Consensus: Raft & Paxos

5-node: quorum=3, tolerates 2 failures. 7-node: quorum=4, tolerates 3 failures. 9-node: quorum=5, tolerates 4 failures. Even-node trap: a 6-node cluster has quorum=4, tolerates only 2 failures — same as a 5-node cluster, but costs one extra node. Always use odd counts. 9-node AZ analysis: with 3 nodes/AZ, losing one full AZ = 3 nodes lost, 6 remaining, quorum=5 — still achievable, cluster survives. Losing one AZ + one node from another AZ = 4 nodes lost, 5 remaining, quorum=5 — still works (barely). Losing two full AZs = 6 nodes lost, only 3 remaining — cannot reach quorum=5, cluster halts. Place 5 nodes in primary AZ and 4 in secondary for better single-AZ-failure resilience, but this sacrifices AZ symmetry.

With only 2 nodes (A and B), quorum=3 cannot be reached. Node A stops accepting writes (Raft requires acknowledgment from a majority before committing). Node A may still believe it is leader for up to one election timeout period (150–300ms). During this window, it could serve linearizable reads if it issues a heartbeat — but since it cannot get quorum responses, it will step down. Application clients receive timeout errors after 5 seconds. No split brain: A and B cannot elect a new leader (2 votes < 3 quorum) — the cluster halts safely. Recovery: when C, D, E restart, they rejoin with their last known state. A or B (whoever has the most up-to-date log) wins the election. Any uncommitted log entries from A's tenure are either committed (if C/D/E have them too) or rolled back. Operators can force restart with --force-new-cluster on Node A only as a last resort (losing uncommitted entries).

Lock data model: {lock_id, holder_id, lease_expires_at: now()+60s, fencing_token: monotonically_increasing_integer, granted_at, raft_term}. Acquisition: the Raft leader receives AcquireLock(lock_id, worker_id). It checks if lock_id is free or expired, then proposes a log entry. Only one worker can "win" the log entry commit — the other's request arrives after and sees the lock already held. Lease expiry: the Raft state machine runs a background timer; when lease_expires_at passes, the lock is marked free in the next heartbeat cycle. Fencing token: the lock service increments a global counter for each new grant. The shared resource (e.g., S3 bucket, DB row) stores the last-seen fencing token. A write from zombie worker with token=5 is rejected if the resource has already seen token=6 (new holder's token). The resource, not the lock service, enforces this.

Stale read scenario: Leader L1 is partitioned from followers. Followers elect L2. L1 doesn't know it's deposed and serves reads from its stale local state — linearizability violated. Leader lease: when L1 wins an election, it records the timestamp. No new leader can be elected until election_timeout (e.g., 500ms) passes. So L1 can safely serve reads during [lease_start, lease_start + election_timeout - clock_drift_bound]. L1 serves reads from local state without any follower contact. Clock safety: if L1's clock runs fast by delta ms, the actual lease expires delta ms earlier than L1 thinks — use max_clock_drift as a safety margin: effective_lease = election_timeout - max_clock_drift. CockroachDB uses HLC (Hybrid Logical Clocks) with a 500ms max offset. Lease renewal: L1 sends heartbeats every 150ms (before 500ms timeout). If heartbeat round trip fails (e.g., network issue), L1 stops serving reads and relinquishes leadership after the lease expires — never serves stale data.