View
600
Download
0
Category
Tags:
Preview:
DESCRIPTION
Complex distributed systems fail. They fail more frequently, and in different ways, as they scale and evolve over time. In this session, you learn how Netflix embraces failure to provide high service availability. Netflix discusses their motivations for inducing failure in production, the mechanics of how Netflix does this, and the lessons they learned along the way. Come hear about the Failure Injection Testing (FIT) framework and suite of tools that Netflix created and currently uses to induce controlled system failures in an effort to help discover vulnerabilities, resolve them, and improve the resiliency of their cloud environment.
Citation preview
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
November 12th, 2014 | Las Vegas, NV
PFC305
Embracing FailureFault Injection and Service Resilience at Netflix
Josh Evans and Naresh Gopalani, Netflix
• ~50 million members, ~50 countries
• > 1 billion hours per month
• > 1000 device types
• 3 AWS regions, hundreds of services
• Hundreds of thousands of requests/second
• CDN serves petabytes of data at terabits/second
Netflix Ecosystem
Service
Partners
Static
ContentAkamai
Netflix CDN
AWS/Netflix
Control
PlaneInternet
Availability means that members can
● sign up
● activate a device
● browse
● watch
What keeps us up at night
Failures can happen any time
• Disks fail
• Power outages
• Natural disasters
• Software bugs
• Human error
We design for failure
• Exception handling
• Fault tolerance and isolation
• Fall-backs and degraded experiences
• Auto-scaling clusters
• Redundancy
Testing for failure is hard
• Web-scale traffic
• Massive, changing data sets
• Complex interactions and request patterns
• Asynchronous, concurrent requests
• Complete and partial failure modes
Constant innovation and change
What if we regularly inject failures
into our systems under controlled
circumstances?
Blast Radius
• Unit of isolation
• Scope of an outage
• Scope a chaos exercise
Zone
Region
Instance
Global
An Instance Fails
Edge Cluster
Cluster A
Cluster B
Cluster D
Cluster C
Chaos Monkey
• Monkey loose in your DC• Run during business hours
• What we learned– Auto-replacement works– State is problematic
A State of Xen - Chaos Monkey & Cassandra
Out of our 2700+ Cassandra nodes• 218 rebooted
• 22 did not reboot successfully
• Automation replaced failed nodes
• 0 downtime due to reboot
An Availability Zone Fails
EU-West
US-EastUS-West
AZ1AZ2
Chaos Gorilla
Simulate an Availability
Zone outage
• 3-zone configuration
• Eliminate one zone
• Ensure that others can
handle the load and
nothing breaks
Chaos Gorilla
Challenges
• Rapidly shifting traffic– LBs must expire connections quickly
– Lingering connections to caches must be addressed
• Service configuration– Not all clusters auto-scaled or pinned
– Services not configured for cross-zone calls
– Mismatched timeouts – fallbacks prevented fail-over
A Region Fails
EU-WestUS-EastUS-West
AZ1 AZ2 AZ3
Regional Load Balancers
Zuul – Traffic Shaping/Routing
Data Data Data
Geo-located
Chaos Kong
Chaos Kong
AZ1 AZ2 AZ3
Regional Load Balancers
Zuul – Traffic Shaping/Routing
Data Data Data
Customer
Device
Challenges
● Rapidly shifting traffic
○ Auto-scaling configuration
○ Static configuration/pinning
○ Instance start time
○ Cache fill time
Challenges
● Service Configuration
○ Timeout configurations
○ Fallbacks fail or don’t provide the
desired experience
● No minimal (critical) stack
○ Any service may be critical!
A Service Fails
Zone
Region
Global
Service
Services Slow Down and Fail
Simulate latent/failed service
calls
• Inject arbitrary latency and errors at
the service level
• Observe for effects
Latency Monkey
Latency Monkey
Device ZuulELB Edge Service B
Service C
Internet
Service A
Challenges• Startup resiliency is an issue
• Services owners don’t know all dependencies
• Fallbacks can fail too
• Second order effects not easily tested
• Dependencies are in constant flux
• Latency Monkey tests function and scale
– Not a staged approach
– Lots of opt-outs
More Precise and Continuous
Service Failure Testing:FIT
Distributed Systems Fail
● Complex interactions at scale
● Variability across services
● Byzantine failures
● Combinatorial complexity
Any service can cause cascading failures
ELB
Fault Injection Testing (FIT)
Device Service B
Service C
Internet Edge
Device or Account Override
Zuul
Service A
Request-level simulations
ELB
Failure Injection Points
IPC Cassandra Client Memcached Client Service Container Fault Tolerance
FIT Details
● Common Simulation Syntax
● Single Simulation Interface
● Transported via Http Request header
Integrating Failure
Service
Filter
Ribbon
Service
Filter
Ribbon
ServerRcv
ServerRcv
ClientSend
request
Service A
response
Service B
[sendRequestHeader] >>fit.failure: 1|fit.Serializer|
2|[[{"name”:”failSocial,
”whitelist":false,
"injectionPoints”:
[“SocialService”]},{}
]],
{"Id":
"252c403b-7e34-4c0b-a28a-3606fcc38768"}]]
Failure Scenarios
● Set of injection points to fail
● Defined based on
○ Past outages
○ Specific dependency interactions
○ Whitelist of a set of critical services
○ Dynamic tracing of dependencies
FIT Insights : Salp● Distributed tracing inspired by Dapper paper
● Provides insight into dependencies
● Helps define & visualize scenarios
Functional Validation
● Isolated synthetic transactions
○ Set of devices
Validation at Scale
● Dial up customer traffic - % based
● Simulation of full service failure
Dialing Up Failure
Chaos!
Continuous Validation
Critical
Services
Non-critical
Services
Synthetic
Transactions
Don’t Fear The Monkeys
Take-aways• Don’t wait for random failures
– Cause failure to validate resiliency
– Remove uncertainty by forcing failures regularly
– Better to fail at 2pm than 2am
• Test design assumptions by stressing them
Embrace Failure
The Simian Army is part of the Netflix open source cloud platform
http://netflix.github.com
Netflix talks at re:InventTalk Time Title
BDT-403 Wednesday, 2:15pm Next Generation Big Data Platform at Netflix
PFC-306 Wednesday, 3:30pm Performance Tuning Amazon EC2
DEV-309 Wednesday, 3:30pm From Asgard to Zuul, How Netflix’s proven Open
Source Tools can accelerate and scale your
services
ARC-317 Wednesday, 4:30pm Maintaining a Resilient Front-Door at Massive Scale
PFC-304 Wednesday, 4:30pm Effective InterProcess Communications in the
Cloud: The Pros and Cons of Microservices
Architectures
ENT-209 Wednesday, 4:30pm Cloud Migration, Dev-Ops and Distributed Systems
APP-310 Friday 9:00am Scheduling using Apache Mesos in the Cloud
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals
Josh Evans
jevans@netflix.com
@josh_evans_nflx
Naresh Gopalani
ngopalani@netflix.com
Recommended