Backup and restore

Hi Colin - I am right now distracted with webDAV (see http://moodle.org/mod/forum/discuss.php?d=89123 ) but I am drafting some design notes on the side for this.

My thinking at the moment is based on avoiding dependance on metadata such as timecreated/timemodified -- it is a huge undertaking to add those fields to everything, and impossible to guarantee that all the modification paths update them.

Instead, there are some techniques we can use that are based on the identity of the content itself - similar techniques to what GIT uses internally, aggressively hashing everything. The trick will be in findingf the right granularity to break down the export/import to apply the hashing. At that point, we can design something that smartly decides how far behind each client is, and gives them a zipfile that contains exactly what they need. No more, no less.

Just need to find time to flesh out the design a bit

Incremental Backup & Restore plan

Ended up sitting down and having a serious think of the design for this over the weekend. These are my notes -- nothing definitive, but I think I am mapping out the problem.

I started working out how and identity-based approach would work -- thinking of "identity" in the sense of the "identity of the content, for example, as shown by the SHA1 of a file. You know with certainty that any change to the file will change the SHA1 hash of it (let's leave aside for a moment perceived or real hash collision issues), therefore, as long as the file hasn't changed at all, you will get the exact same SHA1. There are lots of good things that you can do with that -- but the main requirement for this to work is that the output (from restore) is stable. If the files you are hashing are unstable (like an embedded timestamp every time you save them, or platform-dependent newline issues) then the hash will change though the content actually hasn't.

I initially thought we would have to work at the module or resource level -- but once I started fleshing out the plan I realised that if we can guarantee a stable output from backup, we can just work with full backups without changing the format much. The plan's gotten much simpler -- this writeup is long, but the plan is extremely straightforward

So the outline looks roughly like this:

• On the server, provide a basic workflow that goes from the "generate a backup file" to "publish the backup file".
  • Every published backup file is kept for as long as this course is relevant, even if superceded. Internally, it will have a unique name: it's SHA1.
  • If the published backup file will supercede older backup files, we generate static "incremental" against its last N precedessors (or maybe against all). These incrementals can be thought of as "diffs" or "patches" and are identified internall as "from SHA1 to SHA1".
  • Other aspects of publishing also take place - but are out of scope for this.
• Backup generation MUST have stable output. If content has not changed, then the backup must be identical even if other things may have changed -
  • Ordering of the objects in the XML file must be stable
  • newlines and whitespace in the XML file must be stable
  • any export-time timestamps, or export-operation metadata (user running the export, hostname, tz) must be removed.
  • Might need a stable uid for stable restore purposes (see restore below)
• Restore must be stable - it must be clear to restore code how to determine if a resource being restored maps to an existing or previously seen resource. This might need a uid scheme similar to Midgard/Repligard. Scenarios:
  • New resource
  • Existing resource - unchanged locally
  • Existing resource - changed locally
  • Seen resource - deleted locally
• With backup and restore being stable, a simple compact diff/xdelta of the (unpacked) directory tree from the backup files will be efficient. The diff/xdelta does not need to be reversible, and can declare strictly the SHA1 of the file it must be applied to. This means that we can produce extremely efficient deltas by not including context or "content to be replaced". One way xdeltas can just declare byte-ranges where the new content is applied.
• Review possible xdelta algorithms that we can ship as a small binary for Win32/OSX/Linux or that are simple enough that we can implement in PHP quickly.
  • The xdelta utility on linux/osx is very good for this - and probably has a Win32 port
  • Together with the xdelta generation it is possibly a good idea to have a PHP-based script that can do a XML-aware compare and output the UIDs of objects that seem to have changed. This can make the restore faster / cheaper. It can can run on the server or the client, but itmakes sense to supply it as accessory metadata with the "patch" file. The client is free to ignore it (and load all the restore file regardless) or regenerate it locally.
• The client always keeps the downloaded backup files, and knows their SHA1 identity. So when it "browses" for course updates and finds an update for course X,it reads the "new" SHA1 and it checks the SHA1 of the last version it downloaded, so it fetches the appropriate - file. If that file does not exist (maybe this client has fallen behind, and we only keep deltas against recent versions) then it will fetch the full backup file.
  • If it has fetched a patchfile, the client makes a copy of the unpacked restore tree, and applies the xdelta.
  • If it has fetched a full zipfile, it will unpack it and run the XML-aware "UIDs changed" script mentioned above.
  • Restore is invoked to execute over the unpacked directory, and can take advantage of the "UIDs changed" hints file to avoid restoring unchanged objects.
  • The latest unpacked directory is kept to serve as the base of the next update. If the operation has been successful, earlier versions can be deleted.

One thing to note is that I don't think that zip generation is stable -- IIRC it embeds a timestamp, and perhaps hostname too. If that's the case, we'll want to compute the SHA1 of the whole backup using a more stable approach, and ignore the literal bits in the zipfile itself. Actually - different compression settings will radically change the bits, so yes we should make the backup id something more similar to a git "tree" identifier.

What is a tree? And how do we compute a tree identifier? It is a directory tree (with as many subdirectories, and files is has). To build a unique identifier of the tree what we do is we

• Compute the SHA1 of each file
• Build a manifest with the internal path and the SHA1, like
  • moodle.xml
  • course_files/Media_examples/Test.ppt
• And then we compute the sha1 of the manifest. That SHA1 is the identity of the "tree"
• Note that we only pay attention to files - empty directories aren't interesting.

This plan uses some hashing tricks, but core idea is to publish relatively dumb xdelta patches around. This will work great but has some limitations - most notably, if files in course files are moved or renamed, it won't do anything particularly smart. For a rename X to Y there will be an instruction to delete file X, followed by the whole contents of Y. And while we can address that basic case (by doing a "smart compare" of the tree manifests looking for identical hashes), the not-so-uncommon case of move + small change is extremely hard to handle.

We could address that by using the git-apply-patch utility, which handles this gracefully. I need to think more about this angle - there are a few issues with it

• I want to avoid funny dependencies, like having to ship executables for windows in the client installer. The Win32 and OSX versions of git are excellent, but it's one more thing to support. And while we can probably implement xdelta and related tricks in pure PHP, git-apply-patch is way too complex.
• AFAIK, the git machinery produces reversible xdeltas -- which means that while we'll save bandwidth in move operations, we will waste it in every other change, as it'll include the "old" data that the patch replaces, as well as the new data. Using a plain unidirectional xdelta, a naive move detector on the tree manifest and training course content maintainers avoid moving large resources is probably a better option.

Edit: There's a nice win32 statically compiled xdelta.exe here http://evanjones.ca/software/xdelta-win32.html