Chaos Engineering: Why Breaking Things Should Be Practiced

© 2019, Amazon Web Services, Inc. or its affiliates. All
rights reserved. S U M M I T Chaos Engineering: Why breaking things should be practiced Adrian Hornsby Sr. Technical Evangelist Amazon Web Services Qais Ammouri Head of Technology Almosafer @adhorn

rights reserved. S U M M I T Been there?

rights reserved. S U M M I T Distributed Systems are hard Amazon Twitter Netflix

rights reserved. S U M M I T Failures are a given and everything will eventually fail over time. Werner Vogels CTO – Amazon.com “ “

rights reserved. S U M M I T Resiliency: Ability for a system to handle and eventually recover from unexpected conditions

rights reserved. S U M M I T Partial failure mode

rights reserved. S U M M I T How do we build resilient software systems?

rights reserved. S U M M I T People Application Network & Data Infrastructure

rights reserved. S U M M I T Building confidence through testing Unit testing of components: • Tested in isolation to ensure function meets expectations. Functional testing of integrations: • Each execution path tested to assure expected results. Is it enough???

rights reserved. S U M M I T GameDay at Amazon Creating Resiliency Through Destruction https://www.youtube.com/watch?v=zoz0ZjfrQ9s

rights reserved. S U M M I T Chaos engineering https://github.com/Netflix/SimianArmy

rights reserved. S U M M I T Failure injection • Start small & build confidence • Application level • Host failure • Resource attacks (CPU, memory, …) • Network attacks (dependencies, latency, …) • Region attack • Human attack https://www.gremlin.com https://github.com/Netflix/SimianArmy https://chaostoolkit.org

rights reserved. S U M M I T Break your systems on purpose. Find out their weaknesses and fix them before they break when least expected.

rights reserved. S U M M I T Chaos engineering is NOT about breaking things randomly without a purpose, chaos engineering is about breaking things in a controlled environment and through well- planned experiments in order to build confidence in your application to withstand turbulent conditions.

rights reserved. S U M M I T Steady State Hypothesis Design & Run Experiment Fix Build Resilient Systems Verify & Learn

rights reserved. S U M M I T Build Resilient Systems

rights reserved. S U M M I T Our sales were less than 1 million SAR 2012 It all started from a handful of people between Riyadh and Egypt. In 2012, Almosafer started between Egypt and Riyadh with focus on hotels through social media and call center.

rights reserved. S U M M I T We grew to 70 employees & our sales reached to 74 million SAR 2015 Al Tayyar Travel Group (now Seera Group) acquired 60% of Almosafer…

rights reserved. S U M M I T We grew to 1000+ employees & Our sales exceeded 1.3 billion SAR 2018 Crossing the billion line. Becoming the largest OTA in Saudi, fully acquired by Seera Group In 2018, Almosafer became largest OTA in Saudi Arabia in the flight market.

All rights reserved. Start with people • Try to avoid the word “Chaos” when talking your business . • Embrace failure, and fix it. • Replace: “If it fails” with “when it fails”. • Everything fails, at least once!

All rights reserved. Start with people • Try to avoid the word “Chaos” when talking your business . • Embrace failure, and fix it. • Replace: “If it fails” with “when it fails”. • Everything fails, at least once! • Do fire drills, at least once a month.

All rights reserved. Resiliency in Almosafer • Monitor everything, or die trying . • Architect with failure in mind, it is not an edge case. • Resiliency starts in the frontend, avoid blocking UI. • Automation testing is not a “nice to have” it is a “Must have”.

All rights reserved. Resiliency in Almosafer • Monitor everything, or die trying . • Architect with failure in mind, it is not an edge case. • Resiliency starts in the frontend, avoid blocking UI. • Automation testing is not a luxury product. • Use circuit breaking - timeouts, retries and fallbacks.

rights reserved. S U M M I T Steady State

rights reserved. S U M M I T What is steady state? • ”normal” behavior of your system https://www.elastic.co/blog/timelion-tutorial-from-zero-to-hero

rights reserved. S U M M I T What is steady state? • ”normal” behavior of your system • Business Metric https://medium.com/netflix-techblog/sps-the-pulse-of-netflix-streaming-ae4db0e05f8a

rights reserved. S U M M I T Business metrics at work Amazon: 100 ms of extra load time caused a 1% drop in sales (Greg Linden). Google: 500 ms of extra load time caused 20% fewer searches (Marissa Mayer). Yahoo!: 400 ms of extra load time caused a 5–9% increase in the number of people who clicked “back” before the page even loaded (Nicole Sullivan).

rights reserved. S U M M I T Hypothesis

rights reserved. S U M M I T What if…? “What if this load balancer breaks?” “What if Redis becomes slow?” “What if a host on Cassandra goes away?” ”What if latency increases by 300ms?” ”What if the database stops?” Make it everyone’s problem!

rights reserved. S U M M I T Disclaimer! Don’t make an hypothesis that you know will break you!

rights reserved. S U M M I T Design & Run Experiment

rights reserved. S U M M I T Designing experiment • Pick hypothesis • Scope the experiment • Identify metrics • Notify the organization

rights reserved. S U M M I T Rules of thumbs • Start with very small • As close as possible to production • Minimize the blast radius. • Have an emergency STOP!

rights reserved. S U M M I T Running Chaos Experiment Users Canary deployment Normal Version 99% Users 1% Users Start with ..

rights reserved. S U M M I T Verify & Learn

rights reserved. S U M M I T Quantifying the result of the experiment • Time to detect? • Time for notification? And escalation? • Time to public notification? • Time for graceful degradation to kick-in? • Time for self healing to happen? • Time to recovery – partial and full? • Time to all-clear and stable?

rights reserved. S U M M I T PostMortems – COE (Correction of Errors) The 5 WHYs Outage Because of … Because of … Because of … Because of … NOT ENOUGH

rights reserved. S U M M I T More questions to ask • Can you clarify if there were any preceding events? • Why would they believe acting in this way was the best course of action to deliver the desired outcome? • Is there another failure mode that could present here? • What decisions or events prior to this made this work before? • Why stop there – are there places to dig deeper that could shine a light more on this? • Did others step in to help, to advise, or to intercede?

rights reserved. S U M M I T Rules to remember! 1. Failure requires multiple faults 2. There is no isolated ‘cause’ of an accident. 3. There are multiple contributors to accidents.

rights reserved. S U M M I T DON’T blame that one person …

rights reserved. S U M M I T Fix

rights reserved. S U M M I T Big challenges to chaos engineering Mostly Cultural • no time or flexibility to simulate disasters. • teams already spending all of its time fixing things. • can be very political. • might force deep conversations. • deeply invested in a specific technical roadmap (micro-services) that chaos engineering tests show is not as resilient to failures as originally predicted.

rights reserved. S U M M I T Changing culture takes time! Be patient…

rights reserved. S U M M I T

rights reserved. S U M M I T More Resources • https://mvdirona.com/jrh/talksAndPapers/JamesRH_Lisa.pdf • https://www.gremlin.com • https://queue.acm.org/detail.cfm?id=2353017 • https://softwareengineeringdaily.com/ • https://github.com/dastergon/awesome-sre • https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-yuan.pdf • https://medium.com/@NetflixTechBlog • http://principlesofchaos.org • https://speakerdeck.com/tammybutow/chaos-engineering-bootcamp • https://github.com/adhorn/awesome-chaos-engineering • https://www.infoq.com/presentations/netflix-chaos-microservices • http://royal.pingdom.com/wp-content/uploads/2015/04/pingdom_uptime_cheat_sheet.pdf • http://willgallego.com/2018/04/02/no-seriously-root-cause-is-a-fallacy • https://medium.com/@adhorn

Chaos Engineering: Why Breaking Things Should Be Practiced

Chaos Engineering: Why Breaking Things Should Be Practiced

More Decks by Adrian Hornsby

Other Decks in Programming

Featured

Transcript