Fault Tolerance in a High Volume, Distributed System

Fault Tolerance in a High Volume, Distributed SystemBen ChristensenSoftware Engineer – API Platform at Netflix@benjchristensenhttp://www.linkedin.com/in/benjchristensen

Dozens of dependencies.

One going down takes everything down.

99.99%30 = 99.7% uptime0.3% of 1 billion = 3,000,000 failures

2+ hours downtime/montheven if all dependencies have excellent uptime.

Reality is generally worse.

No single dependency should take down the entire app.

Fail fast.Fail silent.Fallback.

Shed load.

Options

Aggressive Network Timeouts

Semaphores (Tryable)

Separate Threads

Circuit Breaker

Options

Separate Threads

Circuit Breaker

Options

Separate Threads

Circuit Breaker

TryableSemaphore executionSemaphore = getExecutionSemaphore();// acquire a permitif (executionSemaphore.tryAcquire()) { try { return executeCommand(); } finally { executionSemaphore.release(); }} else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback();}

Semaphores (Tryable): Limited Concurrency

if (executionSemaphore.tryAcquire()) { } else { }

if (executionSemaphore.tryAcquire()) { } else { return getFallback();}

Options

Separate Threads

Circuit Breaker

try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior

throw new RejectedExecutionException("Rejected command because thread-pool queueSize is at rejection threshold."); }

... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command);} catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback();}

Separate Threads: Limited Concurrency

if (!threadPool.isQueueSpaceAvailable()) {

throw new RejectedExecutionException }

} catch (RejectedExecutionException e) { }

if (!threadPool.isQueueSpaceAvailable()) {

throw new RejectedExecutionException }

} catch (RejectedExecutionException e) { return getFallback();}

Separate Threads: Timeout

public K get() throws CancellationException, InterruptedException, ExecutionException { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime);

// retrieve the fallback return getFallback(); }}

Override of Future.get()

try { return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) {

return getFallback(); }}

Options

Separate Threads

Circuit Breaker

if (circuitBreaker.allowRequest()) { return executeCommand();} else { // short-circuit and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback();}

Circuit Breaker

if (circuitBreaker.allowRequest()) { } else { }

Circuit Breaker

if (circuitBreaker.allowRequest()) { } else { return getFallback(); }

Netflix uses all 4 in combination

Tryable semaphores for “trusted” clients and fallbacks

Separate threads for “untrusted” clients

Aggressive timeouts on threads and network callsto “give up and move on”

Circuit breakers as the “release valve”

Benefits of Separate Threads

Protection from client libraries

Lower risk to accept new/updated clients

Quick recovery from failure

Client misconfiguration

Client service performance characteristic changes

Built-in concurrency30

Drawbacks of Separate Threads

Some computational overhead

Load on machine can be pushed too far

Benefits outweigh drawbackswhen clients are “untrusted”

Visualizing Circuits in Realtime(generally sub-second latency)

Video available athttps://vimeo.com/33576628

Rolling 10 second counter – 1 second granularity

Median Mean 90th 99th 99.5th

Latent Error Timeout Rejected

Error Percentage(error+timeout+rejected)/

(success+latent success+error+timeout+rejected).

Netflix DependencyCommand Implementation

Fallbacks

CacheEventual Consistency

Stubbed DataEmpty Response

Netflix DependencyCommand Implementation

Rolling NumberRealtime Stats and Decision Making

Request CollapsingTake advantage of resiliency to improve efficiency

Fail fast.Fail silent.Fallback.

Shed load.

Questions & More Information

Fault Tolerance in a High Volume, Distributed Systemhttp://techblog.netflix.com/2012/02/fault-tolerance-in-high-volume.html

Making the Netflix API More Resilienthttp://techblog.netflix.com/2011/12/making-netflix-api-more-resilient.html

Ben Christensen@benjchristensen

http://www.linkedin.com/in/benjchristensen

Fault Tolerance in a High Volume, Distributed System

Technology

Byzantine Fault Tolerance 15-440 Distributed Systems

Fault Tolerance in Distributed Systems 05.05.2005 Naim Aksu

Distributed Middleware Reliability & Fault Tolerance Support in System S

Fault tolerance in distributed system using fused data structures

Module 8 - Fault Tolerance · 2015-01-01 · CS454/654 – Distributed Systems Fault Tolerance 1 Module 8 - Fault Tolerance CS454/654 8-2 QReliability OA measure of success with which

Distributed File Systems Synchronization – 11.5 Consistency and Replication - 11.6 Fault Tolerance – 11.7

Real-Time Distributed Discrete-Event Execution with Fault Tolerance

Fault Tolerance in Distributed Systems Using Diynamic Vote Reassignment

Distributed Algorithms – 2g1513 Lecture 9 – by Ali Ghodsi Fault-Tolerance in Distributed Systems

Chapter 5: Distributed Systems: Fault Tolerance

Lecture 13 Fault Tolerance Networked vs. Distributed Operating Systems

Policy Speciﬁcation for Non-Local Fault Tolerance in …jck/publications/varner.thesis.pdf · Policy Speciﬁcation for Non-Local Fault Tolerance in Large Distributed Information

Fault Tolerance in Distributed Systems

Byzantine Fault Tolerance for Distributed Systems

Data Consistency and Fault Tolerancecheo/presentations/fault...Replication for Consistency and Fault Tolerance In distributed systems where both consistency and fault tolerance need

Fault Tolerance Fault Tolerance Basic Concepts Recoverydis.dankook.ac.kr/lectures/ds19/wp-content/uploads/sites/72/2019/1… · Distributed agreement algorithms All non-faulty processes

Middleware and Distributed Systems Fault Tolerance - Operating

Fault Tolerance in Distributed SystemsClassifying fault-tolerance Masking tolerance. Application runs as it is. The failure does not have a visible impact. All properties (both liveness

Fault Tolerance in Distributed Systems

MODEL-DRIVEN FAULT-TOLERANCE PROVISIONING FOR … · MODEL-DRIVEN FAULT-TOLERANCE PROVISIONING FOR COMPONENT-BASED DISTRIBUTED REAL-TIME EMBEDDED SYSTEMS By Sumant Tambe Dissertation