Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Systems CS 15-440 Fault Tolerance- Part II Lecture 18, Nov 19, 2012 Majd F. Sakr and Mohammad Hammoud 1.

Published byGodfrey Jennings Modified over 8 years ago

Similar presentations

Presentation on theme: "Distributed Systems CS 15-440 Fault Tolerance- Part II Lecture 18, Nov 19, 2012 Majd F. Sakr and Mohammad Hammoud 1."— Presentation transcript:

1 Distributed Systems CS 15-440 Fault Tolerance- Part II Lecture 18, Nov 19, 2012 Majd F. Sakr and Mohammad Hammoud 1

2 Today…  Last session  Programming Model- Part III  Fault Tolerance – Part I  A brief overview  Today’s session  Fault Tolerance – Part II  Reliable communication  Announcements:  Quiz 3 grades are out  PS3 is due today by 11:59PM (Just submit the first two problems)  Project 3 is due on Nov. 22 by 11:59PM 2

3 Objectives Discussion on Fault Tolerance General background on fault tolerance Process resilience, failure detection and reliable communication Atomicity and distributed commit protocols Recovery from failures

4 Reliable Communication  Fault tolerance in distributed systems typically concentrates on faulty processes  However, we also need to consider communication failures  We will focus on two types of reliable communication:  Reliable request-reply communication (e.g., RPC)  Reliable group communication (e.g., multicasting schemes) 4 P1P0

5 Reliable Communication 5 Reliable Request-Reply Communication Reliable Group Communication

6 Request-Reply Communication  The request-reply communication is designed to support the roles and message exchanges in typical client-server interactions  This sort of communication is mainly based on a trio of communication primitives, doOperation, getRequest and sendReply 6 doOperation (wait) (continuation) Client getRequest select operation execute operation sendReply Server Request Message Reply Message

7 Timeouts  Request-reply communication may suffer from crash, omission, timing, and byzantine failures  To allow for occasions where a request or a reply message is not delivered (e.g., lost), doOperation uses a timeout  There are various options as to what doOperation can do after a timeout:  Return immediately with an indication to the client that the request has failed  Send the request message repeatedly until either a reply is received or the server is assumed to have failed 7

8 Duplicate Filtering  In cases when the request message is retransmitted, the server may receive it more than once  This can cause the server executing an operation more than once for the same request  To avoid this, the server should recognize successive messages from the same client and filter out duplicates 8

9 Lost Reply Messages  If the server has already sent the reply when it receives a duplicate request, it can either:  Re-execute the operation again to obtain the result  Or do not re-execute the operation if it has chosen to retain the outcome of the first execution  Not every operation can be executed more than once and obtain the same results each time  An idempotent operation is an operation that can be performed repeatedly with the same effect as if it had been performed exactly once 9

10 History  For servers that require retransmission of replies without re- execution of operations, a history may be used  The term ‘history’ is used to refer to a structure that contains a record of (reply) messages that have been transmitted 10 Request IDMessageClient ID Fields of a history record:

11 History  The server can interpret each request from a client as an ACK of its previous reply  Thus, the history needs contain only the last reply message sent to each client  But, if the number of clients is large, memory cost might become a problem  Messages in a history are normally discarded after a limited period of time 11

12 Summary of Request-Reply Protocols  RR protocol can be implemented in different ways to provide different delivery guarantees. The main choices are: 1.Retry request message (client side): Controls whether to retransmit the request message until either a reply is received or the server is assumed to have failed 2.Duplicate filtering (server side): Controls when retransmissions are used and whether to filter out duplicate requests at the server 3.Retransmission of results (server side): Controls whether to keep a history of result messages to enable lost results to be retransmitted without re-executing the operations at the server 12

13 Request-Reply Call Semantics  Combinations of request-reply protocols lead to a variety of possible semantics for the reliability of remote invocations 13 Fault Tolerance Measure Call Semantics Retransmit Request Message Duplicate Filtering Re-execute Procedure or Retransmit Reply NoN/A Maybe YesNoRe-execute Procedure At-least-once Yes Retransmit ReplyAt-most-once Fault Tolerance Measure Call Semantics Retransmit Request Message Duplicate Filtering Re-execute Procedure or Retransmit Reply NoN/A Maybe YesNoRe-execute Procedure At-least-once Yes Retransmit ReplyAt-most-once Fault Tolerance Measure Call Semantics (Pertaining to Remote Procedures) Retransmit Request Message Duplicate Filtering Re-execute Procedure or Retransmit Reply NoN/A Maybe YesNoRe-execute Procedure At-least-once Yes Retransmit ReplyAt-most-once

14 Maybe Semantics  With Maybe Semantics:  The invoker receives nothing  The remote procedure may be executed once or not at all  Maybe Semantics arises when no fault-tolerance measures are applied and can suffer from the following types of failures:  Omission failures: if the request or reply message is lost  Crash failures: when the server containing the remote procedure fails  Maybe Semantics is useful only for applications in which occasional call failures are acceptable 14

15 Maybe Semantics: Revisit 15 Fault Tolerance Measure Call Semantics (Pertaining to Remote Procedures) Retransmit Request Message Duplicate Filtering Re-execute Procedure or Retransmit Reply NoN/A Maybe YesNoRe-execute Procedure At-least-once Yes Retransmit ReplyAt-most-once

16 At-Least-Once Semantics  With At-Least-Once Semantics:  The invoker receives either a result or an exception  The remote procedure is executed at least once  At-Least-Once Semantics:  Masks the send failures due to retransmissions  Suffers from crash failures when the server containing the remote procedure fails  Might suffer from response failures if a re-executed procedure is not idempotent 16

17 At-Least-Once Semantics: Revisit 17 Fault Tolerance Measure Call Semantics (Pertaining to Remote Procedures) Retransmit Request Message Duplicate Filtering Re-execute Procedure or Retransmit Reply NoN/A Maybe YesNoRe-execute Procedure At-least-once Yes Retransmit ReplyAt-most-once

18 At-Most-Once Semantics  With At-Most-Once Semantics:  The invoker receives either a result or an exception  The remote procedure is executed either once or not at all  At-Most-Once Semantics:  Masks the omission failures of the request/reply messages by re-transmitting request messages  Avoids response failures by ensuring that each procedure is never executed more than once (safe for non-idempotent operations) 18

19 At-Most-Once Semantics: Revisit 19 Fault Tolerance Measure Call Semantics (Pertaining to Remote Procedures) Retransmit Request Message Duplicate Filtering Re-execute Procedure or Retransmit Reply NoN/A Maybe YesNoRe-execute Procedure At-least-once Yes Retransmit ReplyAt-most-once

20 Classes of Failures in Request- Reply Communication  There are 5 different classes of failures that can occur in request-reply systems: Class1: The client is unable to locate the server Class2: The request message from the client to the server is lost Class3: The server crashes after receiving a request Class4: The reply message from the server to the client is lost Class5: The client crashes after sending a request 20

21 Classes of Failures in Request- Reply Communication  There are 5 different classes of failures that can occur in request-reply systems: Class1: The client is unable to locate the server Class2: The request message from the client to the server is lost Class3: The server crashes after receiving a request Class4: The reply message from the server to the client is lost Class5: The client crashes after sending a request 21

22 Class1: Possible Solution  One possible solution for the client being unable to locate the server is to have doOperation raise an exception at the client side  Considerations:  Not every language has exceptions or signals  Writing an exception identifies the location of the error and, hence, destroys the transparency of the distributed system 22

23 Classes of Failures in Request- Reply Communication  There are 5 different classes of failures that can occur in request-reply systems: Class1: The client is unable to locate the server Class2: The request message from the client to the server is lost Class3: The server crashes after receiving a request Class4: The reply message from the server to the client is lost Class5: The client crashes after sending a request 23

24 Class2: Possible Solution  The doOperation can start a timer when sending the request message  If the timer expires before a reply or an ACK comes back, the message is retransmitted  Considerations:  If the message was lost, the server might not be able to recognize the difference between a first transmission and a retransmission  If the message was not lost, the server has to detect that it is dealing with a retransmission request 24

25 Classes of Failures in Request- Reply Communication  There are 5 different classes of failures that can occur in request-reply systems: Class1: The client is unable to locate the server Class2: The request message from the client to the server is lost Class3: The server crashes after receiving a request Class4: The reply message from the server to the client is lost Class5: The client crashes after sending a request 25

26 Class3: Possible Solution  The doOperation can start a timer when sending the request message  If the timer expires before a reply or an ACK comes back, the message is retransmitted  Main Consideration:  The crash failure may occur either before or after the operation at the server is executed 26

27 Sequence of Events at the Server  The sequence of events at the server is as follows:  In the last 2 cases, doOperation cannot tell which is which (all it knows is that its timer has expired) Receive Execute Reply REQ REP The normal case Receive Execute Crash REQ REP Crash after execution Server Receive Crash REQ REP Crash before execution Server 27

28 A Printing Example: A Normal Scenario  A client’s remote operation consists of printing some text at a server  When a client issues a request, it receives an ACK that the request has been delivered to the server  The server sends a completion message to the client when the text is printed 28

29 The Printing Example: Possible Events at Server  Three events can occur at the server: 1.Send the completion message (M) 2.Print the text (P) 3.Crash (C) 29

30 The Printing Example: Server Strategies  The server has a choice between two strategies: 1.Send a completion message just before commanding the printer to do its work 2.Send a completion message after the text is printed 30

31 The Printing Example: A Failure Scenario 31 The server crashes, subsequently recovers and announces that to all clients

32 The Printing Example: Server Events Ordering  Server events can occur in 6 different orderings: 32 OrderingDescription MPCMPCA crash occurs after sending the completion message and printing the text M  C(  P)A crash occurs after sending the completion message, but before the text is printed PMCPMCA crash occurs after printing the text and sending the completion message P  C(  M)The text is printed, after which a crash occurs before the completion message is sent C(  P  M)A crash happens before the server could do anything C(  M  P)A crash happens before the server could do anything OrderingDescription MPCMPCA crash occurs after sending the completion message and printing the text M  C(  P)A crash occurs after sending the completion message, but before the text is printed PMCPMCA crash occurs after printing the text and sending the completion message P  C(  M)The text is printed, after which a crash occurs before the completion message is sent C(  P  M)A crash happens before the server could do anything C(  M  P)A crash happens before the server could do anything OrderingDescription MPCMPCA crash occurs after sending the completion message and printing the text M  C(  P)A crash occurs after sending the completion message, but before the text is printed PMCPMCA crash occurs after printing the text and sending the completion message P  C(  M)The text is printed, after which a crash occurs before the completion message is sent C(  P  M)A crash happens before the server could do anything C(  M  P)A crash happens before the server could do anything OrderingDescription MPCMPCA crash occurs after sending the completion message and printing the text M  C(  P)A crash occurs after sending the completion message, but before the text is printed PMCPMCA crash occurs after printing the text and sending the completion message P  C(  M)The text is printed, after which a crash occurs before the completion message is sent C(  P  M)A crash happens before the server could do anything C(  M  P)A crash happens before the server could do anything OrderingDescription MPCMPCA crash occurs after sending the completion message and printing the text M  C(  P)A crash occurs after sending the completion message, but before the text is printed PMCPMCA crash occurs after printing the text and sending the completion message P  C(  M)The text is printed, after which a crash occurs before the completion message is sent C(  P  M)A crash happens before the server could do anything C(  M  P)A crash happens before the server could do anything OrderingDescription MPCMPCA crash occurs after sending the completion message and printing the text M  C(  P)A crash occurs after sending the completion message, but before the text is printed PMCPMCA crash occurs after printing the text and sending the completion message P  C(  M)The text is printed, after which a crash occurs before the completion message is sent C(  P  M)A crash happens before the server could do anything C(  M  P)A crash happens before the server could do anything

33 The Printing Example: Client Reissue Strategies  After the crash of the server, the client does not know whether its request to print some text was carried out or not  The client has a choice between 4 strategies: 33 Reissue StrategyDescription NeverNever reissue a request, at the risk that the text will not be printed AlwaysAlways reissue a request, potentially leading to the text being printed twice Reissue When ACKed Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server Reissue When Not ACKed Reissue a request only if it has received an ACK for the print request if no ACK has been received on request completion Reissue StrategyDescription NeverNever reissue a request, at the risk that the text will not be printed AlwaysAlways reissue a request, potentially leading to the text being printed twice Reissue When ACKed Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server Reissue When Not ACKed Reissue a request only if it has received an ACK for the print request if no ACK has been received on request completion Reissue StrategyDescription NeverNever reissue a request, at the risk that the text will not be printed AlwaysAlways reissue a request, potentially leading to the text being printed twice Reissue When Not ACKed Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server Reissue When Not ACKed Reissue a request only if it has received an ACK for the print request if no ACK has been received on request completion Reissue StrategyDescription NeverNever reissue a request, at the risk that the text will not be printed AlwaysAlways reissue a request, potentially leading to the text being printed twice Reissue When Not ACKed Reissue a request only if it did not yet receive an ACK that its print request had been delivered to the server Reissue When ACKed Reissue a request only if it has received an ACK for the print request

34 The Printing Example: Summary and Conclusion Reissue Strategy Strategy M  PStrategy P  M MPCMC(P)C(MP)PMCPC(M)C(PM) Always DUPOK DUP OK Never OKZERO OK ZERO Only when ACKed DUPOKZERODUPOKZERO Only when NOT ACKed OKZEROOK DUPOK  The different combinations of client and server strategies are as follows: Reissue Strategy Strategy M  PStrategy P  M MPCMC(P)C(MP)PMCPC(M)C(PM) Always DUPOK DUP OK Never OKZERO OK ZERO Only when ACKed DUPOKZERODUPOKZERO Only when NOT ACKed OKZEROOK DUPOK Reissue Strategy Strategy M  PStrategy P  M MPCMC(P)C(MP)PMCPC(M)C(PM) Always DUPOK DUP OK Never OKZERO OK ZERO Only when ACKed DUPOKZERODUPOKZERO Only when NOT ACKed OKZEROOK DUPOK Reissue Strategy Strategy M  PStrategy P  M MPCMC(P)C(MP)PMCPC(M)C(PM) Always DUPOK DUP OK Never OKZERO OK ZERO Only when ACKed DUPOKZERODUPOKZERO Only when NOT ACKed OKZEROOK DUPOK  There is NO combination of a client strategy and a server strategy that will work correctly under all possible event sequences  The client can never know whether the server crashed just before or after having the text printed OK= Text is printed once, DUP= Text is printed twice, and ZERO= Text is not printed

35 Classes of Failures in Request- Reply Communication  There are 5 different classes of failures that can occur in request-reply systems: Class1: The client is unable to locate the server Class2: The request message from the client to the server is lost Class3: The server crashes after receiving a request Class4: The reply message from the server to the client is lost Class5: The client crashes after sending a request 35

36 Class4: Possible Solution  The doOperation can start a timer when sending the request message  If the timer expires before a reply or an ACK comes back, the message is retransmitted  Considerations:  The remote procedure should be idempotent  Or, the server should apply a duplicate filter if a history is maintained 36

37 Classes of Failures in Request- Reply Communication  There are 5 different classes of failures that can occur in request-reply systems: Class1: The client is unable to locate the server Class2: The request message from the client to the server is lost Class3: The server crashes after receiving a request Class4: The reply message from the server to the client is lost Class5: The client crashes after sending a request 37

38 Class5: Orphans  A client might crash while the server is performing a respective computation  Such a computation becomes an orphan  Orphans can cause a variety of problems that can interfere with the normal operation of the system:  They waste CPU cycles  They might lock up files and tie up valuable resources  A confusion might occur:  Client reboots, retransmits the request, and afterwards an orphan reply comes back 38

39 Class5: Possible Solutions [Nelson 1981] 1)Extermination: Use logging to explicitly kill off an orphan after a client reboot 2)Reincarnation: Use broadcasting to kill all remote computations on a client’s behalf after rebooting and getting a new epoch number 3)Gentle Reincarnation: After an epoch broadcast comes in, a machine kills a computation only if its owner cannot be located anywhere 4)Expiration: each remote invocation is given a standard amount of time to fulfill the job Orphan elimination is discussed in more detail by Panzieri and Shrivastave (1988)

40 Next Class Discussion on Fault Tolerance General background on fault tolerance Process resilience, failure detection and reliable multicasting Atomicity and distributed commit protocols Recovery from failures Fault-Tolerance- Part III

Download ppt "Distributed Systems CS 15-440 Fault Tolerance- Part II Lecture 18, Nov 19, 2012 Majd F. Sakr and Mohammad Hammoud 1."

Similar presentations

CS 542: Topics in Distributed Systems Diganta Goswami.

CS 542: Topics in Distributed Systems Diganta Goswami.
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
Remote Procedure Call Design issues Implementation RPC programming

Remote Procedure Call Design issues Implementation RPC programming
Distributed Objects and Remote Invocation

Distributed Objects and Remote Invocation
L-15 Fault Tolerance 1. Fault Tolerance Terminology & Background Byzantine Fault Tolerance Issues in client/server Reliable group communication 2.

L-15 Fault Tolerance 1. Fault Tolerance Terminology & Background Byzantine Fault Tolerance Issues in client/server Reliable group communication 2.
Tam Vu (tvu@mail.eecis.udel.edu) Remote Procedure Call CISC 879 – Spring 03 Tam Vu (tvu@mail.eecis.udel.edu) March 06, 03.

Tam Vu Remote Procedure Call CISC 879 – Spring 03 Tam Vu March 06, 03.
Computing Systems 15, 2015 Next up Client-server model RPC Mutual exclusion.

Computing Systems 15, 2015 Next up Client-server model RPC Mutual exclusion.
Distributed Object & Remote Invocation Vidya Satyanarayanan.

Distributed Object & Remote Invocation Vidya Satyanarayanan.
Exercises for Chapter 4: Interprocess Communication

Exercises for Chapter 4: Interprocess Communication
Computer Science Lecture 18, page 1 CS677: Distributed OS Last Class: Fault Tolerance Basic concepts and failure models Failure masking using redundancy.

Computer Science Lecture 18, page 1 CS677: Distributed OS Last Class: Fault Tolerance Basic concepts and failure models Failure masking using redundancy.
CS 582 / CMPE 481 Distributed Systems Fault Tolerance.

CS 582 / CMPE 481 Distributed Systems Fault Tolerance.
Computer Science Lecture 17, page 1 CS677: Distributed OS Last Class: Fault Tolerance Basic concepts and failure models Failure masking using redundancy.

Computer Science Lecture 17, page 1 CS677: Distributed OS Last Class: Fault Tolerance Basic concepts and failure models Failure masking using redundancy.
Distributed Systems CS 15-440 Fault Tolerance- Part II Lecture 14, Oct 19, 2011 Majd F. Sakr, Mohammad Hammoud andVinay Kolar 1.

Distributed Systems CS Fault Tolerance- Part II Lecture 14, Oct 19, 2011 Majd F. Sakr, Mohammad Hammoud andVinay Kolar 1.
CS 582 / CMPE 481 Distributed Systems Communications (cont.)

CS 582 / CMPE 481 Distributed Systems Communications (cont.)
Fault Tolerance A partial failure occurs when a component in a distributed system fails. Conjecture: build the system in a such a way that continues to.

Fault Tolerance A partial failure occurs when a component in a distributed system fails. Conjecture: build the system in a such a way that continues to.
Distributed Systems Fall 2009 Replication Fall 20095DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.

Distributed Systems Fall 2009 Replication Fall 20095DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.
Top Three Layers Session Layer Presentation Layer Application Layer.

Top Three Layers Session Layer Presentation Layer Application Layer.
.NET Mobile Application Development Remote Procedure Call.

.NET Mobile Application Development Remote Procedure Call.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Chapter 8 Fault.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved Chapter 8 Fault.
CS425 /CSE424/ECE428 – Distributed Systems – Fall 2011 2011-09-22Nikita Borisov - UIUC1 Material derived from slides by I. Gupta, M. Harandi, J. Hou, S.

CS425 /CSE424/ECE428 – Distributed Systems – Fall Nikita Borisov - UIUC1 Material derived from slides by I. Gupta, M. Harandi, J. Hou, S.

Similar presentations

Ads by Google