Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using TLA+ for fun and profit in the development of Elasticsearch

Published byАркадий Скопин Modified over 5 years ago

Similar presentations

Presentation on theme: "Using TLA+ for fun and profit in the development of Elasticsearch"— Presentation transcript:

1 Using TLA+ for fun and profit in the development of Elasticsearch
Yannick Welsch ywelsch TLA+ Conference, St. Louis, Sept

2 Elasticsearch in 60 seconds
distributed search and analytics engine initially released by Shay Banon in 2010 based on Apache Lucene typical use cases log analytics full-text search operational and security intelligence business analytics metrics, ...

3 Elasticsearch's data replication and clustering
High-level architecture my-index Node 1 Node 2 Node 3 Node 4 Cluster state P0 P1 R2 P2 R1 R0

4 Towards a more resilient system
A multi-year journey users with larger clusters and more demanding use cases stronger resiliency, fault-tolerance & scaling requirements first focus was on the data replication layer losing acknowledged writes, out-of-sync shard copies, slow recoveries, not flexible enough to build new features such as cross-cluster replication sequence numbers project: rework data replication layer to uniquely identify each write operation in the system started off with an informal specification explored ways to use formal methods

5

6 Data replication model
A first formal specification for Elasticsearch Dedalus spec created by Kamala Ramasubramanian PhD student in Peter Alvaro's research group at UCSC specification validated using MOLLY (based on LdFI) no issues found with new model, but validated bugs of old replication model as follow-up, I investigated other techniques and tools (in particular TLA+) TLA+ model of the new data replication algorithm that is powering Elasticsearch since version 6, released in November 2017 860 lines of commented TLA+ code, checking safety properties

7 Studying bugs with TLA+

8 Investigating concurrency and algorithmic bugs
From implementation to formal model and back validated two concurrency bugs using PlusCal spec explored and validated solutions using spec discovered an additional unknown bug in the implementation, which we only later observed in the wild in a different component, testing uncovered a bug which only surfaced after running for months on CI modeled with TLA+, TLC checker finds bug within seconds bug fixes first prototyped using spec and validated with model checker

9 Formal design first A specification for the cluster coordination subsystem

10 What is cluster coordination?
A redesigned cluster coordination subsystem for Elasticsearch 7.0 elects master and publishes cluster state updates must be resilient to node failures, unreliable networks, ... quorum of available nodes sufficient to make progress Elasticsearch 6.x (Zen Discovery) quorum size user-defined through minimum_master_nodes setting algorithmic issues Elasticsearch 7.0 quorums managed by system itself new algorithm validated with TLA+

11 Cluster coordination TLA+ spec
TLA+ spec (370 LOC) covers safety bits of the algorithm single rewritable register, dynamic reconfiguration, bootstrapping manually mapped to Java implementation (570 LOC) code looking very similar all interactions with relevant state of the system threaded through this Java class liveness layer built on top of safety layer (not covered with spec) powering Elasticsearch since version 7.0, released in April 2019

12 TLA+ (370 LOC) Java (570 LOC)

13 Lessons learned

14 Lessons learned resiliency improvements in Elasticsearch thanks to TLA+ versatile use (refine informal spec, map code to spec, formal spec first) state space explosion symmetry sets state constraints TLA+ toolbox very convenient to use TLC model checker great at finding bugs next step: expand use of TLA+ beyond distributed / concurrent issues

15 TLA+ specs available at

Download ppt "Using TLA+ for fun and profit in the development of Elasticsearch"

Similar presentations

How We Manage SaaS Infrastructure Knowledge Track

How We Manage SaaS Infrastructure Knowledge Track
Concurrency: introduction1 ©Magee/Kramer 2 nd Edition Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer.

Concurrency: introduction1 ©Magee/Kramer 2 nd Edition Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer.
Chapter 4 Quality Assurance in Context

Chapter 4 Quality Assurance in Context
Feature requests for Case Manager By Spar Nord Bank A/S IBM Insight 2014 Spar Nord Bank A/S1.

Feature requests for Case Manager By Spar Nord Bank A/S IBM Insight 2014 Spar Nord Bank A/S1.
CS 5150 1 CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.

CS CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.
PaperScope: Visually Exploring the ADS Mark Holliman VOTECH Web Developer University of Edinburgh ADASS XVII, London,

PaperScope: Visually Exploring the ADS Mark Holliman VOTECH Web Developer University of Edinburgh ADASS XVII, London,
From 3 weeks to 30 minutes – a journey through the ups and downs of test automation.

From 3 weeks to 30 minutes – a journey through the ups and downs of test automation.
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 22Slide 1 Verification and Validation u Assuring that a software system meets a user's.

©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 22Slide 1 Verification and Validation u Assuring that a software system meets a user's.
CSC 456 Operating Systems Seminar Presentation (11/13/2012) Leon Weingard, Liang Xin The Google File System.

CSC 456 Operating Systems Seminar Presentation (11/13/2012) Leon Weingard, Liang Xin The Google File System.
1 Yolanda Gil Information Sciences InstituteJanuary 10, 2010 Requirements for caBIG Infrastructure to Support Semantic Workflows Yolanda.

1 Yolanda Gil Information Sciences InstituteJanuary 10, 2010 Requirements for caBIG Infrastructure to Support Semantic Workflows Yolanda.
Cloud Distributed Computing Environment Content of this lecture is primarily from the book “Hadoop, The Definite Guide 2/e)

Cloud Distributed Computing Environment Content of this lecture is primarily from the book “Hadoop, The Definite Guide 2/e)
Presented by CH.Anusha.  Apache Hadoop framework  HDFS and MapReduce  Hadoop distributed file system  JobTracker and TaskTracker  Apache Hadoop NextGen.

Presented by CH.Anusha.  Apache Hadoop framework  HDFS and MapReduce  Hadoop distributed file system  JobTracker and TaskTracker  Apache Hadoop NextGen.
1 Lecture 19 Configuration Management Software Engineering.

1 Lecture 19 Configuration Management Software Engineering.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.

Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 3 Slide 1 Software Processes l Coherent sets of activities for specifying, designing,

©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 3 Slide 1 Software Processes l Coherent sets of activities for specifying, designing,
Runtime Refinement Checking of Concurrent Data Structures (the VYRD project) Serdar Tasiran Koç University, Istanbul, Turkey Shaz Qadeer Microsoft Research,

Runtime Refinement Checking of Concurrent Data Structures (the VYRD project) Serdar Tasiran Koç University, Istanbul, Turkey Shaz Qadeer Microsoft Research,
DATABASE MIRRORING  Mirroring is mainly implemented for increasing the database availability.  Is configured on a Database level.  Mainly involves two.

DATABASE MIRRORING  Mirroring is mainly implemented for increasing the database availability.  Is configured on a Database level.  Mainly involves two.
Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien Department of Computer Science and Engineering, University.

Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien Department of Computer Science and Engineering, University.
SUMA: A Scientific Metacomputer Cardinale, Yudith Figueira, Carlos Hernández, Emilio Baquero, Eduardo Berbín, Luis Bouza, Roberto Gamess, Eric García,

SUMA: A Scientific Metacomputer Cardinale, Yudith Figueira, Carlos Hernández, Emilio Baquero, Eduardo Berbín, Luis Bouza, Roberto Gamess, Eric García,
Introduction to Nutch CSCI 572: Information Retrieval and Search Engines Summer 2010.

Introduction to Nutch CSCI 572: Information Retrieval and Search Engines Summer 2010.

Similar presentations

Ads by Google