MySQL 8.0 Reference Manual Including MySQL NDB Cluster 8.0
Group Replication's distributed recovery process has a number of built-in measures to ensure fault tolerance in the event of any problems during the process.
The donor for distributed recovery is selected randomly from the existing list of suitable online group members in the current view. Selecting a random donor means that there is a good chance that the same server is not selected more than once when multiple members enter the group. From MySQL 8.0.17, for state transfer from the binary log, the joiner only selects a donor that is running a lower or equal patch version of MySQL Server compared to itself. For earlier releases, all of the online members are allowed to be a donor. For a remote cloning operation, the joiner only selects a donor that is running the same patch version as itself. Note that when the joining member has restarted at the end of the operation, it establishes a connection with a new donor for state transfer from the binary log, which might be a different member from the original donor used for the remote cloning operation.
In the following situations, Group Replication detects an error in distributed recovery, automatically switches over to a new donor, and retries the state transfer:
Connection error - There is an authentication issue or another problem with making the connection to a candidate donor.
Replication errors - One of the replication threads (the receiver or applier threads) being used for state transfer from the binary log fails. Because this method of state transfer uses the existing MySQL replication framework, it is possible that some transient errors could cause errors in the receiver or applier threads.
Remote cloning operation errors - A remote cloning operation fails or is stopped before it completes.
Donor leaves the group - The donor leaves the group, or Group Replication is stopped on the donor, while state transfer is in progress.
The Performance Schema table
replication_applier_status_by_worker
displays the error that caused the last retry. In these
situations, the new connection following the error is attempted
with a new candidate donor. Selecting a different donor in the
event of an error means that there is a chance the new candidate
donor does not have the same error. If the clone plugin is
installed, Group Replication attempts a remote cloning operation
with each of the suitable online clone-supporting donors first.
If all those attempts fail, Group Replication attempts state
transfer from the binary log with all the suitable donors in
turn, if that is possible.
For a remote cloning operation, user-created tablespaces and data on the recipient (the joining member) are dropped before the remote cloning operation begins to transfer the data from the donor. If the remote cloning operation starts but does not complete, the joining member might be left with a partial set of its original data files, or with no user data. Data transferred by the donor is removed from the recipient if the cloning operation is stopped before the data is fully cloned. This situation can be repaired by retrying the cloning operation, which Group Replication does automatically.
In the following situations, the distributed recovery process cannot be completed, and the joining member leaves the group:
Purged transactions - Transactions that are required by the joining member are not present in any online group member's binary log files, and the data cannot be obtained by a remote cloning operation (because the clone plugin is not installed, or because cloning was attempted with all possible donors but failed). The joining member is therefore unable to catch up with the group.
Extra transactions - The joining member already contains some transactions that are not present in the group. If a remote cloning operation was carried out, these transactions would be deleted and lost, because the data directory on the joining member is erased. If state transfer from a donor's binary log was carried out, these transactions could conflict with the group's transactions. For advice on dealing with this situation, see Extra Transactions.
Connection retry limit reached - The
joining member has made all the connection attempts allowed
by the connection retry limit. You can configure this using
the
group_replication_recovery_retry_count
system variable (see
Section 20.5.4.3, “Configuring Distributed Recovery”).
No more donors - The joining member has unsuccessfully attempted a remote cloning operation with each of the online clone-supporting donors in turn (if the clone plugin is installed), then has unsuccessfully attempted state transfer from the binary log with each of the suitable online donors in turn, if possible.
Joining member leaves the group - The joining member leaves the group or Group Replication is stopped on the joining member while state transfer is in progress.
If the joining member left the group unintentionally, so in any
situation listed above except the last, it proceeds to take the
action specified by the
group_replication_exit_state_action
system variable.