In the world of distributed systems, achieving consensus on a sequence of values is notoriously difficult. Multiple nodes, each with their own view of time and state, must agree not just on what values are chosen, but on the exact order in which they're applied. ZAB solves this challenge through an elegant design principle: designate a single leader as the sole authority for ordering all transactions.

This isn't a limitation—it's a profound simplification. By funneling all state changes through one node, ZAB eliminates the complex multi-proposer coordination that makes protocols like Multi-Paxos challenging to implement correctly. The leader becomes the total ordering authority, and the protocol's job is to ensure this authority is maintained correctly across leader changes, failures, and network partitions.

The decision to use a single leader for ordering all transactions is one of the most important architectural choices in ZAB. Understanding why this design was chosen illuminates core principles of distributed systems design.

The Multi-Proposer Problem:

In protocols that allow multiple nodes to propose values simultaneously (like basic Paxos), several complications arise:

1. Proposal conflicts: Two proposers might try to fill the same slot, requiring resolution
2. Ordering complexity: Proposals can arrive at different nodes in different orders
3. Dueling leaders: Competing proposers can block each other, reducing throughput
4. Gap handling: Slots might be decided out of order, creating holes in the sequence

The Single Leader Solution:

By designating exactly one leader at any given time, ZAB eliminates these problems:

1. No conflicts: Only one node can assign zxids, so no two transactions can claim the same slot
2. Natural ordering: The leader decides order; followers simply accept
3. Maximum throughput: No proposal contentio—the leader processes requests as fast as it can
4. No gaps: The leader assigns zxids sequentially; gaps are structurally impossible

The Coordination Service Sweet Spot:

For a coordination service like Zookeeper, the single-leader trade-offs are favorable:

• Writes are relatively rare: Coordination data (locks, configuration, leader election) changes infrequently compared to reads
• Strong consistency is required: Coordination data must be correct; weak consistency would defeat the purpose
• Cluster size is bounded: Zookeeper clusters are typically 3-7 nodes, so leader election is fast
• Writes are small: Coordination payloads are typically bytes to kilobytes, not megabytes

If Zookeeper had different requirements—high write volume, weak consistency acceptable, or very large clusters—a different design might be appropriate. But for coordination, single-leader ordering is optimal.

The ZAB leader has specific responsibilities that go beyond simply accepting client writes. Understanding these responsibilities clarifies how the protocol maintains its guarantees.

Leader Responsibilities:

1. Transaction Ordering The leader assigns the next zxid to each incoming write request. This assignment is final—once a zxid is assigned, it's never changed. The zxid embeds both the current epoch and a monotonically increasing counter.

2. Proposal Broadcasting For each transaction, the leader creates a proposal containing the zxid and transaction data, then broadcasts this proposal to all followers. The leader logs the proposal before broadcasting (write-ahead).

3. Quorum Collection The leader tracks acknowledgments from followers. Once a quorum (majority) of followers have acknowledged a proposal, it's ready for commit. The leader maintains state tracking which proposals have achieved quorum.

4. Commit Coordination When a proposal reaches quorum, the leader broadcasts a commit message. This tells all followers to apply the transaction to their state machine. The leader also applies locally.

5. Follower Synchronization When new followers join or existing followers recover, the leader determines the synchronization strategy (DIFF, TRUNC, or SNAP) and performs the necessary state transfer.

The Leader as Serialization Point:

The leader acts as a serialization point—all writes pass through this single point, establishing a total order. This pattern appears throughout distributed systems design:

• Database write-ahead logs serialize transactions
• Kafka partition leaders serialize messages within a partition
• Raft leaders serialize log entries

The key insight is that serialization through a single point is both simple and correct. The complexity comes in maintaining the serialization point across failures—which is what the rest of ZAB's protocol handles.

When a Zookeeper cluster starts up or loses its leader, it must elect a new leader before processing writes. ZAB uses the Fast Leader Election (FLE) protocol—an optimized election mechanism designed for rapid convergence.

Election Triggers:

Leader election begins when:

• The cluster is starting fresh (no existing leader)
• A follower detects leader failure (heartbeat timeout)
• A leader voluntarily steps down (rare, typically for maintenance)
• Network partition heals and nodes need to reunify

The Election Goal:

The election must select a leader that:

1. Has the most up-to-date transaction log (highest zxid)
2. Is accepted by a quorum of nodes
3. Will use a higher epoch than any previous leader

Why Most Up-to-Date Matters:

The leader must have all committed transactions from previous epochs. If a less up-to-date node became leader, committed transactions could be lost. The election protocol ensures the node with the highest epoch/zxid wins.

The Fast Leader Election Algorithm:

Step 1: Initial Vote Each node initially votes for itself, proposing: (myId, lastZxid)

Step 2: Vote Exchange Nodes broadcast their current vote to all other nodes

Step 3: Vote Comparison When receiving another node's vote, compare with current vote:

• If received vote has higher zxid → adopt it
• If same zxid, tie-break by server ID → higher ID wins
• Broadcast new vote if changed

Step 4: Quorum Detection When a node sees that a candidate has votes from a quorum (including itself), it considers that candidate elected

Step 5: State Transition If elected: become LEADING and start recovery phase If not elected: become FOLLOWING and connect to leader

Epochs are the mechanism by which ZAB distinguishes between different leadership terms. Proper epoch management is essential for correctness in the face of failures and network partitions.

Epoch Lifecycle:

1. Epoch Increment When a new leader begins the discovery phase, it proposes a new epoch = max(known epochs) + 1. Followers respond with their accepted epoch and last zxid.

2. Epoch Establishment Once the prospective leader receives epoch acknowledgments from a quorum, the new epoch is established. The leader will use this epoch for all zxids in its term.

3. Epoch Recognition Followers only accept proposals from a leader with the current epoch. Messages from lower epochs are rejected (stale leader).

4. Epoch Persistence Each node persists its current epoch to stable storage. On restart, nodes use their persisted epoch to avoid accidentally accepting old messages.

The Split-Brain Prevention:

Epochs are crucial for preventing split-brain scenarios. Consider this case:

1. Leader L1 is in epoch 5
2. Network partition isolates L1 from the majority
3. Majority elects L2 in epoch 6
4. Partition heals—now both L1 and L2 think they're leader

How does ZAB handle this?

• L1's proposals carry epoch 5
• All followers in the majority have accepted epoch 6
• Followers reject L1's epoch-5 proposals
• L1 receives rejections, realizes it's no longer leader
• L1 transitions to follower state and syncs with L2

The epoch acts as a fencing token—a mechanism that ensures only the legitimate current leader can make changes.

Epoch vs. Term in Raft:

ZAB's epoch is analogous to Raft's term, but there are subtle differences:

• Increment timing: ZAB epochs are incremented during discovery (before leader is confirmed); Raft terms are incremented at election start
• Persistence requirements: Both require persistent storage of the current term/epoch
• Message handling: Both reject messages from stale terms/epochs

The core principle is identical: each leadership term has a unique, monotonically increasing identifier that allows nodes to determine which leader is current.

After Fast Leader Election identifies a prospective leader, the Discovery phase begins. This phase serves two critical purposes:

1. Establish the new epoch: Ensure all followers accept the new leadership term
2. Discover committed transactions: Find any transactions the prospective leader might be missing

Discovery Protocol Steps:

Step 1: FOLLOWERINFO Each follower sends FOLLOWERINFO to the prospective leader, containing:

• The follower's accepted epoch
• The follower's last zxid

This tells the prospective leader what history each follower has.

Step 2: LEADERINFO The prospective leader calculates the new epoch (max of all follower epochs + 1) and sends LEADERINFO:

• The new epoch number

This proposes the new leadership term to all followers.

Step 3: ACKEPOCH Followers respond with ACKEPOCH indicating they accept the new epoch. They also include:

• Their current epoch (being replaced)
• Their last zxid
• Optionally, their transaction history

Step 4: Epoch Established Once the prospective leader receives ACKEPOCH from a quorum, the new epoch is established.

The Critical Synchronization Insight:

During discovery, the prospective leader learns the highest zxid among the quorum. If any follower has a higher zxid than the prospective leader, those transactions might be committed (if they achieved quorum in the previous epoch).

The prospective leader must sync to the highest zxid in the quorum before proceeding.

This is non-obvious: the elected leader might not have the most up-to-date log! Fast Leader Election prefers higher zxids, but the actual elected leader might have slightly stale data if:

• FLE votes were based on zxids at election start
• Transactions committed during the election
• Minor timing differences in vote propagation

Discovery corrects for this by identifying the true highest zxid in the quorum and syncing the leader accordingly.

After discovery establishes the new epoch and identifies the highest committed state, the Synchronization phase ensures all followers in the quorum have consistent state before broadcast begins.

Synchronization Goals:

1. Bring all followers up to the leader's state
2. Truncate any uncommitted transactions on followers (from a failed leader)
3. Ensure prefix consistency before new transactions begin

Synchronization Protocol:

Step 1: Leader evaluates each follower For each follower, based on their last zxid, leader determines sync method:

• DIFF: Follower needs incremental transactions
• TRUNC: Follower has uncommitted transactions to discard
• SNAP: Follower is too far behind; needs full snapshot

Step 2: Leader sends sync messages The appropriate sync messages are sent:

• For DIFF: sequence of PROPOSAL messages for missing transactions
• For TRUNC: TRUNC message with the zxid to truncate to
• For SNAP: SNAP message followed by complete state snapshot

Step 3: Commit pending transactions Leader sends COMMIT for all synced transactions

Step 4: NEWLEADER message Leader sends NEWLEADER message indicating sync is complete

Step 5: Followers acknowledge Followers send ACK for NEWLEADER when they've processed all sync data

Step 6: Quorum achieved Once leader receives NEWLEADER ACKs from a quorum, synchronization phase completes

Handling the TRUNC Case:

The TRUNC case deserves special attention as it represents a subtle correctness scenario:

Scenario:

1. Leader L1 proposes transaction T at zxid Z
2. Follower F1 receives and logs T
3. L1 crashes before T achieves quorum (before F2 and F3 see it)
4. New leader L2 is elected (from F2 and F3)
5. L2's quorum never included T, so T is not committed
6. F1 reconnects with T in its log

Resolution:

• L2 detects F1's last zxid (Z) is higher than L2's last committed zxid
• L2 sends TRUNC to F1, instructing it to truncate to L2's last committed zxid
• F1 discards T—it was never committed, so this is safe
• F1's log now matches the committed prefix

This is correct because T never achieved quorum acknowledgment. The client that proposed T never received a confirmation, so from the client's perspective, T failed (correctly).

Understanding how ZAB handles various leader failure scenarios is essential for reasoning about system behavior and correctness. Let's analyze the key failure modes.

Scenario 1: Leader Fails Before Proposing

Client sends request → Leader crashes before creating proposal

Outcome: Request is lost (never entered the system). Client times out and can retry. No consistency issues—transaction was never started.

Scenario 2: Leader Fails After Proposing, Before Any Acknowledgment

Leader creates proposal → Leader crashes → No followers received it

Outcome: Proposal is lost. Leader might have logged it, but since no follower has it, new leader won't discover it. Client times out. Safe—transaction never reached any other node.

Scenario 3: Leader Fails After Some Acknowledgments, Before Quorum

Leader proposes → Some followers ACK → Leader crashes before quorum

Outcome: Some followers have the proposal in their log, others don't. New leader election occurs:

• If new leader is from followers who have the proposal AND they form a quorum of the old proposal → proposal might be committed by new leader
• If new leader is from followers who lack the proposal → proposal is orphaned | followers with it will TRUNC

This is the subtle case—the outcome depends on quorum membership.

Scenario 4: Leader Fails After Quorum ACKs, Before Commit (Critical)

This scenario deserves deep analysis:

1. Leader proposes T with zxid Z
2. Leader and followers F1, F2 ACK (quorum = 3 of 5)
3. Leader crashes before sending COMMIT
4. F3, F4 never received the proposal

Analysis:

• The proposal achieved quorum ACK on {Leader, F1, F2}
• Any new quorum must include at least one of these (quorum intersection)
• If new leader is F1 or F2: they have the proposal and must commit it
• If new leader is F3 or F4: during discovery, they'll learn about Z from F1 or F2

The quorum intersection property guarantees that T will be discovered and committed by the new leader. This is why quorum-based replication is safe!

Scenario 5: Leader Fails After Committing Locally

1. Leader commits T, updates state machine
2. Leader crashes before sending COMMIT to followers
3. Followers have T proposed but not committed

Result: New leader will find T in quorum and commit it. Client might not know T succeeded, but T is durably committed. Idempotency on client side handles the uncertainty.

While leader failures trigger dramatic protocol transitions, follower failures are handled more gracefully. The system continues operating as long as quorum remains available.

Follower Crash Scenarios:

Scenario A: Follower Crashes, Quorum Still Available

• Leader notices missing heartbeat from follower
• Leader removes follower from active set
• Pending proposals only need remaining quorum
• System continues with reduced redundancy

Scenario B: Multiple Followers Crash, Quorum Lost

• Leader can no longer achieve quorum for commit
• Outstanding proposals cannot commit
• Leader blocks, waiting for quorum recovery or eventually times out
• System is unavailable for writes but consistent

Scenario C: Follower Recovers After Short Outage

• Follower reconnects to leader
• Leader initiates DIFF sync (incremental)
• Follower catches up quickly
• Follower rejoins active set

Follower Lagging During Broadcast:

In steady state, a slow follower might fall behind the leader. ZAB handles this gracefully:

1. Leader continues broadcasting: Proposals are sent to all followers; slow follower receives them eventually
2. Commit can proceed: As long as quorum (excluding slow follower) acknowledges, transactions commit
3. Follower catches up: Slow follower processes proposals in order, eventually reaching committed state
4. Sync if too slow: If follower falls too far behind (leader's log is truncated), standard sync protocol applies

This is why ZAB uses asynchronous broadcast—the leader doesn't wait for all followers, only quorum.

Observer Nodes:

Zookeeper also supports observer nodes—replicas that receive broadcasts but don't participate in quorum voting. Benefits:

• Scale read capacity without increasing quorum size
• Deploy in distant data centers without affecting write latency
• Provide local reads for clients

Observers receive all commits but their acknowledgment isn't required for commit. They're eventually consistent with leaders.

We've explored how ZAB uses a single leader to establish total ordering for transactions. Let's consolidate the essential concepts:

What's Next:

Now that you understand ZAB's leader-based ordering mechanics, the next page provides a detailed comparison of ZAB with Raft and Paxos. We'll analyze the design choices each protocol makes, their performance characteristics, and when each is most appropriate.