Download presentation
Presentation is loading. Please wait.
Published byDomenic Wilkerson Modified over 9 years ago
1
COMP 655: Distributed/Operating Systems Summer 2011 Dr. Chunbo Chu Week 7: Fault Tolerance 11/13/20151Distributed Systems - COMP 655
2
11/13/2015Distributed Systems - COMP 6552 Fault Tolerance Fault tolerance concepts Implementation – distributed agreement Distributed agreement meets transaction processing: 2- and 3-phase commit Bonus material Implementation – reliable point-to-point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing
3
11/13/2015Distributed Systems - COMP 6553 Fault tolerance concepts Availability – can I use it now? –Usually quantified as a percentage Reliability – can I use it for a certain period of time? –Usually quantified as MTBF Safety – will anything really bad happen if it does fail? Maintainability – how hard is it to fix when it fails? –Usually quantified as MTTR
4
11/13/2015Distributed Systems - COMP 6554 Comparing nines 1 year = 8760 hr Availability levels –90% = 876 hr downtime/yr –99% = 87.6 hr downtime/yr –99.9% = 8.76 hr downtime/yr –99.99% = 52.56 min downtime/yr –99.999% = 5.256 min downtime/yr
5
11/13/2015Distributed Systems - COMP 6555 Exercise: how to get five nines 1.Brainstorm what you would have to deal with to build a single-machine system that could run for five years with 25 min downtime. Consider: –Hardware failures, especially disks –Power failures –Network outages –Software installation –What else? 2.Come up with some ideas about how to solve the problems you identify
6
11/13/2015Distributed Systems - COMP 6556 Multiple machines at 99% Assuming independent failures
7
11/13/2015Distributed Systems - COMP 6557 Multiple machines at 95% Assuming independent failures
8
11/13/2015Distributed Systems - COMP 6558 Multiple machines at 80% Assuming independent failures
9
11/13/2015Distributed Systems - COMP 6559 1,000 components
10
11/13/2015Distributed Systems - COMP 65510 Things to watch out for in availability requirements What constitutes an outage … –A client PC going down? –A client applet going into an infinite loop? –A server crashing? –A network outage? –Reports unavailable? –If a transaction times out? –If 100 transactions time out in a 10 min period? –etc
11
11/13/2015Distributed Systems - COMP 65511 More to watch out for What constitutes being back up after an outage? When does an outage start? When does it end? Are there outages that don’t count? –Natural disasters? –Outages due to operator errors? What about MTBF?
12
11/13/2015Distributed Systems - COMP 65512 Ways to get 99% availability 1.MTBF = 99 hr, MTTR = 1 hr 2.MTBF = 99 min, MTTR = 1 min 3.MTBF = 99 sec, MTTR = 1 sec
13
11/13/2015Distributed Systems - COMP 65513 More definitions failure error fault causes may cause Fault tolerance is continuing to work correctly in the presence of faults. Types of faults: transient intermittent permanent
14
11/13/2015Distributed Systems - COMP 65514 Types of failures
15
11/13/2015Distributed Systems - COMP 65515 If you remember one thing Components fail in distributed systems on a regular basis. Distributed systems have to be designed to deal with the failure of individual components so that the system as a whole –Is available and/or –Is reliable and/or –Is safe and/or –Is maintainable depending on the problem it is trying to solve and the resources available …
16
11/13/2015Distributed Systems - COMP 65516 Fault Tolerance Fault tolerance concepts Implementation – distributed agreement Distributed agreement meets transaction processing: 2- and 3-phase commit
17
11/13/2015Distributed Systems - COMP 65517 Two-army problem Red army has 5,000 troops Blue army and White army have 3,000 troops each Attack together and win Attack separately and lose in serial Communication is by messenger, who might be captured Blue and white generals have no way to know when a messenger is captured
18
11/13/2015Distributed Systems - COMP 65518 Activity: outsmart the generals Take your best shot at designing a protocol that can solve the two-army problem Spend ten minutes Did you think of anything promising?
19
11/13/2015Distributed Systems - COMP 65519 Conclusion: go home “agreement between even two processes is not possible in the face of unreliable communication”
20
11/13/2015Distributed Systems - COMP 65520 Byzantine generals Assume perfect communication Assume n generals, m of whom should not be trusted The problem is to reach agreement on troop strength among the non-faulty generals
21
11/13/2015Distributed Systems - COMP 65521 Byzantine generals - example n = 4, m = 1 (units are K-troops) (a)Multicast troop-strength messages (b)Construct troop-strength vectors (c)Compare notes: majority rules in each component Result: 1, 2, and 4 agree on (1,2,unknown,4)
22
11/13/2015Distributed Systems - COMP 65522 Doesn’t work with n =3, m =1
23
11/13/2015Distributed Systems - COMP 65523 Fault Tolerance Fault tolerance concepts Implementation – distributed agreement Distributed agreement meets transaction processing: 2- and 3-phase commit
24
11/13/2015Distributed Systems - COMP 65524 Distributed commit protocols What is the problem they are trying to solve? –Ensure that a group of processes all do something, or none of them do –Example: in a distributed transaction that involves updates to data on three different servers, ensure that all three commit or none of them do
25
11/13/2015Distributed Systems - COMP 65525 2-phase commit CoordinatorParticipant What to do when P, in READY state, contacts Q
26
11/13/2015Distributed Systems - COMP 65526 If coordinator crashes Participants could wait until the coordinator recovers Or, they could try to figure out what to do among themselves –Example, if P contacts Q, and Q is in the COMMIT state, P should COMMIT as well
27
11/13/2015Distributed Systems - COMP 65527 2-phase commit What to do when P, in READY state, contacts Q If all surviving participants are in READY state, 1.Wait for coordinator to recover 2.Elect a new coordinator (?)
28
11/13/2015Distributed Systems - COMP 65528 3-phase commit Problem addressed: –Non-blocking distributed commit in the presence of failures –Interesting theoretically, but rarely used in practice
29
11/13/2015Distributed Systems - COMP 65529 3-phase commit CoordinatorParticipant
30
11/13/2015Distributed Systems - COMP 65530 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing
31
11/13/2015Distributed Systems - COMP 65531 RPC, RMI crash & omission failures Client can’t locate server Request lost Server crashes after receipt of request Response lost Client crashes after sending request
32
11/13/2015Distributed Systems - COMP 65532 Can’t locate server Raise an exception, or Send a signal, or Log an error and return an error code Note: hard to mask distribution in this case
33
11/13/2015Distributed Systems - COMP 65533 Request lost Timeout and retry Back off to “cannot locate server” if too many timeouts occur
34
11/13/2015Distributed Systems - COMP 65534 Server crashes after receipt of request Possible semantic commitments –Exactly once –At least once –At most once NormalWork doneWork not done
35
11/13/2015Distributed Systems - COMP 65535 Behavioral possibilities Server events –Process (P) –Send completion message (M) –Crash (C) Server order –P then M –M then P Client strategies –Retry every message –Retry no messages –Retry if unacknowledged –Retry if acknowledged
36
11/13/2015Distributed Systems - COMP 65536 Combining the options
37
11/13/2015Distributed Systems - COMP 65537 Lost replies Make server operations idempotent whenever possible Structure requests so that server can distinguish retries from the original
38
11/13/2015Distributed Systems - COMP 65538 Client crashes The server-side activity is called an orphan computation Orphans can tie up resources, hold locks, etc Four strategies (at least) –Extermination, based on client-side logs Client writes a log record before and after each call When client restarts after a crash, it checks the log and kills outstanding orphan computations Problems include: –Lots of disk activity –Grand-orphans
39
11/13/2015Distributed Systems - COMP 65539 Client crashes, continued More approaches for handling orphans –Re-incarnation, based on client-defined epochs When client restarts after a crash, it broadcasts a start-of-epoch message On receipt of a start-of-epoch message, each server kills any computation for that client –“Gentle” re-incarnation Similar, but server tries to verify that a computation is really an orphan before killing it
40
11/13/2015Distributed Systems - COMP 65540 Yet more client-crash strategies One more strategy –Expiration Each computation has a lease on life If not complete when the lease expires, a computation must obtain another lease from its owner Clients wait one lease period before restarting after a crash (so any orphans will be gone) Problem: what’s a reasonable lease period?
41
11/13/2015Distributed Systems - COMP 65541 Common problems with client-crash strategies Crashes that involve network partition (communication between partitions will not work at all) Killed orphans may leave persistent traces behind, for example –Locks –Requests in message queues
42
11/13/2015Distributed Systems - COMP 65542 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing
43
11/13/2015Distributed Systems - COMP 65543 How to do it? Redundancy applied –In the appropriate places –In the appropriate ways Types of redundancy –Data (e.g. error correcting codes, replicated data) –Time (e.g. retry) –Physical (e.g. replicated hardware, backup systems)
44
11/13/2015Distributed Systems - COMP 65544 Triple Modular Redundancy
45
11/13/2015Distributed Systems - COMP 65545 Tandem Computers TMR on –CPUs –Memory Duplicated –Buses –Disks –Power supplies A big hit in operations systems for a while
46
11/13/2015Distributed Systems - COMP 65546 Replicated processing Based on process groups A process group consists of one or more identical processes Key events –Message sent to one member of a group –Process joins group –Process leaves group –Process crashes Key requirements –Messages must be received by all members –All members must agree on group membership
47
11/13/2015Distributed Systems - COMP 65547 Flat or non-flat?
48
11/13/2015Distributed Systems - COMP 65548 Effective process groups require Distributed agreement –On group membership –On coordinator elections –On whether or not to commit a transaction Effective communication –Reliable enough –Scalable enough –Often, multicast –Typically looking for atomic multicast
49
11/13/2015Distributed Systems - COMP 65549 Process groups also require Ability to tolerate crash failures and omission failures –Need k+1 processes to deal with up to k silent failures Ability to tolerate performance, response, and arbitrary failures –Need 3k+1 processes to reach agreement with up to k Byzantine failures –Need 2k+1 processes to ensure that a majority of the system produces the correct results with up to k Byzantine failures
50
11/13/2015Distributed Systems - COMP 65550 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing
51
11/13/2015Distributed Systems - COMP 65551 Reliable multicasting
52
11/13/2015Distributed Systems - COMP 65552 Scalability problem Too many acknowledgements –One from each receiver –Can be a huge number in some systems –Also known as “feedback implosion”
53
11/13/2015Distributed Systems - COMP 65553 Basic feedback suppression in scalable reliable multicast If a receiver decides it has missed a message, it waits a random time, then multicasts a retransmission request while waiting, if it sees a sufficient request from another receiver, it does not send its own request server multicasts all retransmissions
54
11/13/2015Distributed Systems - COMP 65554 Hierarchical feedback suppression for scalable reliable multicast messages flow from root toward leaves acks and retransmit requests flow toward root from coordinators each group can use any reliable small- group multicast scheme
55
11/13/2015Distributed Systems - COMP 65555 Atomic multicast Often, in a distributed system, reliable multicast is a step toward atomic multicast Atomic multicast is atomicity applied to communications: –Either all members of a process group receive a message, OR –No members receive it Often requires some form of order agreement as well
56
11/13/2015Distributed Systems - COMP 65556 How atomic multicast helps 1.Assume we have atomic multicast, among a group of processes, each of which owns a replica of a database 2.One replica goes down 3.Database activity continues 4.The process comes back up 5.Atomic multicast allows us to figure out exactly which transactions have to be re-played (see pp 386-387)
57
11/13/2015Distributed Systems - COMP 65557 More concepts Group view View change Virtually synchronous –Each message is received by all non-faulty processes, or –If sender crashes during multicast, message could be ignored by all processes
58
11/13/2015Distributed Systems - COMP 65558 Virtual synchrony picture Basic idea: in virtual synchrony, a multicast cannot cross a view-change
59
11/13/2015Distributed Systems - COMP 65559 Receipt vs Delivery Remember totally-ordered multicast …
60
11/13/2015Distributed Systems - COMP 65560 What about multicast message order? Two aspects: –Relationship between sending order and delivery order –Agreement on delivery order Send/delivery ordering relationships –Unordered –FIFO-ordered –Causally-ordered If receivers agree on delivery order, it’s called totally-ordered multicast
61
11/13/2015Distributed Systems - COMP 65561 Unordered Process P1Process P2Process P3 sends m1 sends m2 delivers m1 delivers m2 delivers m1
62
11/13/2015Distributed Systems - COMP 65562 FIFO-ordered Agreement on: m1 before m2 m3 before m4 Process P1Process P2Process P3 sends m1 sends m2 delivers m1 delivers m3 delivers m2 delivers m4 delivers m3 delivers m1 delivers m2 delivers m4 Process P4 sends m3 sends m4
63
11/13/2015Distributed Systems - COMP 65563 Six types of virtually synchronous reliable multicast Relationship between sending order and delivery order Agreement on delivery order
64
11/13/2015Distributed Systems - COMP 65564 Implementing virtual synchrony Don’t deliver a message until it’s been received everywhere - but “everywhere” can change (a)7’s crash is detected by 4, which sends a view-change message (b)Processes forward unstable messages, followed by flush (c)When have flush from all processes in new view, install new view
65
11/13/2015Distributed Systems - COMP 65565 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing
66
11/13/2015Distributed Systems - COMP 65566 Recovery from error Two main types: –Backward recovery to a checkpoint (assumed to be error-free) –Forward recovery (infer a correct state from available data)
67
11/13/2015Distributed Systems - COMP 65567 More about checkpoints They are expensive Usually combined with a message log Message logs are cleared at checkpoints Recovering a crashed process: –Restart it –Restore its state to the most recent checkpoint –Replay the message log
68
11/13/2015Distributed Systems - COMP 65568 Recovery line == most recent distributed snapshot
69
11/13/2015Distributed Systems - COMP 65569 Domino effect
70
11/13/2015Distributed Systems - COMP 65570 Bonus material Implementation – reliable point-to- point communication Implementation – process groups Implementation – reliable multicast Recovery Sparing
71
11/13/2015Distributed Systems - COMP 65571 Sparing Not really fault tolerance But it can be cheaper, and provide fast restoration time after a failure Types of spares –Cold –Hot –Warm The spare may or may not also have regular responsibilities in the system
72
11/13/2015Distributed Systems - COMP 65572 Switchover Repair is accomplished by switching processing away from a failed server to a spare
73
11/13/2015Distributed Systems - COMP 65573 Questions on switchover Has the failed system really failed? Is the spare operational? Can the spare handle the load? –May need a way to block medium to low priority work during switchovers How will the spare get access to the failed server’s data? What client session data will be preserved, and how?
74
11/13/2015Distributed Systems - COMP 65574 More switchover questions What about configuration files? What about network addressing? What about switching back after the failed server has been repaired? –Partial shutdown of the spare –Updating directories to redirect part of the load –Making up for lost medium-to-low priority work
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.