This article covers various levels of consistency guarantees with regards to:
- receiving messages
- updating user data
- sending messages
It does not discuss the transaction isolation aspect. Transaction isolation applies only to the process of updating the user data, it does not affect the overall coordination and failure handling.
Four levels of guarantees with regards to message processing are offered. A level's availability depends on the selected transport.
The implementation details for each transport are discussed in the dedicated documentation sections. They can be accessed by clicking the links with the transport name in the following table:
In this mode the transport receive operation is wrapped in a
TransactionScope. Other operations inside this scope, both sending messages and manipulating data, are guaranteed to be executed (eventually) as a whole or rolled back as a whole.
If required, the transaction is escalated to a distributed transaction (following two-phase commit protocol coordinated by MSDTC) if both the transport and the persistence support it. A fully distributed transaction is not always required, for example when using SQL Server transport with SQL persistence, both using the same database connection string. In this case the ADO.NET driver guarantees that everything happens inside a single database transaction and ACID guarantees are held for the whole processing.
Transaction scope mode is enabled by default for the transports that support it (i.e. MSMQ and SQL Server transport). It can be enabled explicitly with the following code:
var transport = endpointConfiguration.UseTransport<MyTransport>(); transport.Transactions(TransportTransactionMode.TransactionScope);
In this mode handlers will execute inside a
TransactionScope created by the transport. This means that all the data updates and queue operations are all committed or all rolled back.
A distributed transaction between the queueing system and the persistent storage guarantees atomic commits but guarantees only eventual consistency.
Consider a system using MSMQ transport and RavenDB persistence implementing the following message exchange scenario with a saga that models a simple order lifecycle:
OrderSagaDatainstance is created and stored in RavenDB.
- NServiceBus completes the distributed transaction and the DTC instructs MSMQ and RavenDB resource managers to commit their local transactions.
StartOrdermessage is removed from the input queue and
VerifyPaymentis immediately sent to
- RavenDB acknowledges the transaction commit and begins writing
VerifyPaymentmessage and immediately responds with a
CompleteOrdermessage to the originating
CompleteOrdermessage and attempts to complete the saga.
OrderSagaqueries RavenDB to find the
OrderSagaDatainstance to complete.
- RavenDB has not finished writing
OrderSagaDatato disk and returns an empty result set.
OrderSagafails to complete.
In the example above the
TransactionScope guarantees atomicity for the
OrderSaga: consuming the incoming
StartOrder message, storing
OrderSagaData in RavenDB and sending the outgoing
VerifyPayment message are committed as one atomic operation. The saga data may not be immediately available for reading even though the incoming message has already been processed.
OrderSaga is thus only eventually consistent. The
CompleteOrder message needs to be retried until RavenDB successfully returns an
In this mode the receive operation is wrapped in a transport's native transaction. This mode guarantees that the message is not permanently deleted from the incoming queue until at least one processing attempt (including storing user data and sending out messages) is finished successfully. See also recoverability for more details on retries.
Messages that are required to be sent immediately should use the immediate dispatch option which bypasses batching.
Use the following code to use this mode:
var transport = endpointConfiguration.UseTransport<MyTransport>(); transport.Transactions(TransportTransactionMode.ReceiveOnly);
In this mode some (or all) handlers might get invoked multiple times and partial results might be visible:
- partial updates - where one handler succeeded updating its data but the other didn't
- partial sends - where some of the messages have been sent but others not
When using this mode all handlers must be idempotent, i.e. the result needs to be consistent from a business perspective even when the message is processed more than once.
Outbox section below for details on how NServiceBus can handle idempotency at the infrastructure level.
Some transports support enlisting outgoing operations in the current receive transaction. This prevents messages being sent to downstream endpoints during retries.
Use the following code to use this mode:
var transport = endpointConfiguration.UseTransport<MyTransport>(); transport.Transactions(TransportTransactionMode.SendsAtomicWithReceive);
This mode has the same consistency guarantees as the Receive Only mode, but additionally it prevents occurrence of ghost messages since all outgoing operations are atomic with the ongoing receive operation.
Disabling transactions is generally not recommended, because it might lead to message loss. It might be considered if losing some messages is not problematic and if the messages get outdated quickly, e.g. when sending readings from sensors at regular intervals.
var transport = endpointConfiguration.UseTransport<MyTransport>(); transport.Transactions(TransportTransactionMode.None);
The Outbox feature provides idempotency at the infrastructure level and allows running in transport transaction mode while still getting the same semantics as Transaction scope mode.
When using the Outbox, any messages resulting from processing a given received message are not sent immediately but rather stored in the persistence database and pushed out after the handling logic is done. This mechanism ensures that the handling logic can only succeed once so there is no need to design for idempotency.
In transaction modes lower than TransactionScope there is a risk of partial updates because one handler might succeed in updating business data while another handler fails. To avoid this configure NServiceBus to wrap all handlers in a
TransactionScope that will act as a unit of work and make sure that there are no partial updates. Use the following code to enable a wrapping scope:
var unitOfWorkSettings = endpointConfiguration.UnitOfWork(); unitOfWorkSettings.WrapHandlersInATransactionScope();
The following options for transaction scopes used during message processing can be configured.
NServiceBus will by default use the
ReadCommitted isolation level. Change the isolation level using
var transport = endpointConfiguration.UseTransport<MyTransport>(); transport.Transactions(TransportTransactionMode.TransactionScope); transport.TransactionScopeOptions( isolationLevel: IsolationLevel.RepeatableRead);
The only recommended isolation levels used with TransactionScope guarantee are
RepeatableRead. Using lower isolation levels may lead to subtle errors in certain configurations that are hard to troubleshoot.
NServiceBus will use the default transaction timeout of the machine the endpoint is running on.
Change the transaction timeout using
var transport = endpointConfiguration.UseTransport<MyTransport>(); transport.Transactions(TransportTransactionMode.TransactionScope); transport.TransactionScopeOptions( timeout: TimeSpan.FromSeconds(30));