Presentation is loading. Please wait.

Presentation is loading. Please wait.

Marcos K. Aguilera Microsoft Research Silicon Valley No Time for Asynchrony Michael Walfish UCL, Stanford, UT Austin.

Published byLorin Hunter Modified over 9 years ago

Similar presentations

Presentation on theme: "Marcos K. Aguilera Microsoft Research Silicon Valley No Time for Asynchrony Michael Walfish UCL, Stanford, UT Austin."— Presentation transcript:

1 Marcos K. Aguilera Microsoft Research Silicon Valley No Time for Asynchrony Michael Walfish UCL, Stanford, UT Austin

2 Problem: Nodes in Distributed Systems Fail Pragmatic response: end-to-end timeouts  Getting them right: hard. primarybackup apps OS VM protocols drivers Getting them wrong: bad.

3 Problem: Nodes in Distributed Systems Fail Pragmatic response: end-to-end timeouts  Getting them right: hard. primarybackup apps OS VM protocols drivers Getting them wrong: bad.

4 Problem: Nodes in Distributed Systems Fail Pragmatic response: end-to-end timeouts  Getting them right: hard. primarybackup apps OS VM protocols drivers Getting them wrong: bad.

5 Problem: Nodes in Distributed Systems Fail Pragmatic response: end-to-end timeouts  Getting them right: hard. Getting them wrong: bad. Current view/lore/wisdom: design for asynchrony  Very general  guarantee of safety primarybackup ? Paxos apps OS VM protocols drivers

6 Different Points of View 1. Keep it simple: 2. Keep it safe: 3. Our view:  We want simplicity, safety, and high availability  Our mantra: “no end-to-end timeouts” “rely on time and timeouts” “design for asynchrony” there is good in both

7 A Proposal That Meets Our Goals app OS VM/hypervisor network driver network card Spies indicate crashed-or-not authoritatively Why do we want device drivers killing OSes? backupprimary spy failure detector

8 Scope Enterprises, data centers Not Byzantine failures This Talk Will Argue: 1. Asynchrony is problematic  (And often disregarded in practice) 2. Spy-based failure detection meets our goals

9 Asynchrony Detracts From Safety 1. “Safety under asynchrony” downplays liveness  But highest layers in a system have deadlines  Lower layer loses liveness  at deadline, higher layer may be bereft  lose “whole system” safety

10 Asynchrony Detracts from Safety (Cont’d.) 2. Under asynchrony, components hide useful info.  Unresponsiveness  higher layers guess  Wrong guesses  loss of safety 3.  complex designs (example: Paxos)  Complexity  mistakes  safety violations asynchronous component ?

11 Empirical Observations Against Asynchrony Paxos-using systems rely on synchrony for safety World fundamentally synchronous  Electrons, CPUs, human beings, organizations  “Safety under asynchrony” hard to meet  Generality of asynchrony maybe not needed in reality Leases, … Paxos Chubby [Burrows OSDI06], Petal [Lee ASPLOS96], WheelFS [Stribling et al. NSDI09], …

12 Recap Argument Against Asynchrony Appeal of asynchrony: generality  safety Argument against asynchrony: Async. components can lead to unsafe systems Hard to meet “safety under asynchrony” Asynchrony doesn’t represent reality People forced to depart from asynchrony anyway

13 Our Argument, Continued 1. Asynchrony is problematic  (And often disregarded in practice) 2. Spy-based failure detection meets our goals

14 A Powerful Abstraction: Perfect Failure Detectors “ ” “up” ? Want a model where:  CRASHED?( ) [Chandra & Toueg, JACM 96] processes Perfect failure detector (PFD) A perfect failure detector is an oracle Asynchronous model:

15 PFDs  Safe, Simple Distributed Algorithms Replication by primary-backup instead of Paxos Other examples in the paper (not our contribution) PFD backupprimary “ ”

16 How to Build a Perfect Failure Detector? FD ? Failure detection (not PFD) uses status messages Hard to make this FD a PFD  Variable timing, system a black box

17 Current proposals coarse [Fetzer IEEE Trans. 2003, Ricciardi & Birman PODC91]  Focus on E2E behavior  Use E2E timeouts  Kill/exclude any suspect Realizing Perfect Failure Detectors PFD Recall our third goal: high availability. Approach is “surgical”:  Operate inside layers  Use only local timing  Kill as a last resort app OS VM/hypervisor network driver network card ? ?

18 Spies Orchestrated to Form Surgical PFD network switch app OS VM/hypervisor network driver network card Example: spy in VM tracks OS state Lower-level spies also monitor higher-level ones  Allows localization of smallest failed component PFD

19 Limitations and Discussion 1. Under network partition, PFD module blocks 2. To realize spies, must modify system infrastructure We think this is okay in data centers  Partitions often cause block anyway  One administrative domain Harder to address in wide area  Requires spies in Internet switches and routers  Network to host feedback not totally implausible

20 Summary and Conclusion End-to-end timing assumptions problematic. So:  Avoid timing with inside info., assassination  Avoid end-to-end by infiltrating many layers The gain: simple, safe, and live distributed systems But: PFDs, spies not a good fit for all environments Next step: get it implemented and deployed This is a call to arms

Download ppt "Marcos K. Aguilera Microsoft Research Silicon Valley No Time for Asynchrony Michael Walfish UCL, Stanford, UT Austin."

Similar presentations

Remus: High Availability via Asynchronous Virtual Machine Replication

Remus: High Availability via Asynchronous Virtual Machine Replication
Layering and the network layer CS168, Fall 2014 Sylvia Ratnasamy

Layering and the network layer CS168, Fall 2014 Sylvia Ratnasamy
Distributed Systems Overview Ali Ghodsi

Distributed Systems Overview Ali Ghodsi
1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.

1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.
Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.

Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.
P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.

P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.
Nummenmaa & Thanish: Practical Distributed Commit in Modern Environments PDCS’01 PRACTICAL DISTRIBUTED COMMIT IN MODERN ENVIRONMENTS by Jyrki Nummenmaa.

Nummenmaa & Thanish: Practical Distributed Commit in Modern Environments PDCS’01 PRACTICAL DISTRIBUTED COMMIT IN MODERN ENVIRONMENTS by Jyrki Nummenmaa.
Replication and Consistency (2). Reference r Replication in the Harp File System, Barbara Liskov, Sanjay Ghemawat, Robert Gruber, Paul Johnson, Liuba.

Replication and Consistency (2). Reference r Replication in the Harp File System, Barbara Liskov, Sanjay Ghemawat, Robert Gruber, Paul Johnson, Liuba.
Virtual Synchrony Ki Suh Lee Some slides are borrowed from Ken, Jared (cs6410 2009) and Justin (cs614 2005)

Virtual Synchrony Ki Suh Lee Some slides are borrowed from Ken, Jared (cs ) and Justin (cs )
The Need for Language Support for Fault-Tolerant Distributed Systems Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien Zufferey,

The Need for Language Support for Fault-Tolerant Distributed Systems Cezara Dr ă goi, INRIA ENS CNRS Thomas A. Henzinger, IST Austria Damien Zufferey,
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.

Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.
Timeliness, Failure Detectors, and Consensus Performance Idit Keidar and Alexander Shraer Technion – Israel Institute of Technology.

Timeliness, Failure Detectors, and Consensus Performance Idit Keidar and Alexander Shraer Technion – Israel Institute of Technology.
© 2006 Andreas Haeberlen, MPI-SWS 1 The Case for Byzantine Fault Detection Andreas Haeberlen MPI-SWS / Rice University Petr Kouznetsov MPI-SWS Peter Druschel.

© 2006 Andreas Haeberlen, MPI-SWS 1 The Case for Byzantine Fault Detection Andreas Haeberlen MPI-SWS / Rice University Petr Kouznetsov MPI-SWS Peter Druschel.
Distributed Systems 2006 Group Membership * *With material adapted from Ken Birman.

Distributed Systems 2006 Group Membership * *With material adapted from Ken Birman.
Josef Widder1 Why, Where and How to Use the  - Model Josef Widder Embedded Computing Systems Group INRIA Rocquencourt, March 10,

Josef Widder1 Why, Where and How to Use the  - Model Josef Widder Embedded Computing Systems Group INRIA Rocquencourt, March 10,
1 Failure Detectors: A Perspective Sam Toueg LIX, Ecole Polytechnique Cornell University.

1 Failure Detectors: A Perspective Sam Toueg LIX, Ecole Polytechnique Cornell University.
Learning from the Past for Resolving Dilemmas of Asynchrony Paul Ezhilchelvan and Santosh Shrivastava Newcastle University England, UK.

Learning from the Past for Resolving Dilemmas of Asynchrony Paul Ezhilchelvan and Santosh Shrivastava Newcastle University England, UK.
CS 425 / ECE 428 Distributed Systems Fall 2014 Indranil Gupta (Indy) Lecture 19: Paxos All slides © IG.

CS 425 / ECE 428 Distributed Systems Fall 2014 Indranil Gupta (Indy) Lecture 19: Paxos All slides © IG.
The Structuring of Systems Using Upcalls David D. Clark 4/26/20111Frank Sliz, CS533, Upcalls.

The Structuring of Systems Using Upcalls David D. Clark 4/26/20111Frank Sliz, CS533, Upcalls.
Composition Model and its code. bound:=bound+1.

Composition Model and its code. bound:=bound+1.

Similar presentations

Ads by Google