Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP 655: Distributed/Operating Systems Summer 2011 Dr. Chunbo Chu Week 7: Fault Tolerance 11/13/20151Distributed Systems - COMP 655.

Similar presentations


Presentation on theme: "COMP 655: Distributed/Operating Systems Summer 2011 Dr. Chunbo Chu Week 7: Fault Tolerance 11/13/20151Distributed Systems - COMP 655."— Presentation transcript:

1 COMP 655: Distributed/Operating Systems Summer 2011 Dr. Chunbo Chu Week 7: Fault Tolerance 11/13/20151Distributed Systems - COMP 655

2 11/13/2015Distributed Systems - COMP 6552 Fault Tolerance Fault tolerance concepts Implementation – distributed agreement Distributed agreement meets transaction processing: 2- and 3-phase commit Bonus material Implementation – reliable point-to-point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing

3 11/13/2015Distributed Systems - COMP 6553 Fault tolerance concepts Availability – can I use it now? –Usually quantified as a percentage Reliability – can I use it for a certain period of time? –Usually quantified as MTBF Safety – will anything really bad happen if it does fail? Maintainability – how hard is it to fix when it fails? –Usually quantified as MTTR

4 11/13/2015Distributed Systems - COMP 6554 Comparing nines 1 year = 8760 hr Availability levels –90% = 876 hr downtime/yr –99% = 87.6 hr downtime/yr –99.9% = 8.76 hr downtime/yr –99.99% = 52.56 min downtime/yr –99.999% = 5.256 min downtime/yr

5 11/13/2015Distributed Systems - COMP 6555 Exercise: how to get five nines 1.Brainstorm what you would have to deal with to build a single-machine system that could run for five years with 25 min downtime. Consider: –Hardware failures, especially disks –Power failures –Network outages –Software installation –What else? 2.Come up with some ideas about how to solve the problems you identify

6 11/13/2015Distributed Systems - COMP 6556 Multiple machines at 99% Assuming independent failures

7 11/13/2015Distributed Systems - COMP 6557 Multiple machines at 95% Assuming independent failures

8 11/13/2015Distributed Systems - COMP 6558 Multiple machines at 80% Assuming independent failures

9 11/13/2015Distributed Systems - COMP 6559 1,000 components

10 11/13/2015Distributed Systems - COMP 65510 Things to watch out for in availability requirements What constitutes an outage … –A client PC going down? –A client applet going into an infinite loop? –A server crashing? –A network outage? –Reports unavailable? –If a transaction times out? –If 100 transactions time out in a 10 min period? –etc

11 11/13/2015Distributed Systems - COMP 65511 More to watch out for What constitutes being back up after an outage? When does an outage start? When does it end? Are there outages that don’t count? –Natural disasters? –Outages due to operator errors? What about MTBF?

12 11/13/2015Distributed Systems - COMP 65512 Ways to get 99% availability 1.MTBF = 99 hr, MTTR = 1 hr 2.MTBF = 99 min, MTTR = 1 min 3.MTBF = 99 sec, MTTR = 1 sec

13 11/13/2015Distributed Systems - COMP 65513 More definitions failure error fault causes may cause Fault tolerance is continuing to work correctly in the presence of faults. Types of faults: transient intermittent permanent

14 11/13/2015Distributed Systems - COMP 65514 Types of failures

15 11/13/2015Distributed Systems - COMP 65515 If you remember one thing Components fail in distributed systems on a regular basis. Distributed systems have to be designed to deal with the failure of individual components so that the system as a whole –Is available and/or –Is reliable and/or –Is safe and/or –Is maintainable depending on the problem it is trying to solve and the resources available …

16 11/13/2015Distributed Systems - COMP 65516 Fault Tolerance Fault tolerance concepts Implementation – distributed agreement Distributed agreement meets transaction processing: 2- and 3-phase commit

17 11/13/2015Distributed Systems - COMP 65517 Two-army problem Red army has 5,000 troops Blue army and White army have 3,000 troops each Attack together and win Attack separately and lose in serial Communication is by messenger, who might be captured Blue and white generals have no way to know when a messenger is captured

18 11/13/2015Distributed Systems - COMP 65518 Activity: outsmart the generals Take your best shot at designing a protocol that can solve the two-army problem Spend ten minutes Did you think of anything promising?

19 11/13/2015Distributed Systems - COMP 65519 Conclusion: go home “agreement between even two processes is not possible in the face of unreliable communication”

20 11/13/2015Distributed Systems - COMP 65520 Byzantine generals Assume perfect communication Assume n generals, m of whom should not be trusted The problem is to reach agreement on troop strength among the non-faulty generals

21 11/13/2015Distributed Systems - COMP 65521 Byzantine generals - example n = 4, m = 1 (units are K-troops) (a)Multicast troop-strength messages (b)Construct troop-strength vectors (c)Compare notes: majority rules in each component Result: 1, 2, and 4 agree on (1,2,unknown,4)

22 11/13/2015Distributed Systems - COMP 65522 Doesn’t work with n =3, m =1

23 11/13/2015Distributed Systems - COMP 65523 Fault Tolerance Fault tolerance concepts Implementation – distributed agreement Distributed agreement meets transaction processing: 2- and 3-phase commit

24 11/13/2015Distributed Systems - COMP 65524 Distributed commit protocols What is the problem they are trying to solve? –Ensure that a group of processes all do something, or none of them do –Example: in a distributed transaction that involves updates to data on three different servers, ensure that all three commit or none of them do

25 11/13/2015Distributed Systems - COMP 65525 2-phase commit CoordinatorParticipant What to do when P, in READY state, contacts Q

26 11/13/2015Distributed Systems - COMP 65526 If coordinator crashes Participants could wait until the coordinator recovers Or, they could try to figure out what to do among themselves –Example, if P contacts Q, and Q is in the COMMIT state, P should COMMIT as well

27 11/13/2015Distributed Systems - COMP 65527 2-phase commit What to do when P, in READY state, contacts Q If all surviving participants are in READY state, 1.Wait for coordinator to recover 2.Elect a new coordinator (?)

28 11/13/2015Distributed Systems - COMP 65528 3-phase commit Problem addressed: –Non-blocking distributed commit in the presence of failures –Interesting theoretically, but rarely used in practice

29 11/13/2015Distributed Systems - COMP 65529 3-phase commit CoordinatorParticipant

30 11/13/2015Distributed Systems - COMP 65530 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing

31 11/13/2015Distributed Systems - COMP 65531 RPC, RMI crash & omission failures Client can’t locate server Request lost Server crashes after receipt of request Response lost Client crashes after sending request

32 11/13/2015Distributed Systems - COMP 65532 Can’t locate server Raise an exception, or Send a signal, or Log an error and return an error code Note: hard to mask distribution in this case

33 11/13/2015Distributed Systems - COMP 65533 Request lost Timeout and retry Back off to “cannot locate server” if too many timeouts occur

34 11/13/2015Distributed Systems - COMP 65534 Server crashes after receipt of request Possible semantic commitments –Exactly once –At least once –At most once NormalWork doneWork not done

35 11/13/2015Distributed Systems - COMP 65535 Behavioral possibilities Server events –Process (P) –Send completion message (M) –Crash (C) Server order –P then M –M then P Client strategies –Retry every message –Retry no messages –Retry if unacknowledged –Retry if acknowledged

36 11/13/2015Distributed Systems - COMP 65536 Combining the options

37 11/13/2015Distributed Systems - COMP 65537 Lost replies Make server operations idempotent whenever possible Structure requests so that server can distinguish retries from the original

38 11/13/2015Distributed Systems - COMP 65538 Client crashes The server-side activity is called an orphan computation Orphans can tie up resources, hold locks, etc Four strategies (at least) –Extermination, based on client-side logs Client writes a log record before and after each call When client restarts after a crash, it checks the log and kills outstanding orphan computations Problems include: –Lots of disk activity –Grand-orphans

39 11/13/2015Distributed Systems - COMP 65539 Client crashes, continued More approaches for handling orphans –Re-incarnation, based on client-defined epochs When client restarts after a crash, it broadcasts a start-of-epoch message On receipt of a start-of-epoch message, each server kills any computation for that client –“Gentle” re-incarnation Similar, but server tries to verify that a computation is really an orphan before killing it

40 11/13/2015Distributed Systems - COMP 65540 Yet more client-crash strategies One more strategy –Expiration Each computation has a lease on life If not complete when the lease expires, a computation must obtain another lease from its owner Clients wait one lease period before restarting after a crash (so any orphans will be gone) Problem: what’s a reasonable lease period?

41 11/13/2015Distributed Systems - COMP 65541 Common problems with client-crash strategies Crashes that involve network partition (communication between partitions will not work at all) Killed orphans may leave persistent traces behind, for example –Locks –Requests in message queues

42 11/13/2015Distributed Systems - COMP 65542 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing

43 11/13/2015Distributed Systems - COMP 65543 How to do it? Redundancy applied –In the appropriate places –In the appropriate ways Types of redundancy –Data (e.g. error correcting codes, replicated data) –Time (e.g. retry) –Physical (e.g. replicated hardware, backup systems)

44 11/13/2015Distributed Systems - COMP 65544 Triple Modular Redundancy

45 11/13/2015Distributed Systems - COMP 65545 Tandem Computers TMR on –CPUs –Memory Duplicated –Buses –Disks –Power supplies A big hit in operations systems for a while

46 11/13/2015Distributed Systems - COMP 65546 Replicated processing Based on process groups A process group consists of one or more identical processes Key events –Message sent to one member of a group –Process joins group –Process leaves group –Process crashes Key requirements –Messages must be received by all members –All members must agree on group membership

47 11/13/2015Distributed Systems - COMP 65547 Flat or non-flat?

48 11/13/2015Distributed Systems - COMP 65548 Effective process groups require Distributed agreement –On group membership –On coordinator elections –On whether or not to commit a transaction Effective communication –Reliable enough –Scalable enough –Often, multicast –Typically looking for atomic multicast

49 11/13/2015Distributed Systems - COMP 65549 Process groups also require Ability to tolerate crash failures and omission failures –Need k+1 processes to deal with up to k silent failures Ability to tolerate performance, response, and arbitrary failures –Need 3k+1 processes to reach agreement with up to k Byzantine failures –Need 2k+1 processes to ensure that a majority of the system produces the correct results with up to k Byzantine failures

50 11/13/2015Distributed Systems - COMP 65550 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing

51 11/13/2015Distributed Systems - COMP 65551 Reliable multicasting

52 11/13/2015Distributed Systems - COMP 65552 Scalability problem Too many acknowledgements –One from each receiver –Can be a huge number in some systems –Also known as “feedback implosion”

53 11/13/2015Distributed Systems - COMP 65553 Basic feedback suppression in scalable reliable multicast If a receiver decides it has missed a message, it waits a random time, then multicasts a retransmission request while waiting, if it sees a sufficient request from another receiver, it does not send its own request server multicasts all retransmissions

54 11/13/2015Distributed Systems - COMP 65554 Hierarchical feedback suppression for scalable reliable multicast messages flow from root toward leaves acks and retransmit requests flow toward root from coordinators each group can use any reliable small- group multicast scheme

55 11/13/2015Distributed Systems - COMP 65555 Atomic multicast Often, in a distributed system, reliable multicast is a step toward atomic multicast Atomic multicast is atomicity applied to communications: –Either all members of a process group receive a message, OR –No members receive it Often requires some form of order agreement as well

56 11/13/2015Distributed Systems - COMP 65556 How atomic multicast helps 1.Assume we have atomic multicast, among a group of processes, each of which owns a replica of a database 2.One replica goes down 3.Database activity continues 4.The process comes back up 5.Atomic multicast allows us to figure out exactly which transactions have to be re-played (see pp 386-387)

57 11/13/2015Distributed Systems - COMP 65557 More concepts Group view View change Virtually synchronous –Each message is received by all non-faulty processes, or –If sender crashes during multicast, message could be ignored by all processes

58 11/13/2015Distributed Systems - COMP 65558 Virtual synchrony picture Basic idea: in virtual synchrony, a multicast cannot cross a view-change

59 11/13/2015Distributed Systems - COMP 65559 Receipt vs Delivery Remember totally-ordered multicast …

60 11/13/2015Distributed Systems - COMP 65560 What about multicast message order? Two aspects: –Relationship between sending order and delivery order –Agreement on delivery order Send/delivery ordering relationships –Unordered –FIFO-ordered –Causally-ordered If receivers agree on delivery order, it’s called totally-ordered multicast

61 11/13/2015Distributed Systems - COMP 65561 Unordered Process P1Process P2Process P3 sends m1 sends m2 delivers m1 delivers m2 delivers m1

62 11/13/2015Distributed Systems - COMP 65562 FIFO-ordered Agreement on: m1 before m2 m3 before m4 Process P1Process P2Process P3 sends m1 sends m2 delivers m1 delivers m3 delivers m2 delivers m4 delivers m3 delivers m1 delivers m2 delivers m4 Process P4 sends m3 sends m4

63 11/13/2015Distributed Systems - COMP 65563 Six types of virtually synchronous reliable multicast Relationship between sending order and delivery order Agreement on delivery order

64 11/13/2015Distributed Systems - COMP 65564 Implementing virtual synchrony Don’t deliver a message until it’s been received everywhere - but “everywhere” can change (a)7’s crash is detected by 4, which sends a view-change message (b)Processes forward unstable messages, followed by flush (c)When have flush from all processes in new view, install new view

65 11/13/2015Distributed Systems - COMP 65565 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing

66 11/13/2015Distributed Systems - COMP 65566 Recovery from error Two main types: –Backward recovery to a checkpoint (assumed to be error-free) –Forward recovery (infer a correct state from available data)

67 11/13/2015Distributed Systems - COMP 65567 More about checkpoints They are expensive Usually combined with a message log Message logs are cleared at checkpoints Recovering a crashed process: –Restart it –Restore its state to the most recent checkpoint –Replay the message log

68 11/13/2015Distributed Systems - COMP 65568 Recovery line == most recent distributed snapshot

69 11/13/2015Distributed Systems - COMP 65569 Domino effect

70 11/13/2015Distributed Systems - COMP 65570 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing

71 11/13/2015Distributed Systems - COMP 65571 Sparing Not really fault tolerance But it can be cheaper, and provide fast restoration time after a failure Types of spares –Cold –Hot –Warm The spare may or may not also have regular responsibilities in the system

72 11/13/2015Distributed Systems - COMP 65572 Switchover Repair is accomplished by switching processing away from a failed server to a spare

73 11/13/2015Distributed Systems - COMP 65573 Questions on switchover Has the failed system really failed? Is the spare operational? Can the spare handle the load? –May need a way to block medium to low priority work during switchovers How will the spare get access to the failed server’s data? What client session data will be preserved, and how?

74 11/13/2015Distributed Systems - COMP 65574 More switchover questions What about configuration files? What about network addressing? What about switching back after the failed server has been repaired? –Partial shutdown of the spare –Updating directories to redirect part of the load –Making up for lost medium-to-low priority work


Download ppt "COMP 655: Distributed/Operating Systems Summer 2011 Dr. Chunbo Chu Week 7: Fault Tolerance 11/13/20151Distributed Systems - COMP 655."

Similar presentations


Ads by Google