
<li>
<p><code>vote-retries</code></p>
</li>
<li>
<p><code>vote-retries-wait</code></p>
</li>
<li>
<p><code>check-for-active-server</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong>Regarding replication configuration with the <a href="https://curator.apache.org/">Apache curator</a> quorum provider&#8230;&#8203;</strong></p>
</div>
<div class="paragraph">
<p>As noted previously, <code>session-ms</code> affects the failover duration. The passive broker can activate after <code>session-ms</code> expires or if the active broker voluntary gives up its role e.g. during a fail-back/manual broker stop, it happens immediately.</p>
</div>
<div class="paragraph">
<p>For the former case (session expiration with active broker no longer present), the passive broker can detect an unresponsive active broker by using:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>cluster connection PINGs (affected by <a href="connection-ttl.html#detecting-dead-connections">connection-ttl</a> tuning)</p>
</li>
<li>
<p>closed TCP connection notification (depends on TCP configuration and networking stack/topology)</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>The suggestion is to tune <code>connection-ttl</code> low enough to attempt failover as soon as possible, while taking in consideration that the whole fail-over duration cannot last less than the configured <code>session-ms</code>.</p>
</div>
</div>
</div>
<div class="sect4">
<h5 id="peer-or-multi-primary"><a class="anchor" href="#peer-or-multi-primary"></a><a class="link" href="#peer-or-multi-primary">Peer or Multi Primary</a></h5>
<div class="paragraph">
<p>With coordination delegated to the quorum service, roles are less important.
It is possible to have two peer servers compete for activation;
the winner activating as live, the looser taking up a backup role.
On restart, 'any' peer server with the most up to date journal can activate.
The instances need to know in advance, what identity they will coordinate on.
In the replication 'primary' ha policy we can explicitly set the 'coordination-id' to a common value for all peers in a cluster.</p>
</div>
<div class="paragraph">
<p>For <code>multi primary</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;primary&gt;</span>
<span class="nt">&lt;manager&gt;</span>
<span class="nt">&lt;class-name&gt;</span>org.apache.activemq.artemis.quorum.zookeeper.CuratorDistributedPrimitiveManager<span class="nt">&lt;/class-name&gt;</span>
<span class="nt">&lt;properties&gt;</span>
<span class="nt">&lt;property</span> <span class="na">key=</span><span class="s">"connect-string"</span> <span class="na">value=</span><span class="s">"127.0.0.1:6666,127.0.0.1:6667,127.0.0.1:6668"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/properties&gt;</span>
<span class="nt">&lt;/manager&gt;</span>
<span class="nt">&lt;coordination-id&gt;</span>peer-journal-001<span class="nt">&lt;/coordination-id&gt;</span>
<span class="nt">&lt;/primary&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
the string value provided will be converted internally into a 16 byte UUID, so it may not be immediately recognisable or human-readable, however it will ensure that all 'peers' coordinate.
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="shared-store"><a class="anchor" href="#shared-store"></a><a class="link" href="#shared-store">2.4. Shared Store</a></h3>
<div class="paragraph">
<p>When using a shared store both primary and backup servers share the <em>same</em> entire data directory using a shared file system.
This means the paging directory, journal directory, large messages and binding journal.</p>
</div>
<div class="paragraph">
<p>When failover occurs and a backup server takes over, it will load the persistent storage from the shared file system and clients can connect to it.</p>
</div>
<div class="paragraph">
<p>This style of high availability differs from data replication in that it requires a shared file system which is accessible by both the primary and backup nodes.
Typically this will be some kind of high performance Storage Area Network (SAN).
We do not recommend you use Network Attached Storage (NAS), e.g. NFS mounts to store any shared journal (NFS is slow).</p>
</div>
<div class="paragraph">
<p>The advantage of shared-store high availability is that no replication occurs between the primary and backup nodes. This means it does not suffer any performance penalties due to the overhead of replication during normal operation.</p>
</div>
<div class="paragraph">
<p>The disadvantage of shared store replication is that it requires a shared file system, and when the backup server activates it needs to load the journal from the shared store which can take some time depending on the amount of data in the store.</p>
</div>
<div class="paragraph">
<p>If you require the highest performance during normal operation then acquire access to a fast SAN and deal with a slightly slower failover (depending on amount of data).</p>
</div>
<div class="imageblock">
<div class="content">
<img src="images/ha-shared-store.png" alt="ha shared store">
</div>
</div>
<div class="sect3">
<h4 id="configuration-3"><a class="anchor" href="#configuration-3"></a><a class="link" href="#configuration-3">2.4.1. Configuration</a></h4>
<div class="paragraph">
<p>To configure the primary and backup servers to share their store use the <code>ha-policy</code> configuration in <code>broker.xml</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;shared-store&gt;</span>
<span class="nt">&lt;primary/&gt;</span>
<span class="nt">&lt;/shared-store&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span>
...
<span class="nt">&lt;cluster-connections&gt;</span>
<span class="nt">&lt;cluster-connection</span> <span class="na">name=</span><span class="s">"my-cluster"</span><span class="nt">&gt;</span>
...
<span class="nt">&lt;/cluster-connection&gt;</span>
<span class="nt">&lt;/cluster-connections&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>The backup server must also be configured as a backup.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;shared-store&gt;</span>
<span class="nt">&lt;backup/&gt;</span>
<span class="nt">&lt;/shared-store&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>In order for primary/backup groups to operate properly with a shared store, both servers must have configured the location of journal directory to point to the <em>same shared location</em> (as explained in <a href="persistence.html#persistence">Configuring the message journal</a>)</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>todo write something about GFS</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Also each node, primary and backups, will need to have a cluster connection defined even if not part of a cluster.
The Cluster Connection info defines how backup servers announce there presence to its primary server or any other nodes in the cluster.
Refer to <a href="clusters.html#clusters">Clusters</a> for details on how this is done.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="failing-back-to-primary-server"><a class="anchor" href="#failing-back-to-primary-server"></a><a class="link" href="#failing-back-to-primary-server">2.5. Failing Back to Primary Server</a></h3>
<div class="paragraph">
<p>After a primary server has failed and a backup taken has taken over its duties, you may want to restart the primary server and have clients fail back.</p>
</div>
<div class="sect3">
<h4 id="shared-store-2"><a class="anchor" href="#shared-store-2"></a><a class="link" href="#shared-store-2">2.5.1. Shared Store</a></h4>
<div class="paragraph">
<p>In case of "shared disk" you have a couple of options:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Simply restart the primary and kill the backup.
You can do this by killing the process itself.</p>
</li>
<li>
<p>Alternatively you can set <code>allow-fail-back</code> to <code>true</code> on the backup which will force the backup that has become active to automatically stop.
This configuration would look like:</p>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;shared-store&gt;</span>
<span class="nt">&lt;backup&gt;</span>
<span class="nt">&lt;allow-failback&gt;</span>true<span class="nt">&lt;/allow-failback&gt;</span>
<span class="nt">&lt;/backup&gt;</span>
<span class="nt">&lt;/shared-store&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
</li>
</ol>
</div>
<div class="paragraph">
<p>It is also possible, in the case of shared store, to cause failover to occur on normal server shutdown, to enable this set the following property to true in the <code>ha-policy</code> configuration on either the <code>primary</code> or <code>backup</code> like so:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;shared-store&gt;</span>
<span class="nt">&lt;primary&gt;</span>
<span class="nt">&lt;failover-on-shutdown&gt;</span>true<span class="nt">&lt;/failover-on-shutdown&gt;</span>
<span class="nt">&lt;/primary&gt;</span>
<span class="nt">&lt;/shared-store&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>By default this is set to false, if by some chance you have set this to false but still want to stop the server normally and cause failover then you can do this by using the management API as explained at <a href="management.html#management">Management</a></p>
</div>
<div class="paragraph">
<p>You can also force the active backup to shutdown when the primary comes back up allowing the primary to take over automatically by setting the following property in the <code>broker.xml</code> configuration file as follows:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;shared-store&gt;</span>
<span class="nt">&lt;backup&gt;</span>
<span class="nt">&lt;allow-failback&gt;</span>true<span class="nt">&lt;/allow-failback&gt;</span>
<span class="nt">&lt;/backup&gt;</span>
<span class="nt">&lt;/shared-store&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="replication"><a class="anchor" href="#replication"></a><a class="link" href="#replication">2.5.2. Replication</a></h4>
<div class="paragraph">
<p>As with shared storage the <code>allow-failback</code> option can be set for both non-pluggable and pluggable replication.</p>
</div>
<div class="sect4">
<h5 id="non-pluggable"><a class="anchor" href="#non-pluggable"></a><a class="link" href="#non-pluggable">Non-Pluggable</a></h5>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;backup&gt;</span>
<span class="nt">&lt;allow-failback&gt;</span>true<span class="nt">&lt;/allow-failback&gt;</span>
<span class="nt">&lt;/backup&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>With non-pluggable replication you need to set an extra property <code>check-for-active-server</code> to <code>true</code> in the <code>primary</code> configuration.
If set to <code>true</code> then during start-up the primary server will first search the cluster for another active server using its nodeID.
If it finds one it will contact this server and try to "fail-back".
Since this is a remote replication scenario the primary will have to synchronize its data with the backup server running with its ID. Once they are in sync it will request the other server (which it assumes it is a backup that has assumed its duties) to shutdown in order for it to take over.
This is necessary because otherwise the primary server has no means to know whether there was a fail-over or not, and if there was, if the server that took its duties is still running or not.
To configure this option at your <code>broker.xml</code> configuration file as follows:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;primary&gt;</span>
<span class="nt">&lt;check-for-active-server&gt;</span>true<span class="nt">&lt;/check-for-active-server&gt;</span>
<span class="nt">&lt;/primary&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
<div class="title">For Non-Pluggable Replication</div>
<div class="paragraph">
<p>Be aware that if you restart a primary server after failover has occurred then <code>check-for-active-server</code> must be set to <code>true</code>.
If not the primary server will restart and serve the same messages that the backup has already handled causing duplicates.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
<div class="sect4">
<h5 id="pluggable"><a class="anchor" href="#pluggable"></a><a class="link" href="#pluggable">Pluggable</a></h5>
<div class="paragraph">
<p>One key difference between pluggable replication and non-pluggable replication is that with non-pluggable replication if the primary cannot reach any active server with its nodeID then it activates unilaterally.
With pluggable replication the responsibilities of coordination are delegated to the quorum provider. There are no unilateral decisions.
The primary will only activate when it knows that it has the most up to date version of the journal identified by its nodeID.</p>
</div>
<div class="paragraph">
<p>In short: <strong>a primary cannot become active without consensus when using pluggable replication</strong>.</p>
</div>
<div class="paragraph">
<p>Here&#8217;s an example configuration:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;manager&gt;</span>
<span class="c">&lt;!-- some meaningful configuration --&gt;</span>
<span class="nt">&lt;/manager&gt;</span>
<span class="nt">&lt;primary&gt;</span>
<span class="c">&lt;!-- no need to check-for-active-server anymore --&gt;</span>
<span class="nt">&lt;/primary&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
</div>
</div>
<div class="sect3">
<h4 id="all-shared-store-configuration"><a class="anchor" href="#all-shared-store-configuration"></a><a class="link" href="#all-shared-store-configuration">2.5.3. All Shared Store Configuration</a></h4>
<div class="sect4">
<h5 id="primary-2"><a class="anchor" href="#primary-2"></a><a class="link" href="#primary-2">Primary</a></h5>
<div class="paragraph">
<p>The following lists all the <code>ha-policy</code> configuration elements for HA strategy shared store for <code>primary</code>:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">failover-on-shutdown</dt>
<dd>
<p>If set to <code>true</code> then when this server is stopped normally the backup will become active assuming failover.
If false then the backup server will remain passive.
Note that if <code>false</code> and you want failover to occur then you can use the management API as explained at <a href="management.html#management">Management</a>.</p>
</dd>
<dt class="hdlist1">wait-for-activation</dt>
<dd>
<p>If set to true then server startup will wait until it is activated.
If set to false then server startup will be done in the background.
Default is <code>true</code>.</p>
</dd>
</dl>
</div>
</div>
<div class="sect4">
<h5 id="backup-2"><a class="anchor" href="#backup-2"></a><a class="link" href="#backup-2">Backup</a></h5>
<div class="paragraph">
<p>The following lists all the <code>ha-policy</code> configuration elements for HA strategy Shared Store for <code>backup</code>:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">failover-on-shutdown</dt>
<dd>
<p>In the case of a backup that has become active then when set to <code>true</code> and this server is stopped normally the passive primary will become active assuming failover.
If <code>false</code> then the primary server will remain passive.
Note that if <code>false</code> and you want failover to occur then you can use the management API as explained at <a href="management.html#management">Management</a>.</p>
</dd>
<dt class="hdlist1">allow-failback</dt>
<dd>
<p>Whether a server will automatically stop when another places a request to take over its place.
The use case is when the backup has failed over.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect3">
<h4 id="colocated-backup-servers"><a class="anchor" href="#colocated-backup-servers"></a><a class="link" href="#colocated-backup-servers">2.5.4. Colocated Backup Servers</a></h4>
<div class="paragraph">
<p>It is also possible when running standalone to colocate backup servers in the same JVM as another primary server.
Primary Servers can be configured to request another primary server in the cluster to start a backup server in the same JVM either using shared store or replication.
The new backup server will inherit its configuration from the primary server creating it apart from its name, which will be set to <code>colocated_backup_n</code> where n is the number of backups the server has created, and any directories and its Connectors and Acceptors which are discussed later on in this chapter.
A primary server can also be configured to allow requests from backups and also how many backups a primary server can start.
This way you can evenly distribute backups around the cluster.
This is configured via the <code>ha-policy</code> element in the <code>broker.xml</code> file like so:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;colocated&gt;</span>
<span class="nt">&lt;request-backup&gt;</span>true<span class="nt">&lt;/request-backup&gt;</span>
<span class="nt">&lt;max-backups&gt;</span>1<span class="nt">&lt;/max-backups&gt;</span>
<span class="nt">&lt;backup-request-retries&gt;</span>-1<span class="nt">&lt;/backup-request-retries&gt;</span>
<span class="nt">&lt;backup-request-retry-interval&gt;</span>5000<span class="nt">&lt;/backup-request-retry-interval&gt;</span>
<span class="nt">&lt;primary/&gt;</span>
<span class="nt">&lt;backup/&gt;</span>
<span class="nt">&lt;/colocated&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>the above example is configured to use replication, in this case the <code>primary</code> and <code>backup</code> configurations must match those for normal replication as in the previous chapter.
<code>shared-store</code> is also supported</p>
</div>
<div class="imageblock">
<div class="content">
<img src="images/ha-colocated.png" alt="ActiveMQ Artemis ha-colocated.png">
</div>
</div>
</div>
<div class="sect3">
<h4 id="configuring-connectors-and-acceptors"><a class="anchor" href="#configuring-connectors-and-acceptors"></a><a class="link" href="#configuring-connectors-and-acceptors">2.5.5. Configuring Connectors and Acceptors</a></h4>
<div class="paragraph">
<p>If the HA Policy is <code>colocated</code> then <code>connectors</code> and <code>acceptors</code> will be inherited from the primary server creating it and offset depending on the setting of <code>backup-port-offset</code> configuration element.
If this is set to say 100 (which is the default) and a connector is using port 61616 then this will be set to 61716 for the first server created, 61816 for the second, and so on.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>for INVM connectors and Acceptors the id will have <code>colocated_backup_n</code> appended, where n is the backup server number.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
<div class="sect3">
<h4 id="remote-connectors"><a class="anchor" href="#remote-connectors"></a><a class="link" href="#remote-connectors">2.5.6. Remote Connectors</a></h4>
<div class="paragraph">
<p>It may be that some of the Connectors configured are for external servers and hence should be excluded from the offset.
for instance a connector used by the cluster connection to do quorum voting for a replicated backup server, these can be omitted from being offset by adding them to the <code>ha-policy</code> configuration like so:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;colocated&gt;</span>
...
<span class="nt">&lt;excludes&gt;</span>
<span class="nt">&lt;connector-ref&gt;</span>remote-connector<span class="nt">&lt;/connector-ref&gt;</span>
<span class="nt">&lt;/excludes&gt;</span>
...
<span class="nt">&lt;/colocated&gt;</span>
<span class="err">&lt;</span>/replication
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="configuring-directories"><a class="anchor" href="#configuring-directories"></a><a class="link" href="#configuring-directories">2.5.7. Configuring Directories</a></h4>
<div class="paragraph">
<p>Directories for the Journal, Large messages and Paging will be set according to what the HA strategy is.
If shared store the requesting server will notify the target server of which directories to use.
If replication is configured then directories will be inherited from the creating server but have the new backups name appended.</p>
</div>
<div class="paragraph">
<p>The following table lists all the <code>ha-policy</code> configuration elements for colocated policy:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">request-backup</dt>
<dd>
<p>If true then the server will request a backup on another node</p>
</dd>
<dt class="hdlist1">backup-request-retries</dt>
<dd>
<p>How many times the primary server will try to request a backup, <code>-1</code> means for ever.</p>
</dd>
<dt class="hdlist1">backup-request-retry-interval</dt>
<dd>
<p>How long to wait for retries between attempts to request a backup server.</p>
</dd>
<dt class="hdlist1">max-backups</dt>
<dd>
<p>How many backups a primary server can create</p>
</dd>
<dt class="hdlist1">backup-port-offset</dt>
<dd>
<p>The offset to use for the Connectors and Acceptors when creating a new backup server.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect2">
<h3 id="scaling-down"><a class="anchor" href="#scaling-down"></a><a class="link" href="#scaling-down">2.6. Scaling Down</a></h3>
<div class="paragraph">
<p>An alternative to using primary/backup groups is to configure <em>scaledown</em>.
When configured for scale down a server can copy all its messages and transaction state to another active server.
The advantage of this is that you don&#8217;t need full backups to provide some form of HA, however there are disadvantages with this approach the first being that it only deals with a server being stopped and not a server crash.
The caveat here is if you configure a backup to scale down.</p>
</div>
<div class="paragraph">
<p>Another disadvantage is that it is possible to lose message ordering.
This happens in the following scenario, say you have 2 active servers and messages are distributed evenly between the servers from a single producer, if one of the servers scales down then the messages sent back to the other server will be in the queue after the ones already there, so server 1 could have messages 1,3,5,7,9 and server 2 would have 2,4,6,8,10, if server 2 scales down the order in server 1 would be 1,3,5,7,9,2,4,6,8,10.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="images/ha-scaledown.png" alt="ActiveMQ Artemis ha-scaledown.png">
</div>
</div>
<div class="paragraph">
<p>The configuration for an active server to scale down would be something like:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;primary-only&gt;</span>
<span class="nt">&lt;scale-down&gt;</span>
<span class="nt">&lt;connectors&gt;</span>
<span class="nt">&lt;connector-ref&gt;</span>server1-connector<span class="nt">&lt;/connector-ref&gt;</span>
<span class="nt">&lt;/connectors&gt;</span>
<span class="nt">&lt;/scale-down&gt;</span>
<span class="nt">&lt;/primary-only&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>In this instance the server is configured to use a specific connector to scale down, if a connector is not specified then the first INVM connector is chosen, this is to make scale down from a backup server easy to configure.
It is also possible to use discovery to scale down, this would look like:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;primary-only&gt;</span>
<span class="nt">&lt;scale-down&gt;</span>
<span class="nt">&lt;discovery-group-ref</span> <span class="na">discovery-group-name=</span><span class="s">"my-discovery-group"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/scale-down&gt;</span>
<span class="nt">&lt;/primary-only&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="sect3">
<h4 id="scale-down-with-groups"><a class="anchor" href="#scale-down-with-groups"></a><a class="link" href="#scale-down-with-groups">2.6.1. Scale Down with groups</a></h4>
<div class="paragraph">
<p>It is also possible to configure servers to only scale down to servers that belong in the same group.
This is done by configuring the group like so:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;primary-only&gt;</span>
<span class="nt">&lt;scale-down&gt;</span>
...
<span class="nt">&lt;group-name&gt;</span>my-group<span class="nt">&lt;/group-name&gt;</span>
<span class="nt">&lt;/scale-down&gt;</span>
<span class="nt">&lt;/primary-only&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>In this scenario only servers that belong to the group <code>my-group</code> will be scaled down to</p>
</div>
</div>
<div class="sect3">
<h4 id="scale-down-and-backups"><a class="anchor" href="#scale-down-and-backups"></a><a class="link" href="#scale-down-and-backups">2.6.2. Scale Down and Backups</a></h4>
<div class="paragraph">
<p>It is also possible to mix scale down with HA via backup servers.
If a backup is configured to scale down then after failover has occurred, instead of starting fully the backup server will immediately scale down to another active server.
The most appropriate configuration for this is using the <code>colocated</code> approach.
It means that as you bring up primary servers they will automatically be backed up, and as they are shutdown their messages are made available on another active server.
A typical configuration would look like:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;ha-policy&gt;</span>
<span class="nt">&lt;replication&gt;</span>
<span class="nt">&lt;colocated&gt;</span>
<span class="nt">&lt;backup-request-retries&gt;</span>44<span class="nt">&lt;/backup-request-retries&gt;</span>
<span class="nt">&lt;backup-request-retry-interval&gt;</span>33<span class="nt">&lt;/backup-request-retry-interval&gt;</span>
<span class="nt">&lt;max-backups&gt;</span>3<span class="nt">&lt;/max-backups&gt;</span>
<span class="nt">&lt;request-backup&gt;</span>false<span class="nt">&lt;/request-backup&gt;</span>
<span class="nt">&lt;backup-port-offset&gt;</span>33<span class="nt">&lt;/backup-port-offset&gt;</span>
<span class="nt">&lt;primary&gt;</span>
<span class="nt">&lt;group-name&gt;</span>purple<span class="nt">&lt;/group-name&gt;</span>
<span class="nt">&lt;check-for-active-server&gt;</span>true<span class="nt">&lt;/check-for-active-server&gt;</span>
<span class="nt">&lt;cluster-name&gt;</span>abcdefg<span class="nt">&lt;/cluster-name&gt;</span>
<span class="nt">&lt;/primary&gt;</span>
<span class="nt">&lt;backup&gt;</span>
<span class="nt">&lt;group-name&gt;</span>tiddles<span class="nt">&lt;/group-name&gt;</span>
<span class="nt">&lt;max-saved-replicated-journals-size&gt;</span>22<span class="nt">&lt;/max-saved-replicated-journals-size&gt;</span>
<span class="nt">&lt;cluster-name&gt;</span>33rrrrr<span class="nt">&lt;/cluster-name&gt;</span>
<span class="nt">&lt;restart-backup&gt;</span>false<span class="nt">&lt;/restart-backup&gt;</span>
<span class="nt">&lt;scale-down&gt;</span>
<span class="c">&lt;!--a grouping of servers that can be scaled down to--&gt;</span>
<span class="nt">&lt;group-name&gt;</span>boo!<span class="nt">&lt;/group-name&gt;</span>
<span class="c">&lt;!--either a discovery group--&gt;</span>
<span class="nt">&lt;discovery-group-ref</span> <span class="na">discovery-group-name=</span><span class="s">"wahey"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/scale-down&gt;</span>
<span class="nt">&lt;/backup&gt;</span>
<span class="nt">&lt;/colocated&gt;</span>
<span class="nt">&lt;/replication&gt;</span>
<span class="nt">&lt;/ha-policy&gt;</span></code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="scale-down-and-clients"><a class="anchor" href="#scale-down-and-clients"></a><a class="link" href="#scale-down-and-clients">2.6.3. Scale Down and Clients</a></h4>
<div class="paragraph">
<p>When a server is stopping and preparing to scale down it will send a message to all its clients informing them which server it is scaling down to before disconnecting them.
At this point the client will reconnect however this will only succeed once the server has completed the scaledown process.
This is to ensure that any state such as queues or transactions are there for the client when it reconnects.
The normal reconnect settings apply when the client is reconnecting so these should be high enough to deal with the time needed to scale down.</p>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="client-failover"><a class="anchor" href="#client-failover"></a><a class="link" href="#client-failover">3. Client Failover</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>Apache ActiveMQ Artemis clients can be configured to receive knowledge of all primary and backup servers, so that in event of connection failure the client will detect this and reconnect to the backup server.
The backup server will then automatically recreate any sessions and consumers that existed on each connection before failover, thus saving the user from having to hand-code manual reconnection logic.
For further details see <a href="client-failover.html#core-client-failover">Client Failover</a></p>
</div>
<div class="sidebarblock">
<div class="content">
<div class="title">A Note on Server Replication</div>
<div class="paragraph">
<p>Apache ActiveMQ Artemis does not replicate full server state between active and passive servers.
When the new session is automatically recreated on the backup it won&#8217;t have any knowledge of messages already sent or acknowledged in that session.
Any in-flight sends or acknowledgements at the time of failover might also be lost.</p>
</div>
<div class="paragraph">
<p>By replicating full server state, theoretically we could provide a 100% transparent seamless failover, which would avoid any lost messages or acknowledgements, however this comes at a great cost: replicating the full server state (including the queues, session, etc.).
This would require replication of the entire server state machine; every operation on the primary server would have to replicated on the replica server(s) in the exact same global order to ensure a consistent replica state.
This is extremely hard to do in a performant and scalable way, especially when one considers that multiple threads are changing the active&#8217;s server state concurrently.</p>
</div>
<div class="paragraph">
<p>It is possible to provide full state machine replication using techniques such as <em>virtual synchrony</em>, but this does not scale well and effectively serializes all operations to a single thread, dramatically reducing concurrency.</p>
</div>
<div class="paragraph">
<p>Other techniques for multi-threaded active replication exist such as replicating lock states or replicating thread scheduling but this is very hard to achieve at a Java level.</p>
</div>
<div class="paragraph">
<p>Consequently it has been decided that it worth not worth massively reducing performance and concurrency for the sake of 100% transparent failover.
Even without 100% transparent failover, it is simple to guarantee <em>once and only once</em> delivery, even in the case of failure, by using a combination of duplicate detection and retrying of transactions.
However this is not 100% transparent to the client code.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="handling-blocking-calls-during-failover"><a class="anchor" href="#handling-blocking-calls-during-failover"></a><a class="link" href="#handling-blocking-calls-during-failover">3.1. Handling Blocking Calls During Failover</a></h3>
<div class="paragraph">
<p>If the client code is in a blocking call to the server, waiting for a response to continue its execution, when failover occurs, the new session will not have any knowledge of the call that was in progress.
This call might otherwise hang for ever, waiting for a response that will never come.</p>
</div>
<div class="paragraph">
<p>To prevent this, Apache ActiveMQ Artemis will unblock any blocking calls that were in progress at the time of failover by making them throw a <code>javax.jms.JMSException</code> (if using JMS), or a <code>ActiveMQException</code> with error code <code>ActiveMQException.UNBLOCKED</code>.
It is up to the client code to catch this exception and retry any operations if desired.</p>
</div>
<div class="paragraph">
<p>If the method being unblocked is a call to commit(), or prepare(), then the transaction will be automatically rolled back and Apache ActiveMQ Artemis will throw a <code>javax.jms.TransactionRolledBackException</code> (if using JMS), or a <code>ActiveMQException</code> with error code <code>ActiveMQException.TRANSACTION_ROLLED_BACK</code> if using the core API.</p>
</div>
</div>
<div class="sect2">
<h3 id="handling-failover-with-transactions"><a class="anchor" href="#handling-failover-with-transactions"></a><a class="link" href="#handling-failover-with-transactions">3.2. Handling Failover With Transactions</a></h3>
<div class="paragraph">
<p>If the session is transactional and messages have already been sent or acknowledged in the current transaction, then the server cannot be sure that messages sent or acknowledgements have not been lost during the failover.</p>
</div>
<div class="paragraph">
<p>Consequently the transaction will be marked as rollback-only, and any subsequent attempt to commit it will throw a <code>javax.jms.TransactionRolledBackException</code> (if using JMS), or a <code>ActiveMQException</code> with error code <code>ActiveMQException.TRANSACTION_ROLLED_BACK</code> if using the core API.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
<div class="paragraph">
<p>The caveat to this rule is when XA is used either via JMS or through the core API.
If 2 phase commit is used and prepare has already been called then rolling back could cause a <code>HeuristicMixedException</code>.
Because of this the commit will throw a <code>XAException.XA_RETRY</code> exception.
This informs the Transaction Manager that it should retry the commit at some later point in time, a side effect of this is that any non persistent messages will be lost.
To avoid this use persistent messages when using XA.
With acknowledgements this is not an issue since they are flushed to the server before prepare gets called.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>It is up to the user to catch the exception, and perform any client side local rollback code as necessary.
There is no need to manually rollback the session - it is already rolled back.
The user can then just retry the transactional operations again on the same session.</p>
</div>
<div class="paragraph">
<p>Apache ActiveMQ Artemis ships with a fully functioning example demonstrating how to do this, please see <a href="examples.html#examples">the examples</a> chapter.</p>
</div>
<div class="paragraph">
<p>If failover occurs when a commit call is being executed, the server, as previously described, will unblock the call to prevent a hang, since no response will come back.
In this case it is not easy for the client to determine whether the transaction commit was actually processed before failure occurred.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>If XA is being used either via JMS or through the core API then an <code>XAException.XA_RETRY</code> is thrown.
This is to inform Transaction Managers that a retry should occur at some point.
At some later point in time the Transaction Manager will retry the commit.
If the original commit has not occurred then it will still exist and be committed, if it does not exist then it is assumed to have been committed although the transaction manager may log a warning.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>To remedy this, the client can simply enable duplicate detection (<a href="duplicate-detection.html#duplicate-message-detection">Duplicate Message Detection</a>) in the transaction, and retry the transaction operations again after the call is unblocked.
If the transaction had indeed been committed successfully before failover, then when the transaction is retried, duplicate detection will ensure that any durable messages resent in the transaction will be ignored on the server to prevent them getting sent more than once.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>By catching the rollback exceptions and retrying, catching unblocked calls and enabling duplicate detection, <em>once and only once</em> delivery guarantees can be provided for messages in the case of failure, guaranteeing 100% no loss or duplication of messages.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="sect3">
<h4 id="handling-failover-with-non-transactional-sessions"><a class="anchor" href="#handling-failover-with-non-transactional-sessions"></a><a class="link" href="#handling-failover-with-non-transactional-sessions">3.2.1. Handling Failover With Non Transactional Sessions</a></h4>
<div class="paragraph">
<p>If the session is non transactional, messages or acknowledgements can be lost in the event of a failover.</p>
</div>
<div class="paragraph">
<p>If you wish to provide <em>once and only once</em> delivery guarantees for non transacted sessions too, enable duplicate detection, and catch unblock exceptions as described in <a href="#handling-blocking-calls-during-failover">Handling Blocking Calls During Failover</a></p>
</div>
</div>
<div class="sect3">
<h4 id="use-client-connectors-to-fail-over"><a class="anchor" href="#use-client-connectors-to-fail-over"></a><a class="link" href="#use-client-connectors-to-fail-over">3.2.2. Use client connectors to fail over</a></h4>
<div class="paragraph">
<p>Apache ActiveMQ Artemis clients retrieve the backup connector from the topology updates that the cluster brokers send.
If the connection options of the clients don&#8217;t match the options of the cluster brokers the clients can define a client connector that will be used in place of the connector in the topology.
To define a client connector it must have a name that matches the name of the connector defined in the <code>cluster-connection</code> of the broker, i.e. supposing to have a primary broker with the cluster connector name <code>node-0</code> and a backup broker with the <code>cluster-connector</code> name <code>node-1</code> the client connection url must define 2 connectors with the names <code>node-0</code> and <code>node-1</code>:</p>
</div>
<div class="paragraph">
<p>Primary broker config:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;connectors&gt;</span>
<span class="c">&lt;!-- Connector used to be announced through cluster connections and notifications --&gt;</span>
<span class="nt">&lt;connector</span> <span class="na">name=</span><span class="s">"node-0"</span><span class="nt">&gt;</span>tcp://localhost:61616<span class="nt">&lt;/connector&gt;</span>
<span class="nt">&lt;/connectors&gt;</span>
...
<span class="nt">&lt;cluster-connections&gt;</span>
<span class="nt">&lt;cluster-connection</span> <span class="na">name=</span><span class="s">"my-cluster"</span><span class="nt">&gt;</span>
<span class="nt">&lt;connector-ref&gt;</span>node-0<span class="nt">&lt;/connector-ref&gt;</span>
...
<span class="nt">&lt;/cluster-connection&gt;</span>
<span class="nt">&lt;/cluster-connections&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>Backup broker config</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight nowrap"><code data-lang="xml"><span class="nt">&lt;connectors&gt;</span>
<span class="c">&lt;!-- Connector used to be announced through cluster connections and notifications --&gt;</span>
<span class="nt">&lt;connector</span> <span class="na">name=</span><span class="s">"node-1"</span><span class="nt">&gt;</span>tcp://localhost:61617<span class="nt">&lt;/connector&gt;</span>
<span class="nt">&lt;/connectors&gt;</span>
<span class="nt">&lt;cluster-connections&gt;</span>
<span class="nt">&lt;cluster-connection</span> <span class="na">name=</span><span class="s">"my-cluster"</span><span class="nt">&gt;</span>
<span class="nt">&lt;connector-ref&gt;</span>node-1<span class="nt">&lt;/connector-ref&gt;</span>
...
<span class="nt">&lt;/cluster-connection&gt;</span>
<span class="nt">&lt;/cluster-connections&gt;</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>Client connection url</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">(tcp://localhost:61616?name=node-0,tcp://localhost:61617?name=node-1)?ha=true&amp;reconnectAttempts=-1</pre>
</div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="getting-notified-of-connection-failure"><a class="anchor" href="#getting-notified-of-connection-failure"></a><a class="link" href="#getting-notified-of-connection-failure">3.3. Getting Notified of Connection Failure</a></h3>
<div class="paragraph">
<p>JMS provides a standard mechanism for getting notified asynchronously of connection failure: <code>java.jms.ExceptionListener</code>.
Please consult the JMS javadoc or any good JMS tutorial for more information on how to use this.</p>
</div>
<div class="paragraph">
<p>The Apache ActiveMQ Artemis core API also provides a similar feature in the form of the class <code>org.apache.activemq.artemis.core.client.SessionFailureListener</code></p>
</div>
<div class="paragraph">
<p>Any ExceptionListener or SessionFailureListener instance will always be called by ActiveMQ Artemis on event of connection failure, <strong>irrespective</strong> of whether the connection was successfully failed over, reconnected or reattached, however you can find out if reconnect or reattach has happened by either the <code>failedOver</code> flag passed in on the <code>connectionFailed</code> on <code>SessionfailureListener</code> or by inspecting the error code on the <code>javax.jms.JMSException</code> which will be one of the following:</p>
</div>
<div class="paragraph">
<p>JMSException error codes:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">FAILOVER</dt>
<dd>
<p>Failover has occurred and we have successfully reattached or reconnected.</p>
</dd>
<dt class="hdlist1">DISCONNECT</dt>
<dd>
<p>No failover has occurred and we are disconnected.</p>
</dd>
</dl>
</div>
</div>
<div class="sect2">
<h3 id="application-level-failover"><a class="anchor" href="#application-level-failover"></a><a class="link" href="#application-level-failover">3.4. Application-Level Failover</a></h3>
<div class="paragraph">
<p>In some cases you may not want automatic client failover, and prefer to handle any connection failure yourself, and code your own manually reconnection logic in your own failure handler.
We define this as <em>application-level</em> failover, since the failover is handled at the user application level.</p>
</div>
<div class="paragraph">
<p>To implement application-level failover, if you&#8217;re using JMS then you need to set an <code>ExceptionListener</code> class on the JMS connection.
The <code>ExceptionListener</code> will be called by Apache ActiveMQ Artemis in the event that connection failure is detected.
In your <code>ExceptionListener</code>, you would close your old JMS connections, potentially look up new connection factory instances from JNDI and creating new connections.</p>
</div>
<div class="paragraph">
<p>For a working example of application-level failover, please see <a href="examples.html#application-layer-failover">the Application-Layer Failover Example</a>.</p>
</div>
<div class="paragraph">
<p>If you are using the core API, then the procedure is very similar: you would set a <code>FailureListener</code> on the core <code>ClientSession</code> instances.</p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>