1. Distributed Systems CS 15-440
Fault Tolerance- Part II
Lecture 18, Nov 13, 2013
Mohammad Hammoud

2. Today… Last session: Fault Tolerance – Part I Today’s Session:
Fault Tolerance – Part II
Reliable communication
Announcements:
Project 2 grades are out
PS3 is due today by 11:59PM
Project 4 is due on Dec. 5 by 11:59PM
Quiz 2 is on Wed. Nov. 20

3. Discussion on Fault Tolerance
Objectives
Discussion on Fault Tolerance
Recovery from failures
Atomicity and distributed commit protocols
Process resilience, failure detection and reliable communication
General background on fault tolerance

4. Reliable Communication
Fault tolerance in distributed systems typically concentrates on faulty processes
However, we also need to consider communication failures
We will focus on two types of reliable communication:
Reliable request-reply communication (e.g., RPC)
Reliable group communication (e.g., multicasting schemes) P1 P0
In practice, the focus is on masking crash and omission failures
A communication channel may exhibit crash, omission, timing, and byzantine failures
Add a slide prior to this slide with an animated example to make your point clear.

5. Reliable Communication
Reliable Request-Reply Communication
Reliable Group Communication
Reliable Group Communication
In practice, the focus is on masking crash and omission failures
A communication channel may exhibit crash, omission, timing, and byzantine failures
Add a slide prior to this slide with an animated example to make your point clear.

6. Request-Reply Communication
The request-reply (RR) communication is designed to support the roles and message exchanges in typical client-server interactions
This sort of communication is mainly based on a trio of communication primitives, doOperation, getRequest and sendReply
Client
Server
doOperation
(wait)
(continuation)
Request Message
getRequest
select operation
execute operation
sendReply
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.
Reply Message

7. Timeouts
Request-reply communication may suffer from crash, omission, timing, and byzantine failures
To allow for occasions where a request or a reply message is not delivered (e.g., lost), doOperation uses a timeout mechanism
There are various options as to what doOperation can do after a timeout:
Return immediately with an indication to the client that the request has failed
Send the request message repeatedly until either a reply is received or the server is assumed to have failed
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.

8. Idempotent Operations
In cases when the request message is retransmitted, the server may receive it more than once
This can cause the server executing an operation more than once for the same request
Not every operation can be executed more than once and obtain the same results each time
Operations that can be executed repeatedly with the same effect are called idempotent operations
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.

9. Duplicate Filtering
To avoid problems with non-idempotent operations, the server should recognize successive messages from the same client and filter out duplicates
If the server has already sent the reply when it receives a “duplicate” request, it can either:
Re-execute the operation again to obtain the result (only for idempotent operations)
Or do not re-execute the operation if it has chosen to retain the outcome of the first and only execution
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.

10. Keeping History
Servers can maintain the execution outcomes of requests in what is called the history
More precisely, the term ‘history’ is used to refer to a structure that contains records of (reply) messages that have been transmitted
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.
Fields of a history record:
Request ID
Message
Client ID

11. Managing History
The server can interpret each request from a client as an ACK of its previous reply
Thus, the history needs contain ONLY the last reply message sent to each client
But, if the number of clients is large, memory cost might become a problem
Messages in a history are normally discarded after a limited period of time
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.

12. In Summary…
RR protocol can be implemented in different ways to provide different delivery guarantees. The main choices are:
Retry request message (client side): Controls whether to retransmit the request message until either a reply is received or the server is assumed to have failed
Duplicate filtering (server side): Controls when retransmissions are used and whether to filter out duplicate requests at the server
Retransmission of results (server side): Controls whether to keep a history of result messages to enable lost results to be retransmitted without re-executing the operations at the server
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.

13. Request-Reply Call Semantics
Combinations of request-reply protocols lead to a variety of possible semantics for the reliability of remote invocations
Fault Tolerance Measure
Call Semantics (Pertaining to Remote Procedures)
Retransmit Request Message
Duplicate Filtering
Re-execute Procedure or Retransmit Reply No
N/A
Maybe
Yes
Re-execute Procedure
At-least-once
Retransmit Reply
At-most-once
Fault Tolerance Measure
Call Semantics
Retransmit Request Message
Duplicate Filtering
Re-execute Procedure or Retransmit Reply No
N/A
Maybe
Yes
Re-execute Procedure
At-least-once
Retransmit Reply
At-most-once
Fault Tolerance Measure
Call Semantics
Retransmit Request Message
Duplicate Filtering
Re-execute Procedure or Retransmit Reply No
N/A
Maybe
Yes
Re-execute Procedure
At-least-once
Retransmit Reply
At-most-once
- In practice, the focus is on masking crash and omission failures
Add a slide prior to this slide with an animated example to make your point clear.

14. Classes of Failures in Request-Reply Communication
There are 5 different classes of failures that can occur in request-reply systems:
Class 1: The client is unable to locate the server
Class 2: The request message from the client to the server is lost
Class 3: The server crashes after receiving a request
Class 4: The reply message from the server to the client is lost
Class 5: The client crashes after sending a request
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

15. Classes of Failures in Request-Reply Communication
There are 5 different classes of failures that can occur in request-reply systems:
Class 1: The client is unable to locate the server
Class 2: The request message from the client to the server is lost
Class 3: The server crashes after receiving a request
Class 4: The reply message from the server to the client is lost
Class 5: The client crashes after sending a request
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

16. Class 1: Possible Solution
One possible solution for the client being unable to locate the server is to have doOperation raise an exception at the client side
Considerations:
Not every language has exceptions or signals
Writing an exception identifies the location of the error and, hence, destroys the transparency of the distributed system
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).
The differences between local and remote calls are not always easy to mask.

17. Classes of Failures in Request-Reply Communication
There are 5 different classes of failures that can occur in request-reply systems:
Class1: The client is unable to locate the server
Class2: The request message from the client to the server is lost
Class3: The server crashes after receiving a request
Class4: The reply message from the server to the client is lost
Class5: The client crashes after sending a request
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

18. Class 2: Possible Solution
The doOperation can start a timer when sending the request message
If the timer expires before a reply or an ACK comes back, the message is retransmitted
Considerations:
If the message was lost, the server might not be able to recognize the difference between a first transmission and a retransmission
If the message was not lost, the server has to detect that it is dealing with a retransmission request
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

19. Classes of Failures in Request-Reply Communication
There are 5 different classes of failures that can occur in request-reply systems:
Class1: The client is unable to locate the server
Class2: The request message from the client to the server is lost
Class3: The server crashes after receiving a request
Class4: The reply message from the server to the client is lost
Class5: The client crashes after sending a request
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

20. Class 3: Possible Solution
The doOperation can start a timer when sending the request message
If the timer expires before a reply or an ACK comes back, the message is retransmitted
Main Consideration:
The crash failure may occur either before or after the operation at the server is executed
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

21. Sequence of Events at the Server
The sequence of events at the server is as follows:
In the last 2 cases, the doOperation cannot tell which is which (all it knows is that its timer has expired)
Server
Server
Server
REQ
REQ
REQ
Receive
Execute
Reply
Receive
Execute
Crash
Receive
Crash
REP
REP
REP
The normal case
Crash after execution
Crash before execution
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

22. A Printing Example
A client’s remote operation consists of printing some text at a server
When a client issues a request, it receives an ACK that the request has been delivered to the server
The server sends a completion message to the client when the text is printed

23. The Printing Example: Possible Events at Server
Three events can occur at the server:
Send the completion message (M)
Print the text (P)
Crash (C)
The parentheses indicate an event that can no longer happen because the server already crashed.

24. The Printing Example: Server Strategies
The server has a choice between two strategies:
Send a completion message just before commanding the printer to do its work
Send a completion message after the text is printed

25. The Printing Example: A Failure Scenario
The server crashes, subsequently recovers and announces that to all clients

26. The Printing Example: Server Events Ordering
Server events can occur in 6 different orderings:
Ordering
Description
MPC
A crash occurs after sending the completion message and printing the text
MC(P)
A crash occurs after sending the completion message, but before the text is printed
PMC
A crash occurs after printing the text and sending the completion message
PC(M)
The text is printed, after which a crash occurs before the completion message is sent
C(PM)
A crash happens before the server could do anything
C(MP)
Ordering
Description
MPC
A crash occurs after sending the completion message and printing the text
MC(P)
A crash occurs after sending the completion message, but before the text is printed
PMC
A crash occurs after printing the text and sending the completion message
PC(M)
The text is printed, after which a crash occurs before the completion message is sent
C(PM)
A crash happens before the server could do anything
C(MP)
Ordering
Description
MPC
A crash occurs after sending the completion message and printing the text
MC(P)
A crash occurs after sending the completion message, but before the text is printed
PMC
A crash occurs after printing the text and sending the completion message
PC(M)
The text is printed, after which a crash occurs before the completion message is sent
C(PM)
A crash happens before the server could do anything
C(MP)
Ordering
Description
MPC
A crash occurs after sending the completion message and printing the text
MC(P)
A crash occurs after sending the completion message, but before the text is printed
PMC
A crash occurs after printing the text and sending the completion message
PC(M)
The text is printed, after which a crash occurs before the completion message is sent
C(PM)
A crash happens before the server could do anything
C(MP)
Ordering
Description
MPC
A crash occurs after sending the completion message and printing the text
MC(P)
A crash occurs after sending the completion message, but before the text is printed
PMC
A crash occurs after printing the text and sending the completion message
PC(M)
The text is printed, after which a crash occurs before the completion message is sent
C(PM)
A crash happens before the server could do anything
C(MP)
Ordering
Description
MPC
A crash occurs after sending the completion message and printing the text
MC(P)
A crash occurs after sending the completion message, but before the text is printed
PMC
A crash occurs after printing the text and sending the completion message
PC(M)
The text is printed, after which a crash occurs before the completion message is sent
C(PM)
A crash happens before the server could do anything
C(MP)
The parentheses indicate an event that can no longer happen because the server already crashed.

27. The Printing Example: Client Reissue Strategies
After the crash of the server, the client does not know whether its request to print some text was carried out or not
The client has a choice between 4 strategies:
Reissue Strategy
Description
Never
Never reissue a request, at the risk that the text will not be printed
Always
Always reissue a request, potentially leading to the text being printed twice
Reissue When Not ACKed
Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server
Reissue When ACKed
Reissue a request only if it has received an ACK for the print request
Reissue Strategy
Description
Never
Never reissue a request, at the risk that the text will not be printed
Always
Always reissue a request, potentially leading to the text being printed twice
Reissue When Not ACKed
Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server
Reissue a request only if it has received an ACK for the print request if no ACK has been received on request completion
Reissue Strategy
Description
Never
Never reissue a request, at the risk that the text will not be printed
Always
Always reissue a request, potentially leading to the text being printed twice
Reissue When ACKed
Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server
Reissue When Not ACKed
Reissue a request only if it has received an ACK for the print request if no ACK has been received on request completion
Reissue Strategy
Description
Never
Never reissue a request, at the risk that the text will not be printed
Always
Always reissue a request, potentially leading to the text being printed twice
Reissue When ACKed
Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server
Reissue When Not ACKed
Reissue a request only if it has received an ACK for the print request if no ACK has been received on request completion

28. The Printing Example: Summary and Conclusion
The different combinations of client and server strategies are as follows:
There is NO combination of a client strategy and a server strategy that will work correctly under all possible event sequences
The client can never know whether the server crashed just before or after having the text printed
Reissue Strategy
Strategy MP
Strategy PM
MPC
MC(P)
C(MP)
PMC
PC(M)
C(PM)
Always
DUP OK
Never
ZERO
Only when ACKed
Only when NOT ACKed
Reissue Strategy
Strategy MP
Strategy PM
MPC
MC(P)
C(MP)
PMC
PC(M)
C(PM)
Always
DUP OK
Never
ZERO
Only when ACKed
Only when NOT ACKed
Reissue Strategy
Strategy MP
Strategy PM
MPC
MC(P)
C(MP)
PMC
PC(M)
C(PM)
Always
DUP OK
Never
ZERO
Only when ACKed
Only when NOT ACKed
Reissue Strategy
Strategy MP
Strategy PM
MPC
MC(P)
C(MP)
PMC
PC(M)
C(PM)
Always
DUP OK
Never
ZERO
Only when ACKed
Only when NOT ACKed
OK= Text is printed once, DUP= Text is printed twice, and ZERO= Text is not printed

29. Classes of Failures in Request-Reply Communication
There are 5 different classes of failures that can occur in request-reply systems:
Class 1: The client is unable to locate the server
Class 2: The request message from the client to the server is lost
Class 3: The server crashes after receiving a request
Class 4: The reply message from the server to the client is lost
Class5: The client crashes after sending a request
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

30. Class4: Possible Solution
The doOperation can start a timer when sending the request message
If the timer expires before a reply or an ACK comes back, the message is retransmitted
Considerations:
The remote procedure should be idempotent
Or, the server should apply a duplicate filtering mechanism and maintain a history
The parentheses indicate an event that can no longer happen because the server already crashed.
Conclusion: It is always safe to perform an original request; retransmissions may require more care.

31. Classes of Failures in Request-Reply Communication
There are 5 different classes of failures that can occur in request-reply systems:
Class 1: The client is unable to locate the server
Class 2: The request message from the client to the server is lost
Class 3: The server crashes after receiving a request
Class 4: The reply message from the server to the client is lost
Class 5: The client crashes after sending a request
We now take a closer look at client-server communication when using high-level communication facilities such as Remote Procedure Calls (RPCs).

32. Class 5: Orphans
A client might crash while the server is performing a corresponding computation
Such a computation becomes an orphan
Orphans can cause a variety of problems that can interfere with the normal operation of the system:
They waste CPU cycles
They might lock up files and tie up valuable resources
A confusion might occur:
Client reboots, retransmits the request, and afterwards an orphan reply comes back
The parentheses indicate an event that can no longer happen because the server already crashed.

33. Class 5: Possible Solutions [Nelson 1981]
Extermination: Use logging to explicitly kill off an orphan after a client reboot
Reincarnation: Use broadcasting to kill all remote computations on a client’s behalf after rebooting and getting a new epoch number
Gentle Reincarnation: After an epoch broadcast comes in, a machine kills a computation only if its owner cannot be located anywhere
Expiration: each remote invocation is given a standard amount of time to fulfill the job
Orphan elimination is discussed in more detail by Panzieri and Shrivastave (1988)

34. Discussion on Fault Tolerance
Objectives
Discussion on Fault Tolerance
Recovery from failures
Atomicity and distributed commit protocols
Process resilience, failure detection and reliable communication
General background on fault tolerance

35. Reliable Communication
Reliable Request-Reply Communication
Reliable Group Communication
In practice, the focus is on masking crash and omission failures
A communication channel may exhibit crash, omission, timing, and byzantine failures
Add a slide prior to this slide with an animated example to make your point clear.

36. Reliable Group Communication
As we considered reliable request-reply communication, we need also to consider reliable multicasting services
E.g., Some election algorithms use multicasting schemes 1 2 7 3 6 4
Multicasting services guarantee that messages are delivered to all members in a process group. 5

37. Reliable Group Communication
A Basic Reliable-Multicasting Scheme
Scalability in Reliable Multicasting
Atomic Multicast

38. Reliable Group Communication
A Basic Reliable-Multicasting Scheme
Scalability in Reliable Multicasting
Atomic Multicast

39. Reliable Multicasting
Reliable multicasting indicates that a message that is sent to a process group should be delivered to each member of that group
A distinction should be made between:
Reliable communication in the presence of faulty processes
Reliable communication when processes are assumed to operate correctly
In the presence of faulty processes, multicasting is considered to be reliable when it can be guaranteed that all non-faulty group members receive the message
Reliable multicasting turns out to be surprisingly tricky

40. Basic Reliable Multicasting Questions
What happens if during communication a process P joins a group?
Should P also receive the message?
What happens if a (sending) process crashes during communication?
What about message ordering?
The situation becomes simpler if we assume an agreement exists on who is a member of the group and who is not.
Processes do not fail, and processes do not join or leave the group while communication is going on.
Reliable multicasting can be redefined, as such, so that every message should be delivered to each current group member.

41. Reliable Multicasting with Feedback Messages: A Scenario
Consider the case when a single sender S wants to multicast a message to multiple receivers
An S’s multicast message may be lost part way and delivered to some, but not to all, of the intended receivers
Assume that messages are received in the same order as they are sent
The situation becomes simpler if we assume an agreement exists on who is a member of the group and who is not.
Processes do not fail, and processes do not join or leave the group while communication is going on.
Reliable multicasting can be redefined, as such, so that every message should be delivered to each current group member.

42. Reliable Multicasting with Feedback Messages
Sender
Receiver
Receiver
Receiver
Receiver
M25
M25
M25
M25
M25
M25
M25
M25
M25
M25
M25
M25
M25
M25
M25
History
Buffer
Last = 24
Last = 24
Last = 23
Last = 24
Network
Sender
Receiver
Receiver
Receiver
Receiver
We assume that messages are received in the order they are sent.
Last = 24
Last = 24
Last = 23
Last = 24
M25
M25
M25
M25
ACK25
ACK25
Missed 24
ACK25
An extensive and detailed survey of total-order broadcasts can be found in Defago et al. (2004)

43. Reliable Group Communication
A Basic Reliable-Multicasting Scheme
Scalability in Reliable Multicasting
Atomic Multicast

44. Scalability Issues with a Feedback-Based Scheme
If there are N receivers in a multicasting process, the sender must be prepared to accept at least N ACKs
This might cause a feedback implosion
Instead, we can let a receiver return only a NACK
Limitations:
No hard guarantees can be given that a feedback implosion will not happen
It is not clear for how long the sender should keep a message in its history buffer
Reliable multicasting turns out to be surprisingly tricky

45. Nonhierarchical Feedback Control
How can we control the number of NACKs sent back to the sender?
A NACK is sent to all the group members after some random delay
A group member suppresses its own feedback concerning a missing message after receiving a NACK feedback about the same message

46. Hierarchical Feedback Control
Feedback suppression is basically a nonhierarchical solution
Achieving scalability for very large groups of receivers requires that hierarchical approaches are adopted
The group of receivers is partitioned into a number of subgroups, which are organized into a tree R
The main problem here is the construction of the tree.
Receiver

47. Hierarchical Feedback Control
The subgroup containing the sender S forms the root of the tree
Within a subgroup, any reliable multicasting scheme can be used
Each subgroup appoints a local coordinator C responsible for handling retransmission requests in its subgroup
If C misses a message m, it asks the C of the parent subgroup to retransmit m S
Coordinator C C R
Root
The main problem here is the construction of the tree.

48. Reliable Group Communication
A Basic Reliable-Multicasting Scheme
Scalability in Reliable Multicasting
Atomic Multicast

49. Atomic Multicast
P1: What is often needed in a distributed system is the guarantee that a message is delivered to either all processes or to none at all
P2: It is also generally required that all messages are delivered in the same order to all processes
Satisfying P1 and P2 results in an atomic multicast
Atomic multicast:
Ensures that non-faulty processes maintain a consistent view
Forces reconciliation when a process recovers and rejoins the group

50. Virtual Synchrony (1)
A multicast message m is uniquely associated with a list of processes to which it should be delivered
This delivery list corresponds to a group view (G)
There is only one case in which delivery of m is allowed to fail:
When a group-membership-change is the result of the sender of m crashing
In this case, m may either be delivered to all remaining processes, or ignored by each of them
A multicast message m is uniquely associated with a list of processes to which it should be delivered
This delivery list corresponds to a group view (G)
There is only one case in which delivery of m is allowed to fail:
When a group-membership-change is the result of the sender of m crashing
In this case, m may either be delivered to all remaining processes, or ignored by each of them
A reliable multicast with this property is said to be virtually synchronous

51. Next Class Discussion on Fault Tolerance Fault-Tolerance- Part III
Recovery from failures
Atomicity and distributed commit protocols
Process resilience, failure detection and reliable multicasting
General background on fault tolerance
Fault-Tolerance- Part III